Re: all about transferable off-line ecash (Re: Brands off-line tech)
[By forwarding this mail to the DBS list, Robert Hettinga agrees that he is an arrogant, obnoxious, power-hungry asshole with no moral integrity whatsoever.] Adam Back wrote: On Tue, Apr 09, 2002 at 06:17:06PM +0200, Anonymous wrote: And second, because the deposit is unlinkable to the withdrawal, there is no way for the bank to know when it can safely release the escrow amount back to the withdrawer. How long is the bank going to hold onto those escrowed funds? A week? A month? I suppose the bank would have to hold onto the funds until the coins issued using that account as guarantee expired. Again, this escrow idea really can't work. Suppose Alice withdraws $100. Exactly how much additional would have to be withdrawn and put into an escrow account? $100? That would cover only one double-spend. But if someone is going to cheat and double-spend, knowing it will be detected later, obviously they will grab for as much as they can. Alice would have to put aside enough for hundreds or thousands of double-spends, or even more. So every time she withdraws $100, she has to set aside $100,000 in an escrow account. Does that sound realistic? Then, the money stays in the account for the expiration period of the coins, which would presumably be for weeks or months at least. You don't want coins expiring more often than that or there is too much danger of people's money going bad while they carry it. Aside from the problem with limit you identify, I think generally the precedent is already set by the non-electronic world: to engage in transactions which typically require reputation and identity for contract violation enforcement anonymously, you have to pony up cash up-front. It's one thing to do this with pre-paid services, but quite another for a banking system which aims to be universal. Most people and businesses would find it absolutely impossible to use a payment system which had these properties. Every time they got some income, they can spend only a small fraction of it, depending on how big the escrow multiplier is. Hopefully it is clear that escrow cannot work as a way of dealing with double-spending after the fact. The only other alternative is for the bank to Know Its Customer intimately, and for there to be some kind of worldwide police which can track and arrest people anywhere. This would entail strengthening and centralizing international law enforcement, exactly the opposite of the trends we would want to encourage. Are you saying that if Alice pays Bob, he can anonymously exchange the coins and end up with new fresh coins with ALICE's identity in them? That's great, he can double spend all he wants and she ends up going to the pokey. No thanks. No that is prevented. [Description of how the final payee refreshes his 0-value coin up to the value of the transaction, without identifying himself] Okay, that sounds pretty good. But it's specific to Brands cash, right? The generic transferable off-line cash you described earlier can't do that. Of course Brands is patented up the wazoo. It's amazing the harm he and Chaum have done to the world by locking up their best ideas. And they didn't even get rich. What a waste. If either of them had the balls to put their patents into the public domain, they could make a very comfortable living just from consulting and speaking fees. A correction on something I said earlier about Chaum double-blinding: | (There is the double blind Chaum variant, but it is even less | convenient as both the payer and payee have to be online at what | becomes a simultaneous withdrawl, spend and deposit time.) This is innacurate, it is actually a simultaneous withdrawal and spend, followed by an arbitrarily later spend by the payee as the payee knows the payer does not see the coin due to the extra blinding. Please, this is such ancient history. MTB's ecash died a long time ago, we don't need to keep rehashing how to work around its limitations. The right way to do Chaum cash with two-sided anonymity is simply to allow anonymous coin exchanges at the bank. There is no issue in recognizing the payee's deposited coins if he is fully anonymous and gets fresh coins at that time. In fact there don't need to be bank accounts at all, and in further fact there doesn't need to be a bank; just a coin exchanging mint. We talked about this a while ago. You start it up and it emits one coin, which represents all of the value of this mint's money supply. From then on it does only one operation: you give it $X in old coins, and it gives you $X in new coins (possibly partitioned differently). When someone pays Alice, she turns it in at the bank and gets new coins, incidentally checking the old ones for validity and double-spending. Her new coins are completely untraceable and ready for whatever use she desires. She keeps all her money in her wallet. Third parties can offer secure backup services, exchange to other
R.A. as A.J. (was Re: all about transferable off-line ecash (Re: Brands off-line tech))
At 8:30 AM +0200 on 4/11/02, Anonymous exfumed out of Vienna again: [By forwarding this mail to the DBS list, Done... Robert Hettinga agrees that he is an arrogant, Check... obnoxious, Check... power-hungry Check... asshole Walter-Brennan-as-Stinky-Pete Now yew wait jes' a gol'darn minute, here, pardner. I thought we figgered out only yessidy that *yew* were th' only tawlkin' asshole 'roun' these parts. (Okay, mebbe not th' *only* tawlkin' asshole...) /W-B-a-S-P with no moral integrity whatsoever.] and...check!. Okay. 3 out of 4 isn't bad. Thank you for playing. I know it's only 75%, but at least this way you can say that you've passed something besides gas... Cheers, RAH (Three millidollars, payable whenever we print 'em, to whoever figures out what the new subject header means...) -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: all about transferable off-line ecash (Re: Brands off-line tech)
[By forwarding this mail to the DBS list, Robert Hettinga agrees that he is an arrogant, obnoxious, power-hungry asshole with no moral integrity whatsoever.] Adam Back wrote: On Tue, Apr 09, 2002 at 06:17:06PM +0200, Anonymous wrote: And second, because the deposit is unlinkable to the withdrawal, there is no way for the bank to know when it can safely release the escrow amount back to the withdrawer. How long is the bank going to hold onto those escrowed funds? A week? A month? I suppose the bank would have to hold onto the funds until the coins issued using that account as guarantee expired. Again, this escrow idea really can't work. Suppose Alice withdraws $100. Exactly how much additional would have to be withdrawn and put into an escrow account? $100? That would cover only one double-spend. But if someone is going to cheat and double-spend, knowing it will be detected later, obviously they will grab for as much as they can. Alice would have to put aside enough for hundreds or thousands of double-spends, or even more. So every time she withdraws $100, she has to set aside $100,000 in an escrow account. Does that sound realistic? Then, the money stays in the account for the expiration period of the coins, which would presumably be for weeks or months at least. You don't want coins expiring more often than that or there is too much danger of people's money going bad while they carry it. Aside from the problem with limit you identify, I think generally the precedent is already set by the non-electronic world: to engage in transactions which typically require reputation and identity for contract violation enforcement anonymously, you have to pony up cash up-front. It's one thing to do this with pre-paid services, but quite another for a banking system which aims to be universal. Most people and businesses would find it absolutely impossible to use a payment system which had these properties. Every time they got some income, they can spend only a small fraction of it, depending on how big the escrow multiplier is. Hopefully it is clear that escrow cannot work as a way of dealing with double-spending after the fact. The only other alternative is for the bank to Know Its Customer intimately, and for there to be some kind of worldwide police which can track and arrest people anywhere. This would entail strengthening and centralizing international law enforcement, exactly the opposite of the trends we would want to encourage. Are you saying that if Alice pays Bob, he can anonymously exchange the coins and end up with new fresh coins with ALICE's identity in them? That's great, he can double spend all he wants and she ends up going to the pokey. No thanks. No that is prevented. [Description of how the final payee refreshes his 0-value coin up to the value of the transaction, without identifying himself] Okay, that sounds pretty good. But it's specific to Brands cash, right? The generic transferable off-line cash you described earlier can't do that. Of course Brands is patented up the wazoo. It's amazing the harm he and Chaum have done to the world by locking up their best ideas. And they didn't even get rich. What a waste. If either of them had the balls to put their patents into the public domain, they could make a very comfortable living just from consulting and speaking fees. A correction on something I said earlier about Chaum double-blinding: | (There is the double blind Chaum variant, but it is even less | convenient as both the payer and payee have to be online at what | becomes a simultaneous withdrawl, spend and deposit time.) This is innacurate, it is actually a simultaneous withdrawal and spend, followed by an arbitrarily later spend by the payee as the payee knows the payer does not see the coin due to the extra blinding. Please, this is such ancient history. MTB's ecash died a long time ago, we don't need to keep rehashing how to work around its limitations. The right way to do Chaum cash with two-sided anonymity is simply to allow anonymous coin exchanges at the bank. There is no issue in recognizing the payee's deposited coins if he is fully anonymous and gets fresh coins at that time. In fact there don't need to be bank accounts at all, and in further fact there doesn't need to be a bank; just a coin exchanging mint. We talked about this a while ago. You start it up and it emits one coin, which represents all of the value of this mint's money supply. From then on it does only one operation: you give it $X in old coins, and it gives you $X in new coins (possibly partitioned differently). When someone pays Alice, she turns it in at the bank and gets new coins, incidentally checking the old ones for validity and double-spending. Her new coins are completely untraceable and ready for whatever use she desires. She keeps all her money in her wallet. Third parties can offer secure backup services, exchange to other
R.A. as A.J. (was Re: all about transferable off-line ecash (Re: Brands off-line tech))
At 8:30 AM +0200 on 4/11/02, Anonymous exfumed out of Vienna again: [By forwarding this mail to the DBS list, Done... Robert Hettinga agrees that he is an arrogant, Check... obnoxious, Check... power-hungry Check... asshole Walter-Brennan-as-Stinky-Pete Now yew wait jes' a gol'darn minute, here, pardner. I thought we figgered out only yessidy that *yew* were th' only tawlkin' asshole 'roun' these parts. (Okay, mebbe not th' *only* tawlkin' asshole...) /W-B-a-S-P with no moral integrity whatsoever.] and...check!. Okay. 3 out of 4 isn't bad. Thank you for playing. I know it's only 75%, but at least this way you can say that you've passed something besides gas... Cheers, RAH (Three millidollars, payable whenever we print 'em, to whoever figures out what the new subject header means...) -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, Apr 09, 2002 at 06:45:43AM -0700, Mike Rosing wrote: On Tue, 9 Apr 2002, Adam Back wrote: If you use the normal approach of putting the identity in the coin, you can't double-spend anonymously. But it's not until the coin goes back online, you need the minter's secret key to decode the chain (maybe I have that wrong?). You don't need the minter's secret key to identify the double-spender. Anyone who happens to see two coin transcripts answering different challenges with the same coin private key can recover all the attributes of the coin, including the identity attribute. This is described on p23 of [1]. Adam [1] A Technical Overview of Digital Credentials, Stefan Brands, to appear International Journal on Information Security http://www.xs4all.nl/~brands/overview.pdf
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Wed, 10 Apr 2002, Adam Back wrote: You don't need the minter's secret key to identify the double-spender. Anyone who happens to see two coin transcripts answering different challenges with the same coin private key can recover all the attributes of the coin, including the identity attribute. This is described on p23 of [1]. Adam [1] A Technical Overview of Digital Credentials, Stefan Brands, to appear International Journal on Information Security http://www.xs4all.nl/~brands/overview.pdf Not everyone agrees with Brands that these credentials work. There's a group called PKILAB that's trying to make access/credentials to work across large organizations, and they kind of dismiss it. I haven't really sat down with them to find out why, but in general they feel that there's some high level conceptual problems. I wish I had time to read all this stuff!! But thanks for the pointers, at least I've got it copied so I can read a page or so when I get a chance. Patience, persistence, truth, Dr. mike
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Wed, 10 Apr 2002, Adam Back wrote: You don't need the minter's secret key to identify the double-spender. Anyone who happens to see two coin transcripts answering different challenges with the same coin private key can recover all the attributes of the coin, including the identity attribute. This is described on p23 of [1]. Adam [1] A Technical Overview of Digital Credentials, Stefan Brands, to appear International Journal on Information Security http://www.xs4all.nl/~brands/overview.pdf Not everyone agrees with Brands that these credentials work. There's a group called PKILAB that's trying to make access/credentials to work across large organizations, and they kind of dismiss it. I haven't really sat down with them to find out why, but in general they feel that there's some high level conceptual problems. I wish I had time to read all this stuff!! But thanks for the pointers, at least I've got it copied so I can read a page or so when I get a chance. Patience, persistence, truth, Dr. mike
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, Apr 09, 2002 at 07:47:51PM -0700, Morlock Elloi wrote: In the smart card setting with Brands protocols there is a host computer (eg pda, laptop, mobile-phone main processor, desktop) and a tamper-resistant smart-card which computes part of the coin transfer and prevents double-spending (to the limit of it's tamper-resistance). I don't understand which problem are you trying to solve. The issue the smart-card setting addresses is that people don't, or anyway shouldn't place great trust in closed systems that they, or someone with the technical background necessary can not examine. A smart card is such a closed system. The framework allows the use of smartcards to resist fraud while not making it necessary to for the users to trust the smart-card with their privacy. Privacy is controlled by the more auditable host computer. Adam Apart for few cypherpunks, People With Real Money and mafia, all of whom already have all the anonymity they want, sheeple is handled by corporations whose income depends on non-anonymity. I don't see a market pressure for anon replacement for credit cards from the consumer side any more that I see pressure for IPSec'd traffic from Joe FivePack.
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Wed, 10 Apr 2002, Adam Back wrote: Is there anything specific PKILAB have said about Brands certs? No, it was early in the set up when it was discussed. Sounds like they want to at least listen to him :-) btw I did a google search for PKILAB and Brands to see if I could find anything along the lines you mention and look what it said: Mar 2001 Welcome Stefan Brands to PKILabs Advisory Board http://www.cs.wisc.edu/~lists/archive/pkilab/msg00179.html Yup, that's the place! I told them I thought the math was valid, but I've really no idea what the high level stuff is they are trying to do. I avoid large organizations when possible, and most of their stuff is aimed at problems in that realm, so I'm not paying too close attention. Patience, persistence, truth, Dr. mike
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, 9 Apr 2002, Adam Back wrote: You can't outright counterfeit technically as the recipient of each coin checks that it's correctly formed, and authenticated by the bank, and that the chain of spends are all bound together. By doing this the user is assured that either the coin will not be double-spent, or the bank will identify the double spender when the coin is deposited. You might reasonably expect the bank to deal with double-spending itself and give the depositor fresh money regardless of double spent status. In this case double spending and counterfeit are the same thing - you can spend the same coin 1000 times in a few seconds. As anonymous points out, it can be from half way across the planet too. Banks aren't going to deal nicely with double spent coins, they can't afford to. If you use the normal approach of putting the identity in the coin, you can't double-spend anonymously. But it's not until the coin goes back online, you need the minter's secret key to decode the chain (maybe I have that wrong?). Building up technology trust is harder yes. But that I guess is largely marketing and reputation. Most people probably don't understand the security mechanisms in place with credt-cards either (PIN offset on card etc.), or even more the more secure smart-card based credit cards used in some parts of the world. I was thinking about this a bit while drifting off to sleep last night. It'd be cool to have electronic paper bills - flexable/cloth electronics where the value of the bill is variable. At each transaction, the bill reduces the amount it has (plain old smart card stuff) but it'd have the look and feel of paper money. the transaction machines that work with the bills would all need to be online, but you could easily trade bills for anonymous barter. It might even be easy to have a reader that just tells how much is left in the bill. The point here isn't technology, it's psycology. The bill looks like money, so people will trust that it is :-) Patience, persistence, truth, Dr. mike
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Adam Back wrote: [...snip...] Another example would be having to give a deposit to get mobile phone for people with poor credit ratings. Also in Europe pay as you go, cash only mobile phone usage is popular due to credit elegibility reasons also I think. You can plunk down a 10 pound note and walk out with a mobile phone with air time on it, you can buy more air time similarly.) Slightly off-topic, but credit eligibility isn't the main reason for prepay. A lot of well-off people like it because it is easier to administer. I know people with jobs and credit ratings who chose to move to prepay, but I can't think of anyone who went the other way. You walk into the shop and buy airtime, which many people find easier than having yet another relationship with yet another boring company. Incidentally what they actually sell you is a card with a number printed on it, which you then send to phone company - there would be a lot of money for anyone who found a way to predict the numbers - this is cypherpunk technology - millions of people all over the world are paying cash money for large random numbers. They are also popular with parents who give them to their kids don't want to have to bankroll a serious teenage phone habit. And some people even like anonymity. The airtime numbers are available more or less anywhere, supermarket checkouts, every little corner shop, sometimes even bars. There is also a new breed of phonecard shops, sometimes doubling up as small Internet cafes and/or the more traditional copier shops. For some reason many of them are run by Africans (high-tech retail in UK is usually dominated by Indians). Their main business is in long-distance discount phonecalls. You get a certain amount of long-distance or international phone time through a local number. If you'd asked me 15 years ago I might have guessed that reselling bandwidth would be a big business in the first decade of the 21st century, but I wouldn't have guessed that it would mostly be over-the-counter in corner shops. Actually selling bits of plastic with numbers printed on them (most of them don't even bother with mag stripes) seems very low-tech and physical! Ken Brown
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Mike Rosing wrote: [...] It'd be cool to have electronic paper bills - flexable/cloth electronics where the value of the bill is variable. At each transaction, the bill reduces the amount it has (plain old smart card stuff) but it'd have the look and feel of paper money. I'd rather have stiff cards than floppy paper ones. At least you can put them into the slot of a machine easily. the transaction machines that work with the bills would all need to be online, but you could easily trade bills for anonymous barter. It might even be easy to have a reader that just tells how much is left in the bill. The point here isn't technology, it's psycology. The bill looks like money, so people will trust that it is :-) But paper money is such a 20th-century thing! These days we're slowly drifting back to higher value metal coins (2 pounds out for a few years now, 5 pounds coming soon I think). Much more fun. Feels like real treasure! Less of the floppy stuff, we want our ecash to look like real cash. Ken
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Adam Back wrote: On Tue, Apr 09, 2002 at 08:37:05AM +0200, Anonymous wrote: an off-line system inherently requires users to identify themselves to the bank at withdrawal time. Not quite inherently, there are other things you could do. (This has been discussed before I think in [1] at least from reference in the thesis). You could if you wished, rather than putting identity in the coin, put an anonymous escrow account number in the coin. Users who preferred to be anonymous at withdrawal would put a deposit which is held in escrow like a good behavior bond. If they double spend they are not identified but their escrow account is frozen. The account could optionally be based on is-a-person credentials as a further inconvenience for double-spenders to have an account frozen, though is a-person-credentials implies strong identification to a Registration Authority. The actual withdrawal could then be made from the anonymous account hiding identity from the bank. However similar effect can be achieved with accountless operation, which brings us to your next comment... Two problems with this escrow idea. First, as noted before, there is no limit on how much can be double-spent in a short time, hence the escrow account can't cover it. This is not just a minor flaw, it makes the whole escrow idea unworkable, because it completely fails to achieve its goal of forcing the user to make good his double spends. And second, because the deposit is unlinkable to the withdrawal, there is no way for the bank to know when it can safely release the escrow amount back to the withdrawer. How long is the bank going to hold onto those escrowed funds? A week? A month? The withdrawer can simply wait until after that time interval and then double spend without losing a cent. And how many people are going to want to use a bank which makes them set aside an equal amount of every withdrawal for some extended period? That is absolutely impossible given how most people and businesses manage their cash flow. With Brands off-line coins you _can_ anonymously exchange off-line coins at the bank if you choose to set it up that way. Technically how this works is using an attribute hiding refreshing protocol which issues a new fresh coin with the same attributes (identity, denomination) as the previous spent coin while revealing only some negotiated sub-set of the attributes of the old coin (in this case denomination), so the new coin is unlinkable for the bank and yet the bank is assured that it will contain the same identity that was certified originally so the bank will be able to recover the identity if it is later double spent. There is a description of this protocol in section 5 of [3]. This works for off-line coins. For transferable off-line coins you need additionally to update the 0-value last holder coin to match the value of the coin being exchanged, using the updating protocol (see section 5.2.1 in [2], or probably [1] may have some discussion). Are you saying that if Alice pays Bob, he can anonymously exchange the coins and end up with new fresh coins with ALICE's identity in them? That's great, he can double spend all he wants and she ends up going to the pokey. No thanks.
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, 9 Apr 2002, Ken Brown wrote: I'd rather have stiff cards than floppy paper ones. At least you can put them into the slot of a machine easily. But with an RF tag you'd not even have to pull it out of your pocket :-) But paper money is such a 20th-century thing! These days we're slowly drifting back to higher value metal coins (2 pounds out for a few years now, 5 pounds coming soon I think). Much more fun. Feels like real treasure! Less of the floppy stuff, we want our ecash to look like real cash. 18th century actually. And the point is the same - people don't like to change (pun intended!) Patience, persistence, truth, Dr. mike
RE: all about transferable off-line ecash (Re: Brands off-line tech)
Mike Rosing[SMTP:[EMAIL PROTECTED]] On Tue, 9 Apr 2002, Ken Brown wrote: I'd rather have stiff cards than floppy paper ones. At least you can put them into the slot of a machine easily. But with an RF tag you'd not even have to pull it out of your pocket :-) Putting RF Tags in cash is one of those ideas with Unintended Consequences. Muggers would love having a way of determining which victims are carrying a wad, as would many salesmen (and JBTs looking to perform a 'civil confiscation' on 'a sum of currency'.) But paper money is such a 20th-century thing! These days we're slowly drifting back to higher value metal coins (2 pounds out for a few years now, 5 pounds coming soon I think). Much more fun. Feels like real treasure! Less of the floppy stuff, we want our ecash to look like real cash. 18th century actually. And the point is the same - people don't like to change (pun intended!) Patience, persistence, truth, Dr. mike I was living in Britain (and of an allowance-recieving age) when decimalization occured. While we lost the big penny, we gained the 50p piece. In those days, it was a large, heavy, seven-sided coin, bigger than a US half-dollar, and worth $1.20. It felt good in your pocket. Since then, the Brits have shrunk it to a much smaller size. Do they still call the 1 pound coins 'maggies'? Actually, the mutability of British currency is quite astonishing to Americans. Bills and coins seem to change size and/or color every few years. Of course, there's a good chance Britain will join the Euro soon, which would be another change. Re going back to coins - it's not happening everywhere. The US Mint would love to get rid of the $1 bill, but the proposed replacements have been resounding failures. In the mid-70's they started minted 'pseudo-silver' dollars for the Bicentennial. While fun, these were just too big, and did not work in vending machines. A few years later they tried the 'Susan B Anthony' dollar, but it was rejected as well - it was similar in size and color to a quarter, and the two could be easily confused. Just about a year ago, they tried again, with the 'Sacagawea' or 'Golden Dollar'. This is a very handsome coin, gold in color, but it was the same size as a SBA dollar (to fit the machines). You can still confuse it with a quarter in your pocket or in the dark. It's been months since I've seen one. Peter Trei
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, Apr 09, 2002 at 08:37:05AM +0200, Anonymous wrote: [Copied to Adam so he doesn't have to wait for some moderator to get off his fat ass and approve it. The LNE CDR isn't moderated in the usual sense. However, postings from new users[1] don't go through until I look at them (since about 99.5% are spam). I do this as often as possible, but I do have a life. So if you (the generic you) feel the urge to forge a new cute name on every post, be warned that your posts may take a while to go through. I suggest forging one cute name and sticking with it... besides, you will want all of us to have a pseudo to attach the appropriate reputation capital to. [1] a 'new' user is the name in the From: line which isn't a subscriber to a node and which hasn't already posted. Eric, your fat ass moderator
Burroughs' Revenge (was Re: all about transferable off-line ecash (Re: Brands off-line tech))
At 8:37 AM +0200 on 4/9/02, Some Anonymous Flatualist emitted the following bit of flammable gas out of an Austrian remailer somewhere: And BTW permission is NOT granted to forward this or any part of it to the DBS list because Hettinga is an asshole who kicks people off his list for spite. He can piss in his own sandbox if he wants but we don't have to play in it. Yup, that's me, Anonymous. Evil Bob. Violating copy protection protocols like the above at the drop of the hat. The tragedy of the commons is that no one owns the commons? It takes a village to forward an idiot's dreck? :-). Nonetheless, Anonymous, I'm also guy who forwarded your comment to my lists anyway, methagenous ejaculata and all, because, like I'm doing with this rejoinder to same, I can. :-). Also because it seems that, at the moment, and exclusive of your noxious spew above, you apparently have a clue about the present impossibility of, or at least economic impracticability of, off-line bearer transactions. Proving once again, like assholes, everyone has a clue at least once in a while, no matter who they are -- or how badly they misuse their own in public. [I could also note that beggars who can't muster their own resources, or at least an audience, can't be choosers, and thus have to post on others' lists, anonymously, but, hey, that would be, um, Evil, right? ;-).] Granted, Anonymous, I do tend to kick various assholes off of lists where I am in charge of subscriptions. Apparently, this includes yourself, now reduced to what looks like single-hop anonymous posting, most likely because you've now Graduated From College, or even Grad School, or at least a way-kewl down-the-toilet dot-com, and now you have an entry-level cubicle-job somewhere that apparently doesn't appreciate free speech. And, certainly, I kick people off of lists I run for any reason I feel like it, including for spite, if not by absolute whim, because, like you seem to have been, some people who end up on my lists, *are*, in fact, assholes, in my opinion, and, like I said, I either own, or at least, control the subscription list. Call it Bourgeoisie Oblige, if you want :-). No tragedy of the commons here, out in the land of actual property and responsibility for same. [As a further side note, anyone can subscribe to any list I run, and I certainly don't subscribe anyone against their will, and, most important, I don't actually moderate any lists, just play list.bouncer. So, as such, if someone pisses me off when they get there, for any reason whatsoever, even if I'm just having a bad day, they're out of there. Off with their heads, out the airlock, game over, whatever. Also, lots of people's mail addresses fail for various reasons, and, since I get to see all the bounced mail on some lists I do, I have short patience with such things.] As always, Anonymous, your definition of asshole, like mine, may vary, but only on *your* lists, please, if you can ever make that happen with your otherwise clueful reputation, though one you keep pissing on with comments like I've quoted above. Unfortunately, just like that William Burroughs story in _Naked_Lunch, about the guy who taught his asshole to talk, you keep trying to prove that, once again, that one man's asshole is indeed another man's larynx. Cheers, RAH Napalm in the morning, by any other name, smells just as sweet as a metaphor beaten like a dead horse... -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
RE: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, 9 Apr 2002, Trei, Peter wrote: I was living in Britain (and of an allowance-recieving age) when decimalization occured. While we lost the big penny, we gained the 50p piece. In those days, it was a large, heavy, seven-sided coin, bigger than a US half-dollar, and worth $1.20. It felt good in your pocket. Since then, the Brits have shrunk it to a much smaller size. Do they still call the 1 pound coins 'maggies'? I have been living in the UK for 17 years and have never heard this term. Younger people aren't sure who Maggie is anyway ;-) (15-year old daughter sitting next to me: Who's Maggie? and then Why would a pound be called Margaret Thatcher? ) -- Jim Dixon [EMAIL PROTECTED] tel +44 117 982 0786 mobile +44 797 373 7881 -- THAT'S A CHANGE OF ADDRESS: I'm no longer [EMAIL PROTECTED]
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Ben Laurie wrote: Anonymous wrote: It's not just an extra feature; an off-line system inherently requires users to identify themselves to the bank at withdrawal time. It cannot allow users to anonymously exchange coins at the bank. So it has an inherent lack of anonymity which is not present in an online system. If they withdraw blinded coins, then although they were identified they are not linked with the coins. Did I miss something? Yes. You missed the point that the lack of anonymity is not in the coins, but in the protocol. An off-line system requires people to identify themselves to the bank at withdrawal time, so that their identities can be embedded in the coin. That means no anonymous exchanges at the bank. This is unlike an online system, which could allow someone to exchange coins for fresh ones who never identifies himself to the bank, who has no account at the bank, who in fact has never communicated with the bank in any way, shape or form ever before. There are no records of this guy, his identity, how often he uses the bank, the amounts which he deposits and withdraws. That's real anonymity. Off-line systems can't do this because they need to track down double-spenders after the fact. They accumulate all kinds of information about their customers. Eric Murray wrote: [Copied to Adam so he doesn't have to wait for some moderator to get off his fat ass and approve it. The LNE CDR isn't moderated in the usual sense. However, postings from new users[1] don't go through until I look at them (since about 99.5% are spam). I do this as often as possible, but I do have a life. So if you (the generic you) feel the urge to forge a new cute name on every post, be warned that your posts may take a while to go through. I suggest forging one cute name and sticking with it... besides, you will want all of us to have a pseudo to attach the appropriate reputation capital to. Reputation is overrated. Here's a clue: if you want to know what people really think of your ideas, post anonymously. Eric, your fat ass moderator It's not you, it's Brian Minder. Adam is on the cypherpunks-moderated list. Note the almost 24 hour delay between the initial response to his message by Anonymous and Adam's reply. This is almost certainly due to moderation-imposed delay (plus time zone issues). We might as well try to converse by carrier pigeon. Moderated lists do not support lively discussion.
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On 9 Apr 2002 at 16:54, Ken Brown wrote: But paper money is such a 20th-century thing! These days we're slowly drifting back to higher value metal coins (2 pounds out for a few years now, 5 pounds coming soon I think). Much more fun. Feels like real treasure! Less of the floppy stuff, we want our ecash to look like real cash. Ken Yeah, but is that because people want it, or because the treasury wants it? They've been trying to foist dollar coins on US for years because they're cheaper (last forever and cost about a dime to make vs. last about a year and cost maybe 3 cents to make) but people hate them and don't use them. George
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Peter Trei writes: Speaking for myself and a few friends and relations, we'd be perfectly happy to use them, if they were available. A good place to get Sacagawea dollars is from the stamp machine at your local post office. Put in a $20 bill and buy as small an amount of stamps as you can, and many of the machines will give you golden dollars in change. Make sure you check the machine first; it should be labeled about what kind of change it gives. Otherwise you'll be hauling around dozens of quarters.
Re: all about transferable off-line ecash (Re: Brands off-line tech)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mike Rosing[SMTP:[EMAIL PROTECTED]] On Tue, 9 Apr 2002, Ken Brown wrote: I'd rather have stiff cards than floppy paper ones. At least you can put them into the slot of a machine easily. But with an RF tag you'd not even have to pull it out of your pocket :-) Putting RF Tags in cash is one of those ideas with Unintended Consequences. Muggers would love having a way of determining which victims are carrying a wad, as would many salesmen (and JBTs looking to perform a 'civil confiscation' on 'a sum of currency'.) Not to mention the possibility of a surreptitious centralized database tracking purchases of people on a watch list. Sign up if you want to, but you might do well to remember a point Lt. Gen. Hayden (who really ought to know) once made: all SIGINT can be defeated and destroyed simply by putting the handset in the receiver. Something to keep in mind while you're thinking this through,anyway. As for the counterfeiting problem, nobody's said much about the kind of sophisticated countermeasures used in casino chips, for example. Seems workable. One of many interesting topics covered in a truly frightening pub you might not have come across: Global ID Magazine http://web.tiscali.it/homeglobal/issues.htm Global ID Magazine is a publication describing the activity and the products of the leading Identification (ID) Technology Suppliers in the world. Its scope encompasses state-of-the-art technologies, innovative concepts and trends within the automatic identification systems industry that will have the most significant impact on design and use of ID systems. The editorial focus of Global ID Magazine is on the use of identification systems based on radio frequency, biometrics, global positioning, multifunctional systems, data communication and similar. Global ID Magazine speaks to decision makers, both at a management and at a technical level, within companies that use or could leverage from using ID systems. It suggests innovative solutions, the improvement of existing applications, describing trends and future possibilities. ~Faustine. *** He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself. - --Thomas Paine -BEGIN PGP SIGNATURE- Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies. (Diffie-Helman/DSS-only version) iQA/AwUBPLNWGvg5Tuca7bfvEQLRzQCg2iSdcpbXf/K+FQRzVNGYa9voHToAn3Jd 35JycT/4X0aUnT7bzWycwYEe =sSz8 -END PGP SIGNATURE-
Re: all about transferable off-line ecash (Re: Brands off-line tech)
You can't outright counterfeit technically as the recipient of each coin checks that it's correctly formed, and authenticated by the bank, and that the chain of spends are all bound together. By doing this the user is assured that either the coin will not be double-spent, or the bank will identify the double spender when the coin is deposited. So now one must provide MORE information to get e-checks than for regular cash or money orders ? I can walk in and buy the money order without providing ANY info on myself. Credit cards work fine as it is. Calling it a coin is deceptive. What is exactly the purpose of this ? Partial anonymity ? AmEx already has that (single-use CC numbers). If you use the normal approach of putting the identity in the coin, you can't double-spend anonymously. And how will a regular consumer, with no math degree, verify that her coins are indeed partially blinded ? Trust the bank ? No shit. Dollar bills in plain white envelope wiith no return address beat the crap out of all these convoluted schemes. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/
Re: all about transferable off-line ecash (Re: Brands off-line tech)
And how will a regular consumer, with no math degree, verify that her coins are indeed partially blinded ? Trust the bank ? No shit. The regular consumer will rely on a third party to examine the source to see that they securely and correctly implement the protocols to assure privacy. That doesn't work in meatspace. Take a look at much (mathematically) simpler situations of so-called consumer PCs attached to the so-called Internet. Consumer are clueless about war that goes on on their hardware between corps and governments that want the control of that piece of equipment. But it's mostly OK since nothing really serious is done with PCs - some e-mails, some shopping. Yet many people are already wary of computers, and we are not talking luddites here. Using a piece of hardware with invisible transistors and uncomprehensible firmware to store money doesn't seem likely at all. Real cash has advantage that it does not need mediation of experts and expert-built machinery for practical verification and use. It is itself in human-readable form. While it is true that said experts try to insert their products in everyday life to secure the regular income, prostituting their professions, it is unlikely that it will be success when cash is the object. More people that I know store gold today than ten years ago. General disenchantment with computing machinery is obvious to all except those blinded by their vested interests. If you want to find the real state of computer-consumer economy njust look at the parking lot in front of Fry's. No, it's not a helidrome, it used to be for cars. To succeed in this situation the idea, or product, that modifies some very old concepts has to be really good and sane. The e-checks, as discussed here, fail to impress even experts, and don't count that sheeple will be *that* dumb. In the smart card setting with Brands protocols there is a host computer (eg pda, laptop, mobile-phone main processor, desktop) and a tamper-resistant smart-card which computes part of the coin transfer and prevents double-spending (to the limit of it's tamper-resistance). I don't understand which problem are you trying to solve. Apart for few cypherpunks, People With Real Money and mafia, all of whom already have all the anonymity they want, sheeple is handled by corporations whose income depends on non-anonymity. I don't see a market pressure for anon replacement for credit cards from the consumer side any more that I see pressure for IPSec'd traffic from Joe FivePack. It may seem convoluted, but by comparison assurance of security of algorithms used with credit-cards over SSL, or even the authentication framework used by card swipe credit cards also would appear The difference here is that large and capable entities - banks - stand to lose if something goes wrong, and they handle the whole system. Privacy and anonymity, on the other hand, is personal and no one is on your side. You have to have all resources. Assuming that the bank will expend resources to protect YOUR anonymity when you don't have any practical means of verifying it is silly. For acceptance of privacy features similar issues will hold. Do the privacy advocates, analysts, and experts agree that the system provides privacy. I, for one, will try to avoid situations where advocates of any kind can influence the amount and security of my cash. = end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, 9 Apr 2002, Morlock Elloi wrote: Apart for few cypherpunks, People With Real Money and mafia, all of whom already have all the anonymity they want, sheeple is handled by corporations whose income depends on non-anonymity. I don't see a market pressure for anon replacement for credit cards from the consumer side any more that I see pressure for IPSec'd traffic from Joe FivePack. Here's the rub. When we can trade e-cash the same way we trade meat cash for illegal goods, it will fly. Until then, forget it. The pot head has to be able to use it, without worry, before e-cash can really be anonymous and trusted. Once it works for the mafia, it works for everybody :-) Patience, persistence, truth, Dr. mike
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Mon, Apr 08, 2002 at 07:52:32PM -0700, Mike Rosing wrote: While I agree with goal, it's not clear to me that it's physically possible. What makes money useful is it's physical existance, people have been counterfiting coins since they were invented but it's been getting harder to do. With off-line coins you could easily counterfit or You can't outright counterfeit technically as the recipient of each coin checks that it's correctly formed, and authenticated by the bank, and that the chain of spends are all bound together. By doing this the user is assured that either the coin will not be double-spent, or the bank will identify the double spender when the coin is deposited. You might reasonably expect the bank to deal with double-spending itself and give the depositor fresh money regardless of double spent status. double spend and live off the float, especially if you do it all anonymously. If you use the normal approach of putting the identity in the coin, you can't double-spend anonymously. And if you just do it once with some huge sum, you'd get away with it (like Enron guys did :-) Money boils down to psycology - people trust that it trades their effort for somebody elses effort. who's going to trust ephemeral bits? Crossing that barrier is going to be a lot harder than any technology. Building up technology trust is harder yes. But that I guess is largely marketing and reputation. Most people probably don't understand the security mechanisms in place with credt-cards either (PIN offset on card etc.), or even more the more secure smart-card based credit cards used in some parts of the world. Adam
Re: all about transferable off-line ecash (Re: Brands off-line tech)
[Copied to Adam so he doesn't have to wait for some moderator to get off his fat ass and approve it. And BTW permission is NOT granted to forward this or any part of it to the DBS list because Hettinga is an asshole who kicks people off his list for spite. He can piss in his own sandbox if he wants but we don't have to play in it.] Adam Back wrote: On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote: First, off-line coins suck, as described above. [...] Off-line coins just offer an extra optional feature for the user, any user who chooses can instead use them as online coins. So I would argue off-line coins are better than online coins. It's not just an extra feature; an off-line system inherently requires users to identify themselves to the bank at withdrawal time. It cannot allow users to anonymously exchange coins at the bank. So it has an inherent lack of anonymity which is not present in an online system. Furthermore, off-line coins require a complex infrastructure to work. Unlike online systems, where cheating is impossible, off-line systems attempt to locate and punish cheaters after the fact. How can that possibly work in an Internet system where people may be engaging in transactions all over the world? If someone cheats you from Timbuktu do you really expect the cops over there to track him down for you? Or maybe the bank will make good by forcing each person to keep a certain amount in their account to pay off creditors they have cheated? The problem there is that there is no limit to how fast people can cheat in an off-line system, so there is no way the bank can force people to keep enough in their account to cover cheating. In short, off-line cash simply can't work in an Internet economy. It violates the fundamental nature of the net, which is distributed and anonymous. An old cypherpunk aphorism says that any internet protocol which ends with then the cops track down the bad guy is fundamentally flawed. Off-line cash is a non-starter by this criterion. Transferred coins are recognizable and linkable. Hence they suck even worse than off-line coins. Tranferable off-line coins allow all kinds of cool anonymity features as described above, I also argued above that the linkability deficiency can somewhat defended against. Most of the anonymity features are just as applicable in an online system where people can exchange coins without identifying themselves. This allows for fully anonymous transactions with the bank and accountless operation. You talked about moneychangers, but the discussion was confusing. What exactly is a moneychanger? You seem to have an unstated assumption that moneychangers wouldn't be allowed by the bank and this was a way around that. But if transferrable off-line cash allows moneychangers, which the bank won't allow, then such a bank probably wouldn't provide for transferrable off-line cash either. Anyway, what the hell is a moneychanger, and why wouldn't a bank allow one? As for hidden banks, there is no evidence yet that people are clamoring to trust their hard earned savings to a bank which won't even show its face and which could abscond with the entire money supply at any time without penalty. Turning to the fact that the off-line coin chains are linkable, that's such an ugly blot on the whole idea that it deserves to kill it on those grounds alone. In one stroke you've gone from mathematical anonymity to somewhat anonymity. It's reminiscent of Dan Simon's fully linkable cash, where he offered the same sort of lame ideas like spending to yourself a few times. If all you want is pretend anonymity then don't bother with the fancy mathematics. Real anonymity means unlinkable coins. End of story. And transferable off-line coins add yet more flexibility, while again not preventing online clearing for those that prefer it. While some of the features have the linkability artifact, those features are optional and the user has free choice to select methods to avoid entirely or defend against linkability by any of the available methods respectively fetching fresh online coins, using money-changers to do the same more off-line, and self re-spending to add confusion. Hence transferable off-line coins are already superior to both non-transferable off-line coins and online coins due to the selection of choice of new features and trade-offs offered to the users. All we need now is a way to more robustly defeat linkability. Linkability can't be defeated. The ChaumPedersen paper implies that anyone can collude with the bank to determine if a coin is a later instance of one they held earlier. They simulate a second spend of their earlier coin, and let the bank determine if that produces a double-spending match with the later one, which it would have to do if they were both on the same chain. Hence there is no way even in principle to avoid chain linkability. Let's face it, transferrable off-line coins have so many
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Adam Back wrote: [...snip...] Another example would be having to give a deposit to get mobile phone for people with poor credit ratings. Also in Europe pay as you go, cash only mobile phone usage is popular due to credit elegibility reasons also I think. You can plunk down a 10 pound note and walk out with a mobile phone with air time on it, you can buy more air time similarly.) Slightly off-topic, but credit eligibility isn't the main reason for prepay. A lot of well-off people like it because it is easier to administer. I know people with jobs and credit ratings who chose to move to prepay, but I can't think of anyone who went the other way. You walk into the shop and buy airtime, which many people find easier than having yet another relationship with yet another boring company. Incidentally what they actually sell you is a card with a number printed on it, which you then send to phone company - there would be a lot of money for anyone who found a way to predict the numbers - this is cypherpunk technology - millions of people all over the world are paying cash money for large random numbers. They are also popular with parents who give them to their kids don't want to have to bankroll a serious teenage phone habit. And some people even like anonymity. The airtime numbers are available more or less anywhere, supermarket checkouts, every little corner shop, sometimes even bars. There is also a new breed of phonecard shops, sometimes doubling up as small Internet cafes and/or the more traditional copier shops. For some reason many of them are run by Africans (high-tech retail in UK is usually dominated by Indians). Their main business is in long-distance discount phonecalls. You get a certain amount of long-distance or international phone time through a local number. If you'd asked me 15 years ago I might have guessed that reselling bandwidth would be a big business in the first decade of the 21st century, but I wouldn't have guessed that it would mostly be over-the-counter in corner shops. Actually selling bits of plastic with numbers printed on them (most of them don't even bother with mag stripes) seems very low-tech and physical! Ken Brown
Burroughs' Revenge (was Re: all about transferable off-line ecash (Re: Brands off-line tech))
At 8:37 AM +0200 on 4/9/02, Some Anonymous Flatualist emitted the following bit of flammable gas out of an Austrian remailer somewhere: And BTW permission is NOT granted to forward this or any part of it to the DBS list because Hettinga is an asshole who kicks people off his list for spite. He can piss in his own sandbox if he wants but we don't have to play in it. Yup, that's me, Anonymous. Evil Bob. Violating copy protection protocols like the above at the drop of the hat. The tragedy of the commons is that no one owns the commons? It takes a village to forward an idiot's dreck? :-). Nonetheless, Anonymous, I'm also guy who forwarded your comment to my lists anyway, methagenous ejaculata and all, because, like I'm doing with this rejoinder to same, I can. :-). Also because it seems that, at the moment, and exclusive of your noxious spew above, you apparently have a clue about the present impossibility of, or at least economic impracticability of, off-line bearer transactions. Proving once again, like assholes, everyone has a clue at least once in a while, no matter who they are -- or how badly they misuse their own in public. [I could also note that beggars who can't muster their own resources, or at least an audience, can't be choosers, and thus have to post on others' lists, anonymously, but, hey, that would be, um, Evil, right? ;-).] Granted, Anonymous, I do tend to kick various assholes off of lists where I am in charge of subscriptions. Apparently, this includes yourself, now reduced to what looks like single-hop anonymous posting, most likely because you've now Graduated From College, or even Grad School, or at least a way-kewl down-the-toilet dot-com, and now you have an entry-level cubicle-job somewhere that apparently doesn't appreciate free speech. And, certainly, I kick people off of lists I run for any reason I feel like it, including for spite, if not by absolute whim, because, like you seem to have been, some people who end up on my lists, *are*, in fact, assholes, in my opinion, and, like I said, I either own, or at least, control the subscription list. Call it Bourgeoisie Oblige, if you want :-). No tragedy of the commons here, out in the land of actual property and responsibility for same. [As a further side note, anyone can subscribe to any list I run, and I certainly don't subscribe anyone against their will, and, most important, I don't actually moderate any lists, just play list.bouncer. So, as such, if someone pisses me off when they get there, for any reason whatsoever, even if I'm just having a bad day, they're out of there. Off with their heads, out the airlock, game over, whatever. Also, lots of people's mail addresses fail for various reasons, and, since I get to see all the bounced mail on some lists I do, I have short patience with such things.] As always, Anonymous, your definition of asshole, like mine, may vary, but only on *your* lists, please, if you can ever make that happen with your otherwise clueful reputation, though one you keep pissing on with comments like I've quoted above. Unfortunately, just like that William Burroughs story in _Naked_Lunch, about the guy who taught his asshole to talk, you keep trying to prove that, once again, that one man's asshole is indeed another man's larynx. Cheers, RAH Napalm in the morning, by any other name, smells just as sweet as a metaphor beaten like a dead horse... -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Ben Laurie wrote: Anonymous wrote: It's not just an extra feature; an off-line system inherently requires users to identify themselves to the bank at withdrawal time. It cannot allow users to anonymously exchange coins at the bank. So it has an inherent lack of anonymity which is not present in an online system. If they withdraw blinded coins, then although they were identified they are not linked with the coins. Did I miss something? Yes. You missed the point that the lack of anonymity is not in the coins, but in the protocol. An off-line system requires people to identify themselves to the bank at withdrawal time, so that their identities can be embedded in the coin. That means no anonymous exchanges at the bank. This is unlike an online system, which could allow someone to exchange coins for fresh ones who never identifies himself to the bank, who has no account at the bank, who in fact has never communicated with the bank in any way, shape or form ever before. There are no records of this guy, his identity, how often he uses the bank, the amounts which he deposits and withdraws. That's real anonymity. Off-line systems can't do this because they need to track down double-spenders after the fact. They accumulate all kinds of information about their customers. Eric Murray wrote: [Copied to Adam so he doesn't have to wait for some moderator to get off his fat ass and approve it. The LNE CDR isn't moderated in the usual sense. However, postings from new users[1] don't go through until I look at them (since about 99.5% are spam). I do this as often as possible, but I do have a life. So if you (the generic you) feel the urge to forge a new cute name on every post, be warned that your posts may take a while to go through. I suggest forging one cute name and sticking with it... besides, you will want all of us to have a pseudo to attach the appropriate reputation capital to. Reputation is overrated. Here's a clue: if you want to know what people really think of your ideas, post anonymously. Eric, your fat ass moderator It's not you, it's Brian Minder. Adam is on the cypherpunks-moderated list. Note the almost 24 hour delay between the initial response to his message by Anonymous and Adam's reply. This is almost certainly due to moderation-imposed delay (plus time zone issues). We might as well try to converse by carrier pigeon. Moderated lists do not support lively discussion.
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On 9 Apr 2002 at 16:54, Ken Brown wrote: But paper money is such a 20th-century thing! These days we're slowly drifting back to higher value metal coins (2 pounds out for a few years now, 5 pounds coming soon I think). Much more fun. Feels like real treasure! Less of the floppy stuff, we want our ecash to look like real cash. Ken Yeah, but is that because people want it, or because the treasury wants it? They've been trying to foist dollar coins on US for years because they're cheaper (last forever and cost about a dime to make vs. last about a year and cost maybe 3 cents to make) but people hate them and don't use them. George
RE: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, 9 Apr 2002, Trei, Peter wrote: I was living in Britain (and of an allowance-recieving age) when decimalization occured. While we lost the big penny, we gained the 50p piece. In those days, it was a large, heavy, seven-sided coin, bigger than a US half-dollar, and worth $1.20. It felt good in your pocket. Since then, the Brits have shrunk it to a much smaller size. Do they still call the 1 pound coins 'maggies'? I have been living in the UK for 17 years and have never heard this term. Younger people aren't sure who Maggie is anyway ;-) (15-year old daughter sitting next to me: Who's Maggie? and then Why would a pound be called Margaret Thatcher? ) -- Jim Dixon [EMAIL PROTECTED] tel +44 117 982 0786 mobile +44 797 373 7881 -- THAT'S A CHANGE OF ADDRESS: I'm no longer [EMAIL PROTECTED]
Re: all about transferable off-line ecash (Re: Brands off-line tech)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mike Rosing[SMTP:[EMAIL PROTECTED]] On Tue, 9 Apr 2002, Ken Brown wrote: I'd rather have stiff cards than floppy paper ones. At least you can put them into the slot of a machine easily. But with an RF tag you'd not even have to pull it out of your pocket :-) Putting RF Tags in cash is one of those ideas with Unintended Consequences. Muggers would love having a way of determining which victims are carrying a wad, as would many salesmen (and JBTs looking to perform a 'civil confiscation' on 'a sum of currency'.) Not to mention the possibility of a surreptitious centralized database tracking purchases of people on a watch list. Sign up if you want to, but you might do well to remember a point Lt. Gen. Hayden (who really ought to know) once made: all SIGINT can be defeated and destroyed simply by putting the handset in the receiver. Something to keep in mind while you're thinking this through,anyway. As for the counterfeiting problem, nobody's said much about the kind of sophisticated countermeasures used in casino chips, for example. Seems workable. One of many interesting topics covered in a truly frightening pub you might not have come across: Global ID Magazine http://web.tiscali.it/homeglobal/issues.htm Global ID Magazine is a publication describing the activity and the products of the leading Identification (ID) Technology Suppliers in the world. Its scope encompasses state-of-the-art technologies, innovative concepts and trends within the automatic identification systems industry that will have the most significant impact on design and use of ID systems. The editorial focus of Global ID Magazine is on the use of identification systems based on radio frequency, biometrics, global positioning, multifunctional systems, data communication and similar. Global ID Magazine speaks to decision makers, both at a management and at a technical level, within companies that use or could leverage from using ID systems. It suggests innovative solutions, the improvement of existing applications, describing trends and future possibilities. ~~Faustine. *** He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself. - --Thomas Paine -BEGIN PGP SIGNATURE- Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies. (Diffie-Helman/DSS-only version) iQA/AwUBPLNWGvg5Tuca7bfvEQLRzQCg2iSdcpbXf/K+FQRzVNGYa9voHToAn3Jd 35JycT/4X0aUnT7bzWycwYEe =sSz8 -END PGP SIGNATURE-
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Peter Trei writes: Speaking for myself and a few friends and relations, we'd be perfectly happy to use them, if they were available. A good place to get Sacagawea dollars is from the stamp machine at your local post office. Put in a $20 bill and buy as small an amount of stamps as you can, and many of the machines will give you golden dollars in change. Make sure you check the machine first; it should be labeled about what kind of change it gives. Otherwise you'll be hauling around dozens of quarters.
Re: all about transferable off-line ecash (Re: Brands off-line tech)
Anonymous gives some comments on some deficiencies in the properties of the transferable ecash schemes to date: On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote: [...] And second, because they grow, it is possible to tell exactly how many hands a particular coin has passed through - just count the transcripts of previous spends. So coins are not all that anonymous. And further, there is no re-blinding of the earlier transcripts. The Alice transcript is in the clear in all following uses of that same coin. Transferred coins are recognizable and linkable. While it is true that the coins are by unavoidably linkable, the linkability will only leak information where a user happens to see the same coin twice as it gets re-spent, as he can recognize this. As the chain length is also visible he knows how many hands it has gone through since he spent it. However he has no way to identify the intermediate payers except the last payer. The amount of identifying information the immediate payer discloses is up to that payer, though some identification may be relatively hard to avoid if there is no anonymous communication link used. So in general the shorter the intermediate chain the more revealing about the first and last payer in the intermediate chain the observation is. The more people who collude, the more chance their is that the colluding group can find samples of respent coins and so identify or gain information about the transactions of a target payer or payee. The transaction information leakage from the linkability may be fairly limited in practice -- for example by comparison how much transaction leakage would you expect to get as an individual or small group of coluding individuals if you write down the serial number on a bank note and wait until you see it again -- or even if a bank were to perform the same experiment, and they are far more likely to see it again due to volume. The issue will tend to be worse in small payment communities. Clearly it's not ideal, and it is useful to think about things you could do to improve the situation: - One thing that could be done to obscure this is to add a few extra random spending hops (say 0-2) which the user can do himself by spending to himself, though this comes at some extra space overhead. The recipient won't be able to distinguish self-spends from third-party spends. - Another defense would be to use third party money-changer to exchange coins for different coins. Basically to shuffle coins around a bit so that receiving a coin from someone with a short enough chain length between current and recognised spend to normally leak some information will no longer gain useful information. Ideas for more robustly fixing it: - Perhaps there is a way to encrypt the original chain with the bank's public key with a randomizable encryption algorithm such as Elgamal and yet retain sufficient proofs that the encrypted chain contains coin transcripts which would identify the appropriate part if the coin were double spent, and such that people handling the coin are assured of it's issue value. Also here are some comments on the conclusions: So it works, but broadly speaking there are two problems. First, off-line coins suck, as described above. And second, because they grow, it is possible to tell exactly how many hands a particular coin has passed through - just count the transcripts of previous spends. So coins are not all that anonymous. And further, there is no re-blinding of the earlier transcripts. The Alice transcript is in the clear in all following uses of that same coin. Transferred coins are recognizable and linkable. Hence they suck even worse than off-line coins. Online actions are harder to perform anonymously, therefore added flexibility to behave more off-line is good for anonymity. Off-line and transferable off-line coins add several new features which are useful to an anonymous user: - ability to transfer rather than deposit, so better hiding payee identity from bank for payers that want this (there are good uses for payee privacy as well as payer privacy) - accountless operation is better for privacy than forcing payments to be deposited and withdrawn as it also gives a user privacy of transaction volume; however accountless operation where you have to connect to the bank in real time (online protocol) makes it more difficult to remain anonymous due to the need for interactive low-latency communication - a money changer is much easier and more realistic to operate with off-line transferability -- it's basically impossible for the bank to detect with off-line transferability. With online coins a money changer would stand out exchanging a lot of coins through it's account (with forced-account option), plus even with accountless online exchange of fresh coins at the bank it's harder for the money changer to hide it's identity due to it's necessarily high bandwidth, low-latency interactive
Re: all about transferable off-line ecash (Re: Brands off-line tech)
On Tue, 9 Apr 2002, Adam Back wrote: Tranferable off-line coins allow all kinds of cool anonymity features as described above, I also argued above that the linkability deficiency can somewhat defended against. And transferable off-line coins add yet more flexibility, while again not preventing online clearing for those that prefer it. While some of the features have the linkability artifact, those features are optional and the user has free choice to select methods to avoid entirely or defend against linkability by any of the available methods respectively fetching fresh online coins, using money-changers to do the same more off-line, and self re-spending to add confusion. Hence transferable off-line coins are already superior to both non-transferable off-line coins and online coins due to the selection of choice of new features and trade-offs offered to the users. All we need now is a way to more robustly defeat linkability. While I agree with goal, it's not clear to me that it's physically possible. What makes money useful is it's physical existance, people have been counterfiting coins since they were invented but it's been getting harder to do. With off-line coins you could easily counterfit or double spend and live off the float, especially if you do it all anonymously. And if you just do it once with some huge sum, you'd get away with it (like Enron guys did :-) Money boils down to psycology - people trust that it trades their effort for somebody elses effort. who's going to trust ephemeral bits? Crossing that barrier is going to be a lot harder than any technology. Patience, persistence, truth, Dr. mike
Re: all about transferable off-line ecash (Re: Brands off-line tech)
The issue with off-line cash is this: has the coin being offered already been spent? With on-line cash, the offered coin is immediately deposited at the bank, hence doubly-spent coins are detected instantly. With off-line cash this cannot be done because by definition there is no connection to the bank. Hence there is no way to know, off-line, if a coin has already been spent. The solution is to embed the identity of the withdrawer into the coin when it is withdrawn from the bank, in such a way that this identity will only be revealed if the coin is double-spent. That provides a partial solution to the off-line scenario. A coin is offered off-line, and the recipient again has no guarantee that it hasn't been spent already. He accepts the coin anyway, and later when he gets on-line he tries to deposit it at the bank. But he learns that he was cheated; the coin had already been spent. Now he has a fall-back solution: the doubly-spent coin reveals the embedded identity of the party who withdrew it (and who doubly-spent it). He can call the cops and try to track down and prosecute the cheater. All off-line spending schemes work this way. All they can offer is the hope of tracking down cheaters after the fact. They can never offer the assurance of validity that an immediate on-line check can provide. With off-line coins, unlike on-line coins, the spender knows more than he's telling. He knows secrets about those coins which would reveal his identity; that is, his identity is embedded in some secret information associated with the coin. When he spends it at a shop, he responds to a random challenge from the shop, using his secret information. The system is set up so that the shop, and later the bank, can validate his response as being valid, proving that he truly owned a coin. For the double-spending detection, the system is further arranged that if two different shops offer two different random challenges, then from the responses to these two challenges, the user's secret information and therefore his identity is revealed. To turn this into a transferrable system, we would allow a chain of transfers before the bank gets involved. Alice spends the coin with Bob, who spends it with Carol, who spends it with David, who deposits it at the bank. There are two problems. First, only Alice knows the secret information associated with the coin. She can't give all the secrets to Bob, or else he would know her identity. So Bob only has a limited amount of information about the coin. Second, after this chain of transfers, if there was double-spending, it might have been anyone along the chain. The system for double-spending detection has to be able to identify which person was the cheater. The solution which Adam describes works as follows. Each party pre-withdraws a zero-value coin from the bank. This is an off-line coin which has their identity encoded in it, if they double-spend it. Alice first spends her coin with Bob in the normal off-line way. Bob ends up with a transcript sufficient to prove that he received a presumably valid coin from Alice (but one which might have been doubly-spent). Now Bob wants to spend with Carol. He does two things: he gives her the transcript of Alice's spend with him, which implicitly identifies the value of the coin; and also he engages in the regular off-line coin spend with her, using his zero-value coin. If Carol then spends the coin with David, she does the same two things: she gives David the transcript of Bob's spend with her (which itself included the two parts above), and also spends a zero-value coin with him. The resulting transcript now has three parts. So it grows at each transfer, and in the end the transcript is deposited. If there was a double-spend, someone spent his zero-value coin twice, and his own identity is revealed. There is one flaw, which is that Bob could use the same Alice transaction with more than one zero-value coin, which he after all gets for free. Carol can't tell that the Alice transaction she sees is the same one someone else saw, and if Bob uses a unique zero-value coin for each spend, then Bob's identity will not be revealed as it should be. The fix for this is that when Bob receives the coin from Alice, knowing that he is going to pass it on, he must link the specific zero-value coin he will later use into the transcript he will receive of Alice's spend with him. This is done by including a hash of the coin information into the random challenge he sends to Alice. Then when he tries to pass the coin on to Carol, she checks that the zero-value coin he is spending with her matches the value used in the Alice transcript. That prevents Bob from using two different zero-value coins with a single Alice transcript. So it works, but broadly speaking there are two problems. First, off-line coins suck, as described above. And second, because they grow, it is possible to tell exactly how many hands a particular coin has
Re: all about transferable off-line ecash (Re: Brands off-line tech)
The issue with off-line cash is this: has the coin being offered already been spent? With on-line cash, the offered coin is immediately deposited at the bank, hence doubly-spent coins are detected instantly. With off-line cash this cannot be done because by definition there is no connection to the bank. Hence there is no way to know, off-line, if a coin has already been spent. The solution is to embed the identity of the withdrawer into the coin when it is withdrawn from the bank, in such a way that this identity will only be revealed if the coin is double-spent. That provides a partial solution to the off-line scenario. A coin is offered off-line, and the recipient again has no guarantee that it hasn't been spent already. He accepts the coin anyway, and later when he gets on-line he tries to deposit it at the bank. But he learns that he was cheated; the coin had already been spent. Now he has a fall-back solution: the doubly-spent coin reveals the embedded identity of the party who withdrew it (and who doubly-spent it). He can call the cops and try to track down and prosecute the cheater. All off-line spending schemes work this way. All they can offer is the hope of tracking down cheaters after the fact. They can never offer the assurance of validity that an immediate on-line check can provide. With off-line coins, unlike on-line coins, the spender knows more than he's telling. He knows secrets about those coins which would reveal his identity; that is, his identity is embedded in some secret information associated with the coin. When he spends it at a shop, he responds to a random challenge from the shop, using his secret information. The system is set up so that the shop, and later the bank, can validate his response as being valid, proving that he truly owned a coin. For the double-spending detection, the system is further arranged that if two different shops offer two different random challenges, then from the responses to these two challenges, the user's secret information and therefore his identity is revealed. To turn this into a transferrable system, we would allow a chain of transfers before the bank gets involved. Alice spends the coin with Bob, who spends it with Carol, who spends it with David, who deposits it at the bank. There are two problems. First, only Alice knows the secret information associated with the coin. She can't give all the secrets to Bob, or else he would know her identity. So Bob only has a limited amount of information about the coin. Second, after this chain of transfers, if there was double-spending, it might have been anyone along the chain. The system for double-spending detection has to be able to identify which person was the cheater. The solution which Adam describes works as follows. Each party pre-withdraws a zero-value coin from the bank. This is an off-line coin which has their identity encoded in it, if they double-spend it. Alice first spends her coin with Bob in the normal off-line way. Bob ends up with a transcript sufficient to prove that he received a presumably valid coin from Alice (but one which might have been doubly-spent). Now Bob wants to spend with Carol. He does two things: he gives her the transcript of Alice's spend with him, which implicitly identifies the value of the coin; and also he engages in the regular off-line coin spend with her, using his zero-value coin. If Carol then spends the coin with David, she does the same two things: she gives David the transcript of Bob's spend with her (which itself included the two parts above), and also spends a zero-value coin with him. The resulting transcript now has three parts. So it grows at each transfer, and in the end the transcript is deposited. If there was a double-spend, someone spent his zero-value coin twice, and his own identity is revealed. There is one flaw, which is that Bob could use the same Alice transaction with more than one zero-value coin, which he after all gets for free. Carol can't tell that the Alice transaction she sees is the same one someone else saw, and if Bob uses a unique zero-value coin for each spend, then Bob's identity will not be revealed as it should be. The fix for this is that when Bob receives the coin from Alice, knowing that he is going to pass it on, he must link the specific zero-value coin he will later use into the transcript he will receive of Alice's spend with him. This is done by including a hash of the coin information into the random challenge he sends to Alice. Then when he tries to pass the coin on to Carol, she checks that the zero-value coin he is spending with her matches the value used in the Alice transcript. That prevents Bob from using two different zero-value coins with a single Alice transcript. So it works, but broadly speaking there are two problems. First, off-line coins suck, as described above. And second, because they grow, it is possible to tell exactly how many hands a particular coin has