[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Crypto Protocols are Hard to Analyze

In the interests of keeping the volume of postings down, I'll say only
a few words about Nick Szabo's many good points:

> > I'm currently trying to analyze a digital cash "coupon" system proposed by
> > Nick Szabo,
> Whoa nelly!  "S&H greenstamps" and another recent idea I've bounced
> off Tim refer to a LEGAL "protocol".  S&H greenstamps are
> "coupons" that can be used to "win" a wide variety of items from
> several participating companies; they are not just coupons good for 
> discount on a specific item or the products & services of a specific 
> company ("Disney Dollars").  S&H greenstamps got into some legal hot 
> water for being too close to a privately issued currency, but 
> nevertheless they are still around.  S&H greenstamps make a good legal 
> "edge case".

I certainly consider "legal" issues to be part of the larger protocol,
inasmuch as banks, credit unions, etc., must obey all sorts of laws.
And there are IRS reporting "protocols," and so on. 

Part of my point was that calling things "Green Stamps" (not a slur on
Nick's idea) does not exempt them, nor does it even really mean they
are not money. Whether Green Stamps, coupons, digital bearer bonds,
"Get Out of Jail Free Cards," whatever, are "money" or not is a
complicated issue, which I can't go into here (1. No space, 2. I'm not
an expert, 3. The _names_ alone are not enough to tell.).

Eric Hughes investigated digital money from a legal point of view (for
example, the funny messages printed on your checks, like "Pay to
the order of," have actual, real meanings). I'm sure Eric, Duncan
Frisell, Sandy Sandfort, Perry Metzger, etc., can elaborate.

Part of the energy barrier we face, or soon will, is that crypto money
has had none (or very little) of the centuries of evolution--successes
and failures--that ordinary money has had. There may be clever ways to
make some forms of digital money essentially be isomorphic to actual
money--the stuff the world is used to, that is--and hence ride the
coat tails of the world's current system. But these will be
complicated, adding to the difficulty of analyzing new protocols for
crytographic, legal, fiduciary, and social acceptability.

> >From an object-oriented point of view, "E-greenstamps" inherit
> digital cash and add legal structure.  Here I am assuming that 
> E-greenstamps or other business/legal manifestations of digital cash can 
> be implemented with Chaum's protocol, providing "Pretty Good Digital 
> Cash" in the cryptographic sense.   The "Chaum off the shelf" 
> assumption.  If there are holes in Chaum's scheme, or major problems 
> with implementing it in software, I'd like to hear more, but "S&H 
> greenstamps" concept doesn't address software security issues.

Well, Chaum and his students have various specialized protocols, that
is, they reduce the complexity by mainly targeting one particular type
of system (toll roads, or digital cash for shops to redeem, whatever).
The "difficulty of analyzing protocols" issue.

Where Nick's idea fits it, how it might be spoofed by shopkeepers,
what prevents forgery, etc., are some of the many issues.

By the way, the latest (August) issue of "Mother Jones" has an article
on a small town in New England (I think) which has their own barter
dollars. We talked about barter dollars, and the Italian experiment
some time back, about a year or so ago, when the List was just getting

Let me point out that the IRS takes a dim view of barter transactions
that are denominated in things other than dollars. 

> cash.  If we think the work ends with implementing a 
> good cryptographic protocol, we are sadly mistaken.  Perhaps that's 
> where the work of "cypherpunks" ends, but I have a broader vision of
> crypto-anarchy that covers the legal, business, and in general
> social issues as well.  Any group that wants to seriously
> deploy cryptography in the real world has to discuss these as well.

Agreed. Which is yet another reason to better formalize our reasoning
about complex protocols. The metaphors are too vague.

> We do need to be more clear on when we are talking about cryptographic 
> protocols ("digital cash"), legal structures ("S&H greenstamps"), and 
> business concepts ("commercial remailer"). 

The lines that separate them are tenuous. I agree it would be nice to
try to identify some truly basic "cryptographic primitives," and even
have them available in libraries (secret sharing, bit committment,
n-out-of-m voting, etc.). (But this is a tall order, as most of these
schemes have been written about, but are not available in software.)

> I'd love to see some digicash papers on soda.  I also agree on the

They're best left scattered amongst the "Crypto" Proceedings, for
reasons I've mentioned (briefly: 1. Hard to OCR them, 2. Anyone doing
work in this area _must_ have access to the Proceedings, if only to
track down the various referenced papers, 3. Too many papers on soda
could expose it to legal action (copyright), 4. The printed papers are
easier to read, anyway.).

> * A "cracker's guild" to break weak cryptography and publicize
> * A formal Crypto Auditing Agency that would verify the algorithms
> and protocols were secure, without revealing trade secrets.

Any Cypherpunks are of course free to do these things, but I won't
hold my breath waiting. These things take a lot of time. And the
Cypherpunks group just is in no position to "decide" on a strategy and
then somehow "assign" staff to these projects. So, it won't get done
this way.

(That's also why a "Cypherpunk chip" is farfetched....too much work.)

This is not because Cypherpunks are lazy or unfocussed, but because
Cypherpunks is a group of volunteers, all with their own goals and pet

-Tim May

Timothy C. May         | Crypto Anarchy: encryption, digital money,  
[email protected]       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.
Note: I put time and money into writing this posting. I hope you enjoy it.