e$: Non-Repudiation

From: rah@shipwright.com (Robert Hettinga)
Subject: e$: Non-Repudiation

Dr. May said:

>the "ontology" of digital money, the instruments and forms it
>can take, are _impoverished_ compared to the real world.

Ah... Someone's playing my song...

Sorry I took so long, but I wanted to give this excellent post some serious attention, which is hard to come by when you're a person like me (praise the lord and pass the Ritalin ;-) ).

>In my eight years of following digital cash work, I've been
>struck with how little _economics_ enters the fray.

I think you're right, Tim. More and more people are finally realizing that digital commerce is cryptography: cryptography as it's applied to economics on a network of microprocessors. After all, Netscape plans to make its money on servers, most important, its commerce servers, the servers that require the most cryptography.

A major leader on this front, to my mind -- that is, someone who has been barking on the end of his chain ;-) the longest and loudest about all this, and who has gone out and learned how the clearing of transactions happens in the capital markets and elsewhere -- is Eric Hughes. Eric, who, along with Tim May, founded this group to begin with, who has worked with David Chaum, and who designed and built the first anonymous remailers. One of the reasons we don't see much of Eric around here these days is because he's out there putting some rubber to the road in his consulting business, where he's focusing on the very issue of cryptography and its applications to digital commerce, and I wish him well.

That is not to slight others in this group who are also thinking about this stuff. Not at all. In addition, most of us are looking at other issues in cryptography, like remailers, like keeping the state out of our face, like pithing SSL, and, frankly, most of the rest of us are too busy making a living to do anything but lurk here.
Cryptography is huge, and digital commerce is a small conceptual subset of the whole field, no matter how important some of us think it is. Nonetheless, the fact that both of the founders of this group are focusing on cryptographic financial objects and/or their network infrastructure speaks volumes about its importance anyway.

Having laid down that as covering fire ;-), let's talk about creating an ecosystem of autonomous financial objects on public networks, and why I think that Tim's post is particularly important.

The reason we have the multiplicity of financial instruments out there to begin with is because there is money in creating them. But the reason there's money in it is because of the fall of the price of networked computer-based communication. The market they're traded in exists in computers. The decisions made to buy and sell them are at least facilitated by computers. The clearing and settlement of these instruments are done on computers. However, these systems are all centralized, closed, private systems. For that reason, the very acceleration of processing cost-effectiveness which created them is going to sweep them away someday.

The bleeding edge of all this is the so-called 'synthetic' security, something which exists as a software manifestation of the most recent financial theory, sometimes only experimental and a few hours old, sometimes sold to an investment bank's clients just like any other security, secondary markets and all. A combination of purchases and short sales of put and call options on a particular bond, which behaves like the bond in price, for example, without having to hold the bond itself. This is usually done because the liquidity or the transaction cost of holding these instruments is lower than that of the bond. In addition, since unwinding of the synthetic security should yield the price of the bond after transaction costs, any discrepancies between the two yield an opportunity for arbitrage.
Of course, in the early days, all of 10 years ago, theory held somewhat more promise than reality. The great "portfolio insurance" fiasco of the early 80's arose from the fact that the options trades which were supposed to offset the fall of the price of a security in this fashion turned out to be not very liquid after all. When the time came to unwind these positions in a hurry, they got stuck. That's not as much of a problem these days, as evidenced by the proliferation of increasingly sophisticated securities based on the same idea, which trade and settle just fine.

Note that we're talking about book-entry entities here. That is, these modern securities are creatures of an environment where software "applications" reside on a particular computer on a particular local or private network, to manipulate centralized accounting entries on that computer or elsewhere, in order to reflect the expected or traded value of a security. Things that live "on" a computer. It's controlled completely from the outside, with the exception of the behavior of the market. Not "in" it, or "in" the network the computer's hooked into.

Notice how different all that is from a digital certificate like Chaumian digital cash. When you get a digital certificate, you receive it through a cryptographic protocol which ensures that it is what it says it is. If the certificate is traded on-line, then the certificate's issuer vouches for it right then and there. If it is traded off-line (someday, I hope...) the certificate speaks for itself, just like a dollar bill's supposed to. As such, it can reside anywhere, not as a book-entry "on" a central computer somewhere, but "in" the network.

Notice also we are backing down a level of abstraction from the status quo. A certificate is what it says it is, it is not book-entry, which is a pointer to something which is what it says it is. That's the paradox of modern book entry systems.
A book entry used to just "point" to a physical certificate, which in turn points to a cash-flow or a series of cash-flows of some kind. Of course, the term "book entry" is almost exclusively used to describe clearing capital market trades without the physical exchange of certificates for other pieces of paper (receipts, checks, signature guarantees, etc.). The institutional ideal in this environment is a clearing-house wire clearing the trade in exchange for a bank wire transfer settling the trade. The book entry becomes the primary abstraction, not any certificate it is supposed to represent.

The problem with book entries, of course, is the problem with any database. You have to manipulate that database, and to do that, you have to get access, and to do that you need permission... you get the point. In a capital market, that costs money, and it's costing more and more as a percentage of the revenue derived from the transaction, because to get access, you need human permission and intervention. If a human isn't supervising things, people take advantage of their access. Mr. Leeson of Barings was a classic case in point. Meanwhile, Moore's law keeps lowering the cost of the rest of the production cycle.

Another problem, closer to the heart of this list, is that of anonymity. The ultimate authority to modify that particular line item or database field derives from the "owner" of that entry; since it is usually modified by someone else, "a chain of custody" is needed: audit trails, and of course, True Names are necessary somewhere, even with numbered accounts. The primary point for inventing double-entry bookkeeping was so owners could control accountants, after all.

When electronic book entries started replacing paper ones, the resulting economies of scale caused great centralization to occur. As I've said here before, lines were cheaper than nodes, and things got bigger and bigger.
The advent of the microprocessor has been continually eating away at these large control hierarchies, and making them harder and harder to maintain. Things are getting out of control again.

In an out of control environment, like that found on public uncontrolled networks like the internet, software has to be autonomous. A certificate, like a piece of digital cash, is an autonomous entity. As we said before, it is what it says it is. Because of a cryptographic protocol, you trust the thing because of the way it behaves, not because you trust the people who gave you access to it.

Now, Tim is talking about another type of autonomous entity, an agent, basically, a "friendly" virus. A piece of code which is launched or launches itself on one machine, crosses a network, runs itself on another machine, and returns with a result. Our current concept of software agents implies that there's something on another machine that needs to be "got", usually a database requiring access and permissions, which is why people who manage centralized repositories of information are nervous about them, just like microcomputers made their mainframe predecessors nervous.

On the other hand, it's easy to see a scenario where two agents arrange to meet somewhere on a public network, in the presence of another "impartial" agent to exchange certificates, trading, settling and clearing all in one shot. Unsupervised. Out of control. Because the agents are engaging in a cryptographic process which "breaks" if the entities behave improperly, fraud is supposed to be prevented.

Which brings me to something which goes right to the heart of one of our most cherished ideas here on cypherpunks, the idea of crypto-anarchy: with the right cryptography, agreements become unenforceable because perfect anonymity disconnects the "pointers" between digital and physical identity. Crypto-anarchy means that states don't know who to force to do what.
Technology does this, it's reality, it's not optional, so we better get used to it.

The catch to all of this is a curious conceptual double negative called non-repudiation. I had trouble remembering the name for a while, I kept wanting to say "plausible deniability", in the spirit of Admiral Poindexter. But I've had to remember the real name, because the idea's so damned important.

Right now, the canon of commercial law for the entire free world (just so I can't be accused of quibbling here :-) ) is completely based on the concept of non-repudiation, that is, you can't repudiate an agreement, or a trade, or you face legal sanction. Force, in other words. Ultimately, the state can send you to jail, or worse.

About a year ago, when www-buyinfo had active discussion on it, (and had not yet been turned into cyphe$rpunks by my reflexive redirection there of all the e$ cheezy-bits from cypherpunks ;-), ) I got into an interesting discussion there about non-repudiation and I didn't even know I was involved in one.

We were arguing about a familiar dichotomy in the concept of digital cash, the difference between on-line and off-line protocols. I was arguing that on-line cash was better because it was a more "peer-to-peer" proposition than an online system, which required access to a network connection, and high-bandwidth processing at the certificate issuer so the issuer could participate in every single cash settlement. That invasive participation struck me as antithetical to the whole concept of a hyper-distributed geodesic economy that I thought that digital commerce was going to become.
The technology which made it possible for anyone, anywhere, to sell anything digitable -- music, movies, information, teleoperator control sequences, professional services, and financial instruments -- to anyone else, while using the cheapest possible transaction protocol, that is, cash, a protocol which immediately and finally clears and settles a transaction, will win out in the end.

So, I was finding myself twisting in the wind about all of this, trying to figure out how offline cash was going to have to work if double-spending was possible, how it could be kept to manageable levels. I found myself saying things like (forgive me), "Well, if they double-spend, put 'em in the airlo- er, throw 'em in jail!". In other words, we have the key of the double spender, even if she's anonymous, so we could use snitches, subpoenas of bank records, and plain old detective work, to send her to jail should she repudiate the agreement to not double-spend. It's hard to see how that would happen in a perfect world with perfect anonymity, much less in a world where nation-states couldn't collect income to pay for judges, courts, and LEAs.

Nick Szabo was gleefully slapping me around the head and shoulders about this, and I retired from the field. So, no matter how much the idea refuses to leave my thick Frisian head, I'll leave that big, red, dog ("Hey, baby...") sleeping on the front porch for the time being.

This without even touching the other problem with digital cash in general, Nathaniel Borenstein's favorite anti-digital-cash 2-by-4 -- which threatens all digital cash systems on- or off-line -- the prospect of someone inside a certificate issuer stealing the private key for an entire issue, and printing all the money she wants. To that I say, use multiple issues, and distribute keys, but I see that big red dog's waking up, so we'll move on...

So, you can see we're talking about the alleged inability of cryptography to deal with the repudiation of digital cash trades.
It cannot currently keep transactions either the way cypherpunks want, utterly anonymous, and the way I want them, off-line.

In fact, at the moment, I'm very close to holding the strong form of this argument, that is, the concept of non-repudiation is the only reason we're being forced into true-name trades right now. It's not the long arm of the law, it's the market, which makes sense. If it was just a legal obstacle, and really contrary to market forces, it should have collapsed under a barrage of regulatory arbitrage attempts. No threat of legal force would have prevented people from trying to make money issuing digital cash. The War on Some Drugs is a good example of this.

If we could get digital cash trades, or trades of any kind of financial instrument for that matter, to trade on public networks without the ability to repudiate them, it probably won't matter whether they're illegal, which is interesting, to say the least, but it's no different from what happens with paper certificates.

Now, as usual, all this is no brilliant insight on my part. A few days ago, I didn't know what "non-repudiation" meant. On Wednesday, I had a very interesting over-coffee conversation with Yet Another Professional Who Wants To Remain Anonymous. I must be a magnet to these people for some reason, at least until they figure out I'm not that useful. Or maybe it's because I need so much help.

Anyway, people who were on cypherpunks last summer remember my previous anonymous legal informant, the esteemed counsellor Vinnie "The Pro" Bono, not to be confused with his second cousin, the Honorable Sonny. "Vinnie" wanted to remain anonymous because he was afraid of being deluged with requests for free legal advice, among other things.
I still won't tell you who he was, but he has since "come out", and, of course, we aren't choking his POP server with requests to get our various relations out of the slammer, or anything else for that matter, even though he talks freely here under his True Name.

I expect my new friend will figure this out soon enough. The other reason he gave is that he's so damn busy he doesn't have time to do much but lurk. Unfortunately, this guy lurks not here, but on www-buyinfo, having signed on to cypherpunks and deciding not to drink from a firehose, thank you very much, and since I've been spamming it lately with the aforementioned cypherpunks e$ cheezy bits, he seems to prefer it there. I have to admit myself that as much as I like it here, it is an acquired taste...

Now, our friend Vinnie has some very serious credentials, but this new guy is just plain scary because he's so focused on the commercial law of EDI and electronic commerce. This hypercredentialed gentleman shows up on the program committee of various "suit" conferences on electronic commerce, sponsored by various international legal entities and TLAs, and seems to be up to his elbows in the Current Fantasy according to the Powers that Be, in particular, its legal armature: legal sanction, non-repudiation, True Names, and all.

Which leads me to his moniker. I thought I was going to be civil about this, and just refer to him in the third person singular, but I had this amazing brainstorm. Remember the comedian "Professor" Edwin Corey, who died recently? His schtick was a variant on the nutty professor, obfuscatory language, lab coat, Converse high-tops and all, and he called himself "The World's Foremost Authority". Didn't say on what, which was the point. As a philosophy major at Mizzou who really loved his informal fallacies, one of which was the Appeal to Authority, this particular example always made me laugh. So, I've dubbed this particular informant "Edwin Corey", or "Mr.
Corey" in true Oxfordian fashion, not to be at all uncharitable, but because, in truth, this guy is probably the world's foremost authority on this stuff, if anyone is...

He's going to give me pointers to some of this proposed "legal armature" from time to time, the first of which is a report by one Michael Baum entitled, deep breath, "Federal Certification Authority Liability and Policy: Law and Policy of Certificate-Based Public Key and Digital Signatures".

This 500+ page monster can be obtained from, who else, The Feds, in particular, another big breath, the United States Department of Commerce, Technology Administration, National Technical Information Service, Springfield, VA, 22161; (703) 487-4650. The cost is $61, plus $6 for shipping and handling, plus $2 for orders sent outside the U.S., Canada or Mexico, plus rush charges if you call 1-800-553-NTIS, and if you don't jump up and down three times before you write the check or read them your credit card over the phone, the trade will be repudiated. ;-). Oh. It says something here about being able to get it through a web-site called FedWorld, http://www.fedworld.gov .

So, it's very important to work on financial objects and agents. However, I should really try to concentrate on the issue of non-repudiation, because it is a necessary, and maybe (strong form) necessary and sufficient, criterion for the development of digital commerce on public networks.

Cheers,
Bob Hettinga