[Cryptography] GNU's "anonymous-but-taxable electronic payments system" Heh.

Robert Hettinga hettinga at gmail.com
Fri Jun 10 09:47:46 EDT 2016

So. A few observations and maybe a question or two. 

When we were talking to CRESTCo., circa 1999/2001 (CRESTCo owns(ed?) CREST, which is/was? a database mirror of all the custodial positions in the UK and Ireland, Bob is Old, and Technically Retired, and hasn’t been paying attention for a very long time, if ever) we figured that it would be trivial to pay stamp duty on securities transactions as they went through clearing, we just couldn’t say, with any precision :-), *who* was paying the duty. 

Our plan, before the dot-bomb finally blew us up in July 2001, and then 9/11 made the rubble bounce, was to hook a mint up to CREST, take delivery as the beneficial owner of the securities in question there, including depository receipts for the S&P, which would have been interesting, and issue, say, Chaumian (or Wagner, as Chaum was, um, entailed…) blind-signature digital bearer certificates representing a claim on those securities when the holder wanted to take possession of them, delivered via CREST to a custodial account of their own somewhere. Sticking a nonce or something out of band was probably how we were going to know how to match certificate deposits/withdrawals with certificates.

More-or-less instantaneous T-0 intra-day settlements among a “club” (HT Eric Hughes) of known large institutions was one of the possible ways to bootstrap this, and moving to retail after things shook out a bit and people and lawyers stopped yelling at each other. 

So, people transferred securities in their possession to an underwriter like IBUC was going to be, or an OBUC (Other Bearer Underwriting Company) :-) competing with IBUC, the underwriter would issue them a certificate on the net, and, when the ultimate holder of the certificate was ready to take it off the net and convert the claim to an actual CREST position.   

Certainly the only sure-fire way to prevent double spending of Chaumian blind-signature digital bearer certificates is to redeem and reissue them at each transaction, obviously sans dealing with the custodial stuff that one would with a deposit/withdrawal. At each redeem-reissue, a stamp duty to the powers that be could then be paid. In cash. Settled instantaneously. Bob’s — or Sam’s — your, um, uncle. :-)

Strangely, after 9/11, GWOT, KYC and all the other fun stuff that has happened, nobody really wants to talk about technically anonymous bearer-settled transactions on the net, even if they might be almost instantaneous and three orders of magnitude cheaper than book-entry settlement. 

It certainly looks like it’s illegal now, and it was going to cost a couple of million pounds in legal fees to figure it out even when it looked legal then. We were talking to the lawyer who did the work setting up CREST, dematerializing physical shares, and making the database mirror like CREST the legal equivalent of a clearinghouse like DTC in the US. It was doable. Probably not now. So far. :-)

After Bitcoin, people might be more receptive to the idea, but again, if it’s cheaper. A lot cheaper. The fun bit about bitcoin was, of course, look ma, no lawyers. For a while. Solved all kinds of problems, it did.

However, I still think the idea of m-of-n where m=n=2 is a good idea. It’s the kind of backstop that financial people like to know they have if they need it. 

(ObBelt-Onion: When I was the most junior clerk possible at Morgan’s Chicago office in the early 80’s we were doing this very glamorous thing of transmitting the contents of an 8-inch IBM floppy, containing the results of a couple of hours’ keypunching (by, heh, me) every night to New York using an always-nailed-up telephone circuit with a couple of 300bps modems on either end.  

We also kept paper copies of the transmission, and of course all the paper I read when punching the stuff in. And we stored two weeks of office trash in case we threw something out. By the way, you can’t say “belt and suspenders” in the UK without getting at least a titter, and even the odd shocked glance, by the way, a warning to Americans traveling abroad…)

Anyway, just popping out the key that double-spent the certificate and bouncing it, and  the trade itself, back to the redeemer before it even clears or settles was a nifty piece of kit to my mind. Keeping a list of *redeemed* certificates only, because the *issued* certificate copies were blinded and thus literally meaningless, was also pretty slick, besides keeping the costs down considerably, which was always my focus in these things. Bitcoin needing to keep *all* transactions *forever* (for various values of ever) always struck me as lumpy, but it works, and Moore’s Law is our friend so far. 

The *other* feature to me back then with m-of-n , keeping only *redeemed* certificates, and changing issuing keys in epochs driven probably by redeemed value of the collateral pool, instead of time (HT Ian Goldberg), the Coaseian transaction cost would be driven increasingly lower, and thus the cost of being an *underwriter* could keep falling over time. I joked in Wired in 1996 or so about a syndicate of bots underwriting a bond issue for your lunch. Instead of a many-to-one relationship between borrower to creditor in a credit-card transaction would be inverted. Cats and dogs living together. Mass hysteria. &cet.

So, now a question. Can Thaler work in such a model? Could it just be hooked up, modulo the odd twiddle and the approval of your friendly local force monopoly, to somebody like CREST, or DTC?  


More information about the cryptography mailing list