[Shovelware, (6/95)] e$: Non-Repudiation

http://www.shipwright.com/rants/rant_01.txt

e$: Non-Repudiation

From: rah@shipwright.com (Robert Hettinga)

Subject: e$: Non-Repudiation

Dr. May said:

>the "ontology" of digital money, the instruments and forms it

>can take, are _impoverished_ compared to the real world.

Ah... Someone's playing my song...

Sorry I took so long, but I wanted to give this excellent post some serious

attention, which is hard to come by when you're a person like me (praise the

lord and pass the Ritalin ;-) ).

>In my eight years of following digital cash work, I've been

>struck with how little _economics_ enters the fray.

I think you're right, Tim. More and more people are finally realizing that

digital commerce is cryptography: cryptography as it's applied to economics

on a network of microprocessors. After all, Netscape plans to make its money

on servers, most important, its commerce servers, the servers that require

the most cryptography.

A major leader on this front, to my mind -- that is, someone who has been

barking on the end of his chain ;-) the longest and loudest about all this,

and who has gone out and learned how the clearing of transactions happens in

the capital markets and elsewhere -- is Eric Hughes. Eric, who, along with

Tim May, founded this group to begin with, who has worked with David Chaum,

and who designed and built the first anonymous remailers. One of the reasons

we don't see much of Eric around here these days is because he's out there

putting some rubber to the road in his consulting business, where he's

focusing on the very issue of cryptography and its applications to digital

commerce, and I wish him well.

That is not to slight others in this group who are also thinking about this

stuff. Not at all. In addition, most of us are looking at other issues in

cryptography, like remailers, like keeping the state out of our face, like

pithing SSL, and, frankly, most of the rest of us are too busy making a

living to do anything but lurk here. Cryptography is huge, and digital

commerce is a small conceptual subset of the whole field, no matter how

important some of us think it is.

Nonetheless, the fact that both of the founders of this group are focusing

on cryptographic financial objects and/or their network infrastructure

speaks volumes its importance anyway.

Having laid down that as covering fire ;-), let's talk about creating an

ecosystem of autonomous financial objects on public networks, and why I

think that Tim's post is particularly important.

The reason we have the multiplicity of financial instruments out there to

begin with is because there is money in creating them. But the reason

there's money in it is because of the fall of the price of networked

computer-based communication. The market they're traded in exists in

computers. The decisions made to buy and sell them are at least facilitated

by computers. The clearing and settlement of these instruments are done on

computers. However, these systems are all centralized, closed, private

systems. For that reason, the very accelleration of processing

cost-effectiveness which created them is going to sweep them away someday.

The bleeding edge of all this is the so-called 'synthetic' security,

something which exists as a software manifestation of the most recent

financial theory, sometimes only experimental and a few hours old, sometimes

sold to an investment bank's clients just like any other security, secondary

markets and all. A combination of purchases and short sales of put and call

options on a particular bond, which behaves like the bond in price, for

example, without having to hold the bond itself. This is usually done

because the liquidity or the transaction cost of holding these instruments

is lower than that of the bond. In addition, since unwinding of the

synthetic security should yield the price of the bond after transaction

costs, any discrepancies between the two yields an opportunity for

arbitrage.

Of course, in the early days, all of 10 years ago, theory held somewhat more

promise than reality. The great "portfolio insurance" fiasco of the early

80's arose from the fact that the options trades which were supposed to

offset the fall of the price of a security in this fashion turned out to be

not very liquid after all. When the time came to unwind these positions in a

hurry, they got stuck. That's not as much of a problem these days, as

evidenced by the proliferation of increasingly sophisticated securities

based on the same idea, which trade and settle just fine,

Note that we're talking about book-entry entities here. That is, these

modern securities are creatures of an environment where software

"applications" reside on a particular computer on a particular local or

private network, to manipulate centralized accounting entries on that

computer or elsewhere, in order to reflect the expected or traded value of a

security. Things that live "on" a computer. It's controlled completely from

the outside, with the exception of the behavior of the market. Not "in" it,

or "in" the network the computer's hooked into.

Notice how different all that is from a digital certificate like Chaumian

digital cash. When you get a digital certificate, you receive it through a

cryptographic protocol which ensures that it is what it says it is. If the

certificate is traded on-line, then the certificate's issuer vouches for it

right then and there. If it is traded off-line (someday, I hope...) the

certificate speaks for itself, just like a dollar bill's supposed to. As

such, it can reside anywhere, not as a book-entry "on" a central computer

somewhere, but "in" the network.

Notice also we are backing down a level of abstraction from the status quo.

A certificate is what it says it is, it is not book-entry, which is a

pointer to something which is what it says it is.

That's the paradox of modern book entry systems. A book entry used to just

"point" to a physical certificate, which in turn points to a cash-flow or a

series of cash-flows of some kind. Of course, the term "book entry" is

almost exclusively used to describe clearing capital market trades without

the physical exchange of certificates for other pieces of paper (receipts,

checks, signature guarantees, etc.). The institutional ideal in this

environment is a clearing-house wire clearing the trade in exchange for a

bank wire transfer settling the trade. The book entry becomes the primary

abstraction, not any certificate it is supposed to represent.

The problem with book entries, of course, is the problem with any database.

You have to manipulate that database, and to do that, you have to get

access, and to do that you need permission... you get the point. In a

capital market, that costs money, and it's costing more and more as a

percentage of the revenue derived from the transaction, because to get

access, you need human permission and intervention. If a human isn't

supervising things, people take advantage of their access. Mr. Leeson of

Barings was a classic case in point. Meanwhile, Moore's law keeps lowering

the cost of the rest of the production cycle.

Another problem, closer to the heart of this list, is that of anonymity. The

ultimate authority to modify that particular line item or database field

derives from the "owner" of that entry, since it is usually modified by

someone else, "a chain of custody" is needed: audit trails, and of course,

True Names are necessary somewhere, even with numbered accounts. The primary

point for inventing double-entry bookeeping was so owners could control

accountants, after all.

When electronic book entries started replacing paper ones, the resulting

economies of scale caused great centralization to occur. As I've said here

before, lines were cheaper than nodes, and things got bigger and bigger. The

advent of the microprocessor has been continually eating away at these large

control hierarchies, and making them harder and harder to maintain. Things

are getting out of control again.

In an out of control environment, like that found on public uncontrolled

networks like the internet, software has to be autonomous. A certificate,

like a piece of digital cash, is an autonomous entity. As we said before, it

is what it says it is. Because of a cryptographic protocol, you trust the

thing because of the way it behaves, not because you trust the people who

gave you access to it.

Now, Tim is talking about another type of autonomous entity, an agent,

basically, a "friendly" virus. A piece of code which is launched or launches

itself on one machine, crosses a network, runs itself on another machine,

and returns with a result. Our current concept of software agents implies

that there's something on another machine needs to be "got", usually a

database requiring access and permissions, which is why people who manage

centralized repositories of information are nervous about them, just like

microcomputers made their mainframe predecessors nervous.

On the other hand, it's easy to see a scenario where two agents arrange to

meet somewhere on a public network, in the presence of another "impartial"

agent to exchange certificates, trading, settling and clearing all in one

shot. Unsupervised. Out of control. Because the agents are engaging in a

cryptographic process which "breaks" if the entities behave improperly,

fraud is supposed to be prevented.

Which brings me to something which goes right to the heart of one of our

most cherished ideas here on cypherpunks, the idea of crypto-anarchy: with

the right cryptography, agreements become uninforceable because perfect

anonymity disconnects the "pointers" between digital and physical identity.

Crypto-anarchy means that states don't know who to force to do what.

Technology does this, it's reality, it's not optional, so we better get used

to it. The catch to all of this is a curious conceptual double negative

called non-repudiation.

I had trouble remembering the name for a while, I kept wanting to say

"plausible deniability", in the spirit of Admiral Poindexter. But I've had

to remember the real name, because the idea's so damned important.

Right now, the canon of commercial law for the entire free world (just so I

can't be accused of quibbling here :-) ) is completely based on the concept

of non-repudiation, that is, you can't repudiate an agreement, or a trade,

or you or you face legal sanction. Force, in other words. Ultimately, the

state can send you to jail, or worse.

About a year ago, when www-buyinfo had active discussion on it, (and had not

yet been turned into cyphe$rpunks by my reflexive redirection there of all

the e$ cheezy-bits from cypherpunks ;-), ) I got into an interesting

discussion there about non-repudiation and I didn't even know I was involved

in one. We were arguing about a familiar dichotomy in the concept of digital

cash, the difference between on-line and off-line protocols.

I was arguing that on-line cash was better because it was a more

"peer-to-peer" proposition than an online system, which required access to a

network connection, and high-bandwidth processing at the certificate issuer

so the issuer could participate in every single cash settlement. That

invasive participation struck me as antithetical to the whole concept of a

hyper-distributed geodesic economy that I thought that digital commerce was

going to become. The technology which made it possible for anyone, anywhere,

to sell anything digitable -- music, movies, information, teleoperator

control sequences, professional services, and financial instruments -- to

anyone else, while using the cheapest possible transaction protocol, that

is, cash, a protocol which immediately and finally clears and settles a

transaction, will win out in the end.

So, I was finding myself twisting in the wind about all of this, trying to

figure out how offline cash was going to have to work if double-spending was

possible, how could be kept to managable levels. I found myself saying

things like (forgive me), "Well, if they double-spend, put 'em in the airlo-

er, throw 'em in jail!". In other words, we have the key of the double

spender, even if she's anonymous, so we could use snitches, subpoenas of

bank records, and plain old detective work, to send her to jail should she

repudiate the agreement to not double-spend.

It's hard to see how that would happen in a perfect world with perfect

anonymity, much less in a world where nation-states couldn't collect income

to pay for judges, courts, and LEAs. Nick Szabo was gleefully slapping me

around the head and shoulders about this, and I retired from the field. So,

no matter how much the idea refuses to leave my thick Frisian head, I'll

leave that big, red, dog ("Hey, baby...") sleeping on the front porch for

the time being. This without even touching the other problem with digital

cash in general, Nathaniel Borenstein's favorite anti-digital-cash 2-by-4 --

which threatens all digital cash systems on- or off- line -- the prospect of

someone inside a certificate issuer stealing the private key for an entire

issue, and printing all the money she wants. To that I say, use multiple

issues, and distribute keys, but I see that big red dog's waking up, so

we'll move on...

So, you can see we're talking about the alleged inability of cryptography to

deal with the repudiation of digital cash trades. It cannot currently keep

transactions either the way cypherpunks want, utterly anonymous, and the way

I want them, off-line.

In fact, at the moment, I'm very close to holding the strong form of this

argument, that is, the concept of non-repudiation is the only reason we're

being forced into true-name trades right now. It's not the long arm of the

law, it's the market, which makes sense. If it was just a legal obstacle,

and really contrary to market forces, it should have collapsed under a

barrage regulatory arbitrage attempts. No threat of legal force would have

prevented people from trying to make money issuing digital cash.

The War on Some Drugs is a good example of this.

If we could get digital cash trades, or trades of any kind of financial

instrument for that matter, to trade on public networks without the ability

to repudiate them, it probably won't matter whether they're illegal, which

is interesting, to say the least, but it's no different from what happens

with paper certificates.

Now, as usual, all this is no brilliant insight on my part. A few days ago,

I didn't know what "non-repudiation" meant.

On Wednesday, I had a very interesting over-coffee conversation with Yet

Another Professional Who Wants To Remain Anonymous. I must be a magnet to

these people for some reason, at least until they figure out I'm not that

useful. Or maybe because it's because I need so much help. Anyway, people

who were on cypherpunks last summer remember my previous anonymous legal

informant, the esteemed councellor Vinnie "The Pro" Bono, not to be confused

with his second cousin, the Honorable Sonny. "Vinnie" wanted to remain

anonymous because he was afraid of being deluged with requests for free

legal advice, among other things. I still won't tell you who he was, but he

has since "come out", and, of course, we aren't choking his POP server with

requests to get our various relations out of the slammer, or anything else

for that matter, even though he talks freely here under his True Name.

I expect my new friend will figure this out soon enough. The other reason he

gave is that he's so damn busy he doesn't have time to do much but lurk.

Unfortunately, this guy lurks not here, but on www-buyinfo, having signed on

to cypherpunks and deciding not to drink from a firehose, thank you very

much, and since I've been spamming it lately with the aforementioned

cypherpunks e$ cheezy bits, he seems to prefer it there. I have to admit

myself that as much as I like it here, it is an acquired taste...

Now, our friend Vinnie has very some serious credentials, but this new guy

is just plain scary because he's so focused on the commercial law of EDI and

electronic commerce. This hypercredentialed gentleman shows up on the

program committee of various "suit" conferences on electronic commerce,

sponsored by various international legal entities and TLAs, and seems to be

up to his elbows in the Current Fantasy according to the Powers that Be, in

particular, its legal armature: legal sanction, non-repudiation, True Names,

and all.

Which leads me to his moniker. I thought I was going to be civil about this,

and just refer to him in the third person singular, but I had this amazing

brainstorm. Remember the comedian "Professor" Edwin Corey, who died

recently? His schtick was a variant on the nutty professor, obfiscatory

language, lab coat, Converse high-tops and all, and he called himself the

"The World's Foremost Authority". Didn't say on what, which was the point.

As a philosophy major at Mizzou who really loved his informal fallacies, one

of which was the Appeal to Authority, this particular example always made me

laugh. So, I've dubbed this particular informant "Edwin Corey", or "Mr.

Corey" in true Oxfordian fashion, not to be at all uncharitable, but

because, in truth, this guy is probably the world's foremost authority on

this stuff, if anyone is...

He's going to give me pointers to some of this proposed "legal armature"

from time to time, the first of which is a report by one Michael Baum

entitled, deep breath, "Federal Certification Authority Liability and

Policy: Law and Policy of Certificate-Based Public Key and Digital

Signatures". This 500+ page monster can be obtained from, who else, The

Feds, in particular, another big breath, the United States Department of

Commerce, Technology Administration, National Technical Information Service,

Springfield, VA, 22161; (703) 487-4650. The cost is $61, plus $6 for

shipping and handling, plus $2 for orders sent outside the U.S., Canada or

Mexico, plus rush charges if you call 1-800-553-NTIS, and if you don't jump

up and down three times before you write the check or read them your credit

card over the phone, the trade will be repudiated. ;-).

Oh. It says something here about being able to get it through a web-site

called FedWorld, http://www.fedworld.gov .

So, it's very important to work on financial objects and agents. However, I

should really try to concentrate on the issue of non-repudiation, because it

is a necessary, and maybe (strong form) necessary and sufficient, criteria

for the development of digital commerce on public networks.

�

Cheers,

Bob Hettinga

�

----------------------------------------------------------------------------

               [ [Image] home page ] | [ On to the next Rant ]