On Fri, 14 Apr 2000, Tim May wrote:

> Oh, I think it's a "fun" adversary model, too. There are zillions of 
> interesting crypto protocols involved between Alice, Bob, Charles, 
> Dorothy, Elizabeth, Fred, etc., when these persons are in various 
> roles as citizens, tax collector, political campaign monitors, 
> policemen, censors, etc.
> 
> Spending a lot of effort on one of these zillions of possibilities, 
> e.g., how crypto protocols can be used to implement limits on free 
> speech, seems bizarre, however.

I think there are other applications for these digital donation
type protocols and their techniques besides controls on campaign
contributions. These applications may qualify as "limits on free speech",
but limits obtained by private agreement and enforced by protocol instead
of enforced by external coercion.

The specific example I'm thinking of is the recent "Abuse-Free Contract
Signing" presented at CRYPTO '99 by Jakobsson, Garay, and MacKenzie (and
bug-fixed at FC'00 by Shmatikov and Mitchell).
http://www.bell-labs.com/user/markusj/contract.ps

(don't have a URL for the FC'00 paper -- anyone?) 

The idea here is that if Alice and Bob are involved in a contract
negotiation, then usually Bob can show Alice's offer to Carol. Carol will
then be convinced that Alice wants to make a contract with Bob. Their
example was a bidding war for hiring Bob; perhaps another example
could be entrapping Alice (Alice sells porn, Bob obtains an offer to
sell, Bob shows to the FBI). This is referred to by the authors as "abuse"
(hence the "abuse-free" in the title).

Alice might want to have a kind of contract in which Bob is not allowed to
show her offers to Carol. In the physical world, this might take the form
of a pre-contract or NDA in which Bob agrees not to show Alice's offer to
anyone else. Should Bob show Alice's offer to Carol, Alice can sue and win
if she finds out. This seems to require some kind of monitoring,
detection, and enforcement procedure.

This may be a "limit to free speech", but it's framed as part of a
contract between two private parties now. It seems to me to be about the
same standing as an NDA, assuming Bob has the option not to contract.
(note that in the donations case, this doesn't quite hold, since a donor
may have no other way to donate to a candidate) 

A better solution would be to create a cryptographic protocol in which Bob
"cannot" show Alice's offer to Carol. This property is called
"abuse-freeness" by the authors of the paper.

Some thought will show that Bob can always show the string of bits he
receives from Alice to Carol. That's why "cannot" is in quotes in the
previous paragraph. "Self-shredding files" don't work (certain startups'
claims to the contrary!) 

The best we seem to be able to do is to make it not credible to Carol that
these bits came from Alice. At the same time, Bob must be convinced that
these bits came from Alice. Seems like a hard problem.

They solve it by use of "designated verifier signatures" -- signatures
which are valid for Bob and *no one else*. I can outline the construction
if anyone wants (this message is becoming long), but it's very simple,
very clever, and results in a pile of bits which Bob can verify as 
having come from Alice, but Carol _can't_. So Carol can't tell if Bob made
up some offer himself. 

This is an instance in which one party is able to manage the "credibility"
(for lack of a better word) of data it sends to some other party. The same
kind of "credibility management" seems to be at the heart of any crypto
protocol for doing digital donations. 

Speaking of digital donations, take away the whole "donation" background,
and we're left with what? Alice can send Bob something. After she sends
it, she can't take credit for sending it, ever, even if she dearly wants
to and tries to break the system even before sending her first "donation." 

It seems to me that there might be an application here to such things as a
system for reporting human rights abuses. You'd want a system which 
couldn't produce incriminating "evidence" of having used it, even if the
person sending a message (or his computer) has been taken over by the
State. 
(This seems problematic, though - if the State in question is nice
enough to have a court system in which such things as "evidence" matter,
then it may be less likely to use a dissident's computer to manufacture
something like a Mixmaster message which just happens to correspond 
to the State Security Agency's sniffer logs...) 


> The problem, aside from the censorious nature of those other lists, 
> lying in the fact that they don't _like_ political discussions. Perry 
> likes what Perry likes, and Lewis (or his successors) likes what he 
> likes. Their lists, their rules. 'Nuff said.

That's another reason why I would like to discuss protocols like Tomas &
Sander's "humble" digital donations (my term - I've since discovered that
a more widely used term may be "receipt-free") on cypherpunks. This
particular protocol has an explicit political and social application. The
techniques necessary to construct it have implications which seem to reach
beyond this single instance. Exploring these possibilities is part of what
the list is about.

Thanks, 
-David
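
Added example, not part of the message above and not code from the paper: one well-known way to get the "valid for Bob and no one else" property is a Schnorr OR-proof (a two-member ring signature) of "I know Alice's key OR Bob's key", which may differ from the construction the paper uses. The group parameters, function names and sample offer are assumptions constructed for illustration; the group is a toy size.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    return x, pow(G, x, P)                    # (secret, public)

def _challenge(y_alice, y_bob, msg, r_a, r_b):
    data = f"{y_alice}|{y_bob}|{msg}|{r_a}|{r_b}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def _prove(y_alice, y_bob, msg, secret, signer_is_alice):
    """Schnorr OR-proof: 'I know Alice's key OR Bob's key', hiding which one."""
    # Branch for the key we do NOT hold: choose challenge and response first,
    # then solve for the commitment that makes them verify.
    c_sim, s_sim = secrets.randbelow(Q), secrets.randbelow(Q)
    y_sim = y_bob if signer_is_alice else y_alice
    r_sim = pow(G, s_sim, P) * pow(y_sim, c_sim, P) % P
    # Branch for the key we hold: honest commitment, challenge fixed by the hash.
    k = secrets.randbelow(Q)
    r_real = pow(G, k, P)
    r_a, r_b = (r_real, r_sim) if signer_is_alice else (r_sim, r_real)
    c_real = (_challenge(y_alice, y_bob, msg, r_a, r_b) - c_sim) % Q
    s_real = (k - c_real * secret) % Q
    if signer_is_alice:
        return (c_real, c_sim, s_real, s_sim)  # (c_alice, c_bob, s_alice, s_bob)
    return (c_sim, c_real, s_sim, s_real)

def sign_for_bob(x_alice, y_alice, y_bob, msg):
    return _prove(y_alice, y_bob, msg, x_alice, signer_is_alice=True)

def simulate_as_bob(x_bob, y_alice, y_bob, msg):
    return _prove(y_alice, y_bob, msg, x_bob, signer_is_alice=False)

def verify(y_alice, y_bob, msg, sig):
    c_a, c_b, s_a, s_b = sig
    r_a = pow(G, s_a, P) * pow(y_alice, c_a, P) % P
    r_b = pow(G, s_b, P) * pow(y_bob, c_b, P) % P
    return (c_a + c_b) % Q == _challenge(y_alice, y_bob, msg, r_a, r_b)

if __name__ == "__main__":
    (xa, ya), (xb, yb) = keygen(), keygen()
    offer = "constructed offer: Alice hires Bob"
    print(verify(ya, yb, offer, sign_for_bob(xa, ya, yb, offer)))     # Alice's real offer
    print(verify(ya, yb, offer, simulate_as_bob(xb, ya, yb, offer)))  # Bob's own forgery
```

Bob is convinced by any valid tuple he did not compute himself, since only Alice's key could have produced it. Carol, handed the same tuple, sees something Bob could equally have made with `simulate_as_bob`.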

