Argomenti trattati: privacy, controllo, matching, crittografia, denaro elettronico, PGP, public-key, ARA, pseudonimi digitali, crypto-hacker
Electronic Money
The next step, the third layer in our description, is digital cash-electronic money. Cash, ordinary folding paper money, is one of the last bastions of privacy in our financial lives. And many of the problems described above - the losses of privacy, the increase in computerized information-could beavoided if cashcould be used more easily. But cash has many disadvantages. It can be lost, or stolen, and it's not safe to carry in large quantities. Also, it is useless for purchases made electronically, over the phone or (in the future) over computer networks. Digital cash is designed to combine the advantages of electronic payment systems - the safety and convenience - with the advantages of paper money - the privacy and anonymity.
Once again, we are faced with paradoxes in the notion of digital cash. Since digital cash may be sent by email and other electronic methods, it must basically be an information pattern - in concrete terrns, some pattem of letters and numbers. How could such a string of characters have value, in the same sense that the dollar bill in your wallet does? What about counterfeiting? Couldn't another copy of the character string be created trivially? What prevents a person from aspending" the same money twice?
To answer these questions we turn again to public-key cryptography. Realize, though, that electronic money is an active area of research in cryptography. Many people have proposed different systems for electronic cash, each of which has its own advantages and disadvantages. I will present here a simplified concept to give a feel for the problems and solutions which exist (4).
One way to think of digital cash is by analogy to the early days of paper money. At one time, paper money was not the monopoly of govemments that it is today. Instead, paper money was "bank notes", often given as receipts for the deposit of gold or similar "real money" in bank vaults. These notes would carry a description of what they were worth, such as, "Redeemable for one ounce of gold." A particular bank note could be redeemed at the issuing bank for its face value. People used these bank notes as we use paper money today. They were valuable because they were backed by materials of value in the bank vaults.
In a sense, then, a bank note can be viewed as a signed document, a promise to perform a redemption for the bearer who presents it at the bank. This suggests a way of thinking of digital money. Instead of a paper note with an engraved signature, we instead would use an electronic mail message with a digital signature.
An electronic bank could, like the t,anks of old, have valuable materials in its vaults. Today, these would likely be dollars or other government currency, but they could be gold or other commodities. Using these as backing, it would issue bank notes. These would be electronic messages, digitally signed by the bank's secret l;ey, promising to transfer a specified sum to the account of whomever presented the note to the bank (or, if desired, to redeem the note in dollars or other valuables.)
Here is how it might work. You open an account with an electronic bank, depositing some money as in any bank. The bank then credits your account with your initial balance. Now, suppose you are going to want to make an electronic payment to me. Prior to any transactions, you would send a message to the bank, requesting one or more bank notes in specified denominations. (This is exactly analogous to with drawing cash from your regular bank account.) The bank debits your account, creates new bank note messages, and sends them to you. They are sent to you as signed messages, encrypted with the bank's secret key. When decrypted with the bank's public key, which everyone knows, a one-dollar digital bank note would say, in effect, "This note is worth $1.00, payable on demand ." It would also include a unique serial number, like the serial number on a dollar bill.
The serial number is important; as we will see below, it is used by the bank to make sure that a particular note is accepted for deposit only once. But putting serial numbers on the bank notes hurts anonymity; the bank can remember which account a banknote was with drawn from, and then when it is deposited the bank will know that the depositer is doing business with the with drawer. To avoid this, Chaum introduces a clever mathematical trick (too complex to describe here) which allows the serial number to be randomly changed as the note is with drawn from the bank. The bank note still retains its proper form and value, but the serial number is different from the one the bank saw. This allows the bank to check that the same note isn't deposited more than once, while making it impossible for the bank to determine who with drew any note that is deposited.
When you are ready to purchase something from me, you simply email me the appropriate banknote messages. I can check that they are legitimate bank notes by using the bank's public key to verify its signature. I then email the notes to the bank, which checks that the account numbers on the notes have not been deposited before this. If they are valid bank notes, the bank credits my account for the face value of the notes. Your account was decreased when you with drew the bank notes, which you held like cash, and mine was increased when I sent them to the bank. The result is similar to how it would work if you with drew (paper) cash from the bank, mailed it to me, and I deposited the cash in my own account.
Figure 4 shows a similar transaction between Alice and Bob. The bank, in the upper left corner, creates a digital bank note by signing a message which specifies the serial number and value of the note, and sends it to Alice. Alice, as she with draws it, uses Chaum's technique to alter the serial number so that the bank will not recognize the note as being from this with drawal. She then pays Bob electronically by sending the bank note to him. Bob checks the note's validity by decrypting using the bank's public key to check its signature. He then sends the note to the bank, which checks the serial number to confirm that this bank note hasn't been spent used before. The serial number is different from that in Alice's withdrawal, preventing the bankfrom linking the two transactions.
With this simple picture in mind, we can begin to answer some of the objections listed above. Bank notes cannot be forged because only the bank knows the secret key that is used to issue them. Other people will therefore not be able to create banknotes of their own. Also, anyone can check that a bank note is not a forgery by verifying the bank's digital signature on the note. As for the copying issue, preventing a person from spending the same bank note more than once, this is handled by checking with the bank to see if the serial number on the note had been used before before accepting a bank note as payment. If it had been, the note would not be accepted. Any attempt to re-use a bank note will be detected because the serial number will be a duplicate of one used before. This means, too, that once you "spend" your digital cash by emailing it to someone, you should delete it from your computer, as it will be of no further value to you.
This simple scheme gives some of the flavor of electronic cash, but it still has awkward features. The need to check with the bank for each transaction may be inconvenient in many environments. And the fixed denominations of the banknotes described here, the inability to split them into smaller pieces, will also limit their usefulness. Chaum and others have proposed more complex systems which solve these problems in different ways.(5) With these more advanced systems, the anonymity, privacy, and convenience of cash transactions can be achieved even in a purely electronic environment.
Electronic Money in Practice
Having described the three layers of privacy protection, we can now see how electronic transactions can maintain individual privacy. Public-key cryptography protects the confidentiality of messages, as well as playing a key role in the other layers. Anonymous messaging further allows people to communicate without revealing more about themselves thanthey choose. And electronic money combines the anonymity of cash with the convenience of electronic payments. David Chaum has described variations of these techniques that can extend privacy protection to many other areas of our lives as well.(6)
Although my description of digital cash has been in terms of computer networks with email message transactions, it can be applied on a more local scale as well. With credit card sized computers, digital cash could just as easily be used to pay for groceries at the local supermarket as to order software from an anonymous supplier on the computer networks. "Smartcard"computers using digital cash could replace credit or debit cards for many purposes. The same types of messages would be used, with the interaction being between your smart card and the merchant's card reader.
On the nets themselves, any goods or service swhich are primarily information based would be natural candidates for digital cash purchases. Today this might include such things as software, electronic magazines, even electronic books. In the future, with higher-bandwidth networks, it may be possible to purchase music and video recordings across the nets.
As another example, digital cash and anonymous remailers (such as Chaum's Mixes) have a synergistic relationship; thatis,eachdirectlybenefits theother. Without anonymous remailers, digital cash would be pointless, as the desired confidentiality would be lost with each transaction, with message source and destination blatantly displayed in the electronic rnail messages. And in the other direction, digital cash can be used to support anonymous remailirtg services. There could be a wide range of Mix services available on the nets; some would be free, and presumably offer relatively simple services, but others would charge, and would offer more service or more expensive security precautions. Such for-profit remailers could be paid for by digital cash.
What are the prospects for the eventual implementation of digital cash systems and the other technologies described here? Some experiments are already beginning. David Chaum has started a company, DigiCash, based in Amsterdam, which is attempting to set up an electronic money system on a small scale. As with any new business concept, though, especially in the conservative financial community, it will take- time before a new system like this is widely used.
The many laws and regulations covering the banking and financial services industries in most Western nations will undoubtedly slow the acceptance of digital cash. Some have predicted that the initial success of electronic money may be in the form of a technically illegal "black market a where crypto-hackers buy and sell information, using cryptography to protect against government crackdowns.
In the nearer term, the tools are in place now for people to begin experimenting with the other concepts discussed here. Public-key cryptography is becomirlg a reality on the computer networks. And experimental remailers with integrated public-key cryptosystems are already in use on a small scale. Digital-pseudonym-based anonymous message posting should begin happening within the next year. The field is moving rapidly, as privacy advocates around the world hurry to bring these systems into existence before governments and other large institutions can react. See the "Access" box for inforrnation on how you can play a part in this quiet revolution.
We are on a path to day which, if nothing changes, will lead to a world with the potential for greater government power, intrusion, and control. We can change this; these technologies can revolutionize the relationship between individuals and organizations, putting them both on an equal footing for the first time. Cryptography can make possible a world in which people have control over information about themselves, not because government has granted them that control, but because only they possess the cryptographic keys to reveal that information. This is the world we are working to create.
Notes
(1) For a review of the status of current monitoring technology, see [CIarke 88].
(2) See [Diffie 76].
(3) The "Mix" is described in [Chaum 81]. Chaum's other solution, the "DC-Net", is described in [Chaum 88A].
(4) The electronic money scheme I describe is a simplification of Chaum's first proposal in [Chaum 88B].
(5) For more proposals about electronic cash, see: [Even 83], [Chaum 85], [Okamoto 89], [Okamoto 90], [Hayes 90], and [Chaum 90].
(6) see [Chaum 85] and [Chaum 92].
Public-Key Cryptography
Philip Zimmermann's free program PGP ("Pretty Good Privacy" is a widdy available implementation of public key cryptography. It features high speed and has excellent key management, and operates on many systems, including PC compatibles, Macintoshes, and most Unix-based work stations. At publication time, version 2.1 was current Readers with Internet access should be able to find PGP on such hosts as princeton.edu (/pub/pgp20) and pencil.cs.missouri.edu (/pub/crypt). Many of the larger bulletin-board systems carry PGP as well. Send email to Hugh Miller at <info-pgp-request@lucpul.it.luc.edu> for current information, or check the Usenet newsgroup alt.security.pgp.
Mark Riordan's free program RIPEM was in beta test at press time, with a release expected soon. Contact the author at <mrr@scss3.cl.msu.edu> for information about availability.
The Internet PEM ("Privacy Enhanced Mail") standard was due to be completed soon at press time. PEM uses a key-management hierarchy in which users register their public keys with a centralized organization. Free software implementing the basic public-key algorithms was expected to be available soon after the standard is finalized. Mail to <pem-dev@tis.com> for more information on availability.
Anonymow Remailers
An email discussion group exists which is devoted to the topics of encryption, remailers, digital cash, and other topics related to these. Experimental anonymous remailers are under development at press time and should be widely available soon. Contact <cypherpunksrequest@toad.com> for information.
References
[Chaum 81] Chaum, D., Untraceable Elcetronic Mail, Return Addresses and Digital Pseudonyms. Communications of the ACM, vol. 24, n . 2, p. 84-88, February, 1981.
[Chaum 85] Chaum, D., Security wthout Identificatlon: Transaction Systems to make Big Brother Obsolete. Communications of the ACM, vol. 28, n. 10, p. 1030-1044, October, 1985.
IChaum 88AI Chaum, D., The Dining Cryptographers Problern: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, vol. 1, p. 65-75,1988.
[Chaum 88B] Chaum, D., Fiat, A., Naor, M., Untraceable electronic cash. In: Advances in Cryptology- CRYPTO '88, p. 319-27,1988.
[Chaum 90] Chaum, D., Showing Credentials without Idcntifycation. Transfcrring Signatures between Unconditionally Unlinkable Pseudonyms. In: Advances in Cryptology - AUSCRYIPT '90, p. 246-64, 1990.
[Chaum 92] Chaum, D., Achieving Electronic Privacy. Scientific American, vol 267, n. 2, p. 96-101, August, 1992.
[CIarke88] Clarke, R., lnformation Technology and Dataveillance. Communications of the ACM, vol. 31, n. 5, p. 498-512, May, 1988.
[Diffie 76] Diffie, W., Hellman, M., New Directions in Cryptography. IEEE Transactions on Information Theory, November, 1976, p. 644.
[Even 83] Even, S., Goldreich, O., Electronic Wallet. In Advances in Cryptology - CRYPTO '83, p. 383-386,1983.
[Hayes 90] Hayes, B., Anonymous One-Time Signatures and Flexible Untraceable Electronic Cash In: AusCrypt '90, p. 294-305,1990.
[Okamoto 89] Okamoto, T., Ohta, K., Disposable Zero-Knowledge Authentications and Their Application to Untraceable Electronic Cash In: Advances In Cryptology - CRYPTO '89, p. 481-496,1989.
[Okamoto 90] Okamoto, T., Ohta, K., Universal Electronic Cash. In: Advances in Cryptology - CRYPTO '90, p. 324-337,1990.