A stab at the sealer in E

hal@finney.org
Tue, 9 Nov 1999 11:52:41 -0800


> Btw, am I using the right terminology?  I would say that E/Pluribus provides 
> pseudonymity & bearer rights, Freedom provides untraceability, and Blinding 
> provides unlinkability.  Robust privacy benefits from having all three 
> together.

Pseudonymity is somewhat ambiguous.  Generally it refers to anonymity
where there is linkability: I don't know who you are, but I know you
are the same person I was talking to yesterday.  Anonymity is strictly
unlinkable, like the "Anonymous Coward" postings on slashdot.  You don't
know whether one Anonymous is the same or different from another.

Pluribus does seem to provide bearer rights, but whether it provides
pseudonymity is questionable.  You do know the IP address of the machine
you are talking to.  That doesn't seem particularly anonymous.  On the
other hand, it is not tightly bound to a particular human's name and
identity, so perhaps the IP address could be thought of as a pseudonym,
in a sense.

(Or perhaps the pseudonym you are referring to is the Vat ID, essentially
a public key.  In that case, Pluribus on top of Freedom could be thought
of as providing pseudonymity, assuming that Vats retain their IDs for
extended periods of time.)

Freedom provides untraceability, and also anonymity.  I distinguish
these by saying that the former is with respect to a third party, and
the latter is with respect to the communicating peer.  The links are
untraceable in the sense that if the FBI came and tried to figure out who
was talking to whom, they would fail (ideally).  The communications are
anonymous because the server doesn't know anything about who his client
is, not even his IP address.

You could imagine a system which provided untraceability but not
anonymity, for example if the system revealed the source address to
the destination, but otherwise kept it hidden.  Likewise you could have
anonymity without untraceability, which is pretty much what you get on
slashdot; with enough work someone could track down who a particular
"Anonymous Coward" is.

Blinding provides unlinkability?  Yes, although now you're talking more
about software objects, rather than about objects in the real world like
people and machines.

Blinding is basically a protocol by which one party comes into possession
of an object which has specified mathematical properties which can be
recognized by the issuing party.  The object should be unforgeable,
that is it should not be possible to create it without the cooperation
of the issuing party; and it should be unlinkable in that the issuing
party cannot recognize the object and link it to the interaction by
which it was created.

The created object is much like a capability, although it is not bound
to a specific object.  But because it can be recognized as authentic by
the issuer, it can be used like a capability to request certain actions.

If you did blinded cash, you might want to think about the resulting
object as being something like a "sturdyref", where you can turn it
into a real capability.  At the time it was transformed in this way,
the object to which it was a capability would have to be created, unlike
with a regular sturdyref where the object already exists.  I don't know
how well this would work with the rest of the system, though.

Hal
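The two properties Hal attributes to blinding above, unforgeability (the object cannot be created without the issuer's cooperation) and unlinkability (the issuer cannot connect the object to the session that created it), are easiest to see in a concrete instance. The following is an added example, not code from Hal's post or from the E/Pluribus project: a textbook RSA blind signature in the style of Chaum, with toy primes, a hash-and-reduce message mapping, and a `Redeemer` class standing in for the "request certain actions" side. All names, parameters and sample serials are constructed for the example; a real deployment would use a large modulus and a proper full-domain hash, but the protocol steps are the same.

```python
"""Added example: textbook RSA blind signature (Chaum) illustrating
unforgeability and unlinkability. Toy parameters constructed for the
example; not a production scheme and not E/Pluribus code."""
import hashlib
import math
import secrets

# Constructed toy RSA key pair for the issuer. Real deployments use
# 2048-bit or larger moduli; the arithmetic is identical.
P, Q = 1000003, 1000033             # two primes (toy size)
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the issuer


def message_rep(serial: bytes) -> int:
    """Map a token serial to an integer mod N (hash-and-reduce, a toy FDH)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def client_blind(serial: bytes):
    """Client, step 1: hide the message under a random factor r.
    Returns (value to send to the issuer, r to keep secret)."""
    m = message_rep(serial)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if m != 0 and math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    return blinded, r


def issuer_sign_blinded(blinded: int) -> int:
    """Issuer: signs whatever it is handed; it never sees m or the serial."""
    return pow(blinded, D, N)


def client_unblind(blinded_sig: int, r: int) -> int:
    """Client, step 2: strip r, leaving an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone holding the public key can recognise the issuer's mark."""
    return pow(sig, E, N) == message_rep(serial)


def issue_token(serial: bytes):
    """Run the whole exchange. Returns (token, issuer_record), where
    issuer_record is exactly what the issuer observed during issuance."""
    blinded, r = client_blind(serial)
    blinded_sig = issuer_sign_blinded(blinded)
    sig = client_unblind(blinded_sig, r)
    return (serial, sig), (blinded, blinded_sig)


class Redeemer:
    """The side that honours the token as a capability: accepts each
    authentic token once, rejecting forgeries and replays."""

    def __init__(self):
        self.spent = set()

    def redeem(self, token) -> bool:
        serial, sig = token
        if not verify(serial, sig) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True


def linking_factor(record, token):
    """What an issuer trying to link a redeemed token to a signing session
    can compute: the unique r that would make this (record, token) pair
    consistent. Because such an r exists for EVERY pairing, the transcript
    carries no information about which session produced which token."""
    blinded, blinded_sig = record
    serial, sig = token
    if math.gcd(sig, N) != 1:
        return None
    r = (blinded_sig * pow(sig, -1, N)) % N
    if (message_rep(serial) * pow(r, E, N)) % N == blinded:
        return r
    return None


if __name__ == "__main__":
    tok_a, rec_a = issue_token(b"constructed-serial-A")
    tok_b, rec_b = issue_token(b"constructed-serial-B")
    print("both tokens verify:", verify(*tok_a) and verify(*tok_b))
    print("record A explains token A:", linking_factor(rec_a, tok_a) is not None)
    print("record A equally explains token B:", linking_factor(rec_a, tok_b) is not None)
    r = Redeemer()
    print("first redeem:", r.redeem(tok_a), "replay:", r.redeem(tok_a))
```

The `linking_factor` check is the unlinkability argument made executable: for the issuer's record of session A, both token A and token B yield a blinding factor that reproduces the record exactly, so the issuer cannot tell them apart. Unforgeability is the ordinary RSA signature property, exercised by `verify` on a value not produced with `D`, and `Redeemer` shows the token acting as a one-shot capability.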