David Molnar wrote:
> I think there are other applications for these digital donation
> type protocols and their techniques besides controls on campaign
> contributions. These applications may qualify as "limits on free speech",
> but limits obtained by private agreement and enforced by protocol instead
> of enforced by external coercion.
>
> The specific example I'm thinking of is the recent "Abuse-Free Contract
> Signing" presented at CRYPTO '99 by Jakobsson, Garay, and McKenzie. (and
> bug-fixed at FC'00 by Shmatikov and Mitchell).
> http://www.bell-labs.com/user/markusj/contract.ps
It doesn't seem all that similar.
> This idea here is that if Alice and Bob are involved in a contract
> negotiation, then usually Bob can show Alice's offer to Carol. Carol will
> then be convinced that Alice wants to make a contract with Bob. Their
> example was a bidding war for hiring Bob; perhaps another example
> could be entrapping Alice (Alice sells porn, Bob obtains an offer to
> sell, Bob shows to the FBI). This is referred to by the authors as "abuse"
> (hence the "abuse-free" in the title).
> [...]
> They solve it by use of "designated verifier signatures" -- signatures
> which are valid for Bob and *no one else*. I can outline the construction
> if anyone wants (this message is becoming long), but it's very simple,
> very clever, and results in a pile of bits which Bob can verify as
> having come from Alice, but Carol _can't_. So Carol can't tell if Bob made
> up some offer himself.
It's trivial for Alice to send a message to Bob that only Bob can verify
that she sent. Just have Bob send Alice a 3DES key, encrypted to Alice's
public key. Alice returns a message encrypted with that 3DES key.
Only she and Bob know that key, and since Bob knows he didn't write it,
Alice must have.
This is not enough for a contract negotiation, as Bob then wants to
be able to hold Alice to her offer in front of a judge. So for that
you do need to be able to designate a third party, the judge, as an
additional verifier.
(Is this right, Choate? Could you please chime in here with your comments
on the applicability of designated verifier signatures? Come on, you
have an opinion on everything else. Why are you always so strangely
quiet when the list actually starts discussing crypto for a change?)
> Speaking of digital donations, take away the whole "donation" background,
> and we're left with what? Alice can send Bob something. After she sends
> it, she can't take credit for sending it, ever, even if she dearly wants
> to and tries to break the system even before sending her first "donation."
Yes, there are situations where this is desirable in a voluntary system,
but the point is that existing payment protocols already achieve this,
trivially. After buying something Alice simply erases her records of
the transaction. As long as the payment protocol doesn't have "identity
escrow" or similar anti-privacy provisions, Alice is completely safe.
> > The problem, aside from the censorious nature of those other lists,
> > lying in the fact that they don't _like_ political discussions. Perry
> > likes what Perry likes, and Lewis (or his succesors) likes what he
> > likes. Their lists, their rules. 'Nuff said.
>
> That's another reason why I would like to discuss protocols like Tomas &
> Sander's "humble" digital donations (my term - I've since discovered that
> a more widely used term may be "receipt-free") on cypherpunks. This
> particular protocol has an explicit political and social application. The
> techniques necessary to construct it have implications which seem to reach
> beyond this single instance. Exploring these possibilities is part of what
> the list is about.
The problem is that there is so little feedback on cypherpunks because
most clueful people are not willing to wade through the Chaotian garbage.
Yes, you get one or two people with strong stomachs who are willing to
respond, but it is a relatively sterile discussion.
