[Shovelware, (6/95)] e$: Non-Repudiation
From: firstname.lastname@example.org (Robert Hettinga)
Subject: e$: Non-Repudiation
Dr. May said:
>the "ontology" of digital money, the instruments and forms it
>can take, are _impoverished_ compared to the real world.
Ah... Someone's playing my song...
Sorry I took so long, but I wanted to give this excellent post some serious
attention, which is hard to come by when you're a person like me (praise the
lord and pass the Ritalin ;-) ).
>In my eight years of following digital cash work, I've been
>struck with how little _economics_ enters the fray.
I think you're right, Tim. More and more people are finally realizing that
digital commerce is cryptography: cryptography as it's applied to economics
on a network of microprocessors. After all, Netscape plans to make its money
on servers, most important, its commerce servers, the servers that require
the most cryptography.
A major leader on this front, to my mind -- that is, someone who has been
barking on the end of his chain ;-) the longest and loudest about all this,
and who has gone out and learned how the clearing of transactions happens in
the capital markets and elsewhere -- is Eric Hughes. Eric, who, along with
Tim May, founded this group to begin with, who has worked with David Chaum,
and who designed and built the first anonymous remailers. One of the reasons
we don't see much of Eric around here these days is because he's out there
putting some rubber to the road in his consulting business, where he's
focusing on the very issue of cryptography and its applications to digital
commerce, and I wish him well.
That is not to slight others in this group who are also thinking about this
stuff. Not at all. In addition, most of us are looking at other issues in
cryptography, like remailers, like keeping the state out of our face, like
pithing SSL, and, frankly, most of the rest of us are too busy making a
living to do anything but lurk here. Cryptography is huge, and digital
commerce is a small conceptual subset of the whole field, no matter how
important some of us think it is.
Nonetheless, the fact that both of the founders of this group are focusing
on cryptographic financial objects and/or their network infrastructure
speaks volumes about its importance anyway.
Having laid down that as covering fire ;-), let's talk about creating an
ecosystem of autonomous financial objects on public networks, and why I
think that Tim's post is particularly important.
The reason we have the multiplicity of financial instruments out there to
begin with is because there is money in creating them. But the reason
there's money in it is because of the fall of the price of networked
computer-based communication. The market they're traded in exists in
computers. The decisions made to buy and sell them are at least facilitated
by computers. The clearing and settlement of these instruments are done on
computers. However, these systems are all centralized, closed, private
systems. For that reason, the very acceleration of processing
cost-effectiveness which created them is going to sweep them away someday.
The bleeding edge of all this is the so-called 'synthetic' security,
something which exists as a software manifestation of the most recent
financial theory, sometimes only experimental and a few hours old, sometimes
sold to an investment bank's clients just like any other security, secondary
markets and all. A combination of purchases and short sales of put and call
options on a particular bond, which behaves like the bond in price, for
example, without having to hold the bond itself. This is usually done
because the liquidity or the transaction cost of holding these instruments
is lower than that of the bond. In addition, since unwinding of the
synthetic security should yield the price of the bond after transaction
costs, any discrepancies between the two yield an opportunity for
Of course, in the early days, all of 10 years ago, theory held somewhat more
promise than reality. The great "portfolio insurance" fiasco of the early
80's arose from the fact that the options trades which were supposed to
offset the fall of the price of a security in this fashion turned out to be
not very liquid after all. When the time came to unwind these positions in a
hurry, they got stuck. That's not as much of a problem these days, as
evidenced by the proliferation of increasingly sophisticated securities
based on the same idea, which trade and settle just fine,
Note that we're talking about book-entry entities here. That is, these
modern securities are creatures of an environment where software
"applications" reside on a particular computer on a particular local or
private network, to manipulate centralized accounting entries on that
computer or elsewhere, in order to reflect the expected or traded value of a
security. Things that live "on" a computer. It's controlled completely from
the outside, with the exception of the behavior of the market. Not "in" it,
or "in" the network the computer's hooked into.
Notice how different all that is from a digital certificate like Chaumian
digital cash. When you get a digital certificate, you receive it through a
cryptographic protocol which ensures that it is what it says it is. If the
certificate is traded on-line, then the certificate's issuer vouches for it
right then and there. If it is traded off-line (someday, I hope...) the
certificate speaks for itself, just like a dollar bill's supposed to. As
such, it can reside anywhere, not as a book-entry "on" a central computer
somewhere, but "in" the network.
Notice also we are backing down a level of abstraction from the status quo.
A certificate is what it says it is, it is not book-entry, which is a
pointer to something which is what it says it is.
That's the paradox of modern book entry systems. A book entry used to just
"point" to a physical certificate, which in turn points to a cash-flow or a
series of cash-flows of some kind. Of course, the term "book entry" is
almost exclusively used to describe clearing capital market trades without
the physical exchange of certificates for other pieces of paper (receipts,
checks, signature guarantees, etc.). The institutional ideal in this
environment is a clearing-house wire clearing the trade in exchange for a
bank wire transfer settling the trade. The book entry becomes the primary
abstraction, not any certificate it is supposed to represent.
The problem with book entries, of course, is the problem with any database.
You have to manipulate that database, and to do that, you have to get
access, and to do that you need permission... you get the point. In a
capital market, that costs money, and it's costing more and more as a
percentage of the revenue derived from the transaction, because to get
access, you need human permission and intervention. If a human isn't
supervising things, people take advantage of their access. Mr. Leeson of
Barings was a classic case in point. Meanwhile, Moore's law keeps lowering
the cost of the rest of the production cycle.
Another problem, closer to the heart of this list, is that of anonymity. The
ultimate authority to modify that particular line item or database field
derives from the "owner" of that entry, since it is usually modified by
someone else, "a chain of custody" is needed: audit trails, and of course,
True Names are necessary somewhere, even with numbered accounts. The primary
point for inventing double-entry bookkeeping was so owners could control
accountants, after all.
When electronic book entries started replacing paper ones, the resulting
economies of scale caused great centralization to occur. As I've said here
before, lines were cheaper than nodes, and things got bigger and bigger. The
advent of the microprocessor has been continually eating away at these large
control hierarchies, and making them harder and harder to maintain. Things
are getting out of control again.
In an out of control environment, like that found on public uncontrolled
networks like the internet, software has to be autonomous. A certificate,
like a piece of digital cash, is an autonomous entity. As we said before, it
is what it says it is. Because of a cryptographic protocol, you trust the
thing because of the way it behaves, not because you trust the people who
gave you access to it.
Now, Tim is talking about another type of autonomous entity, an agent,
basically, a "friendly" virus. A piece of code which is launched or launches
itself on one machine, crosses a network, runs itself on another machine,
and returns with a result. Our current concept of software agents implies
that there's something on another machine that needs to be "got", usually a
database requiring access and permissions, which is why people who manage
centralized repositories of information are nervous about them, just like
microcomputers made their mainframe predecessors nervous.
On the other hand, it's easy to see a scenario where two agents arrange to
meet somewhere on a public network, in the presence of another "impartial"
agent to exchange certificates, trading, settling and clearing all in one
shot. Unsupervised. Out of control. Because the agents are engaging in a
cryptographic process which "breaks" if the entities behave improperly,
fraud is supposed to be prevented.
Which brings me to something which goes right to the heart of one of our
most cherished ideas here on cypherpunks, the idea of crypto-anarchy: with
the right cryptography, agreements become unenforceable because perfect
anonymity disconnects the "pointers" between digital and physical identity.
Crypto-anarchy means that states don't know who to force to do what.
Technology does this, it's reality, it's not optional, so we better get used
to it. The catch to all of this is a curious conceptual double negative
I had trouble remembering the name for a while, I kept wanting to say
"plausible deniability", in the spirit of Admiral Poindexter. But I've had
to remember the real name, because the idea's so damned important.
Right now, the canon of commercial law for the entire free world (just so I
can't be accused of quibbling here :-) ) is completely based on the concept
of non-repudiation, that is, you can't repudiate an agreement, or a trade,
or you face legal sanction. Force, in other words. Ultimately, the
state can send you to jail, or worse.
About a year ago, when www-buyinfo had active discussion on it, (and had not
yet been turned into cyphe$rpunks by my reflexive redirection there of all
the e$ cheezy-bits from cypherpunks ;-), ) I got into an interesting
discussion there about non-repudiation and I didn't even know I was involved
in one. We were arguing about a familiar dichotomy in the concept of digital
cash, the difference between on-line and off-line protocols.
I was arguing that on-line cash was better because it was a more
"peer-to-peer" proposition than an online system, which required access to a
network connection, and high-bandwidth processing at the certificate issuer
so the issuer could participate in every single cash settlement. That
invasive participation struck me as antithetical to the whole concept of a
hyper-distributed geodesic economy that I thought that digital commerce was
going to become. The technology which made it possible for anyone, anywhere,
to sell anything digitable -- music, movies, information, teleoperator
control sequences, professional services, and financial instruments -- to
anyone else, while using the cheapest possible transaction protocol, that
is, cash, a protocol which immediately and finally clears and settles a
transaction, will win out in the end.
So, I was finding myself twisting in the wind about all of this, trying to
figure out how offline cash was going to have to work if double-spending was
possible, how it could be kept to manageable levels. I found myself saying
things like (forgive me), "Well, if they double-spend, put 'em in the airlo-
er, throw 'em in jail!". In other words, we have the key of the double
spender, even if she's anonymous, so we could use snitches, subpoenas of
bank records, and plain old detective work, to send her to jail should she
repudiate the agreement to not double-spend.
It's hard to see how that would happen in a perfect world with perfect
anonymity, much less in a world where nation-states couldn't collect income
to pay for judges, courts, and LEAs. Nick Szabo was gleefully slapping me
around the head and shoulders about this, and I retired from the field. So,
no matter how much the idea refuses to leave my thick Frisian head, I'll
leave that big, red, dog ("Hey, baby...") sleeping on the front porch for
the time being. This without even touching the other problem with digital
cash in general, Nathaniel Borenstein's favorite anti-digital-cash 2-by-4 --
which threatens all digital cash systems on- or off- line -- the prospect of
someone inside a certificate issuer stealing the private key for an entire
issue, and printing all the money she wants. To that I say, use multiple
issues, and distribute keys, but I see that big red dog's waking up, so
we'll move on...
So, you can see we're talking about the alleged inability of cryptography to
deal with the repudiation of digital cash trades. It cannot currently keep
transactions either the way cypherpunks want, utterly anonymous, and the way
I want them, off-line.
In fact, at the moment, I'm very close to holding the strong form of this
argument, that is, the concept of non-repudiation is the only reason we're
being forced into true-name trades right now. It's not the long arm of the
law, it's the market, which makes sense. If it was just a legal obstacle,
and really contrary to market forces, it should have collapsed under a
barrage of regulatory arbitrage attempts. No threat of legal force would have
prevented people from trying to make money issuing digital cash.
The War on Some Drugs is a good example of this.
If we could get digital cash trades, or trades of any kind of financial
instrument for that matter, to trade on public networks without the ability
to repudiate them, it probably won't matter whether they're illegal, which
is interesting, to say the least, but it's no different from what happens
with paper certificates.
Now, as usual, all this is no brilliant insight on my part. A few days ago,
I didn't know what "non-repudiation" meant.
On Wednesday, I had a very interesting over-coffee conversation with Yet
Another Professional Who Wants To Remain Anonymous. I must be a magnet to
these people for some reason, at least until they figure out I'm not that
useful. Or maybe it's because I need so much help. Anyway, people
who were on cypherpunks last summer remember my previous anonymous legal
informant, the esteemed counselor Vinnie "The Pro" Bono, not to be confused
with his second cousin, the Honorable Sonny. "Vinnie" wanted to remain
anonymous because he was afraid of being deluged with requests for free
legal advice, among other things. I still won't tell you who he was, but he
has since "come out", and, of course, we aren't choking his POP server with
requests to get our various relations out of the slammer, or anything else
for that matter, even though he talks freely here under his True Name.
I expect my new friend will figure this out soon enough. The other reason he
gave is that he's so damn busy he doesn't have time to do much but lurk.
Unfortunately, this guy lurks not here, but on www-buyinfo, having signed on
to cypherpunks and deciding not to drink from a firehose, thank you very
much, and since I've been spamming it lately with the aforementioned
cypherpunks e$ cheezy bits, he seems to prefer it there. I have to admit
myself that as much as I like it here, it is an acquired taste...
Now, our friend Vinnie has some very serious credentials, but this new guy
is just plain scary because he's so focused on the commercial law of EDI and
electronic commerce. This hypercredentialed gentleman shows up on the
program committee of various "suit" conferences on electronic commerce,
sponsored by various international legal entities and TLAs, and seems to be
up to his elbows in the Current Fantasy according to the Powers that Be, in
particular, its legal armature: legal sanction, non-repudiation, True Names,
Which leads me to his moniker. I thought I was going to be civil about this,
and just refer to him in the third person singular, but I had this amazing
brainstorm. Remember the comedian "Professor" Edwin Corey, who died
recently? His schtick was a variant on the nutty professor, obfuscatory
language, lab coat, Converse high-tops and all, and he called himself the
"The World's Foremost Authority". Didn't say on what, which was the point.
As a philosophy major at Mizzou who really loved his informal fallacies, one
of which was the Appeal to Authority, this particular example always made me
laugh. So, I've dubbed this particular informant "Edwin Corey", or "Mr.
Corey" in true Oxfordian fashion, not to be at all uncharitable, but
because, in truth, this guy is probably the world's foremost authority on
this stuff, if anyone is...
He's going to give me pointers to some of this proposed "legal armature"
from time to time, the first of which is a report by one Michael Baum
entitled, deep breath, "Federal Certification Authority Liability and
Policy: Law and Policy of Certificate-Based Public Key and Digital
Signatures". This 500+ page monster can be obtained from, who else, The
Feds, in particular, another big breath, the United States Department of
Commerce, Technology Administration, National Technical Information Service,
Springfield, VA, 22161; (703) 487-4650. The cost is $61, plus $6 for
shipping and handling, plus $2 for orders sent outside the U.S., Canada or
Mexico, plus rush charges if you call 1-800-553-NTIS, and if you don't jump
up and down three times before you write the check or read them your credit
card over the phone, the trade will be repudiated. ;-).
Oh. It says something here about being able to get it through a web-site
called FedWorld, http://www.fedworld.gov .
So, it's very important to work on financial objects and agents. However, I
should really try to concentrate on the issue of non-repudiation, because it
is a necessary, and maybe (strong form) necessary and sufficient, criterion
for the development of digital commerce on public networks.