Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-31 Thread cyphrpunk
On 10/28/05, Daniel A. Nagy [EMAIL PROTECTED] wrote:
 Irreversibility of transactions hinges on two features of the proposed
 system: the fundamentally irreversible nature of publishing information in
 the public records and the fact that in order to invalidate a secret, one
 needs to know it; the issuer does not learn the secret at all in some
 implementations and only learns it when it is spent in others.

 In both cases, reversal is impossible, albeit for different reasons. Let's
 say, Alice made a payment to Bob, and Ivan wishes to reverse it with the
 possible cooperation of Alice, but definitely without Bob's help. Alice's
 secret is Da, Bob's secret is Db, the corresponding challenges are,
 respectively, Ca and Cb, and the S message containing the exchange request
 Da-Cb has already been published.

 In the first case, when the secret is not revealed, there is simply no way to
 express reversals. There is no S message with suitable semantics,
 making it impossible to invalidate Db if Bob refuses to reveal it.

The issuer can still invalidate it even though you have not explicitly
defined such an operation. If Alice paid Bob and then convinces the
issuer that Bob cheated her, the issuer could refuse to honor the Db
deposit or exchange operation. From the recipient's perspective, his
cash is at risk at least until he has spent it or exchanged it out of
the system.

The fact that you don't have an 'issuer invalidates cash' operation in
your system doesn't mean it couldn't happen. Alice could get a court
order forcing the issuer to do this. The point is that reversal is
technically possible, and you can't define it away just by saying that
the issuer won't do that. If the issuer has the power to reverse
transactions, the system does not have full irreversibility, even
though the issuer hopes never to exercise his power.


 In the second case, Db is revealed when Bob tries to spend it, so Ivan can,
 in principle, steal (confiscate) it, instead of processing, but at that
 point Da has already been revealed to the public and Alice has no means to
 prove that she was in exclusive possession of Da before it became public
 information.

That is an interesting possibility, but I can think of a way around
it. Alice could embed a secret within her secret. She could base part
of her secret on a hash of an even-more-secret value which she would
not reveal when spending/exchanging. Then if it came to where she had
to prove that she was the proper beneficiary of a reversed
transaction, she could reveal the inner secret to justify her claim.


 Now, one can extend the list of possible S messages to allow for reversals
 in the first scenario, but even in that case Ivan cannot hide the fact of
 reversal from the public after it happened and the fact that he is prepared
 to reverse payments even before he actually does so, because the users and
 auditors need to know the syntax and the semantics of the additional S
 messages in order to be able to use Ivan's services.

That's true, the public visibility of the system makes secret
reversals impossible. That's very good - one of the problems with
e-gold was that it was never clear when they were reversing and
freezing accounts. Visibility is a great feature. But it doesn't keep
reversals from happening, and it still leaves doubt about how final
transactions will be in this system.

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-31 Thread cyphrpunk
One other point with regard to Daniel Nagy's paper at
http://www.epointsystem.org/~nagydani/ICETE2005.pdf

A good way to organize papers like this is to first present the
desired properties of systems like yours (and optionally show that
other systems fail to meet one or more of these properties); then to
present your system; and finally to go back through and show how your
system meets each of the properties, perhaps better than any others.
This paper is lacking that last step. It would be helpful to see the
epoint system evaluated with regard to each of the listed properties.

In particular I have concerns about the finality and irreversibility
of payments, given that the issuer keeps track of each token as it
progresses through the system. Whenever one token is exchanged for a
new one, the issuer records and publishes the linkage between the new
token and the old one. This public record is what lets people know
that the issuer is not forging tokens at will, but it does let the
issuer, and possibly others, track payments as they flow through the
system. This could be grounds for reversibility in some cases,
although the details depend on how the system is implemented. It would
be good to see a critical analysis of how epoints would maintain
irreversibility, as part of the paper.

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-31 Thread Daniel A. Nagy
On Fri, Oct 28, 2005 at 02:18:43PM -0700, cyphrpunk wrote:

 In particular I have concerns about the finality and irreversibility
 of payments, given that the issuer keeps track of each token as it
 progresses through the system. Whenever one token is exchanged for a
 new one, the issuer records and publishes the linkage between the new
 token and the old one. This public record is what lets people know
 that the issuer is not forging tokens at will, but it does let the
 issuer, and possibly others, track payments as they flow through the
 system. This could be grounds for reversibility in some cases,
 although the details depend on how the system is implemented. It would
 be good to see a critical analysis of how epoints would maintain
 irreversibility, as part of the paper.

I agree, this discussion is missing, indeed. I will definitely include it,
should I write another paper on the subject.

Irreversibility of transactions hinges on two features of the proposed
system: the fundamentally irreversible nature of publishing information in
the public records and the fact that in order to invalidate a secret, one
needs to know it; the issuer does not learn the secret at all in some
implementations and only learns it when it is spent in others.

In both cases, reversal is impossible, albeit for different reasons. Let's
say, Alice made a payment to Bob, and Ivan wishes to reverse it with the
possible cooperation of Alice, but definitely without Bob's help. Alice's
secret is Da, Bob's secret is Db, the corresponding challenges are,
respectively, Ca and Cb, and the S message containing the exchange request
Da-Cb has already been published.

In the first case, when the secret is not revealed, there is simply no way to
express reversals. There is no S message with suitable semantics,
making it impossible to invalidate Db if Bob refuses to reveal it.

In the second case, Db is revealed when Bob tries to spend it, so Ivan can,
in principle, steal (confiscate) it, instead of processing, but at that
point Da has already been revealed to the public and Alice has no means to
prove that she was in exclusive possession of Da before it became public
information.

Now, one can extend the list of possible S messages to allow for reversals
in the first scenario, but even in that case Ivan cannot hide the fact of
reversal from the public after it happened and the fact that he is prepared
to reverse payments even before he actually does so, because the users and
auditors need to know the syntax and the semantics of the additional S
messages in order to be able to use Ivan's services.

-- 
Daniel
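Added illustration (editor's example, not code from Nagy's paper or the epoint system): a minimal model of the variant described above in which the secret D is revealed when it is spent, with the challenge C = H(D), an append-only public ledger of S messages, and cyphrpunk's earlier suggestion in this thread of a "secret within a secret" (D itself derived from an inner value that is never published, so that Alice can still prove she originated Da after Da has become public). The hash construction, the message layout and all names are assumptions for the demo.

```python
from __future__ import annotations

import hashlib
import os


def H(*parts: bytes) -> bytes:
    """Hash for challenges and secrets (SHA-256 over domain-separated parts)."""
    return hashlib.sha256(b"\x00".join(parts)).digest()


class Issuer:
    """Ivan: a set of live challenges plus an append-only public ledger.
    Deliberately, no message invalidates a challenge on its own: a challenge
    C leaves the live set only when someone presents D with H(D) == C."""

    def __init__(self) -> None:
        self.live: set = set()
        self.ledger: list = []            # every entry here is public

    def issue(self, challenge: bytes) -> None:
        self.live.add(challenge)
        self.ledger.append(("issue", challenge))

    def exchange(self, secret: bytes, new_challenge: bytes) -> bool:
        """S message 'D -> C_new': spend the token behind H(D), create C_new."""
        challenge = H(secret)
        if challenge not in self.live or new_challenge in self.live:
            return False
        self.live.remove(challenge)
        self.live.add(new_challenge)
        self.ledger.append(("exchange", secret, new_challenge))   # D is now public
        return True

    def published_secrets(self) -> set:
        return {entry[1] for entry in self.ledger if entry[0] == "exchange"}


def new_token() -> tuple:
    """Returns (inner, secret, challenge).  The holder reveals `secret` when
    spending but never `inner`; secret = H("token", inner), so only whoever
    chose `inner` can later exhibit a preimage of the published secret."""
    inner = os.urandom(32)
    secret = H(b"token", inner)
    return inner, secret, H(secret)


def proves_prior_possession(inner: bytes, published_secret: bytes) -> bool:
    """Alice's claim after D_a is public: she knows the inner value behind it."""
    return H(b"token", inner) == published_secret


def scenario() -> dict:
    """Alice pays Bob; record what the protocol does and does not allow."""
    ivan = Issuer()
    inner_a, d_a, c_a = new_token()
    inner_b, d_b, c_b = new_token()
    ivan.issue(c_a)                         # Alice holds a live token
    paid = ivan.exchange(d_a, c_b)          # "D_a -> C_b" published: Bob holds C_b
    replay = ivan.exchange(d_a, c_b)        # D_a is public, but C_a is no longer live
    # Nothing in the message set removes C_b except an S message carrying D_b:
    ivan.exchange(os.urandom(32), c_a)      # a guessed secret does nothing
    bob_still_holds = c_b in ivan.live
    _, _, c_next = new_token()
    bob_spent = ivan.exchange(d_b, c_next)  # now D_b is public as well
    impostor_inner = os.urandom(32)         # someone who only read D_a off the ledger
    return {
        "paid": paid,
        "replay_rejected": not replay,
        "bob_still_holds": bob_still_holds,
        "bob_spent": bob_spent,
        "d_a_public": d_a in ivan.published_secrets(),
        "alice_can_claim": proves_prior_possession(inner_a, d_a),
        "impostor_can_claim": proves_prior_possession(impostor_inner, d_a),
    }
```

The model shows both points at once: the ledger contains Da after the payment, so possession of Da proves nothing, while the inner value behind Da still singles out Alice. Whether Ivan would refuse to honour Cb outside the protocol is the policy question argued elsewhere in the thread; the code only shows that the message syntax gives him no way to do it.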



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-28 Thread cyphrpunk
On 10/25/05, Travis H. [EMAIL PROTECTED] wrote:
 More on topic, I recently heard about a scam involving differential
 reversibility between two remote payment systems.  The fraudster sends
 you an email asking you to make a Western Union payment to a third
 party, and deposits the requested amount plus a bonus for you using
 paypal.  The victim makes the irreversible payment using Western
 Union, and later finds out the credit card used to make the paypal
 payment was stolen when paypal reverses the transaction, leaving the
 victim short.

This is why you can't buy ecash with your credit card. Too easy to
reverse the transaction, and by then the ecash has been blinded away.
If paypal can be reversed just as easily that won't work either.

This illustrates a general problem with these irreversible payment
schemes, it is very hard to simply acquire the currency. Any time you
go from a reversible payment system (as all the popular ones are) to
an irreversible one you have an impedance mismatch and the transfer
reflects rather than going through (so to speak).

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-26 Thread Travis H.
 If you have
 to be that confident in your computer security to use the payment
 system, it's not going to have many clients.

Maybe the trusted computing platform (palladium) may have something to
offer after all, namely enabling naive users to use services that
require confidence in their own security.  One could argue it's like
going to a Vegas casino; software vendors (MS *cough* MS) probably
won't cheat you in such a system because they don't have to; the odds
are in their favor already.  The whole system is designed to assure
they get paid, and they have a lot to lose (confidence in the
platform) by cheating you (at least in ways that can be detected). 
And since you won't be able to do anything to compromise the security,
you can't screw it up.
While I wouldn't see an advantage in that, I might recommend it for my
grandmother.

More on topic, I recently heard about a scam involving differential
reversibility between two remote payment systems.  The fraudster sends
you an email asking you to make a Western Union payment to a third
party, and deposits the requested amount plus a bonus for you using
paypal.  The victim makes the irreversible payment using Western
Union, and later finds out the credit card used to make the paypal
payment was stolen when paypal reverses the transaction, leaving the
victim short.
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-26 Thread Ian G

John Kelsey wrote:

From: cyphrpunk [EMAIL PROTECTED]
Digital wallets will require real security in user PCs. Still I don't
see why we don't already have this problem with online banking and
similar financial services. Couldn't a virus today steal people's
passwords and command their banks to transfer funds, just as easily
as the fraud described above? To the extent that this is not
happening, the threat against ecash may not happen either.



Well, one difference is that those transactions can often be undone,
if imperfectly at times.  The whole set of transactions is logged in
many different places, and if there's an attack, there's some
reasonable hope of getting the money back.  And that said, there have
been reports of spyware stealing passwords for online banking systems,
and of course, there are tons of phishing and pharming schemes to get
the account passwords in a more straightforward way.


Right, the Microsoft operating system as host for virus
/ malware attack for stealing bank and payment systems
value has been going on for a couple of years or so
in a serious (industrial) way.


The payment system operators will surely be sued for this, because
they're the only ones who will be reachable.  They will go broke, and
the users will be out their money, and nobody will be silly enough to
make their mistake again.




They might be sued but they won't necessarily go broke. It depends on
how deep the pockets are suing them compared to their own, and most
especially it depends on whether they win or lose the lawsuit. 



I don't think so.  Suppose there's a widespread attack that steals
money from tens of thousands of users of this payment technology.


That sounds like a version of phishing, 'cept
for being 2 orders of magnitude too small.


There seem to be two choices:

a.  The payment system somehow makes good on their losses.

b.  Everyone who isn't dead or insane pulls every dime left in that
system out, knowing that they could be next.  


Er, no, that doesn't sound like any finance system I
know.  See that post to the Register which I think RAH
forwarded, with 2000 in the class.  That's just this
week's news.

As per my observations, all FC systems bubble along
with something about 1% fraud plus/minus an order of
magnitude.  The credit card people currently report
about 0.1-0.2 % although I think that might be under-
reporting on their part.

Out of that, some people might get
recovered, but enough do not that we wouldn't be able
to push proposition b. with any strength.  We know for
example that even though the banks might recover any
direct losses, they won't accept liability for any
other costs including where their fault caused problems
elsewhere.

iang



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-26 Thread James A. Donald
--
Steve Schear [EMAIL PROTECTED]
 Yes, but unfortunately it is not clear at all that
 courts would find the opposite, either. If a lawsuit
 names the currency issuer as a defendant, which it
 almost certainly would, a judge might order the 
 issuer's finances frozen or impose other measures
 which would impair its business survival while trying
 to sort out who is at fault. It would take someone
 with real cojones to go forward with a business 
 venture of this type in such uncharted waters.

Anyone can sue for anything.  Paypal is entirely located
in the US, making it easy to sue, has done numerous bad
things, but no court orders have been issued to put it
out of business.  If a business's main assets are gold
located in offshore banks, courts are apt to be quite
reluctant to attempt to shut it down, as issuing
ineffectual or difficult to enforce orders makes a judge
look stupid.

People fuss too much about what courts might do.  Courts
are as apt, perhaps more apt, to issue outrageous orders
if you are as innocent as the dawn.  Courts are like
terrorists in that there is no point in worrying what
might offend the terrorists, because they are just as
likely to target you no matter what you do.

Government regulators are a bigger problem, since they
are apt to forbid any business model they do not
understand, but they tend to be more predictable than
courts. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 CY46prGSdN80nLrJL5G79zdH2Uu2lRjQHD9mlSsf
 4JTEpYw1dnco9AMX6Fvv3Uce0bPsG1TJYg+qpwG5n



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread Daniel A. Nagy
One interesting security measure protecting valuable digital assets (WM
protects private keys this way) is inflating them before encryption.

While it does not protect against trojan applications, it does a surprisingly
good job at reducing attacks following the key logging + file theft pattern.

This security measure depends on two facts: storage being much cheaper than
bandwidth and transmission of long files being detectable, allowing for
detecting and thwarting an attack in progress.

-- 
Daniel
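Added illustration of the inflation idea above (editor's example, not WebMoney's code; the container layout, the key binding and the use of HMAC-SHA256 in counter mode as a stand-in for a real cipher are assumptions made so it runs with the standard library alone). The working key is derived from the password and from a hash of every filler byte, so a copy of the file that is missing or damaged anywhere, or a copy of just the few bytes holding the secret, cannot be opened even with the correct password.

```python
from __future__ import annotations

import hashlib
import hmac
import os

SALT_LEN = 16
LEN_FIELD = 8
TAG_LEN = 32
PBKDF2_ROUNDS = 200_000


def _stream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real cipher (demo only)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _key(password: str, salt: bytes, filler: bytes) -> bytes:
    """Key = f(password, hash of ALL filler bytes): neither the password alone
    nor a partial copy of the file is enough to reach the secret."""
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(pw, hashlib.sha256(filler).digest(), hashlib.sha256).digest()


def inflate_encrypt(secret: bytes, password: str, filler_len: int) -> bytes:
    """Container layout: salt | filler_len | filler | tag | ciphertext."""
    salt = os.urandom(SALT_LEN)
    filler = os.urandom(filler_len)          # the bulk that a thief must move
    key = _key(password, salt, filler)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(key, len(secret))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return salt + filler_len.to_bytes(LEN_FIELD, "big") + filler + tag + ct


def deflate_decrypt(blob: bytes, password: str) -> bytes:
    pos = 0
    salt, pos = blob[pos:pos + SALT_LEN], pos + SALT_LEN
    filler_len = int.from_bytes(blob[pos:pos + LEN_FIELD], "big")
    pos += LEN_FIELD
    filler, pos = blob[pos:pos + filler_len], pos + filler_len
    tag, pos = blob[pos:pos + TAG_LEN], pos + TAG_LEN
    ct = blob[pos:]
    if len(salt) != SALT_LEN or len(filler) != filler_len or len(tag) != TAG_LEN:
        raise ValueError("container is truncated")
    key = _key(password, salt, filler)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong password, or the file is incomplete or damaged")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))


def opens(blob: bytes, password: str) -> bool:
    """True if `blob` opens with `password`; used to show partial copies fail."""
    try:
        deflate_decrypt(blob, password)
        return True
    except ValueError:
        return False
```

The caveat the post itself states still applies: malware that runs on the victim's machine with the logged password can derive the key locally and exfiltrate only the small result, so the measure only raises the cost of the blind copy-the-file-and-crack-it-later pattern, where the large transfer is what gets noticed.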



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread cyphrpunk
On 10/24/05, Steve Schear [EMAIL PROTECTED] wrote:
 I don't think E-gold ever held out its system as non-reversible with proper
 court order.  All reverses I am aware of happened either due to some technical
 problem with their system or an order from a court of competence in the
 matter at hand.

Back in the days of such companies as emutualfun.com and
stockgeneration.com there were cases where e-gold froze accounts
without waiting for court orders. I was involved with the discussion
on the e-gold mailing lists back then and it caused considerable hard
feeling among the users. E-gold was struggling to deal with the
onslaught of criminal activity (Ian Grigg described the prevailing
mood as one of 'angst') and they were thrown into a reactive mode.
Eventually I think they got their house in order and established
policies that were more reasonable.

 It's not clear at all that courts will find engineering a system for
 irreversibility is illegal or contributory if there was good justification
 for legal business purposes, which of course there are.

Yes, but unfortunately it is not clear at all that courts would find
the opposite, either. If a lawsuit names the currency issuer as a
defendant, which it almost certainly would, a judge might order the
issuer's finances frozen or impose other measures which would impair
its business survival while trying to sort out who is at fault. It
would take someone with real cojones to go forward with a business
venture of this type in such uncharted waters.

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread cyphrpunk
On 10/24/05, John Kelsey [EMAIL PROTECTED] wrote:
 More to the point, an irreversible payment system raises big practical
 problems in a world full of very hard-to-secure PCs running the
 relevant software.  One exploitable software bug, properly used, can
 steal an enormous amount of money in an irreversible way.  And if your
 goal is to sow chaos, you don't even need to put most of the stolen
 money in your own account--just randomly move it around in
 irreversible, untraceable ways, making sure that your accounts are
 among the ones that benefit from the random generosity of the attack.

To clarify one point, it is not necessary to have accounts in an
ecash system. Probably the simpler approach is for a mint that has
three basic functions: selling ecash for real money; exchanging ecash
for new ecash of equal value; and buying ecash for real money. All
ecash exchanges with the mint can be anonymous, and only when ecash is
exchanged for real money does that side of the transaction require a
bank account number or similar identifying information.

In such a system, the ecash resides not in accounts, but in digital
wallets which are held in files on end users' computers. The basic
attack scenario then is some kind of virus which hunts for such files
and sends the ecash to the perpetrator. If the ecash wallet is
protected, by a password or perhaps a token which must be inserted,
the virus can lie in wait and grab the ecash once the user opens the
wallet manually. There are several kinds of malicious activities that
are possible, from simply deleting the cash to broadcasting it in
encrypted form such as by IRC. Perhaps it could even engage in the
quixotic action of redistributing some of the cash among the users,
but my guess is that pecuniary motivations would dominate and most
viruses will simply do their best to steal ecash. Without accounts per
se, and using a broadcast channel, there is little danger in receiving
or spending the stolen money.

Digital wallets will require real security in user PCs. Still I don't
see why we don't already have this problem with online banking and
similar financial services. Couldn't a virus today steal people's
passwords and command their banks to transfer funds, just as easily as
the fraud described above? To the extent that this is not happening,
the threat against ecash may not happen either.

 The payment system operators will surely be sued for this, because
 they're the only ones who will be reachable.  They will go broke, and
 the users will be out their money, and nobody will be silly enough to
 make their mistake again.

They might be sued but they won't necessarily go broke. It depends on
how deep the pockets are suing them compared to their own, and most
especially it depends on whether they win or lose the lawsuit. As
Steve Schear noted, there is a reasonable argument that a payment
system issuer should not be held liable for the misdeeds of its
customers. Jurisdictional issues may be important as well. Clearly
anyone proposing to enter this business will have to accept the risk
and cost of defending against such lawsuits as part of the business
plan.

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread John Kelsey
From: cyphrpunk [EMAIL PROTECTED]
Sent: Oct 24, 2005 5:58 PM
To: John Kelsey [EMAIL PROTECTED]
Subject: Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

..
Digital wallets will require real security in user PCs. Still I don't
see why we don't already have this problem with online banking and
similar financial services. Couldn't a virus today steal people's
passwords and command their banks to transfer funds, just as easily
as the fraud described above? To the extent that this is not
happening, the threat against ecash may not happen either.

Well, one difference is that those transactions can often be undone,
if imperfectly at times.  The whole set of transactions is logged in
many different places, and if there's an attack, there's some
reasonable hope of getting the money back.  And that said, there have
been reports of spyware stealing passwords for online banking systems,
and of course, there are tons of phishing and pharming schemes to get
the account passwords in a more straightforward way.   The point is,
if you're ripped off in this way, there's a reasonable chance you can
get your money back, because the bank has a complete record of the
transactions that were done.  There's no chance of this happening when
there's no record of the transaction anywhere.  

 The payment system operators will surely be sued for this, because
 they're the only ones who will be reachable.  They will go broke, and
 the users will be out their money, and nobody will be silly enough to
 make their mistake again.

They might be sued but they won't necessarily go broke. It depends on
how deep the pockets are suing them compared to their own, and most
especially it depends on whether they win or lose the lawsuit. 

I don't think so.  Suppose there's a widespread attack that steals
money from tens of thousands of users of this payment technology.
There seem to be two choices:

a.  The payment system somehow makes good on their losses.

b.  Everyone who isn't dead or insane pulls every dime left in that
system out, knowing that they could be next.  

It's not even clear that these are mutually exclusive, but if (a)
doesn't happen, (b) surely will.  Nobody wants their money stolen, and
I don't think many people are so confident of their computer security
that they're willing to bet huge amounts of money on it.  If you have
to be that confident in your computer security to use the payment
system, it's not going to have many clients.  

CP

--John



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-25 Thread Daniel A. Nagy
On Mon, Oct 24, 2005 at 02:58:32PM -0700, cyphrpunk wrote:

 Digital wallets will require real security in user PCs. Still I don't
 see why we don't already have this problem with online banking and
 similar financial services. Couldn't a virus today steal people's
 passwords and command their banks to transfer funds, just as easily as
 the fraud described above? To the extent that this is not happening,
 the threat against ecash may not happen either.

Well, there have been several attacks of this kind against Russia's WebMoney
system. One of the founders and first arbiters, Nikita Sechenko, wrote up
the following text on his advocacy webpage owebmoney.ru (my translation):
https://www.financialcryptography.com/mt/archives/000492.html

It also contains some relevant bits about governing a payment system based
on pseudonymous accounts. I think theirs is the most sophisticated
account-based payment system in active use, complete with arbitration,
messaging, billing, key certification, credit operations and credit history,
and a lot more.

-- 
Daniel



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-24 Thread R.A. Hettinga
At 11:17 AM -0700 10/21/05, someone who can't afford a vowel, Alex, ;-)
expressed his anal glands thusly in my general direction:

You're such an asshole.

My, my. Tetchy, this morning, oh vowelless one...

At 11:17 AM -0700 10/21/05, cyphrpunk wrote:
This is what you characterized as a unitary global claim. Aside from
the fact that unitary is meaningless in this context, his claim was
far from global.

That's 'One size fits all', for those of you in Rio Linda. A little bit of
an Irwin Corey joke for the apparently humor-impaired. Be careful now, I'll
start on the Norm Crosby stuff soon, and you might get an aneurysm, or
something.

While Daniel Nagy has been a model of politeness and modesty in his
claims here, you have reverted to your usual role as an arrogant
bully.

Moi?

I kick sand in your face on a beach somewhere I don't remember about?

Seriously, I tell him who did an exchange protocol, Silvio Micali, and that
they're a dime a dozen, second only to Mo' An' Better Auction Protocols,
and he wants me to go out on google, same as *he* can do, and do his work
for him.

Feh.

At 11:17 AM -0700 10/21/05, cyphrpunk wrote:
I would encourage Daniel not to waste any more time interacting with Hettinga.

Indeed. Especially when he makes with the wet-fish slapping-sounds you do
when actual words are supposed to come out of your mouth. Okay, maybe it's
another orifice. At any rate, you are lacking some, shall we say, ability
to express yourself, on the subject. Be careful, though. Burroughs has this
great cautionary tale about teaching your asshole to talk, speaking of the,
heh, devil...

Cheers,
RAH
Who'll start in on insulting his mother soon, unless Mr. cyphrpunk has
taken that Charles Atlas course he sent out for. Hint: Be grateful you
don't have any nipple-hair to get caught in the NEW IMPROVED Charles Atlas
Chest Expander's springs. Hurts like hell, I hear, and deadlifts work
*much* better...
-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-24 Thread cyphrpunk
On 10/22/05, Ian G [EMAIL PROTECTED] wrote:
 R. Hirschfeld wrote:
  This is not strictly correct.  The payer can reveal the blinding
  factor, making the payment traceable.  I believe Chaum deliberately
  chose for one-way untraceability (untraceable by the payee but not by
  the payer) in order to address concerns such as blackmailing,
  extortion, etc.  The protocol can be modified to make it fully
  untraceable, but that's not how it is designed.

 Huh - first I've heard of that, would be
 encouraging if that worked.  How does it
 handle an intermediary fall guy?   Say
 Bad Guy Bob extorts Alice, and organises
 the payoff to Freddy Fall Guy.  This would
 mean that Alice can strip her blinding
 factors and reveal that she paid to Freddy,
 but as Freddy is not to be found, he can't
 be encouraged to reveal his blinding factors
 so as to reveal that Bob bolted with the
 dosh.

Right, that is one of the kinds of modifications that Ray referred to.
If the mint allows (de-facto) anonymous exchanges then a blackmailer
can simply do an exchange of his ecash before spending it and he will
be home free. Another mod is for the blackmailer to supply the
proto-coin to be signed, in blinded form.

One property of Daniel Nagy's epoint system is that it creates chains
where each token that gets created is linked to the one it came from.
This could be sold as an anti-abuse feature, that blackmailers and
extortionists would have a harder time avoiding being caught. In
general it is an anti-laundering feature since you can't wash your
money clean, it always links back to when it was dirty.

U.S. law generally requires that stolen goods be returned to the
original owner without compensation to the current holder, even if
they had been purchased legitimately (from the thief or his agent) by
an innocent third party. Likewise a payment system with traceable
money might find itself subject to legal orders to reverse subsequent
transactions, confiscate value held by third parties and return the
ill-gotten gains to the victim of theft or fraud. Depending on the
full operational details of the system, Daniel Nagy's epoints might be
vulnerable to such legal actions.

Note that e-gold, which originally sold non-reversibility as a key
benefit of the system, found that this feature attracted Ponzi schemes
and fraudsters of all stripes, and eventually it was forced to reverse
transactions and freeze accounts. It's not clear that any payment
system which keeps information around to allow for potential
reversibility can avoid eventually succumbing to pressure to reverse
transactions. Only a Chaumian type system, whose technology makes
reversibility fundamentally impossible, is guaranteed to allow for
final clearing. And even then, it might just be that the operators
themselves will be targeted for liability since they have engineered a
system that makes it impossible to go after the fruits of criminal
actions.

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-24 Thread John Kelsey

From: cyphrpunk [EMAIL PROTECTED]
Sent: Oct 24, 2005 2:14 PM
Subject: Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

On 10/22/05, Ian G [EMAIL PROTECTED] wrote:

Note that e-gold, which originally sold non-reversibility as a key
benefit of the system, found that this feature attracted Ponzi
schemes and fraudsters of all stripes, and eventually it was forced
to reverse transactions and freeze accounts. It's not clear that any
payment system which keeps information around to allow for potential
reversibility can avoid eventually succumbing to pressure to reverse
transactions. Only a Chaumian type system, whose technology makes
reversibility fundamentally impossible, is guaranteed to allow for
final clearing. And even then, it might just be that the operators
themselves will be targeted for liability since they have engineered
a system that makes it impossible to go after the fruits of criminal
actions.

More to the point, an irreversible payment system raises big practical
problems in a world full of very hard-to-secure PCs running the
relevant software.  One exploitable software bug, properly used, can
steal an enormous amount of money in an irreversible way.  And if your
goal is to sow chaos, you don't even need to put most of the stolen
money in your own account--just randomly move it around in
irreversible, untraceable ways, making sure that your accounts are
among the ones that benefit from the random generosity of the attack.
The payment system operators will surely be sued for this, because
they're the only ones who will be reachable.  They will go broke, and
the users will be out their money, and nobody will be silly enough to
make their mistake again.

CP

--John



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-24 Thread Steve Schear

At 11:14 AM 10/24/2005, cyphrpunk wrote:


Note that e-gold, which originally sold non-reversibility as a key
benefit of the system, found that this feature attracted Ponzi schemes
and fraudsters of all stripes, and eventually it was forced to reverse
transactions and freeze accounts. It's not clear that any payment
system which keeps information around to allow for potential
reversibility can avoid eventually succumbing to pressure to reverse
transactions.


I don't think E-gold ever held out its system as non-reversible with proper 
court order.  All reverses I am aware of happened either due to some technical 
problem with their system or an order from a court of competence in the 
matter at hand.



Only a Chaumian type system, whose technology makes
reversibility fundamentally impossible, is guaranteed to allow for
final clearing. And even then, it might just be that the operators
themselves will be targeted for liability since they have engineered a
system that makes it impossible to go after the fruits of criminal
actions.


It's not clear at all that courts will find engineering a system for 
irreversibility is illegal or contributory if there was good justification 
for legal business purposes, which of course there are.


Steve




Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread R.A. Hettinga
At 10:23 PM +0200 10/20/05, Daniel A. Nagy wrote:
The referred 1988
paper proposes an off-line system

Please. You can just as easily do an on-line system, and still have blind
signatures, including m=m=2 shared secret signature hiding to prevent
double spending.

In fact, the *only* viable way to do blind signatures with any security is
to have an *on-line* system, with redemption and reissue of certificates on
every step, and the underwriter not honoring any double spent transaction.

So, you still get the benefits of non-repudiation, you get functional
anonymity (because audit trails become a completely superfluous cost -- all
you need to keep is a single-field database of spent notes against a
possible second spend, deletable on an agreed-upon date), and (I claim :-))
you get the resulting transaction cost benefit versus book-entry
transactions as well.


Sigh. I really wish people would actually read what people have written
about these things for the last, what, 20 years now...

BTW, you can exchange cash for goods, or other chaumian bearer certificates
-- or receipts, for that matter, with a simple exchange protocol. Micali
did one for email ten years ago, for instance.

Cheers,
RAH

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread Daniel A. Nagy
On Thu, Oct 20, 2005 at 07:34:34PM -0400, R.A. Hettinga wrote:
 At 12:32 AM +0200 10/21/05, Daniel A. Nagy wrote:
 Could you give us a reference to this one, please?
 
 Google is your friend, dude.
 
 Before making unitary global claims like you just did, you might consider
 consulting the literature. It's out there.

With all due respect, this was unnecessarily rude, unfair and unwarranted.
Silvio Micali is a very prolific author and he published more than one paper
on more than one exchange protocol. I am actually familiar with some of his
work on the subject. I was, however, specifically interested in which
particular one did you have in mind. I can think of several exchange
protocols that would do the job, though I don't particularly like them,
because the infrastructure for carrying them out is not in place and they
require more communication than is strictly necessary for obtaining a receipt.

In general, I think that one should be very careful with piling up
cryptographic operations and additional back-and-forth communication steps
in a payment protocol, because it may easily render it unpractical. There
are reasons why there are no cash-like digital payment systems, and it's not
for the lack of trying (you know that better than anybody else in the world,
I guess) or the lack of demand. Making it sufficiently simple is one of the
most difficult challenges.

-- 
Daniel



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread R.A. Hettinga
At 2:36 AM +0200 10/21/05, Daniel A. Nagy wrote:
With all due respect, this was unnecessarily rude, unfair and unwarranted.

This is the *cypherpunks* list, guy... :-)

Silvio Micali is a very prolific author and he published more than one paper
on more than one exchange protocol

And I just got through saying that there are *lots* of exchange protocols.

You're the guy who said he couldn't figure out how to do a receipts. I toss
one, out of probably hundreds out there in the last 30 years, off the top
of my head, and *you* go all canonical on me here.

Again. Repeat. Google is your friend.

Thank you for playing.

Cheers,
RAH

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread R.A. Hettinga
At 12:32 AM +0200 10/21/05, Daniel A. Nagy wrote:
Could you give us a reference to this one, please?

Google is your friend, dude.

Before making unitary global claims like you just did, you might consider
consulting the literature. It's out there.

Cheers,
RAH

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread Daniel A. Nagy
On Thu, Oct 20, 2005 at 05:19:49PM -0400, R.A. Hettinga wrote:

 BTW, you can exchange cash for goods, or other chaumian bearer certificates
 -- or receipts, for that matter, with a simple exchange protocol. Micali
 did one for email ten years ago, for instance.

Could you give us a reference to this one, please?

Thank you in advance!

-- 
Daniel



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread cyphrpunk
As far as the issue of receipts in Chaumian ecash, there have been a
couple of approaches discussed.

The simplest goes like this. If Alice will pay Bob, Bob supplies Alice
with a blinded proto-coin, along with a signed statement, I will
perform service X if Alice supplies me with a mint signature on this
value Y. Alice pays to get the blinded proto-coin Y signed by the
mint. Now she can give it to Bob and show the signature on Y in the
future to prove that she upheld her end.

A slightly more complicated one starts again with Bob supplying Alice
with a blinded proto-coin, which Alice signs. Now she and Bob do a
simultaneous exchange of secrets protocol to exchange their two
signatures. This can be done for example using the commitment scheme
of Damgard from Eurocrypt 93. Bob gets the signature necessary to
create his coin, and Alice gets the signed receipt (or even better,
perhaps Bob's signature could even constitute the service Alice is
buying).

I would be very interested to hear about a practical application which
combines the need for non-reversibility (which requires a degree of
anonymity) with the need to be able to prove that payment was made
(which seems to imply access to a legal system to force performance,
an institution which generally will require identification).

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread R. Hirschfeld
 Date: Thu, 20 Oct 2005 11:31:39 -0700
 From: cyphrpunk [EMAIL PROTECTED]

   2. Cash payments are final. After the fact, the paying party has no
   means to reverse the payment. We call this property of cash
   transactions _irreversibility_.
 
 Certainly Chaum ecash has this property. Because deposits are
 unlinkable to withdrawals, there is no way even in principle to
 reverse a transaction.

This is not strictly correct.  The payer can reveal the blinding
factor, making the payment traceable.  I believe Chaum deliberately
chose for one-way untraceability (untraceable by the payee but not by
the payer) in order to address concerns such as blackmailing,
extortion, etc.  The protocol can be modified to make it fully
untraceable, but that's not how it is designed.

   3. Cash payments are _peer-to-peer_. There is no distinction between
   merchants and customers; anyone can pay anyone. In particular, anybody
   can receive cash payments without contracts with third parties.
 
 Again this is precisely how Chaum ecash works. Everyone can receive
 ecash and everyone can spend it. There is no distinction between
 buyers and vendors. Of course, transactions do need the aid of the
 issuer, but that is true of all online payment systems including
 Daniel's.

Apart from the transferability issue, I think there are some systems
that do not rely on an issuer at all (in effect any payee is an
issuer).  Manasse's Millicent comes to mind, but I confess that I
don't fully remember the details.

Ray
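
The receipt protocol cyphrpunk sketched above (Bob supplies the blinded proto-coin and a promise, Alice pays the mint to sign it, and the mint's signature on Y is her receipt) and Ray's point that whoever holds the blinding factor can trace the coin, worked through as an added toy example; this is not code from the thread or from any participant's system. The RSA parameters, the hash-to-modulus step, the mint's public record of signed proto-coins (Daniel's later suggestion) and all names are constructed for illustration, and Bob's own signature on his promise is abstracted to a plain string.

```python
"""Toy Chaumian blind-signature receipt flow (added illustration).

Roles: Alice (payer), Bob (payee, supplies the blinded proto-coin),
Mint (issues RSA blind signatures, keeps the spent-note database).
All key material is constructed; the modulus is far too small for real use.
"""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the mint (two known primes, ~60-bit modulus).
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+


def h(serial: bytes) -> int:
    """Hash a coin serial into the RSA group: the unique 'signed content'."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Mint:
    def __init__(self) -> None:
        self.spent = set()          # single-field database of spent notes
        self.public_record = []     # (Y, signature) pairs, published openly

    def sign_blinded(self, y: int) -> int:
        """Sign blinded proto-coin Y. Alice pays for this call (payment abstracted)."""
        sig = pow(y, D, N)
        self.public_record.append((y, sig))
        return sig

    @staticmethod
    def verify(m: int, sig: int) -> bool:
        return pow(sig, E, N) == m

    def deposit(self, serial: bytes, sig: int) -> bool:
        """Accept a coin once; a second deposit of the same serial is refused."""
        if serial in self.spent or not self.verify(h(serial), sig):
            return False
        self.spent.add(serial)
        return True


class Bob:
    def make_proto_coin(self):
        self.serial = secrets.token_bytes(16)
        while True:                  # blinding factor must be invertible mod N
            self.r = secrets.randbelow(N - 2) + 2
            if gcd(self.r, N) == 1:
                break
        y = (h(self.serial) * pow(self.r, E, N)) % N
        # Bob would sign this promise with his own key; abstracted to a string.
        promise = f"I will perform service X if Alice supplies a mint signature on Y={y}"
        return y, promise

    def unblind(self, blinded_sig: int):
        # (m * r^E)^D * r^-1 == m^D  (mod N): a plain mint signature on h(serial)
        sig = (blinded_sig * pow(self.r, -1, N)) % N
        return self.serial, sig


def is_receipt_valid(y: int, blinded_sig: int) -> bool:
    """Alice's receipt: the mint's signature on exactly the Y named in Bob's promise."""
    return Mint.verify(y, blinded_sig)


def links_to_coin(y: int, r: int, serial: bytes) -> bool:
    """Whoever holds the blinding factor r can tie blinded Y to the deposited
    coin. In plain Chaum withdrawal that is the payer; in this receipt
    variant it is Bob, who chose r."""
    return (h(serial) * pow(r, E, N)) % N == y


def run_protocol() -> dict:
    """Run one Alice -> Bob payment end to end and report what each check found."""
    mint, bob = Mint(), Bob()
    y, promise = bob.make_proto_coin()          # Bob -> Alice
    blinded_sig = mint.sign_blinded(y)           # Alice pays the mint, keeps the receipt
    receipt_ok = is_receipt_valid(y, blinded_sig) and str(y) in promise
    # Even if Alice never forwards the signature, Bob can fetch it from the record.
    from_record = dict(mint.public_record)[y]
    serial, sig = bob.unblind(from_record)      # Bob now holds a spendable coin
    return {
        "receipt_valid": receipt_ok,
        "first_deposit": mint.deposit(serial, sig),
        "double_spend_rejected": not mint.deposit(serial, sig),
        "traceable_with_r": links_to_coin(y, bob.r, serial),
        "forgery_rejected": not mint.deposit(b"forged", 12345),
    }


if __name__ == "__main__":
    print(run_protocol())
```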



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread Daniel A. Nagy
On Thu, Oct 20, 2005 at 03:36:54PM -0700, cyphrpunk wrote:
 As far as the issue of receipts in Chaumian ecash, there have been a
 couple of approaches discussed.
 
 The simplest goes like this. If Alice will pay Bob, Bob supplies Alice
 with a blinded proto-coin, along with a signed statement, I will
 perform service X if Alice supplies me with a mint signature on this
 value Y. Alice pays to get the blinded proto-coin Y signed by the
 mint. Now she can give it to Bob and show the signature on Y in the
 future to prove that she upheld her end.

I like this one, though there might be a problem if Alice does everything,
except giving Bob the signed version of Y in the end. I can imagine scenarios
where this might be a problem.

However, it can be relatively easily solved if the mint publishes every
signed proto-coin (instead of being handed to the payer, it goes to the
public records, from where the payer can retrieve it). There's no reason not
to.

 A slightly more complicated one starts again with Bob supplying Alice
 with a blinded proto-coin, which Alice signs. Now she and Bob do a
 simultaneous exchange of secrets protocol to exchange their two
 signatures. This can be done for example using the commitment scheme
 of Damgard from Eurocrypt 93. Bob gets the signature necessary to
 create his coin, and Alice gets the signed receipt (or even better,
 perhaps Bob's signature could even constitute the service Alice is
 buying).

This one requires additional infrastructure which needs to be rolled out,
which is expensive. Simultaneous exchange of secrets is an elegant
cryptographic feat, but the required tools are not available to the general
public right now and the motivation to obtain them is insufficient. Thus, a
system relying on this cannot be phased in cheaply.

 I would be very interested to hear about a practical application which
 combines the need for non-reversibility (which requires a degree of
 anonymity) with the need to be able to prove that payment was made
 (which seems to imply access to a legal system to force performance,
 an institution which generally will require identification).

I claim that a system that provides both features will be preferred by users
to one that provides only one or neither.

The desirability of a payment vehicle depends on the assortment of goods and
services available for it. Now, the lack of non-reversibility might be
either a show-stopper or a significant additional cost in the case of some
goods and services, while receipts are required in the case of others.

Both might be required for transactions in the $100 ... $1000 range between
a power-seller and one-time buyers in a low-trust environment. From the
seller's point of view, the risk of a reversal might not be acceptable
(basically, he cannot assess the probability of it, while the cost is
substantial), because the value is too high, so he needs irreversibility.
From the buyer's point of view, the risk of losing the money is not
catastrophic, but highly undesirable; he wants to be able to name-and-shame
the fraud. This would provide the seller with enough incentives to deliver
and enough security to go ahead with the deal.

The legal system in this case is just provable reputation-tracking, which
in case of non-performance deprives the seller of future custom.

-- 
Daniel



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread cyphrpunk
On 10/20/05, Daniel A. Nagy [EMAIL PROTECTED] wrote:
 On Thu, Oct 20, 2005 at 03:36:54PM -0700, cyphrpunk wrote:
  As far as the issue of receipts in Chaumian ecash, there have been a
  couple of approaches discussed.
 
  The simplest goes like this. If Alice will pay Bob, Bob supplies Alice
  with a blinded proto-coin, along with a signed statement, I will
  perform service X if Alice supplies me with a mint signature on this
  value Y. Alice pays to get the blinded proto-coin Y signed by the
  mint. Now she can give it to Bob and show the signature on Y in the
  future to prove that she upheld her end.

 I like this one, though there might be a problem if Alice does everything,
 except giving Bob the signed version of Y in the end. I can imagine scenarios
 where this might be a problem.

 However, it can be relatively easily solved if the mint publishes every
 signed proto-coin (instead of being handed to the payer, it goes to the
 public records, from where the payer can retrieve it). There's no reason not
 to.

Good idea! Even without this, if there is a problem then everything
will come out in the dispute resolution phase, where Alice will be
forced to reveal the mint's signature. Bob may claim at that time
never to have seen it before, while Alice may claim that she had sent
it earlier, but once they get this far both sides will be forced to
agree that Bob has now been paid so the contract can be completed. So
this method would be OK for contracts where timeliness is not an
important issue. But your idea of having the mint publish its
signatures could help even more.


  A slightly more complicated one starts again with Bob supplying Alice
  with a blinded proto-coin, which Alice signs. Now she and Bob do a
  simultaneous exchange of secrets protocol to exchange their two
  signatures. This can be done for example using the commitment scheme
  of Damgard from Eurocrypt 93. Bob gets the signature necessary to
  create his coin, and Alice gets the signed receipt (or even better,
  perhaps Bob's signature could even constitute the service Alice is
  buying).

 This one requires additional infrastructure which needs to be rolled out,
 which is expensive. Simultaneous exchange of secrets is an elegant
 cryptographic feat, but the required tools are not available to the general
 public right now and the motivation to obtain them is insufficient. Thus, a
 system relying on this cannot be phased in cheaply.

I'm not sure what costs you see here. There are two main technologies
I am familiar with for signature (or general secret) exchange. One is
purely local and involves bit by bit release of the signatures. Both
parties first commit to their signatures and use ZK proofs to show
that the committed values are in fact signatures over the required
data. They then release their sigs a bit at a time, taking turns. If
one party aborts prematurely he has at most a factor of 2 advantage
over the other in a brute force search to find the missing bits of the
signature. While this takes many rounds, it is still pretty fast. Of
course the users don't manually initiate each round, it all happens
automatically under control of the software. I saw some code to
implement this a couple of years ago somewhere on Sourceforge. It
actually exchanged PGP signatures, of all things. It does not take any
new infrastructure.

The other technology is so-called optimistic exchange, where the
signatures are provably encrypted to the public key of a trusted third
party. The two parties each exchange such encryptions and prove they
are valid. Then they exchange the actual signatures in the
straightforward manner. If one party does not send his sig, the other
can go to the TTP and get it. Since this option exists, there is no
incentive for the parties not to complete the transaction and hence
the TTP will in practice almost never be used. This one does require
the TTP to exist and his public key to be available, but that should
be no more new infrastructure than is required for the cash issuer and
his key to be distributed. In fact the issuer could be the TTP for
dispute resolution if desired.

 The desirability of a payment vehicle depends on the assortment of goods and
 services available for it. Now, the lack of non-reversibility might be
 either a show-stopper or a significant additional cost in the case of some
 goods and services, while receipts are required in the case of others.

 Both might be required for transactions in the $100 ... $1000 range between
 a power-seller and one-time buyers in a low-trust environment. From the
 seller's point of view, the risk of a reversal might not be acceptable
 (basically, he cannot assess the probability of it, while the cost is
 substantial), because the value is too high, so he needs irreversibility.
 From the buyer's point of view, the risk of losing the money is not
 catastrophic, but highly undesirable; he wants to be able to name-and-shame
 the fraud. This would provide the seller with 

Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-21 Thread cyphrpunk
On 10/20/05, R.A. Hettinga [EMAIL PROTECTED] wrote:
 At 12:32 AM +0200 10/21/05, Daniel A. Nagy wrote:
 Could you give us a reference to this one, please?

 Google is your friend, dude.

 Before making unitary global claims like you just did, you might consider
 consulting the literature. It's out there.

You're such an asshole. Daniel's actual statement was simply:

 I know of no protocol for transferring blinded tokens with a receipt, but I
 do not rule out the possibility of its existence.

This is what you characterized as a unitary global claim. Aside from
the fact that unitary is meaningless in this context, his claim was
far from global. Instead it was a very modest statement about what
aspects of the technology he was familiar with, and explicitly
admitted the possibility that he might be mistaken. I don't think you
could ask for anything more in a world where no one has perfect
knowledge about any topic.

While Daniel Nagy has been a model of politeness and modesty in his
claims here, you have reverted to your usual role as an arrogant
bully. If Daniel's project should be successful then you will
undoubtedly switch over to your other mode of communication,
obsequious ass-kissing. I have experienced both from you, in my many
names and roles, and I have no taste for either one.

I would encourage Daniel not to waste any more time interacting with Hettinga.

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-20 Thread cyphrpunk
On 10/19/05, Daniel A. Nagy [EMAIL PROTECTED] wrote:
http://www.epointsystem.org/~nagydani/ICETE2005.pdf

 Note that nowhere in my paper did I imply that the issuer is a bank (the
 only mentioning of a bank in the paper is in an analogy). This is because I
 am strongly convinced that banks cannot, will not and should not be the
 principal issuers of digital cash-like payment vehicles. If you need
 explanation, I'm willing to provide it. I do not expect payment tokens to
 originate from withdrawals and end their life cycles being deposited to
 users' bank accounts.

Suppose we consider your concept of a transaction chain, which is
formed when a token is created based on some payment from outside the
system, is maintained through exchanges of one token for another (we
will ignore split and combine operations for now), and terminates when
the token is redeemed for some outside-the-system value. Isn't it
likely in practice that such transaction chains will be paid for and
redeemed via existing financial systems, which are fully identified? A
user will buy a token using an online check or credit card or some
other non-anonymous mechanism. He passes it to someone else as a
cash-like payment. Optionally it passes through more hands. Ultimately
it is redeemed by someone who exchanges it for a check or deposit into
a bank or credit card account.

If you don't see this as the typical usage model, I'd like to hear your ideas.

If this is the model, my concern is that in practice it will often be
the case that there will be few intermediate exchanges. Particularly
in the early stages of the system, there won't be that much to buy.
Someone may accept epoints for payment but the first thing he will do
is convert them to real money. A typical transaction will start with
someone buying epoints from the issuer using some identified payment
system, spending them online, and then the recipient redeems them
using an identified payment system. The issuer sees exactly who spent,
how much they spent and where they spent it. The result is that in
practice the system has no anonymity whatsoever. It is just another
way of transferring value online.

 Using currency is, essentially, a credit operation, splitting barter into
 the separate acts of selling and buying, thus making the promise to
 reciprocate (that is the eligibility to buy something of equal value from the
 buyer) a tradeable asset itself. It is the trading of this asset that needs
 to be anonymous, and the proposed system does a good enough job of
 protecting the anonymity of those in the middle of the transaction chains.

The hard part is getting into the middle of those transaction chains.
Until we reach the point where people receive their salaries in
epoints, they will have little choice but to buy epoints for real
money. That puts them at the beginning of a transaction chain and not
in the middle. Sellers will tend to be at the end. The only people who
could be in the middle would be those who sell substantially online
for epoints and who also find things online that they can buy for
epoints. But that will be a small fraction of users. For the rest of
them, anonymity is not a selling point of this system.

If you take away the anonymity, is this technology still valuable?
Does it have advantages over other online payment systems, like egold,
credit cards or paypal?

CP



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-20 Thread Ian G

cyphrpunk wrote:

If this is the model, my concern is that in practice it will often be
the case that there will be few intermediate exchanges. Particularly
in the early stages of the system, there won't be that much to buy.
Someone may accept epoints for payment but the first thing he will do
is convert them to real money. A typical transaction will start with
someone buying epoints from the issuer using some identified payment
system, spending them online, and then the recipient redeems them
using an identified payment system. The issuer sees exactly who spent,
how much they spent and where they spent it. The result is that in
practice the system has no anonymity whatsoever. It is just another
way of transferring value online.



That's a merchant business model.  Typically, that's
not how payment systems emerge.  Mostly, they emerge
by a p2p model, and then migrate to a merchant model
over time.  How they start is generally a varied question,
and somewhat a part of the inspiration of the Issuer.

According to the Issuer's design, he may try and force
that migration faster or slower.  In a more forced
system, there is typically only one or a few exchange
points and that is probably the Issuer himself.  If
the Issuer also pushes a merchant design, and a
triangular flow evolves, the tracing of transactions
is relatively easy regardless of the system because
time and amount give it away.  But, typically, if the
Issuer has designs on merchant business, he generally
doesn't care about the hyped non-tracking capabilities
of the software, and also prefers the tracking to be
easy for support and segmentation purposes.

A game that Issuers often play is to pretend or market
a system as privacy protecting, but if their intention
is the merchant model then that game stops when the
numbers get serious.  (I gather they discuss that in
the Paypal book if you want a written example.)

Either way, it is kind of tough to criticise a software
system for that.  It's the Issuer and the market that
sets the tune there;  not the software system.  The
ideal software system allows the Issuer to decide
these parameters, but it is also kind of tough to
provide all such parameters in a big dial, and keep
the system small and tight.  (I suppose on this note,
this is a big difference between Daniel's system and
mine.  His is small and tight and he talks about being
able to audit the 5 page long central server ... mine
is relatively large and complex, but it can do bearer
and it can do fully traceable, as well as be passably
extended to imitate his design.)  Meanwhile, the
Issuers who want to provide privacy with a bog
standard double entry online accounts system still
have a better record of doing that than any other
Issuers that might have boasted mathematical blah
blah, they just run theirs privately.  e.g., your
average Swiss bank.

iang



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-20 Thread Daniel A. Nagy
I will provide a detailed answer a bit later, but the short answer is that
anonymity and untraceability are not major selling points, as experience
shows. After all, ATMs could easily record and match to the user the serial
numbers of each banknote they hand out, yet, there seems to be no preference
to coins vs. banknotes.

The major selling point, as noted in the paper and in the presentation is
that the security (and hence the transaction cost manifesting itself in the
effort required for each transaction) scales with transaction value. For
paying pennies, you just type, say, 12-character codes. Yet, if the
transaction value warrants it, you can have a full-fledged, digitally signed
audit trail within the same system. And it's completely up to the users to
decide what security measures to take.

Another important issue is that you never risk more than the transaction
value. There is no identity to be stolen.

So, in short, the selling point is flexible and potentially very high
security against all sorts of threats. Someone finding out who you might be
is not, by far, the most serious threat in a payment system.

-- 
Daniel



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-20 Thread cyphrpunk
Let's take a look at Daniel Nagy's list of desirable features for an
ecash system and see how simple, on-line Chaum ecash fares.

  http://www.epointsystem.org/~nagydani/ICETE2005.pdf

  One of the reasons, in the author's opinion, is that payment systems
  based on similar schemes lack some key characteristics of paper-based
  cash, rendering them economically infeasible. Let us quickly enumerate
  the most important properties of cash:

  1.  Money doesn't smell.  Cash payments are -- potentially --
  _anonymous_ and untraceable by third parties (including the issuer).

This is of course the main selling point of Chaum's system, where it
excels. I will point out that defining cash as merely potentially
anonymous leaves a loophole whereby fully non-anonymous systems get to
call themselves cash. This underplays the strength of Chaum's system.
It is not just potentially anonymous, it has a strong degree of
anonymity.

  2. Cash payments are final. After the fact, the paying party has no
  means to reverse the payment. We call this property of cash
  transactions _irreversibility_.

Certainly Chaum ecash has this property. Because deposits are
unlinkable to withdrawals, there is no way even in principle to
reverse a transaction.

  3. Cash payments are _peer-to-peer_. There is no distinction between
  merchants and customers; anyone can pay anyone. In particular, anybody
  can receive cash payments without contracts with third parties.

Again this is precisely how Chaum ecash works. Everyone can receive
ecash and everyone can spend it. There is no distinction between
buyers and vendors. Of course, transactions do need the aid of the
issuer, but that is true of all online payment systems including
Daniel's.

  4. Cash allows for acts of faith or _naive transactions_. Those who
  are not familiar with all the antiforgery measures of a particular
  banknote or do not have the necessary equipment to verify them, can
  still transact with cash relying on the fact that what they do not
  verify is nonetheless verifiable in principle.

I have to admit, I don't understand this point, so I can't say to what
extent Chaum ecash meets it. In most cases users will simply use their
software to perform transactions and no familiarity is necessary with
any antiforgery or other technical measures in the payment system. In
this sense all users are naive and no one is expected to be a
technical expert. Chaum ecash works just fine in this model.

  5. The amount of cash issued by the issuing authority is public
  information that can be verified through an auditing process.

This is the one aspect where Chaum ecash fails. It is a significant
strength of Daniel Nagy's system that it allows public audits of the
amount of cash outstanding.

However note that if the ecash issuer stands ready to buy and sell
ecash for real money then he has an incentive not to excessively
inflate his currency as it would create liabilities which exceed his
assets. Similarly, in a state of competition between multiple such
ecash issuers, any currency which over-inflates will be at a
disadvantage relative to others, as discussed in Dan Selgin's works on
free banking.

Daniel Nagy also raised a related point about insider malfeasance,
which is also a potential problem with Chaum ecash, but there do exist
technologies such as hardware security modules which can protect keys
in a highly secure manner and make sure they are used only via
authorized protocols. Again, the operators of the ecash system have
strong incentives to protect their keys against insider attacks.

  The payment system proposed in (D. Chaum, 1988) focuses on the first
  characteristic while partially or totally lacking all the others.

In summary, I don't think this is true at all. At least the first
three characteristics are met perfectly by Chaumian ecash, and
possibly the fourth is met in practice as naive users can access the
system without excessive complications. Only the fifth point, the
ability for outsiders to monitor the amount of cash in circulation, is
not satisfied. But even then, the ecash mint software, and procedures
and controls followed by the issuer, could be designed to allow third
party audits similarly to how paper money cash issuers might be
audited today.

There do exist technical proposals for ecash systems such as that from
Sander and Ta-Shma which allow monitoring the amount of cash which has
been issued and redeemed while retaining anonymity and unlinkability,
but those are of questionable efficiency with current technology.
Perhaps improved versions of such protocols could provide a payment
system which would satisfy all of Daniel Nagy's desiderata while
retaining the important feature of strong anonymity.

CP
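The blinding that this comparison turns on is easier to judge with the protocol in front of you. The following is an added example, not code from the thread, from Chaum's paper, or from any ecash product: a toy on-line Chaumian mint using RSA blind signatures with a deliberately tiny modulus (61 * 53, an assumption for readability; a real mint uses a 2048-bit or larger modulus and a full-domain hash). It shows what the mint learns at withdrawal versus deposit (unlinkability), the spent-list that stops double spending, and that the count of coins issued exists only as the mint's private counter, so an insider or a key thief can inflate without leaving a trace, which is exactly the fifth point and the insider remark above.

```python
"""Toy Chaum-style on-line ecash with RSA blind signatures (added example).

Parameters are insecure toy values chosen for readability (assumption).
"""
import hashlib
import math
import secrets

P, Q = 61, 53                        # toy primes (assumption)
N = P * Q                            # 3233
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753, the mint's private exponent


def coin_digest(serial: bytes) -> int:
    """The signed content: unique but otherwise unimportant, value is fixed by the key."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Mint:
    """On-line mint: signs blinded coins, keeps a spent-list, counts issuance."""

    def __init__(self) -> None:
        self.issued = 0               # the mint's own tally; nobody outside can check it
        self.spent = set()            # serials already deposited
        self.blinded_seen = []        # everything the mint ever learns at withdrawal

    def sign_blinded(self, blinded: int) -> int:
        self.issued += 1
        self.blinded_seen.append(blinded)
        return pow(blinded, D, N)

    def rogue_sign(self, serial: bytes) -> int:
        """Insider or key thief: sign a coin directly, bypassing the counter."""
        return pow(coin_digest(serial), D, N)

    def deposit(self, serial: bytes, sig: int) -> bool:
        if pow(sig, E, N) != coin_digest(serial):
            return False              # forged or corrupted coin
        if serial in self.spent:
            return False              # double spend
        self.spent.add(serial)
        return True


def withdraw(mint: Mint) -> tuple:
    """Client side: blind, have it signed, unblind. Returns (serial, signature)."""
    serial = secrets.token_bytes(16)
    m = coin_digest(serial)
    while True:
        r = secrets.randbelow(N - 2) + 2        # blinding factor, coprime to N
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N            # mint sees only m * r^E
    blinded_sig = mint.sign_blinded(blinded)    # (m * r^E)^D = m^D * r
    sig = (blinded_sig * pow(r, -1, N)) % N     # strip r: m^D, the coin signature
    return serial, sig


def demo() -> dict:
    """Exercise the properties discussed above; returns a dict of observations."""
    mint = Mint()
    serial, sig = withdraw(mint)
    out = {
        "valid": pow(sig, E, N) == coin_digest(serial),
        # the mint never saw the coin digest itself, only its blinded form
        "mint_saw_digest": coin_digest(serial) in mint.blinded_seen,
        "forged_rejected": not mint.deposit(serial, (sig + 1) % N),
        "first_deposit": mint.deposit(serial, sig),
        "second_deposit": mint.deposit(serial, sig),
    }
    rogue = b"rogue-coin"
    out["rogue_accepted"] = mint.deposit(rogue, mint.rogue_sign(rogue))
    out["issued_reported"] = mint.issued       # still 1: the extra coin is invisible
    out["coins_redeemed"] = len(mint.spent)    # 2
    return out
```

Because E is coprime to (P-1)(Q-1), x -> x^E is a bijection mod N, so any altered signature fails verification and the forgery check is deterministic; the rogue coin, by contrast, verifies perfectly, which is why a public recount of what the key has signed cannot be built from the key alone.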



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-20 Thread Daniel A. Nagy
Thank you for the detailed critique!

I think we're not talking about the same Chaumian cash. The referred 1988
paper proposes an off-line system, where double spending compromises
anonymity and results in transaction reversal. I agree with you that it was
a mistake on my part to deny its peer-to-peer nature; should be more careful
in the future.

I strongly disagree that potentially anonymous systems do not deserve to be
called cash. For the past approx. 100 years, banknotes have been used as
cash and there seems to be no preference on the market for coins, even
though banknotes have unique serial numbers and are, therefore, traceable.
I maintain that anonymity and untraceability are primarily not privacy
concerns but -- to some extent -- necessary conditions for irreversibility,
which is the true reason why cash is such a mainstay in commerce and why I
would expect its electronic equivalent would be a desirable financial instrument
in the world of electronic commerce. In a low-trust environment,
irreversible payments are preferable to reversible ones.

Simple on-line Chaumian blinded tokens, where the value is determined by the
public key and the signed content is unimportant, as long as it is unique,
are more like coins. And the most serious problem with them is that of
transparent governance. Unfortunately, those hyperinflating their currency
are not caught early enough. One way to handle this problem is by expiring
tokens. For example, for each value, keys can be introduced in a brick-wall
pattern: keys are replaced in regular intervals with two keys being valid at
all times, with one expiring in the middle of the lifetime of the other.
Tokens signed by the old key are always exchanged for those signed by the
new one. This would allow a regular re-count of all tokens in circulation
(by the time a key expires, at most as many tokens would have been exchanged
for the next key as have been issued), but it raises other concerns.

With simple blinded tokens, naive transactions are possible only with the
already unblinded ones. One can accept them on faith, and pass on without
exchanging. This does not require additional equipment/software.

I know of no protocol for transferring blinded tokens with a receipt, but I
do not rule out the possibility of its existence.

Without it, however, the blinded tokens are useful for a very narrow range
of transaction values. Namely, those small enough not to be bothered about
receipts, but large enough so that the effort of making a payment does not
exceed the transaction value. This confines their usability to part of the
micropayment market.

To reiterate, the main advantage of the proposed system is that it allows
for a very large range of transaction values by providing adequate security
for high-value ones, while requiring extremely little effort for low-value
ones. And all that at the sole discretion of the users.

Regards,

-- 
Daniel
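The brick-wall key schedule sketched above, as an added example that is not code from the post or from ePoint. It keeps only the bookkeeping: a token is (key_id, serial), "signed under key k" is modelled as membership in the mint's private set of tokens minted under k (an assumption standing in for a real signature), and the per-key counters are what the mint publishes. The lifetime L = 4 periods is an arbitrary choice; a new key starts every L/2, so two keys are valid at any time and each expires in the middle of the other's lifetime. The recount is the bound stated above: tokens that leave a key by exchange or redemption can never exceed the tokens the published counters say entered it, which is how a mint that quietly prints extra tokens gets caught when more of them come in for exchange than it admitted issuing.

```python
"""Brick-wall key rotation with a public recount (added example)."""
from __future__ import annotations
import itertools
from dataclasses import dataclass, field
from typing import Optional

L = 4            # key lifetime in periods (assumption)
HALF = L // 2    # a new key starts every half-lifetime


def valid_keys(t: int) -> list:
    """Key k is valid on [k*HALF, k*HALF + L); from t = HALF on, exactly two keys overlap."""
    return [k for k in range(t // HALF + 1) if k * HALF <= t < k * HALF + L]


@dataclass
class Token:
    key_id: int
    serial: int


@dataclass
class Mint:
    # published counters indexed by key id: the basis of the public recount
    issued: dict = field(default_factory=dict)         # fresh value signed under k
    exchanged_in: dict = field(default_factory=dict)   # tokens of k created by exchange
    exchanged_out: dict = field(default_factory=dict)  # tokens of k handed in for exchange
    redeemed: dict = field(default_factory=dict)
    # private state
    minted: set = field(default_factory=set)           # (key_id, serial) really signed
    spent: set = field(default_factory=set)
    serials: itertools.count = field(default_factory=itertools.count)

    @staticmethod
    def _bump(table: dict, k: int) -> None:
        table[k] = table.get(k, 0) + 1

    def _mint(self, k: int) -> Token:
        tok = Token(k, next(self.serials))
        self.minted.add((k, tok.serial))
        return tok

    def issue(self, t: int) -> Token:
        k = max(valid_keys(t))                 # always sign with the newest key
        self._bump(self.issued, k)
        return self._mint(k)

    def _accept(self, tok: Token, t: int) -> bool:
        """Key still valid, genuinely minted, not yet spent; marks it spent."""
        ident = (tok.key_id, tok.serial)
        if tok.key_id not in valid_keys(t) or ident not in self.minted or ident in self.spent:
            return False
        self.spent.add(ident)
        return True

    def exchange(self, tok: Token, t: int) -> Optional[Token]:
        """Old-key token in, newest-key token out; refused once the old key has expired."""
        if not self._accept(tok, t):
            return None
        self._bump(self.exchanged_out, tok.key_id)
        new_k = max(valid_keys(t))
        self._bump(self.exchanged_in, new_k)
        return self._mint(new_k)

    def redeem(self, tok: Token, t: int) -> bool:
        if not self._accept(tok, t):
            return False
        self._bump(self.redeemed, tok.key_id)
        return True

    def rogue_mint(self, k: int) -> Token:
        """Insider or key thief signs under k without touching the published counters."""
        return self._mint(k)


def outstanding(m: Mint, k: int) -> int:
    g = lambda d: d.get(k, 0)
    return g(m.issued) + g(m.exchanged_in) - g(m.exchanged_out) - g(m.redeemed)


def recount_ok(m: Mint, k: int) -> bool:
    """Tokens that left key k can never exceed the tokens that entered it."""
    g = lambda d: d.get(k, 0)
    return g(m.exchanged_out) + g(m.redeemed) <= g(m.issued) + g(m.exchanged_in)


def demo() -> dict:
    m = Mint()
    a, b = m.issue(0), m.issue(1)      # key 0 is the only key until t = 2
    c = m.issue(2)                     # key 1 is newest from t = 2
    a2 = m.exchange(a, 3)              # rolled forward before key 0 expires at t = 4
    late = m.exchange(b, 4)            # key 0 expired: refused, b is lost
    out = {
        "keys_at_3": valid_keys(3),                        # [0, 1]
        "a2_key": a2.key_id,                               # 1
        "late_refused": late is None,
        "key0_recount_ok": recount_ok(m, 0),
        "key0_dead_tokens": outstanding(m, 0),             # 1: b expired unexchanged
        "circulation_at_4": sum(outstanding(m, k) for k in valid_keys(4)),  # 2
    }
    # hidden inflation: one honest and one rogue key-0 token both exchanged in time
    m2 = Mint()
    honest, forged = m2.issue(0), m2.rogue_mint(0)
    m2.exchange(honest, 3)
    m2.exchange(forged, 3)
    out["rogue_caught"] = not recount_ok(m2, 0)            # 2 left, only 1 issued
    return out
```

Note the limit of the check: a single rogue token exchanged in place of an honest one that was never rolled forward stays within the bound, so the recount caps inflation at the unexchanged float rather than detecting every extra token.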



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-20 Thread David Alexander Molnar
On Thu, 20 Oct 2005, cyphrpunk wrote:

  system without excessive complications. Only the fifth point, the
  ability for outsiders to monitor the amount of cash in circulation, is
  not satisfied. But even then, the ecash mint software, and procedures
  and controls followed by the issuer, could be designed to allow third
  party audits similarly to how paper money cash issuers might be
  audited today.

One approach, investigated by Hal Finney, is to run the mint on a platform 
that allows remote attestation. Check out rpow.net - he has a working 
implementation of a proof of work payment system hosted on an IBM 4758.


-David Molnar



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-19 Thread cyphrpunk
  Just presented at ICETE2005 by Daniel Nagy:

  http://www.epointsystem.org/~nagydani/ICETE2005.pdf

  Abstract.  In present paper a novel approach to on-line payment is
  presented that tackles some issues of digital cash that have, in the
  author's opinion, contributed to the fact that despite the availability
  of the technology for more than a decade, it has not achieved even a
  fraction of the anticipated popularity. The basic assumptions and
  requirements for such a system are revisited, clear (economic)
  objectives are formulated and cryptographic techniques to achieve them
  are proposed.

This is a thorough and careful paper but the system has no blinding
and so payments are traceable and linkable. The standard technique of
inserting dummy transfers is proposed, but it is not clear that this
adds real privacy. Worse, it appears that the database showing which
coins were exchanged for which is supposed to be public, making this
linkage information available to everyone, not just banking insiders.

Some aspects are similar to Dan Simon's proposed ecash system from
Crypto 96, in particular using knowledge of a secret such as a hash
pre-image to represent possession of the cash. Simon's system is
covered by patent number 5768385 and the ePoint system may need to
step carefully around that patent.  See
http://www.mail-archive.com/cpunks@einstein.ssz.com/msg04483.html for
further critique of Simon's approach.

CP
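Both the traceability complaint here and the public-audit point in the earlier message (the fifth characteristic) follow from the same mechanism, so one added example serves both. This is not the ePoint code or Simon's scheme, only a minimal model of "possession is knowledge of a hash pre-image": a holder owns a unit of value by knowing a secret whose hash the issuer has recorded, spending it means publishing a request that names the secret and a fresh hash for the recipient, and every such request goes into an append-only public record. Two things are computed purely from that record: the outstanding amount (issues minus redemptions, which anyone can verify) and the full forward chain of holders (the linkage cyphrpunk objects to). The names are mine.

```python
"""Possession-by-preimage tokens with a public exchange record (added example)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def H(secret: bytes) -> bytes:
    return hashlib.sha256(secret).digest()


@dataclass
class Record:
    kind: str                  # "issue", "exchange" or "redeem"
    spent: Optional[bytes]     # hash invalidated by this record (None for issue)
    created: Optional[bytes]   # hash now holding the value (None for redeem)


@dataclass
class Issuer:
    public_log: list = field(default_factory=list)   # everyone can read this
    live: set = field(default_factory=set)           # hashes currently holding value
    seen: set = field(default_factory=set)           # every hash ever recorded

    def issue(self, image: bytes) -> bool:
        if image in self.seen:
            return False
        self.seen.add(image)
        self.live.add(image)
        self.public_log.append(Record("issue", None, image))
        return True

    def exchange(self, secret: bytes, new_image: bytes) -> bool:
        """Spend: only someone who knows the secret can move the value on."""
        c = H(secret)
        if c not in self.live or new_image in self.seen:
            return False
        self.live.remove(c)
        self.live.add(new_image)
        self.seen.add(new_image)
        self.public_log.append(Record("exchange", c, new_image))
        return True

    def redeem(self, secret: bytes) -> bool:
        c = H(secret)
        if c not in self.live:
            return False
        self.live.remove(c)
        self.public_log.append(Record("redeem", c, None))
        return True


def outstanding(log: list) -> int:
    """The public recount: units issued minus units redeemed."""
    issues = sum(1 for r in log if r.kind == "issue")
    redeems = sum(1 for r in log if r.kind == "redeem")
    return issues - redeems


def trace(log: list, image: bytes) -> list:
    """Follow one unit of value forward through the public record."""
    nxt = {r.spent: r.created for r in log if r.kind == "exchange"}
    chain = [image]
    while chain[-1] in nxt:
        chain.append(nxt[chain[-1]])
    return chain


def demo() -> dict:
    issuer = Issuer()
    d_alice, d_bob, d_carol = (secrets.token_bytes(32) for _ in range(3))
    issuer.issue(H(d_alice))
    out = {
        "pay_bob": issuer.exchange(d_alice, H(d_bob)),                  # Alice -> Bob
        "replay": issuer.exchange(d_alice, H(b"again")),                # Alice's secret is dead
        "issuer_without_secret": issuer.exchange(b"guess", H(b"ivan")),  # needs Bob's secret
        "pay_carol": issuer.exchange(d_bob, H(d_carol)),                # Bob -> Carol
    }
    chain = trace(issuer.public_log, H(d_alice))
    out["chain_len"] = len(chain)                 # 3: Alice, Bob and Carol are linked publicly
    out["chain_ends_at_carol"] = chain[-1] == H(d_carol)
    out["outstanding_before"] = outstanding(issuer.public_log)   # 1
    issuer.redeem(d_carol)
    out["outstanding_after"] = outstanding(issuer.public_log)    # 0
    return out
```

The dummy transfers mentioned above would appear in this model as extra exchange records; trace() still follows them, which is why their privacy value is in question. The issuer's inability to move value without the secret is what makes the irreversibility argument; whether the issuer could instead simply refuse a later redemption is the separate point raised elsewhere in the thread.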



Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

2005-10-19 Thread Daniel A. Nagy
On Tue, Oct 18, 2005 at 11:27:53PM -0700, cyphrpunk wrote:
   Just presented at ICETE2005 by Daniel Nagy:
 
   http://www.epointsystem.org/~nagydani/ICETE2005.pdf
 
 This is a thorough and careful paper but the system has no blinding
 and so payments are traceable and linkable. The standard technique of
 inserting dummy transfers is proposed, but it is not clear that this
 adds real privacy. Worse, it appears that the database showing which
 coins were exchanged for which is supposed to be public, making this
 linkage information available to everyone, not just banking insiders.
 
 Some aspects are similar to Dan Simon's proposed ecash system from
 Crypto 96, in particular using knowledge of a secret such as a hash
 pre-image to represent possession of the cash. Simon's system is
 covered by patent number 5768385 and the ePoint system may need to
 step carefully around that patent.  See
 http://www.mail-archive.com/cpunks@einstein.ssz.com/msg04483.html for
 further critique of Simon's approach.

At the time of writing, I was already familiar with Simon's proposal and its
above mentioned critique (I learnt about them from Stefan Brands' blog). At
that time, the design and the implementation were already complete and the
process of writing up the paper was also well advanced. Wishing to postpone
the discussion of patents for as long as possible, I decided against citing
Dan Simon's work in references, which may be regarded as an act of academic
dishonesty on my part. Mea culpa. I am reasonably confident that I can
legally defend the point that there are sufficient differences between my
proposal and Simon's, but I might not be ready to fight off a legal assault
from Microsoft (lack of time and money) right now. Leaving the patent issue
at that, let us proceed to the substance.

I will probably need to write another paper, clarifying some of these
issues. Let me, however, re-emphasize some of the points already present in
the paper and perhaps cast them in a slightly different light.

In my paper, I am explicitly and implicitly challenging Chaum's assumptions
about the very problem of digital cash-like payment. One can, of course,
criticize my proposal under chaumian assumptions, but that would miss the
point entirely. I think, a decade of consistent failure at introducing
chaumian digital cash to the market is good enough a reason to re-think the
problem from the very basics.

Note that nowhere in my paper did I imply that the issuer is a bank (the
only mentioning of a bank in the paper is in an analogy). This is because I
am strongly convinced that banks cannot, will not and should not be the
principal issuers of digital cash-like payment vehicles. If you need
explanation, I'm willing to provide it. I do not expect payment tokens to
originate from withdrawals and end their life cycles being deposited to
users' bank accounts.

Insider fraud is a very serious risk in financial matters. A system that
provides no safeguards against a fraudulent issuer will sooner or later be
exploited that way. Financial systems (not just electronic ones) often fall
to insider attacks. They must be addressed in a successful system. All
chaumian systems are hopelessly vulnerable to insider fraud.

And now some points missing from the paper:

Having a long-term global secret, whose disclosure leads to immediate,
catastrophic failure of the whole system is to be avoided in security
engineering (using Schneier's terminology, it makes a hard system brittle).
The private key of a blinding-based system is exactly such a component. Note
that in the proposed system, the digital signature of the issuer is just a
fancy integrity protection mechanism for public records, which can be
supplemented and even temporarily substituted (while a new key is phased in
in the case of compromise) by other mechanisms of integrity protection. It
is the public audit trail that provides most of the security.

Using currency is, essentially, a credit operation, splitting barter into
the separate acts of selling and buying, thus making the promise to
reciprocate (that is the eligibility to buy something of equal value from the
buyer) a tradeable asset itself. It is the trading of this asset that needs
to be anonymous, and the proposed system does a good enough job of
protecting the anonymity of those in the middle of the transaction chains.

Hope this helps.

-- 
Daniel