[Cryptography] Krugman blockchain currency skepticism

Ray Dillinger bear at sonic.net
Thu Aug 9 15:33:46 EDT 2018


I did the design way the hell back in 1995 for a digital cash protocol.
I was combining David Chaum's blinded certificates with proof chains
(now called block chains) to enable the 'coins' to make more than one
offline hop.  Each 'coin' got larger and larger, dragging its proof
chain behind it with an additional link for every transaction, until it
made its way back to the issuer and got redeemed.  If anybody along the
way spent it more than once, then multiple versions of the coin with
inconsistent history chains would come back to the issuer and comparing
the transaction records at the chain fork would reveal the ID of the
cheater.

I never even attempted to launch it; the only people I knew of who had
ever actually launched digital cash systems were crooks.  I was
interested in working out a protocol puzzle, but not interested in being
a crook and had nowhere near the assets to do it legally and properly.

Being a natural-born pessimist, I had already figured out that the only
people willing to loan me such assets would inevitably turn out to be
crooks.  And paying the interest on a loan would have forced me to make
it more expensive than a checking account - so nobody would want it anyway.

It required a Trusted node to create certificates matching IDs in the
system (IDs that could be revealed by double spends) to entities that
could be held legally/financially accountable for double spending.  So,
since that was the power the Trusted node could abuse, of course the
heavy boot on the door in the middle of the night would have been about
denying someone the use of the system.

I left the question of issuance completely open.  The presumption was
that someone buys a 'coin' from the issuer for a fungible asset to be
held in escrow until the coin is redeemed, but I was then and am now
well aware that the usual outcome of anything like this is that in a few
months to a few years, people notice the assets are gone and some
scammer faces prosecution or jail time.

We keep thinking that "real" bankers who are accustomed to dealing with
fiduciary duty should be able to do better than this. IIRC the only
"real" banker who ever tried Chaum's e-cash - the Mark Twain Bank - did
in fact manage to avoid that variety of scamming, but still went out of
business.

Honestly, the boot on the door, in some manifestation or other, is
inevitable.  Any payment system requires mutual consent between payer
and payee.  And therefore any entity capable of creating a strong
motivation to refuse consent, for either side, can kill the system.  If
accepting payments via Bitcoin becomes illegal, and enforcement actually
starts charging the owners of any server seen running a node with a
crime and levying fines, then overnight the value of Bitcoin crashes and
it ceases to be useful for making payments.  There is no way to
simultaneously protect all nodes and keep the system publicly available.
If the people using it know where to send packets, then the people
levying fines know where to shut down servers. Even heroic attempts like
Tor can be and have been penetrated, given the will to do so.  This is
what Tim May called "squishability" years ago.


On 08/06/2018 07:55 AM, Patrick Chkoreff wrote:
> Benjamin Kreuter wrote on 08/05/2018 07:38 PM:
> 
>> Which is why I said at least one offline hop.  Once you have a 
>> certificate from the bank, your ability to use the system cannot
>> be revoked unless you are caught cheating.  With one offline hop,
>> you can receive and spend money without communicating with the
>> bank.

See, this just isn't true.  What happens when you get caught cheating?
The issuer sees that you have cheated and revokes your key.  How do the
other users of the system know your key has not yet been revoked?  They
access a key server that gets updates and knows when the issuer has
revoked your key.  So how does someone kick you off the system?  They go
to the issuer's key server and remove your key.  If the other users of
the system can't find current proof that your key remains unrevoked,
then mutual consent fails and you cannot use the system.

If the protocol allows a valid revocation to be formed without a
recorded proof of cheating, they'll do that too.  But even if proof of
cheating is required to create a valid revocation, about 99% of the
effect of a revocation can be had just by removing the key from the
issuer's server.

> If you want high efficiency and a well-defined security model, it's
> hard to compete with blinded tokens.  But if you want something that
> exists, you'll have to look elsewhere.

Blinded Tokens always require a Trusted role to act as issuer.  This is
fine, assuming the Trusted role is held by a Trustworthy entity.  But so
far history has taught us, emphatically, that this may not be assumed.

					Bear
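The two mechanisms Bear describes above (a coin that drags a proof chain behind it so that comparing two inconsistent histories at the fork names the double spender, and a key server that payees consult for current proof that a payer's key is unrevoked) as an added toy model. This is illustration code written for this page, not Bear's 1995 protocol, Chaum's e-cash, or any real issuer's software. Its assumptions are constructed: each holder's link is authenticated with an HMAC under a per-holder secret the issuer keeps (standing in for a signature on a blinded certificate), the holder names `alice`/`bob`/`carol` and the coin id `coin-1` are made up, and the `Issuer`, `KeyServer`, `spend`, `find_double_spender` and `run_scenario` names are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Link:
    payer: str   # ID of the holder passing the coin on
    payee: str   # ID of the holder receiving it
    prev: str    # hash of the preceding link (the coin id for the first link)
    tag: str     # payer's authenticator over (payer, payee, prev)

def _tag(secret: bytes, payer: str, payee: str, prev: str) -> str:
    # Stand-in for the payer's signature on a link (constructed simplification:
    # an HMAC under a per-holder secret the issuer keeps, not a blinded certificate).
    return hmac.new(secret, f"{payer}|{payee}|{prev}".encode(), hashlib.sha256).hexdigest()

def link_hash(link: Link) -> str:
    return hashlib.sha256(f"{link.payer}|{link.payee}|{link.prev}|{link.tag}".encode()).hexdigest()

def spend(chain: list, coin_id: str, payer: str, secret: bytes, payee: str) -> list:
    """One offline hop: the coin grows by one link naming the next holder."""
    prev = link_hash(chain[-1]) if chain else coin_id
    return chain + [Link(payer, payee, prev, _tag(secret, payer, payee, prev))]

def find_double_spender(a: list, b: list) -> Optional[str]:
    """Compare two histories of one coin; the holder at the fork is the cheater."""
    for x, y in zip(a, b):
        if x != y:
            # Both links extend the same prefix, so they share a payer who spent twice.
            return x.payer
    if len(a) == len(b):
        return None  # identical histories: a replay, nothing new to learn
    shorter = a if len(a) < len(b) else b
    # One history is a prefix of the other: its last holder redeemed and also passed on.
    return shorter[-1].payee

class KeyServer:
    """Where a payee looks for current proof that the payer's key is unrevoked."""
    def __init__(self) -> None:
        self.keys: set = set()       # holders with a published key
        self.revoked: set = set()    # holders the issuer has revoked
    def has_current_proof(self, holder: str) -> bool:
        # Payee side of mutual consent: a removed key and a revoked key look the same.
        return holder in self.keys and holder not in self.revoked

class Issuer:
    def __init__(self) -> None:
        self.secrets = {"issuer": b"issuer-secret"}
        self.key_server = KeyServer()
        self.redeemed = {}   # coin id -> first history presented for redemption
    def register(self, holder: str, secret: bytes) -> None:
        self.secrets[holder] = secret
        self.key_server.keys.add(holder)
    def mint(self, coin_id: str, holder: str) -> list:
        return spend([], coin_id, "issuer", self.secrets["issuer"], holder)
    def verify(self, coin_id: str, chain: list) -> bool:
        # Each link must chain to the previous one, be made by the current holder, and tag-check.
        expected_prev, expected_payer = coin_id, "issuer"
        for link in chain:
            secret = self.secrets.get(link.payer)
            if secret is None or link.prev != expected_prev or link.payer != expected_payer:
                return False
            if not hmac.compare_digest(link.tag, _tag(secret, link.payer, link.payee, link.prev)):
                return False
            expected_prev, expected_payer = link_hash(link), link.payee
        return bool(chain)
    def redeem(self, coin_id: str, chain: list) -> tuple:
        """Returns (status, cheater); an inconsistent second history reveals and revokes the cheater."""
        if not self.verify(coin_id, chain):
            return ("rejected", None)
        earlier = self.redeemed.get(coin_id)
        if earlier is None:
            self.redeemed[coin_id] = chain
            return ("redeemed", None)
        cheater = find_double_spender(earlier, chain)
        if cheater is None:
            return ("duplicate", None)
        self.key_server.revoked.add(cheater)
        return ("double_spend", cheater)

def run_scenario() -> dict:
    """Constructed walk-through: one coin, an honest hop, two double spends, a forgery, a pulled key."""
    issuer = Issuer()
    secrets = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}
    for holder, secret in secrets.items():
        issuer.register(holder, secret)
    ks, r = issuer.key_server, {}
    coin = issuer.mint("coin-1", "alice")
    to_bob = spend(coin, "coin-1", "alice", secrets["alice"], "bob")      # honest offline hop
    to_carol = spend(coin, "coin-1", "alice", secrets["alice"], "carol")  # same coin spent again
    r["first"] = issuer.redeem("coin-1", to_bob)
    r["fork"] = issuer.redeem("coin-1", to_carol)            # fork at link 1 names alice
    r["alice_after"] = ks.has_current_proof("alice")         # payees now refuse alice
    onward = spend(to_bob, "coin-1", "bob", secrets["bob"], "carol")      # bob redeemed, then spent on
    r["onward"] = issuer.redeem("coin-1", onward)            # prefix case names bob
    r["forged"] = issuer.redeem("coin-1", spend(coin, "coin-1", "alice", b"not-alice", "carol"))
    ks.keys.discard("carol")                                 # key pulled from the server, no proof of cheating
    r["carol_after"] = ks.has_current_proof("carol")
    return r
```

The last two lines of `run_scenario` are the point of the reply to Kreuter: `carol` never cheated and nothing was proved against her, yet once her key is gone from the server a payee finds no current proof and mutual consent fails exactly as it does for the revoked `alice`. The fork comparison itself only names a cheater because verification forces each link's payer to be the previous link's payee, so two links extending the same prefix must share a payer.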
