Governance of anonymous financial services

Hal Finney hal at
Fri Mar 30 16:15:27 EDT 2007

Steve Schear writes:
> Here is the situation.  An on-line financial service, for example a DBC 
> (Digital Bearer Certificate), operator wishes his meat space identity, 
> physical whereabouts, the transaction servers and at least some of the 
> location(s) of the service's asset backing to remain secret...

Pretty tough to do much with crypto in this situation.  My
software was an attempt to create what Nick Szabo called "bit gold",
transferrable certificates that had intrinsic rarity.  It uses trusted
computing concepts to create RSA signatures that are backed by hash
collisions.  Unfortunately rarity does not automatically translate into
value, so even though the system was highly inflation-resistant it was
not too successful in attracting users.

> The service 
> provides frequent, maybe even real-time, data on its asset backing versus 
> currency in circulation. The operator wishes to provide some assurance to 
> his clients that the backing and the amount of currency in circulation are 
> in close agreement.  The mint's backing need not be in a single location 
> nor in the sole possession of the operator.

Maybe he could publish a picture of the backing commodities, and design
the system so that everyone could see how much money was in circulation?

Keep in mind that this is only part of the trust picture.  Showing that
the backing is there won't prevent this anonymous operator from absconding
with the funds in the future.  That would be one of my concerns if I
were a user.

> If the backing is distributed among a multitude of holders (e.g., in a 
> fashion similar to how Lloyds backs their insurance empire), who's 
> identities are kept secret until audit time and then only a few, randomly 
> selected, names and claimed deposit amounts are revealed to the auditors, 
> might this statistical sampling and the totals projected from the results 
> be a reasonable replacement for 'full asset' audit?  To protect the 
> identities of the holders could a complete list of the hashes of each name 
> and claimed deposit be revealed to the auditors, who then select M of N 
> hashes whereupon the operator reveals only those identities and claimed 
> deposits work cryptographically?

One problem is the holders could collude and play a "shell game".
Suppose that 30% of the holders were going to be asked to reveal their
assets, then the company could back only 30% of the currency, and
redistribute the assets to the selected holders before the auditors come.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list