Anonymous Transport Layer
Patrick Chkoreff
patrick at fexl.com
Sun Apr 27 08:35:25 PDT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
From: John Kelsey <kelsey.j at ix.netcom.com>
(Regarding my non-blinded scheme)
> Right. You actually can get reasonable anonymity with the kind of
> scheme
> you're proposing, assuming anonymous communications and heavy use of
> the
> system. When you get a coin issued, you just keep it in limbo for
> awhile,
> and then "spend" it with yourself, iterating until your paranoia level
> is
> satisfied. If the system is heavily used for real stuff, and the uses
> are
> over an anonymous communications network, there should be no way for
> the
> bank to tell when you're transferring the coin to yourself, vs. when
> you're
> transferring it to someone else. ...
I have sometimes wondered if it might be possible to use non-blinded
digital notes on top of an anonymous transport layer and thereby
achieve the same untraceability as that provided by blinded digital
notes.
So, I considered the possibility that a coder might be lazy and write a
system that over normal IP would have undesirable traceability
characteristics, and simply wave his hands and say "Ah, no problem, I'm
letting the transport layer (Tarzan, ANON, etc.) take care of that."
If such a division of labor were possible, it would be analogous to
using a Secure Socket Layer in an application, knowing only how to set
up and tear down the protocol but nothing in particular about
cryptography.
One might even assume the worst case, that the server records every bit
of information it ever receives for all time. The main events recorded
would be of the form "At time T, the server received note P[i] for
redemption and sent out note P[i+1] in return." So there would in fact
(worst case) be a traceable chain P[1]-> ... ->P[n]. However, there
would be no IP address information because of the anonymous transport
layer.
> The bank can tell that you have coin X
> today, and that 20 iterations ago, that was coin Y. ...
Yes, I see, the P[1]->...->P[n] chain.
> But that isn't going
> to give very much information about whether the coin is still in the
> possession of the same person. ...
Yes, but the 20 rounds of thrashing occur within a specific short time
period, so that won't fool ANY spook worth his salt, right?
Alice deposits a gold Maple at the bank and receives P[1]. The next
day she thrashes P[1]-> ... -> P[20] in a period of one second. Four
days later she spends P[20] with Bob's Kinky Sex Emporium. Bob swaps
P[20] for P[21]. The next day he redeems P[21] for a gold Maple
(ignoring fees of course).
I guess the problem here is that the bank receiving and issuing gold
Maples knows that P[1] belongs to Alice and P[21] belongs to Bob at Kinky.
The time stamps on the chain of swaps P[1] ... P[20] look
suspiciously like obscurity-thrashing, although the bank cannot be
absolutely sure, of course. Instead, Alice might have spent P[1] for a
gardening book at Amazon and some kinky employee there did the
thrashing P[2] ... P[20].
Such a scheme might provide a certain level of plausible deniability,
but I am not sure one could capitalize on it enough to build a solid
system. It does sound a bit crufty compared to blinding, although the
possibility of a more efficient implementation (storing unspent coins
only for low disk usage and hyper-fast lookup) might compensate --
although there might be a cost in bandwidth, but that might be
proportional to paranoia level and charged accordingly.
The idea of implementing a relatively unsafe digital note protocol on
top of an anonymous transport layer is appealing, but I am not sure
such a division of labor is possible. Can anyone provide a bit of
guidance on this point? I know Google is my friend, but this is a
pretty subtle question and just a hint will suffice.
The problem at the endpoints described above might be mitigated
considerably if we had a world-wide network of gold kiosks providing
bidirectional swapping of physical gold and digital notes -- a true
e-hawala. Alice could don a ski mask and deposit a gold Maple in
Jasper, Georgia, and five days later Bob at Kinky could don a ski mask and
receive a gold Maple in Helsinki. There would be no "bank" where Alice
or Bob would have to identify themselves.
<tangent>
There's an ideal world scenario for you -- gold kiosks, cheap
disposable smart card note purses, and wireless network everywhere. In
an interesting twist, this would not in fact be a "cashless society,"
but an even more "cashful society" with one brand new feature: the
ability to teleport fungible gold atoms from Jasper to Helsinki in a
fraction of a second. The ultimate hawala, where oil-powered shipment
of gold would only occasionally be necessary to balance out the kiosk
inventories. Perhaps eventually the need for giant central stores of
gold could be nearly eliminated. Gold would just be laying around in
kiosks everywhere on the planet, just waiting for someone with the
right bits (or tools :-) to pick it up. I'm sure many of you have
discussed such starry-eyed visions at length, but please forgive this
newbie for indulging a bit as this cappuccino-inspired vision possesses
him.
</tangent>
- -- Patrick
http://fexl.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPqv4x1A7g7bodUwLEQIMfQCgw3QwMINRZKzZdP+8ke6JjuLYAlUAoKBl
fMuBMYvCkXdK+kZv1PT5Ki51
=Vxog
-----END PGP SIGNATURE-----
More information about the Testlist
mailing list