Open Transactions
December 27, 2011 3:56 PM   Subscribe

Open Transactions is an anonymous digital cash system based upon the Lucre anonymized cache cryptographic library.

Anonymous digital cash system involve a mint who blind signs a coin for the purchasing user. Afaik, all blind signing protocols are implemented using a multiplicatively homomorphic public-key crypto-system such as unpadded RSA (previously). In principle, the mint cannot conspire with venders to correlate a users transactions without using side channel information, like usernames, IP addresses, etc. (example)

In outline, the user hashes and encrypts a well chosen serial number x to obtain x', the mint then signs x' to obtain y', and the user decrypts y' using their private-key to obtain a signature y for x, the coin is the pair (x,y). Anyone may use the mint's public key to verify that (x,y) is indeed a coin signed by the mint. The mint prevent double spending/redemption by ensuring that each serial number x only gets used once. A priori, the need for users to choose x means the mint must rotate private keys and/or limit a coin duration.

Lucre itself is designed to avoid the digital cash patents held by David Chaum, which perhaps retarded the development of digital cash. (pdf)

A digital cash system like Open Transactions might be considered the the opposite of Bitcoin because (1) it's actually anonymous, as opposed to exposed but poorly documented, (2) its coins offer little or usually no saving value, only transactional value, and (3) anyone can issue coins, but coins fundamentally represent a contractual obligation.

Anonymous digital currency lends themselves to a host of obvious applications beyond simply buying stuff online. Examples :

- An advertising network could issue coins whenever users viewed ads. Applications could display the ads to obtain coins to pay service providers and/or developers. Anonymity applications should as Tor or I2P could potentially finance their network in this way.

- An anonymous peer-to-peer (friend-to-friend) network like OneSwarm could implement anonymous ratio credits for providing content and/or anonymously forwarding content. You could avoid any centralized mints by having that every user mint their own coins.
posted by jeffburdges (31 comments total) 12 users marked this as a favorite
 
I should mention that bitcoin recovered slightly too perhaps.
posted by jeffburdges at 4:42 PM on December 27, 2011


Is there a simple explanation of this?
posted by bhnyc at 5:18 PM on December 27, 2011


I think that was the simple explanation.
posted by cmoj at 5:37 PM on December 27, 2011 [9 favorites]


What can I buy with it that's not x264-encoded Doctor Who episodes?
posted by infinitewindow at 5:41 PM on December 27, 2011 [4 favorites]


Is there a simple explanation of this?

Open up your wallets for inspection.
posted by Blazecock Pileon at 5:53 PM on December 27, 2011 [1 favorite]


Again?
posted by graphnerd at 5:55 PM on December 27, 2011 [1 favorite]


Anonymous digital currency lends themselves to a host of obvious applications beyond simply buying stuff online. Examples:

Tax evasion?
Money laundering?
Bypassing banking regulations?
Crime?

I agree that lack of anonymity is being abused by authorities, but I can't help but suspect that the extreme in the other direction - fully anonymous transactions - would become a larger evil. Most of the people who have the most to benefit from it, would seem benefit at the expense of the people around them and the fabric of society.
posted by -harlequin- at 5:57 PM on December 27, 2011 [3 favorites]


Is there a simple explanation of this?

Open up your wallets for inspection.


Hey! You're not the wallet inspector!
posted by PostIronyIsNotaMyth at 5:57 PM on December 27, 2011 [1 favorite]


Is there a simple explanation of this?

Wikipedia's bit on blind signing isn't bad:
As an analogy, consider that Alice has a letter which should be signed by an authority (say Bob), but Alice does not want to reveal the content of the letter to Bob. She can place the letter in an envelope lined with carbon paper and send it to Bob. Bob will sign the outside of the carbon envelope without opening it and then send it back to Alice. Alice can then open it to find the letter signed by Bob, but without Bob having seen its contents.
posted by BungaDunga at 6:09 PM on December 27, 2011 [3 favorites]


Thanks! Now I get it!

*smiles secretively and invests in carbon paper*
posted by pracowity at 6:18 PM on December 27, 2011 [5 favorites]


Also, this is all very clever. Gotta learn about cryptography at some point. Homomorphic encryption is just a wonderful type of mathematical magic.

Basically this system works like this (?):

I have x. I need to get y, x hashed with the mint's private key (a secret it knows but I don't). I don't want to give it x. I encrypt x with a secret only I know. There's a property of this particular cryptosystem that:
hash(encrypted(x)) = encrypted(hash(x))

So I can hand the mint encrypted(x). It hands me back hash(encrypted(x)) and neither of us know the other's secret, and the mint doesn't know what x is.

Now I can calculate decrypted(hash(encrypted(x) ) (using the same secret I encrypted x with). This is the same as decrypted(encrypted(hash(x)) = hash(x) = y.
posted by BungaDunga at 6:18 PM on December 27, 2011 [3 favorites]


uh lets see

open

transasstions?

broken transactions? open transcraptions? buttpen...

man help me out here i need a way to minimize this
posted by This, of course, alludes to you at 6:31 PM on December 27, 2011


What is the difference between this and just burying gold bars in your backyard?
posted by Threeway Handshake at 6:32 PM on December 27, 2011


What is the difference between this and just burying gold bars in your backyard?

Gold bars are likely to still be worth something to someone when you dig them up again?
posted by -harlequin- at 6:34 PM on December 27, 2011 [3 favorites]


After watching the schadenfreude-orgy that was Bitcoin in its prime ("it's the only safe, secure currency with consistent value"/"whoops, a hacking incident wiped out 60% of the value of the universe, who could've predicted that?"), I could scarcely be more skeptical of technological solutions to the currency problem... and I'm a computer programmer, I think technology is the solution to everything. I'll echo -harlequin- to an extent: anonymous transactions are ripe for abuse, and not cute abuse like pot and porn.

The desire for an anonymous currency among law-abiding geeks is just another manifestation of our peculiar social disorders. Who is anyone to tell us how to spend our money, to know how we spend our money, to take a cut of our money? These are refreshingly simple and straightforward principles, which makes them juicy bait for geeky would-be philosophers (see also: Ayn Rand).

Economics is a hard problem, and computer science curricula have hammered it into programmers' heads that there's a simple, elegant, optimal solution to any problem that can be solved at all... to the point where they'll assume that something is an optimal solution simply because it's simple and elegant. It's like claiming that every maze can be solved by just turning left at every fork.

On a more fundamental note, anonymous payments are founded on the idea of independent financial transactions. That foundation is wrong. When you give the hot dog guy a dollar, the transaction is not just between you and him. It incorporates the transactions between him and his suppliers, between them and their suppliers and their employees. Between you and your employer and your employer's customers and their hot dog guys and so on and so forth. Your transaction doesn't exist in a vacuum, and part of the social contract is that the rest of the economic system gets some insight as to the nature and amount of that transaction so that it can react (and, yes, regulate) appropriately.

I'm not saying we submit hot dog receipts to the IRS on a weekly basis or anything, just that a currency system that allows large transfers of money to go unobserved is antithetical to a healthy capital-based society.
posted by Riki tiki at 6:36 PM on December 27, 2011 [7 favorites]


Riki tiki: "I'm not saying we submit hot dog receipts to the IRS on a weekly basis or anything, just that a currency system that allows large transfers of money to go unobserved is antithetical to a healthy capital-based society."

I agree with you. The interesting problem we're facing seems to be less "How can we make transactions totally anonymous so the Fed'ral Gummint can't steal taxes", and more "How can we make a transaction system where a few corporations and large governments (some of them not even in the countries where the transaction originates and ends up) can prevent transactions arbitrarily and without any oversight".

I'm talking about WikiLeaks and similar cases, of course, but the development is worrying in general. I don't think corporations or the government should be able to prevent me from giving money to whoever I want (although they're obviously free to audit me and others afterwards). We need digital currency that works more like cash in this way.
posted by Joakim Ziegler at 6:45 PM on December 27, 2011 [2 favorites]


@joakim ziegler

wikileaks is bad because governments and businesses need secrecy to operate effectively though!
posted by This, of course, alludes to you at 6:48 PM on December 27, 2011 [1 favorite]


wikileaks is bad because governments and businesses need secrecy to operate effectively though!

That about sums it up, right? Secrecy for us, the government. No secrecy for you, the people.

Secret trillion dollar Federal Reserve handouts to banks, access to all financial networks cut off if you're Wikipedia.

Bank of America and Wachovia laundering money for Mexican drug smugglers? No problem. Fears of grandmother's house being seized for a single pot plant? Drugs are bad!

The cypherpunks foresaw so many of the civil liberty abuses over twenty years ago, and dedicated themselves to creating technical systems to restore personal privacy and liberty. The computer scientists that create these systems and the "Angry Internet Anarchists" who use them are often one and the same.

Many of them probably still remember a time, not that long ago really, when the US government tried essentially outlawing or crippling personal cryptography via export controls and key-escrow. Arguments against personal communication privacy were the same I'm hearing in this thread now, "money laundering", "crime", "drugs", etc.

If strong encryption technology "is made freely available worldwide, it would no doubt be used extensively by terrorists, drug dealers and other criminals to harm Americans both in the U.S. and abroad".

That was from a NYTimes article in 1994, and the quote is from the Clinton administration arguing against strong cryptography.

It just gets frustrating fighting the same fight over and over, and all the other side has to do is invoke one of the Four Horsemen of the Infocalypse.
posted by formless at 8:40 PM on December 27, 2011 [10 favorites]


pfft strong cryptography is for gross neckbeards, what are you, some kinda stinkin libertarian, etc etc ad infinitum into the cold cold earth
posted by This, of course, alludes to you at 9:10 PM on December 27, 2011


In fairness, formless, free access to encryption is undoubtedly used by terrorists et al to harm Americans.

The flaw is not in that statement, but in the fact that they're measuring the safety of Americans only in terms of external threats... and also that they give that measure of safety primacy over all other concerns.

Civil rights abuses notwithstanding, I stand by my argument that we should find a way to improve currency that balances individual freedom and the common good, and that complete anonymity is not the way to do so.
posted by Riki tiki at 9:37 PM on December 27, 2011


Formless - for the record I was following the crypto embargoes when it was happening, and on the side that won, and I don't see this as the same battle replaying the same bogeymen, with the same answer being automatically correct.
posted by -harlequin- at 10:01 PM on December 27, 2011


An anonymous digital currency system isn't necessarily more useful for money laundering, tax evasion, etc. than our existing banking system, harlequin.

As I explained, your anonymized coins represent contracts negotiated between the mint and the vender on behalf of an anonymous third party user, but the mint and vender are not anonymous. And said user isn't even anonymous if he purchases the coins from the mint using real money. Those real financial transactions are subject to "know your customer" regulations, subpoenas, etc., creating precisely the side channel attack I warned about, thus making the system inferior to ordinary cash transactions. If you're gonna take such risks, you could simply use the iTunes store, Android market place, Amazon, etc.

Interestingly, such side channel attacks occur whenever you even order stuff off the internet, making the system not terribly advantageous physical delivery. You could anonymously buy digital goods like hosting, DNS names, media, or software of course. And you could have currencies that don't represent money at all.

There were certainly anti-government gold bugs on the bitcoin train, but this targets only payment processors, like Visa, Mastercard, and PayPal, who frankly suck.
posted by jeffburdges at 11:02 PM on December 27, 2011 [1 favorite]


harlequin and threeway shake: tried emailing any Au lately? =)

thanks for posting this, when i clicked i found out i was already watching the repo. I must say the feature set is quite big, has it all been implemented?
posted by 3mendo at 1:19 AM on December 28, 2011


That about sums it up, right? Secrecy for us, the government. No secrecy for you, the people.

With the list that followed of wrongs committed under and made possible by secrecy, it makes the case that greater transparency is the way for a society to go, rather than giving a shroud to everyone in the hopes that more wrongs can make it right, via a levelling of corruption's playing-field.

I do really like the idea of transactions that are transparent and can be observed, but not blocked or blockaded. Perhaps this is a step to that goal.
posted by -harlequin- at 1:33 AM on December 28, 2011


I should point out that the biggest difference between this and bitcoin is that (I think) with Open Transactions you have an issuer (also called a mint, I think) who's responsible for turning your digital data back into files.

So, for example, you could have a company that sells gold issue digital tokens that represent gold. Ultimately the value would come the gold they have in their vaults, and the promise to actually give you some.

So really OT is the equivalent of casino chips or Canadian Tire Dollars or wallmart gift cards: A promise from some entity to give you some item of value, which depends on the issuer.

For an electronic system, like an ad network it's not very risky because the service doesn't really cost much to run, you don't expect it to go away and you're not going to hold the token for long. On the other hand, for something high in value you have to have a lot of trust in the system.

Anyway, how do Open Transactions solve the double spending problem? I can imagine one solution, where when you spend money you 'mint' a new coin saying that you will pay someone in tokens issued by an original issuer, and then, at some point, cause the original issuer to issue a new token to the person who turns in that token?

Seems like that could end up like a credit default swap situation where the original issuer disappears then this huge chain of subsequent transactions becomes valueless.

Anyway, how does OT prevent double spending if there's no public log, or whatever?
posted by delmoi at 2:37 AM on December 28, 2011 [1 favorite]


You prevent double spending by only redeeming each serial number once, delmoi. Coins cannot retain their value indefinitely because people might crack the mint's private key, or users might accidentally reuse serial numbers.
posted by jeffburdges at 6:18 AM on December 28, 2011


I agree that society needs greater transparency, harlequin, but 'inegalitarian' transparency creates serious problems. You'll notice its secret police and private investigators who spy upon everyone, commonly to identify activist leaders, permitting the powerful may set the bureaucracy against them individually. We need more secrecy among individuals to prevent the inevitable progress towards transparency from becoming too one sided.
posted by jeffburdges at 7:16 AM on December 28, 2011


You prevent double spending by only redeeming each serial number once, delmoi. Coins cannot retain their value indefinitely because people might crack the mint's private key, or users might accidentally reuse serial numbers.
Right, but then how is it actually 'cash', or anonymous? If A sends B a token, then, while B could send it to C without redeeming it, neither B nor C would have any way knowing if the token had already been redeemed.

So in that sense, I don't really see how this allows anonymous transactions. Even though A and B don't need to know who each other are, the mint does need a way of collecting money, and distributing it. So it needs to know enough about A and B to do that.
posted by delmoi at 8:59 AM on December 28, 2011


Foolproof anonymous digital currencies are the perpetual motion machines of the 21st century.
posted by Lentrohamsanin at 9:04 AM on December 28, 2011 [3 favorites]


the problem with transparency for individuals is blackmail and being forced to alter one's behavior to avoid the possibility of it
posted by This, of course, alludes to you at 12:14 PM on December 28, 2011


Alice buys a $5 coin from The Mint with which she buys herself a digital good from Matthew. Matthew avoids being defrauded by immediately redeeming the $5 coin with The Mint, probably even before delivering the digital good.

Matthew and The Mint cannot conspire to identify their common customer Alice using this transaction alone because the coin was created by blind signing with Alice's computer supplying all the random numbers.

Alice could obviously be identified by Matthew and The Mint if she revealed a common piece of information to each, such as by giving The Mint her credit card information and giving Matthew her real name, or even birthday and location.

In particular, our mint cannot identify exactly when the coin was issued by inspecting the coin, only the public key with which it was issued. There is however side channel information contained in the transaction timing, meaning Alice's system must impose a random delay for transactions to "clear".
posted by jeffburdges at 4:29 PM on December 28, 2011


« Older Lost in the Supermarket   |   Wrongful Hiring Newer »


This thread has been archived and is closed to new comments