[2249] in cryptography@c2.net mail archive
Digital Bearer Settlement
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Tue Mar 3 15:04:10 1998
Date: Tue, 3 Mar 1998 13:46:23 -0400
To: ;@"Recipient.List.Suppressed"
From: Robert Hettinga <rah@shipwright.com>
Here's the concluding article in the pair that I did for Nikkei.
Cheers,
Bob Hettinga
--- begin forwarded text
X-Sender: rah@pop.sneaker.net (Unverified)
Mime-Version: 1.0
Date: Mon, 2 Mar 1998 19:42:47 -0400
To: gis-ec@nikkei.co.jp
From: Robert Hettinga <rah@shipwright.com>
Subject: [gis-ec 47] Digital Bearer Settlement
Reply-To: gis-ec@nikkei.co.jp
X-MLserver: majordomo-1.94.1 k-patch-2.0-alpha p-patch-1.0
X-sequence: gis-ec 47
Sender: owner-gis-ec@tokyo.nikkei.co.jp
Precedence: bulk
Having just help run last week's Financial Cryptography 1998 Conference and
Exhibition (complete with a high-speed catamaran ride down to see a total
solar eclipse looming over the smoldering Montserrat volcano :-)), I'm
sufficiently recovered today to talk about the more focused, financial
settlement rant I want to do here on the gis-ec list, before your own
conference starts.
First of all, I'd like to thank Tatsuo Tanaka for the privilege of getting
to correspond with you all about something he and I both think will be a
very important, if not the most important component in the emerging digital
economy: The impact of instantaneous, (and I think bearer), digital
settlement on transaction cost, and, more important in my opinion, its
impact on the whole idea of non-repudiation as practiced in current
book-entry settlement methods.
Put into plain language, I like to claim that, soon enough, the era of
book-entry settlement -- that is, our way of representing money as
offsetting debits and credits exchanged between the two parties of a trade
through a hierarchy of trusted intermediaries -- will be over.
I think that the social and economic impact of the new alternative to
book-entry settlement, digital bearer settlement, will be quite large,
because, at the root of the status quo's book-entry transaction protocols
is the need to involve government and regulation at the most intimate
levels. Essentially, "...and then you go to jail" is the penultimate
error-handling step in a book entry transaction. This eventually leads, I
claim, to more, shall we say, friction, in the transaction process than
currently available with advanced techniques in financial cryptography.
I claim, that, historically, bearer settlement, particularly at the time of
a trade's execution, barely required legal enforcement of non-repudiation
(the inability of someone to renege on a transaction) at all. Finally, I
claim that secure digital bearer settlement cryptographic protocols,
operating on insecure public networks like the internet, will reduce
transaction costs enormously over insecure book-entry settlement
debit/credit swaps, operating on strongly secure private transaction
networks like ACH, or SWIFT, or the old NIDS, or whatever.
"Three orders of magnitude cheaper than book-entry" (dividing the cost by a
thousand) is my favorite, and quite plausible, design mantra for such new
systems based on modern cryptographic transaction protocols. We'll see why
in a bit.
In the old days, before telegraphy (but after barter :-)), most financial
transactions were done by trading bearer certificates, or tokens, of one
form or another. Exchanging cash for a bearer bond would be a good 19th
century example. Even trading bearer forms of equity was trivial -- and
instantanous: the offer, the acceptance of the offer, and the settlement of
the transaction occured almost all in one operation.
With the advent of telegraphy and eventually telephony, it was possible to
make the offer and accept the offer at a distance, but settlement had to
wait until bearer certificates were physically relocated, sometimes over
long distances and then exchanged. After all, you couldn't very well send
them over a wire.
The solution was to move all the certificates to a central trusted
location, called a clearinghouse, and for the trading parties to swap
debits and credits between themselves and the clearinghouse. It's pretty
apparent that having the certificates physically locked down in the
clearinghouse's vault becomes superfluous in such a scheme, because what
really matters is the impartial arbitration of the clearinghouse in the
case of a transaction dispute. All except for one thing. If someone lies or
reneges on a book entry transaction, there isn't much that the other two
parties can do except bar them from trading, which, of course, works in
bearer certificates, but not nearly as well in book-entry settlement.
So, we need several things to cope with non-repudiation in book-entry
settlement. First, we need the ability to determine who physically made
what book-entry so we can find them and send them to jail for fraud if
necessary. That's because book entries are inherently unstable, insecure,
digits sitting in a database somewhere. Many people in Asia are familiar
with commodities and derivatives traders who were capable of hiding
fraudulent book-entries for long enough periods of time to bring down their
respective firms, for instance. In cryptography we call this an
authentication problem. :-).
So, besides authentication of the book-entries themselves, we need to
secure the links between various charts of database accounts, first by
authenticating the users of those electronic links, originally with
passwords, then with cryptographic keys and signatures, and now with some
combination of biometrics (finger or retinal prints, say) and digital
signatures. And, second, by actually encrypting the links themselves so
that no one can see what they are even if they can't change the
authenticated data without someone noticing.
Sorry for the long-winded explanation, but it's long-winded stuff, as most
people who clear trades on the net for a living will tell you. Anyway, for
all intents and purposes, you now know everything there is to know about
the guts of electronic commerce on the internet. When you punch your credit
card number into a secure web page, pretty much all of the above happens,
plus or minus the retinal scan. :-). (You can even do other book-entry
transactions like checks in the above fashion, and a bunch of us are
working on a simple but very effective public-domain protocol to do exactly
that, which we're calling Internet Deposit Box, or IDBX for short. Coming
soon to an internet bank near you...)
However, if you'll excuse me, I think all this stuff about moving
book-entries down encrypted pipes on the internet, including the
much-heralded SET protocol for credit cards, is so much financial
"shovelware". It's the equivalent of a major corporation's promotion
department scanning in one of their brochures into a giant .GIF picture and
putting it on a web page without any interactive features at all. Much less
taking orders :-).
Fortunately, there is *so* much more that can be done with financial
cryptography. There's a whole string of cryptographic protocols out there,
beginning with David Chaum's blind digital signature patent in the middle
1980's (and ending, say, last Saturday night :-)). You can actually create
unique digital objects which can't be forged if you handle them right (if
you only exchange them on-line, for instance). You can attach any arbitrary
financial value you want to these cryptographically secure objects as long
as everyone else agrees with you, and, most important, you honor your
agreements concerning their exchangibility into some other financial
instrument. So, I call these objects "digital bearer certificates", after
the paper bearer certificates of yore, which I claim these crypto-blobs
behave like, more or less.
The fun part comes when you actually start to trade these things. The first
thing you notice is that they settle instantly. I give you digital cash
certificates, you give me digital bearer bond certificates. Trade over.
Elapsed time, thousandths of a second. I can turn right around and take
that bearer bond and sell it again, if I want. More to the point, I don't
have to wait for my broker work out how to move my money to your broker
through the clearinghouse, for their banks to arrange to pay each other,
all of which takes days and costs lots of money. Remember that "three
orders of magnitude" I was talking about. If what I claim is true, then the
cost of even your on-line Schwabb or E-trade transaction could move from
being measured in dollars to somewhere in the sub-penny range, and probably
less over time. Actually, these aren't account based protocols at all. So
there ain't no Schwab, or Merrill Lynch, or Morgan Stanley, required. Well,
not completely true. You still need financial financial intermediaries, no
matter how small, to "rent" repuatation to a given transaction. Anyway, you
don't keep digital bearer certificates in an account, you just keep them on
your hard drive. Or, in some more interesting cryptographic protocols, on
pieces in many hard drives all over the net, in such a fashion that you
only need, say, 7 of 12 to reconstruct any given bearer certificate.
What may be the most efficient protocol I've seen is a digital cash
protocol invented by Ian Goldberg just this past Saturday, after the FC98
conference here in Anguilla. Ian's calling it HINDE (for HINDE Is Not
DigiCash's Ecash). From our back-of-the envelope calculations, this
particular bearer settlement mechanism got us into the hundredth of a penny
range of transaction cost, even after throwing in a few cursory orders of
magnitude in imagined administrative fudge factors.
As far as non-repudiation goes, I know that what you gave me is real
because I can test it with the issuer. You can do the same thing. It's so
trivial that I equate the act with the physical inspection each of us does,
unconciously or not, when we're handed a piece of cash. If I don't like
what I "see" (determined by the calculation of the cyptographic protocol,
of course), I don't trade with you. I'd say it's much better than detecting
fraud after the fact, finding who made the offending book-entry, and
apprehending, trying, and jailing the miscreant. Frankly, I'd go one
further and say book-entry settlement is so complicated an unwieldy that
the *only* reason we have book-entry settlement now is because we couldn't
shove paper down a wire back when telegraphy was invented.
Finally, there's no real recordkeeping of transaction logs with digital
bearer settlement. Like a pile of cash, you count it up, and that's what
you have. There is no need for seven years of audit trails at up to six
different transacting parties because you don't have to hunt someone down
and send them to jail for reneging on a trade before it settles, and more
frequently, to prove you're innocent should you be suspected of something
untoward. You don't need a lawyer or an accountant to keep you out of jail
at tax time for making the wrong book entry somewhere.
In fact, you don't *care* who gave you what money as long as they're happy
with what you gave them in exchange for it. Reputation becomes the most
important thing there is, because damaging someone's reputation is your
only recourse in a world where your digital signature is your *only*
identity. The threat of blackballing is in fact a very effective fraud
deterrent, and once a digital reputation is trashed, it takes time -- and
higher transaction risk premia -- to build a new one. To quote J. Pierpont
Morgan on the subject, "I wouldn't buy anything from a man with no
character if he offered me all the bonds in Christendom." With apologies
for Mr. Morgan's 19th century Episcopalian sexism, of course. ;-).
But, you might say, what about taxation? Indeed, what about it at all? Most
of our taxes are collected on book-entries (income, sales, value-added,
capital gains), but I claim that the reason we have book-entry taxation is
because we have book-entries, and not the other way around. For instance,
in the early 1980's the government of the United States apparently
legislated paper bearer bonds out of existence by declaring interest paid
on them to be non-tax-deductible. Of course, if a concerted effort to make
paper bearer instruments obsolete because of their high handling cost
hadn't occured prior to that, such a legislation of economic reality by the
US government would have been laughed out of any room in which it was
proposed. I like to say that physics creates economics, which creates
politics and law, and not the reverse. Or, as Thomas Sowell likes to say,
"Reality is not Optional". I expect that since aristocrats figured out how
to extort economic rents from farmers, and nation-states figured out how to
extort economic rents from industry, that something close enough to a
government for government work will figure out how to extort economic rents
from whatever the producing unit of a geodesic society is, probably pieces
of code. As the crypto professor says, "I leave that to the student as an
exercise for further study." :-).
Finally, what about laws? Aren't there laws applicable to this kind of
stuff? Laws about money laundering for instance? While there are lots of
cypherpunks out there who say, like I even do on occasion, "Write Software,
not Laws", there is nothing wrong with doing digital bearer settlement, as
long as it stays on the net. In the earliest stages, there will be bearer
cash, which can be traced when it goes on and off the net through a bank
account, no matter how many hops it goes through before it comes out. So,
it's pretty simple in that scenario to "Render unto FinCEN" (FinCEN: the
Financial Crimes Enforcement Network). Everything's traceable, which should
keep them happy. At least until people start *keeping* money on the net and
never taking it off. Then, of course, the world will have more interesting
things to think about than whether or not FinCEN can do it's job anymore,
and they've said as much.
Once we get to digital bearer bonds, stocks, and derivatives thereof, the
world starts to change considerably. However, I still claim that reality is
not optional. If you reduce the cost of settling a transaction to
effectively zero (okay, past the last basis point but not zero), then the
financial markets are going to figure out how to use the technology. Not
only is it cheaper, but by being cheaper, it allows for smaller and smaller
publically held entities. And automated financial intermediaries. Those
little personal bearer bond 'bots' I was talking about in my Geodesic
Society rant before I went to Anguilla, for instance. The asset sizes of
verious trades could get much smaller, but, in addition, I claim, that
because trading of financial instruments can happen so quickly,
efficiently, and by so many self-interested actors, it'll probably be the
way money is raied very large security issues and for very large projects.
Maybe Intel's inevitable $10billion chip fab, for instance, will be floated
into a market "swarm" of financial intermediaries. Microintermediation,
instead of disintermediation, in other words...
Okay. I've now walked you up the edge of the abyss, and pushed you over the
cliff, and, you'll notice, you didn't get hurt at all. That's important to
think about, because sometimes being quantitatively cheaper has qualative
effects, but, for modern society at least, the future is no different from
the past, except that we've figured out how to live better. I expect if we
can blow the doors of the cost of financial with digital bearer settlement,
the world will be a much better place to live in, indeed.
Cheers,
Robert Hettinga
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>
--- end forwarded text
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>
