Governance of anonymous financial services

Ian G iang at
Fri Mar 30 16:55:24 EDT 2007

Steve Schear wrote:
> Here is the situation.  An on-line financial service, for example a DBC 
> (Digital Bearer Certificate), operator wishes his meat space identity, 
> physical whereabouts, the transaction servers and at least some of the 
> location(s) of the service's asset backing to remain secret.  The 
> service provides frequent, maybe even real-time, data on its asset 
> backing versus currency in circulation. The operator wishes to provide 
> some assurance to his clients that the backing and the amount of 
> currency in circulation are in close agreement.  The mint's backing need 
> not be in a single location nor in the sole possession of the operator.

The servers are not so relevant, as long as you have created 
legally firm transactions.  Although, in the event of 
collapse, the data trail suddenly becomes of critical 
importance, so there are limits to that.

The reserve assets' location(s) is fairly important from a 
customer trust perspective.  People look at the overall 
safety and make their own judgements.  One person might 
decide that New York is safe and another will find that a 
horrible thought (for those who follow this arcane field, 
there was a big bust of a dodgy operator in NY some months 
back).  Having said that, once a system is up and running, 
and is robust, it seems that moving the assets from one 
continent to another has not been a source of concern to 
many users.

The issuer himself is pretty important.  His physical 
location isn't so important -- everyone flies around these 
days -- but nobody has ever been able to gain trust in a 
system to date without reference to a real meatspace hook. 
And for good reason ... how do you take him to court?  (And 
if you are thinking of extra-jurisdictional transactions, 
how do you beat him to a pulp with a baseball bat?)

> I realize this is a governance question but I suspect that crypto/data 
> security may play a key role.

It does ... but only after the full governance story is put 
into place.  Then, we can look at ways to solve certain 
governance problems with crypto.

E.g., Ricardian contracts (my stuff) take the user agreement 
as a document and bind it into each transaction by means of 
the hash of the contract;  they also ensure various other 
benefits such as the contract being available and readable 
to all at all times, and the acceptability of same, by the 
simple expedient of coding the decimalisation into the 
contract.  Ensuring that the contract is readable, 
applicable and is available to all is a huge win in any 
court case.

Other governance tricks:  the usage of signed receipts can 
be used to construct a full audit of the digital system. 
Also, signed receipts are strong evidence of a transaction, 
which leads by some logic to a new regime which we call 
triple entry accounting.  This dramatically changes the 
practice of accounting (which feeds into governance).

With DB side, one trick is to use pseudonym accounts for the 
basis, and this allows no-loss protocols to be created. 
Again, this is useful for governance, because if you have a 
lossy protocol, you have a potential for fraud.

> Some questions:
> If independent auditors are used do they need to know the operator's 
> identity?

The essence is the contract.  In a classical online 
financial offering, this contract defaults to the user 
agreement.  This contract offers things to the user, and it 
offers it in the name of the Issuer.

If the contract offers nothing, you don't care who the 
Issuer is.  (Some contracts do offer you nothing...)

An Independent Auditor (of a valuable contract) would need 
to know the pedigree of the Issuer.  In evaluating the 
contract that is extended between the issuer and the holders 
of value, there needs to be some "meatspace mass" that says 
that the various clauses in the contract can be met.  E.g., 
if the issuer is totally anonymous and the contract says 
that the issuer will be good for a million of personal 
assets backing then this is a difficult clause to believe in.

> What aspects of good governance can be brought to bear on this situation 
> so that the operator's interests are more aligned with its clients?

Well, one of the things that is normally done is that the 
assets that reserve the contractual promises can be audited 
in some fashion.  For the gold people it was commonly 
suggested that cameras be used;  another possibility was to 
conduct an audit of reserves from time to time with a person 
of known integrity and independence, a different one each 
time, under the cameras.

> Has anyone explored this from a math-crypto view?

It's well explored in Ricardo (my stuff).  The digital side 
is capable of being fully and completely audited (not that 
it is, but the signed receipt structure allows it).  5PM and 
the balance sheet approach tie the numbers to the contract 
and then across to the physical assets.  5PM can also be 
used to control the physical assets to a lesser extent, but 
there we find more need for physical auditing.  It's hard to 
go totally digital and cryptographic with a pallet of gold, 
unless we're in one of those Neal Stephenson novels.

> If the backing is distributed among a multitude of holders (e.g., in a 
> fashion similar to how Lloyds backs their insurance empire), whose 
> identities are kept secret until audit time and then only a few, 
> randomly selected, names and claimed deposit amounts are revealed to the 
> auditors, might this statistical sampling and the totals projected from 
> the results be a reasonable replacement for 'full asset' audit?  To 
> protect the identities of the holders could a complete list of the 
> hashes of each name and claimed deposit be revealed to the auditors, who 
> then select M of N hashes whereupon the operator reveals only those 
> identities and claimed deposits work cryptographically?

The Independent Auditor is likely to demand the whole list 
and then to sample and test.  If not, he has to audit your 
formulas, and Auditors don't place much faith in crypto blah 
blah as a matter of principle.

With something like physical assets, it is hard to gain long 
term trust if you do not identify the location of the assets 
to some extent, at least in the early days.  Short term 
trust can be gained, this has been shown empirically, so if 
you are operating a transient payment system then that has 
more of a chance of getting away with missing elements of 
governance.  The smaller transactions cycle is completed so 
quickly that people know when things aren't working more 

Bear also in mind that the classical audit approach is 
designed for a static, snap-shot, long-distance approach. 
This is all topsy turvy these days.  You need to look more 
for open governance, rather than employing auditors, as 
otherwise you're wasting your money.


PS: disclosure, I write these things, and am also auditing 
a non-FC system at the moment.
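
The hash-list sampling scheme raised in the quoted question (publish a hash per holder, let the auditor pick M of N, reveal only those), sketched as an added example that is not part of the original post. Assumptions: SHA-256, a random per-entry salt (not in the post; without it a name and amount could be guessed and checked against the list), hypothetical function names, and constructed holder data.

```python
import hashlib
import hmac
import secrets

def commit(name: str, deposit: int, salt: bytes) -> str:
    # Length-prefix the name so different (name, deposit) pairs cannot
    # serialise to the same byte string.
    n = name.encode("utf-8")
    msg = salt + len(n).to_bytes(4, "big") + n + deposit.to_bytes(16, "big")
    return hashlib.sha256(msg).hexdigest()

def publish(holders):
    """Operator: returns (public commitment list, private openings)."""
    openings = [(name, dep, secrets.token_bytes(32)) for name, dep in holders]
    return [commit(*o) for o in openings], openings

def choose_sample(n: int, m: int):
    """Auditor: picks M of N indices using the auditor's own randomness."""
    return sorted(secrets.SystemRandom().sample(range(n), m))

def verify_reveal(commitments, revealed):
    """Auditor: revealed maps index -> (name, deposit, salt).
    Returns the indices whose opening does not match the published hash."""
    return [i for i, (name, dep, salt) in revealed.items()
            if not hmac.compare_digest(commitments[i], commit(name, dep, salt))]

def projected_total(commitments, revealed):
    # Sample mean of the revealed deposits, scaled up to all N entries.
    mean = sum(dep for _, dep, _ in revealed.values()) / len(revealed)
    return mean * len(commitments)

# Constructed sample data: 20 holders with claimed deposits 1000..1950.
HOLDERS = [("holder-%02d" % i, 1000 + 50 * i) for i in range(20)]

def demo():
    commitments, openings = publish(HOLDERS)
    picks = choose_sample(len(commitments), 5)
    revealed = {i: openings[i] for i in picks}
    honest = verify_reveal(commitments, revealed)
    # Operator changes one claimed deposit after the list was published.
    i = picks[0]
    name, dep, salt = openings[i]
    tampered = dict(revealed)
    tampered[i] = (name, dep * 10, salt)
    return honest, verify_reveal(commitments, tampered), i, \
        projected_total(commitments, revealed)

if __name__ == "__main__":
    print(demo())
```

The check only shows that the revealed entries are the ones committed to before the sample was chosen; whether a revealed holder actually has the claimed deposit is still a matter for physical verification.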
