List: cypherpunks
Subject: Re: b-money/hashcash vs micromint
From: Adam Back <aba () dcs ! ex ! ac ! uk>
Date: 1999-04-17 17:45:04

Ben Laurie writes:

> > Hash-trees solve this problem, you can't retroactively fake timestamps
> > after the fact, even if you have the private key. (hash all your
> > hashed docs and publish it in the NY times personals ads, there exists
> > a group doing just this, their URL / name was posted to one of the
> > crypto lists in the last couple of days).
>
> Doesn't that require me to find a definitive list of all coins in order
> to check the hash-tree

Yup, the definitive list of all coins is otherwise known as the "double spend database", and we've already burdened the design with one of them, so at this point that much is free.

> (tree? where does the tree come in? [other than the dead ones]).

You can hash hashes of documents and hash sets of hashes of hashes of documents etc. which forms a tree of hashes, and doing so allows you to reduce the overhead of actually getting every last document to verify a given document. If you believe some hashes in the tree are valid, you can restrict the set of documents you require to verify a given document to a subtree.

> > > Which is going to lead you to say that it has to be signed (I'll bet).
> >
> > Time stamps aren't worth much without signatures.
> >
> > > In which case, why not just sign serial numbers and be done with it?
> >
> > Because then you're back to trust problems with the minter and issuer.
>
> But I can trust the signature on the timestamp?

Because after the signature is made and the hash of the signed documents for today (this hour/minute/second) is published, no one, not even the private key owner, can retroactively sign another timestamp, because that would invalidate the already published hash. So to that extent you don't need to trust the timestamping agent, because he can't cheat.
> I must be missing something: it seems to me that the point of money is
> that it costs significantly less to make than it is worth (because
> otherwise all the money is spent buying the coins),

Well, people used to get by with gold bars, and promissory notes before the days of fractional reserves, and then straight fiat money, that actually meant that you could exchange it for the face value in gold or silver.

Also the actual paper money in circulation is a fairly small fraction of global wealth. Most of your wealth isn't in paper money. People probably aren't going to want to hold a lot of wealth in something like b-money because you lose interest (as with stuffing paper money under the mattress), and so all you need is enough float.

Also b-money is re-used, because it is transferable (as opposed to Chaumian ecash where the blinding mechanism means you have to reissue a fresh coin, and burn the old one for each online transaction), so the quantity of b-money in circulation is cumulative.

So, OK, a few billion in heat and useless hardware will be burned off, but so what? Digging up lumps of gold (aside from the manufacturing uses) is a fairly pointless exercise also. As long as the wastage is lower than the costs of fiat money it's a win. Fiat money costs a lot because of the hidden taxation of inflation, and because in the US there is some weird arrangement where some astronomical amount of money is printed by a privately owned tax exempt organisation which then lends it to the USG and then all the taxpayers get to pay interest on it. Weird. I still don't understand how that works exactly, or why people put up with it.
But the general thrust of my arguments for b-money or limited issue payment systems (rationals from 1 - 1e6) is to discuss systems which try to work towards the requirements for a payment system which:

- is distributed
- has lower barriers to entry
- has no central entities which need to be trusted
- is difficult for governments to manipulate through hidden taxes

I realise that the results are subject to inflation (b-money especially), require double spending databases (seems inevitable with software systems), and are probably not suitable for very low value transactions. But nevertheless I think a departure from the banking mindset (trust the bank), towards systems which avoid the need for risk management overheads, and where the whole system is distributed, are interesting to explore.

As I think I said in an earlier post you can mix currency systems, eg you can use micropayment systems like say micromint, or millicent backed with b-money, where the value is small enough that the recipient is willing to take the risk of non-payment.

In Wei's protocol description b-money is pseudonymous because the identities do not have to be related to real world identities.

You could also back a Chaumian ecash system with b-money, and perhaps in a way where the mint need not be trusted too much, where the value of circulating ecash coins and b-money coins backing them could be openly auditable, or better that the opportunities for the mint to cheat were cryptographically restricted.

Adam
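The hash-tree timestamping argument above (verify one document from a subtree rather than every document, and a published root that stops anyone, key holder included, from slipping in a backdated entry) is easy to make concrete. The following is an added illustration and is not code from Adam Back's post or from any of the systems discussed (b-money, hashcash, micromint); it assumes SHA-256 and a conventional 0x00/0x01 prefix to keep leaf and interior hashes distinct, and the three "documents" are constructed sample inputs.

```python
import hashlib
from typing import List, Tuple

# Domain separation: a leaf is never confusable with an interior node.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(doc: bytes) -> bytes:
    """Hash of one submitted document (a leaf of the tree)."""
    return hashlib.sha256(LEAF_PREFIX + doc).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash of two child hashes (an interior node)."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_tree(docs: List[bytes]) -> List[List[bytes]]:
    """Return every level of the tree: level 0 holds the leaves, the last
    level holds the single root. An unpaired node on an odd-sized level
    is promoted unchanged to the level above."""
    if not docs:
        raise ValueError("need at least one document")
    levels = [[leaf_hash(d) for d in docs]]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def published_root(docs: List[bytes]) -> bytes:
    """The one value the timestamping agent publishes for the period."""
    return build_tree(docs)[-1][0]


def audit_path(levels: List[List[bytes]], index: int) -> List[Tuple[str, bytes]]:
    """Sibling hashes needed to recompute the root from leaf `index`.
    This is the 'subtree' a verifier needs instead of every document."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):           # promoted nodes have no sibling
            path.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return path


def verify(doc: bytes, path: List[Tuple[str, bytes]], root: bytes) -> bool:
    """Recompute the root from one document plus its audit path."""
    h = leaf_hash(doc)
    for side, sib in path:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == root


def backdating_detected(published: bytes, claimed_docs: List[bytes]) -> bool:
    """Anyone can recompute the root from the claimed document set. If the
    agent (key holder or not) later 'adds' a document to a past period,
    the recomputed root no longer matches what was published."""
    return published_root(claimed_docs) != published


# Constructed sample: three documents timestamped in one period.
TODAY = [b"doc-A", b"doc-B", b"doc-C"]
ROOT = published_root(TODAY)

if __name__ == "__main__":
    levels = build_tree(TODAY)
    print("verify doc-C:", verify(b"doc-C", audit_path(levels, 2), ROOT))
    print("backdated doc-D detected:", backdating_detected(ROOT, TODAY + [b"doc-D"]))
```

The audit path for `doc-C` in a three-leaf tree is a single hash (the leaf is promoted past the first level), which is exactly the saving the post describes: the verifier fetches a handful of sibling hashes rather than the whole day's document set. The `backdating_detected` check is what the published root buys you: the agent's signing key is irrelevant once the root is out, because any changed set recomputes to a different value.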