[4210] in cryptography@c2.net mail archive
Digital Bearer Documents -- an Oxymoron ??
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Sun Feb 14 21:56:48 1999
Date: Sun, 14 Feb 1999 18:44:09 -0500
To: dcsb@ai.mit.edu, e$@vmeng.com, cryptography@c2.net,
cypherpunks@cyberpass.net, mac-crypto@vmeng.com
From: Robert Hettinga <rah@shipwright.com>
--- begin forwarded text
Date: Sun, 14 Feb 1999 17:13:21 -0500 (EST)
From: Ron Rivest <rivest@theory.lcs.mit.edu>
To: rah@shipwright.com
cc: micropay@ai.mit.edu, dbs@philodox.com, amir@haifa.vnet.ibm.com
Subject: Digital Bearer Documents -- an Oxymoron ??
I don't often contribute to these lists, but thought I might add my
own two cents to the "digital bearer" discussion. I find rah's use of
terminology confusing and misleading.
The simplest form of money is gold, which is easily authenticated as
genuine by the recipient. This enables true "two-party" transactions,
where the recipient knows what he is getting without having to rely
on a third party. (Of course, the value of the gold, in terms of how
many oxen it will buy, is a standard market-value question...)
Hettinga talks a lot about "digital bearer certificates", which seem
to me to be an oxymoron. The basic problem with digital documents,
unlike gold, is that they are easily copied. Unlike gold, you need a
third party (typically the issuer) to tell you if the copy you have is
worth anything. The issuer will need to keep a book (!) to tell him
if the "digital bearer document" has already been cashed in. Thus,
with digital bearer documents you have three-party (or more-party)
transactions, not two-party, and the third party must keep a book.
The value of the document is not in the fact that you are bearing it,
but in the fact that there is no book-entry saying it has been used
already.
I would think that anything worth the name "digital bearer document"
should imply that the system is "database-free" (i.e. no "book
entries" of any sort). I think equating "no book entries" and "no
databases" is a fair and useful equation, both from an engineering
point of view and from a banking point of view. But digital documents
*require* databases, since a digital document can be copied and
presented multiple times. A database (with "book entries") is *required*
to prevent multiple spending.
Once you are maintaining databases keeping track of each digital
document, it is not a big deal if you have one such database (for the
issuer, as for digital coins), or a couple (one for signer and one for
recipient, as for electronic checks). To within a small constant
factor, the database work is the same. Hettinga's talk to the contrary
notwithstanding, I don't buy his strong statements about the supposed
"efficiency" of digital bearer documents. To within a small factor, it's
all the same. Databases are involved, and they take some work.
(The biggest real savings may come from "probabilistic payments", as
in my "Lottery Tickets as Micropayments" papers, because then most
potential "payments" get tossed as non-winning by the recipient, so
the database doesn't need to be consulted for each payment.)
Perhaps I've missed something in Bob's long proselytizing on these matters,
but I hope that others will find this note useful in trying to decipher his
wheat from his chaff....
Cheers,
Ron
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
