[4212] in cryptography@c2.net mail archive
Re: Digital Bearer Documents -- an Oxymoron ??
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Mon Feb 15 14:04:33 1999
In-Reply-To: <199902142213.RAA26416@swan.lcs.mit.edu>
Date: Sun, 14 Feb 1999 20:41:21 -0500
To: Ron Rivest <rivest@theory.lcs.mit.edu>
From: Robert Hettinga <rah@shipwright.com>
Cc: micropay@ai.mit.edu, dbs@philodox.com, amir@haifa.vnet.ibm.com,
dcsb@ai.mit.edu, e$@vmeng.com, cryptography@c2.net,
cypherpunks@cyberpass.net, mac-crypto@vmeng.com
At 5:13 PM -0500 on 2/14/99, Ron Rivest, the hardest working man in
cryptography, wrote:
> I find rah's use of
> terminology confusing and misleading.
Hi, Ron. The line forms to the rear... :-).
> The simplest form of money is gold, which is easily authenticated as
> genuine by the recipient.
Actually, this is only true if you *coin* it and put standard gold into a
tamper-resistant package so you don't have to assay all the time (hence
"rich as Croesus", the Lydian king who figured this out), but, do go on...
By the way, you're right. The answers to questions you're posing here *are*
all on my website, <http://www.philodox.com>, and, um, well, heh... they're
even FAQs.
But, here goes, anyway...
> This enables true "two-party" transactions,
> where the recipient knows what he is getting without having to rely
> on a third party. (Of course, the value of the gold, in terms of how
> many oxen it will buy, is a standard market-value question...)
Right. Even with a "standard" trading commodity, you have to have an
"intermediary" who guarantees the quality and purity of the commodity. See
Croesus, above. In modern times, *every* form of money, no matter what
it's backed by, has a financial intermediary, someone who guarantees the
transaction. In fact, every *financial instrument* is intermediated, by
people called underwriters.
Okay, so that handles the "financial" part of "financial intermediation".
Now on to the next bit...
> Hettinga talks a lot about "digital bearer certificates", which seem
> to me to be an oxymoron. The basic problem with digital documents,
> unlike gold, is that they are easily copied.
No. If you use an on-line form of, say, Chaum's protocol, you cannot copy
the cryptographic objects I call "digital bearer certificates" without
getting caught, or at least refused.
Even with your MicroMint protocol, which *is* done off-line, samples of
tokens would still have to be validated stochastically. Your *chances* of
getting a double-spent "coin", "certificate", "token", whatever, would have
to be within some tolerable risk tolerance.
Remember the on-line/off-line "continuum" paper at FC97. I see micro-bearer
transactions as ideal in situations, like packet-routing, or web-page
clicks, or, um, "$MTP", where *machines* are actually spending money for
the resources they provide to each other, and double-spent money is more a
sign of damage than anything else. And, of course, "blackballing" a machine
is much easier than it is to black-ball a key signed to a blind-signature
certificate, for instance. In fact, in a bearer-settled packet-switched
network, you *want* to double-spend, that is, drop "pay-packets" on the
floor when things aren't working well. "Thieving" machines are fairly easy
to ostracize, as you can just ignore their IP address as broken, for
instance. Micro-reputation capital punishment, if you will, just like the
macro-reputation punishment in the old "robber-baron" bearer-settled
economies of yore. Cf. my favorite Morgan quote about character and
Christendom.
Finally, since bits *are* cheap, it's trivial to redeem and reissue a
"macro"-bearer certificate, say, a Chaumian one, for *every* transaction.
It's not like you have to go all the way out to western Massachusetts and
get Crane and Company to print you a new piece of paper, right? That way,
you, and the intermediary for that matter, are *assured* that *nobody* can
double-spend your money, (or equity, or bond, or derivative :-)) except you.
Which brings us to your next FAQ:
> The issuer will need to keep a book (!) to tell him
> if the "digital bearer document" has already been cashed in.
Absolutely, Ron. But, you don't get off so easily.
Remember that items in the spent certificate database can be *deleted*,
over time. (Yes, Virginia, deleted...). MicroMint does the same thing on a
periodic basis itself, by *expiring* certificates, you said every month,
right? With Chaumian certificates, you need to do the same kind of thing to
control the risk of someone stealing the "minting" key. I heard Ian
Goldberg using the word "epochs" for this, and I use it myself, now. The
length of a given epoch is derived almost entirely from the secondary
transaction volume on a given financial instrument's outstanding
certificate base. In a market where people buy and hold something forever,
like some bonds, maybe, these epochs would be longer. For cash, they'd be
shorter. I bet there's an actual financial calculation in this, and that
someone's gotten a Nobel for it, the financial economics of transaction
liquidity being what it is. :-).
So, is this a database a "book"? Well, not really. There is no way to
*read* that book unless someone double spends. It's of no use to *anyone*
for anything but that purpose alone. The data just takes up space, and,
eventually, on a financial, *risk*-adjusted, basis, the data is *deleted*.
Game over. If someone comes in with an ancient bearer certificate from
some, heh, previous epoch, rooted out from under some digital mattress
somewhere, it's just paid out, and *kept* by the underwriter after
redemption. If it comes in again, it's unblinded, right? And, yes, you can
game the system, but you run right into the time value of money, here, and,
more to the point, an underwriter can game the system right back, keeping
some small, random sample of deleted certificates, to bust the random gamer
down to his shorts, keeping the rest of the money-"cracking" community in
check.
Now, assuming that all of the above is true, assuming even that you kept
*all* transactions, you still have less load on the system than you do now.
Why? Because, right now, you have a *hierarchy* of book-entries to go
through, all of which *multiplies* the storage and processing resources in
the problem. Count the number of intermediaries in the hierarchy of a VISA
transaction, and don't forget the check you write to pay off your VISA bill
at the end of the month, and all the cash flowing from your bank to the
merchant that was the basis of your revolving credit loan. I'll even spot
you the FDIC, the Fed, and the IRS, just to render unto FinCEN. With a
digital bearer instrument, exchanged on a secondary basis, where you're not
taking it off the net, but just exchanging it for some other bits, be they
financial or not, you only have a *single* intermediary. The transaction is
not hierarchical, it's geodesic. It "looks" like one of those triangles
that Bucky Fuller's domes were made out of. Multiply all the transactions
times all the intermediaries, and that adds up to something interesting,
and no, it's compounded, and not linear, in its cost effect. Remember your
economic multipliers, after all.
But, Ron, that's not even the most important cost. The longer a transaction
takes to clear, not only is the time value of the money in the float lost,
which is a lot in a world of decreasing, "frictionless" profit margins, but
also, and, I think more important, the *risk* of the transaction itself
goes up. And, in order to speed up that transaction, you forward-load as
much information as possible, especially the authorization, the
"reputation" of the transaction's underwriter, so that all the transaction
needs to do is to validate the permission of the intermediary to the
transaction instead of the parties to the transaction, you have, I claim, a
functional digital bearer certificate. You have the value of the asset. You
have the intermediary's authenticating signature blinded or not, but I
claim that blinding it makes it more secure. You have the signature of who
the money belongs to, the shared secret whatever, again blinded, so they
can't double spend the "document", as you say, or as I say, "certificate",
to reclaim the word from people who don't know its origins in actual
finance. :-).
In other words, you have, paradoxically, a single issue bearer certificate.
Which is fine, since, bits are free, right? Just redeem it and issue
another. It's still a bearer (as in "pay to the bearer") certificate.
That's why I say that as you converge a book-entry transaction to
instantaneity, the transaction itself can't help but converge to bearer
form. It's like the fundamental theorem of calculus, or the link between
existential and universal quantifiers in logic. How's *that* for thin ice,
Ron? :-).
> I would think that anything worth the name "digital bearer document"
> should imply that the system is "database-free" (i.e. no "book
> entries" of any sort).
Nope. Not at all. After all, every bearer bond ever issued had a serial
number on it, right? In fact, if you go look at one, you'll see that all
their *coupons* had serial numbers as well, though typically they were the
same as the principal certificate, because they had date information to
make them unique objects themselves. Those serial numbers were checked off
a *list*, at the trustee/custodian, to make sure, guess what, they weren't
double spent. Did the trustee know, did they *care*, *who* turned in the
coupon at interest time, or the certificate itself at principal or call
time? No. At least until mainframes made bank accounts, and thus
income/capital gains/sales taxes, cheap enough for the hoi polloi :-). And,
of course, the trustee *certainly* didn't care who owned the certificate
between its primary sale on the market and all its subsequent secondary
transactions before redemption.
Heck, even dollar bills are serialized, or we wouldn't have liar's poker,
right? :-). They're still bearer instruments, because the issuer, the
underwriter, and the trustee don't care a whit who owns, "bears" the
certificate, and thus by extension the asset, in question.
And, finally, even if you were to "print" and reissue a new certificate, or
coupon, for every transaction, you still have something in bearer form. The
trustee doesn't know, or care who owns the asset, because the digital
bearer certificate contains all the available information to execute,
clear, and settle the transaction.
> Once you are maintaining databases keeping track of each digital
> document, it is not a big deal if you have one such database (for the
> issuer, as for digital coins), or a couple (one for signer and one for
> recipient, as for electronic checks).
I think you're going to find that even this matters a lot, but I've already
addressed this above.
Interestingly, digital bearer certificates probably allow you to *scale*
the problem to the net much cheaper by having many separate underwriters,
distributing the calculation, storage, and, most important, financial risk
of the market. Maybe that's not so much about transaction cost, or maybe it
is, I don't know. Remember all those triangles in a geodesic dome
distribute the load to the ground. The more triangles, the straighter the
lines of force across the structure. In fact, that's what "geodesic",
means, literally: the straightest line across a sphere. You can use the
same analogy with transaction risk, if you think about it.
> (The biggest real savings may come from "probabilistic payments", as
> in my "Lottery Tickets as Micropayments" papers, because then most
> potential "payments" get tossed as non-winning by the recipient, so
> the database doesn't need to be consulted for each payment.)
That's okay, Ron. You can ride your hobby-horse, as long as I get to ride
mine. :-). Frankly, I think that *holders*, and not issuers, are going to
want to choose which certificate they redeem in a stochastic redemption
off-line model, and to do that, the underwriter is going to have to stand
ready to redeem *any* of them, like with Micromint, and not just one chosen by
the issuer, like your "lottery" model, no matter how secure and fair the
lottery is. We'll see.
> Perhaps I've missed something in Bob's long proselytizing
I don't call it "Evangelism" for nothing, folks. It won't be science until
we have data, but I think my hypotheses about all this stuff will prove
out...
> on these matters,
> but I hope that others will find this note useful in trying to decipher his
> wheat from his chaff....
And here I thought that "chaffing and winnowing" involved no cryptography. :-).
See you in Anguilla in a week, Ron. We'll haggle over a beer then, if you want.
Cheers,
Robert Hettinga,
Philodox Financial Technology, yes, Evangelism
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
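An added example (not from this message, nor from Chaum's, MicroMint's or Philodox's code) of the spent-certificate "book" the reply describes: an online issuer that redeems and reissues on every transaction, keeps one spent-serial set per epoch, rotates its minting key and deletes the old set at each epoch, and retains a random sample of the deleted serials plus any late redemptions so a replayed certificate is still caught. The `Issuer` class, the HMAC tag standing in for the blind signature, and the sample rate are all assumptions of this example, not anything the message specifies.

```python
import hashlib
import hmac
import os
import random


class Issuer:
    """Toy online issuer: one minting key and one spent-serial set per epoch (assumed design)."""

    def __init__(self, sample_rate=0.05, rng=None):
        self.rng = rng or random.SystemRandom()
        self.sample_rate = sample_rate      # share of deleted serials kept as the "random sample"
        self.epoch = 0
        self.keys = {0: os.urandom(32)}     # minting keys, by epoch (kept for verification)
        self.spent = {0: set()}             # the "book": spent serials, by live epoch only
        self.retained = set()               # serials kept after a book is deleted

    def _tag(self, epoch, serial, value):
        # HMAC stands in for the issuer's (blind) signature in this toy model.
        msg = f"{epoch}:{serial}:{value}".encode()
        return hmac.new(self.keys[epoch], msg, hashlib.sha256).digest()

    def issue(self, value):
        serial = os.urandom(16).hex()
        return (self.epoch, serial, value, self._tag(self.epoch, serial, value))

    def redeem_and_reissue(self, cert):
        """Accept a certificate exactly once, then hand back a fresh one of the same value."""
        epoch, serial, value, tag = cert
        if epoch not in self.keys or not hmac.compare_digest(tag, self._tag(epoch, serial, value)):
            raise ValueError("forged or unknown-epoch certificate")
        if epoch in self.spent:                       # live epoch: consult the book
            if serial in self.spent[epoch]:
                raise ValueError("double spend")
            self.spent[epoch].add(serial)
        else:                                         # expired epoch: book already deleted
            if serial in self.retained:
                raise ValueError("double spend (caught by retained sample)")
            self.retained.add(serial)                 # paid out once, then kept by the issuer
        return self.issue(value)

    def new_epoch(self):
        """Rotate the minting key; delete the old book but keep a random sample of it."""
        old = self.spent.pop(self.epoch)
        self.retained.update(s for s in old if self.rng.random() < self.sample_rate)
        self.epoch += 1
        self.keys[self.epoch] = os.urandom(32)
        self.spent[self.epoch] = set()
```

With `sample_rate` below 1.0 a replay of a deleted-epoch serial is caught only probabilistically, which is exactly the risk-adjusted trade-off the message argues the underwriter can tune.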