
No digital coins (was: Chaum on the wrong foot?)

There is no silver bullet!

Here are some comments about why there are no easy to use "digital
coins," and why the digital money protocols are so complicated and
involve banks, tamper-resistant modules, and other things that may
make difficult some of our Cypherpunks goals.

I agree with Hal Finney's basic point about David Chaum's current
direction: it is not precisely the direction I'd like to see.

However, in Chaum's defense, his is only one group and can only do so
much. I don't see other groups pursuing digital cash with the same
vigor and depth, save for the occasional paper about "electronic
wallets" and so forth, and so Chaum is doing what he is doing.

It is possible that someone here in Cypherpunks will develop some form
of competing system. (Bear in mind, though, that these protocols are
notoriously complicated, and involve issues of forgery, spoofing,
denial (that a transaction occurred), tax laws, and so on.)

One of Hal's points deserves special comment:

(speaking of the observer protocol)

> Now, this approach has the obvious advantage that it allows solving
> certain problems which can't be solved otherwise.  There appears to be
> no way to provide for secure, off-line digital cash, for example, other
> than with something like an observer.

There are no digital coins.

A physical piece of gold, the canonical piece of money, is essentially
impossible to counterfeit/forge, so coins can be passed from person
to person, person to shop, to banks, to tax collectors, etc. It is the
ultimate "bearer instrument." Importantly, the flow of such money is
"conservative" in that the total amount of such money is constant...no
amount of trickery or protocol complexity can increase the amount
present, and only loss of the physical coins can reduce the amount.

Paper currency is ostensibly a parallel to physical money (at least in
countries on a gold or silver standard, which the U.S. is not any
longer). Strong currencies (DM, yen, dollar, SF...though this is all
debatable) still have some of the "conservative" nature, because the
bills/notes are very difficult to counterfeit and are exchanged as
physical items or tokens.

I won't get into things like VISA transactions, promissory notes,
etc., except to say they are quite a bit less "tangible" (anyone who
has gotten unexpected VISA transactions, triggered by someone out
there, understands that the transactions are much less straightforward
and tangible). 

A problem with digital money has always been that there apparently is
no close equivalent to a digital coin, a token which can be passed
around freely, as a quarter or a dollar bill can be.

The reasons are obvious: a cryptographic number can be trivially
duplicated (counterfeited/forged) and presented to a second or third
person. Thus, the receiver of such a piece of digital money must
confirm that it has not already been spent, that some bank will redeem
it for "real" money, etc.

Digital coupons have this same problem. (Real coupons are made fairly
counterfeit-resistant, as are such things as lottery tickets. Lottery
tickets also use a clever scheme whereby the winning number, the thing
that gets announced, is hashed/transformed into another number with a
secret key, and this second number is also printed on the ticket, but
would-be spoofers are unable to generate the second number.)

The complicated Chaum protocols, which now are going in the direction
of the tamper-resistant "observer" chips (in smartcards, PDAs, etc.),
address these issues of spoofing, denial, counterfeiting, etc., in
various ways.

Later, Hal makes another good point:

> A related point is that there have already been comparisons on sci.crypt
> between Chaum's observers and the Clipper chip, in that both rely on
> tamper-resistant technology to implement features which are not entirely
> in their owner's best interests.  Assuming we do manage to successfully
> defeat Clipper, the taint of this association may increase resistance to
> observers.
> I wish Chaum and his group would stop directing their efforts towards
> protocols which require an observer chip to be effective.  Granted,
> there are some things that don't work as nicely without observers.  But
> I think that a realistic appraisal of the pros and cons suggests that
> non-observer protocols are more likely to further our ultimate goal of
> personal privacy.

It seems likely to me that even now a group within the bowels of the
NSA and NIST is developing a "digital money clipper" (a euphonious
pun?), that is, a standard for digital money with similar sorts of
backdoors, emergency doors, etc., that Clipper has.

NSA/NIST surely knows of the pressures for digital money, and could
plan to introduce their own standard. Instead of "LEAFs" for the FBI
and other law enforcement, this one could have "IRS observers" and
"money-laundering observers" (this is wild speculation, I'll grant
you) which tie-in to currency exchange reporting, sales tax, and
income tax law enforcement systems.

It may be that Chaum, who is eager to actually get some sales to
groups within Europe and elsewhere, is already responding to some
pressures for "accountability" (the digital money version of
"wire-tappability") by various European governments and the observer
protocols are an effort to satisfy some of these concerns.

(I am not accusing Chaum of anything, just speculating that some
groups developing digital money--and Chaum is the clear leader
here--may have market or legal constraints which are shaping their
focus away from the digital money = untraceable cash = crypto anarchy
direction many of us favor.)

A "Cypherpunks digital money" system may be more urgent than ever.

-Tim May

Timothy C. May         | Crypto Anarchy: encryption, digital money,  
[email protected]       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.
Note: I put time and money into writing this posting. I hope you enjoy it.
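
The following sketch is an added example, not part of the original post. It illustrates the two points made above: a keyed transform (as in the lottery-ticket scheme) stops forgery, but a digital token can still be copied bit for bit, so the redeemer must also check a spent list. The `Issuer` class, the key, and the use of HMAC-SHA256 as the "secret key" transform are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Hypothetical bank or lottery operator; only it holds the secret key."""

    def __init__(self, key: bytes):
        self._key = key
        self._spent = set()  # serial numbers that have already been redeemed

    def _tag(self, serial: str) -> str:
        # Keyed hash of the public serial: the "second number" on the ticket.
        return hmac.new(self._key, serial.encode(), hashlib.sha256).hexdigest()

    def issue(self) -> tuple:
        serial = secrets.token_hex(16)
        return serial, self._tag(serial)

    def redeem(self, serial: str, tag: str) -> str:
        # Step 1: forgery check. Without the key the tag cannot be produced.
        if not hmac.compare_digest(self._tag(serial), tag):
            return "forged"
        # Step 2: duplication check. A valid token may have been copied,
        # so validity alone is not enough; the issuer must track spending.
        if serial in self._spent:
            return "double-spend"
        self._spent.add(serial)
        return "ok"


def demo() -> list:
    bank = Issuer(b"constructed-demo-key")  # constructed sample key
    token = bank.issue()
    copy = tuple(token)             # a perfect duplicate costs nothing
    forged = (token[0], "0" * 64)   # known serial, guessed tag
    return [bank.redeem(*forged), bank.redeem(*token), bank.redeem(*copy)]


if __name__ == "__main__":
    print(demo())
```

The duplicate passes the keyed-hash check and is caught only because the issuer is consulted at redemption time, which is the on-line step that off-line schemes try to replace with an observer.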