I’m not an economist nor an IRS employee, but I know one thing: the day an anonymous cryptocoin (such as ZeroCoin or AppeCoin) becomes widespread, governments won’t stand idly by. Something is obvious: governments agencies want the money flow to be as clear as possible. They say it’s required to track terrorism financing, tax evasion, and illegal currency outflows. I cannot judge the effectiveness of their methods, but until better methods are put into practice or these methods are proven to be ineffective, this is what we must live with.
But I also think that financial privacy should be a right, and that we might loose this right with the advent of new e-money technologies. Bitcoin is quite weak in this regard. For example, financial privacy can help to preserve the life of wealthy individuals against extortion, kidnapping and torture. It protects citizens from poor security in the storage of financial records in banks and companies. It can protect politicians opposed to the government of turn from blackmail. And since companies are ager to build individual behavior databases based on buying habits, financial privacy can protect individuals from job discrimination, dynamic and targeted price adjustments, automatic insurance costs fixing (based on risky habits), automatic health plan cost fixing (based on dietary, and sport habits), and all sort of morally questionable commercial practices. Currently your buying habits reveal a lot of information we consider private by any standard: your medical condition (drugs bought), your political affiliation (donations), your sex preferences, your hobbies, your friends (by detecting concurrent-payments), and also your trade secrets (suppliers, contractors), etc.
But financial privacy also can protect us from abuse of power by the governments. I don’t trust governments. I’ve always been scared by state power. In Argentina, we had too many military dictatorships. So financial privacy also protects us from corrupt governments.
For financial privacy to coexists with the law, it’s possible that citizens may have to resign to complete anonymity. Denying this fact is pretending there are no laws, and no economic and military powers. It would be like naively dreaming of a crypto-techno revolution that will overturn governments without weapons.
The point we must discuss is what information should be handed out to the governments and what should be the procedures the governments should follow to access that information, so that when governments realize they need to do something against cryptocoins (and they will), we can give them something they feel satisfied with. This is my coward strategic idea: give something so they don’t take everything. But it’s not silly: complex systems such as Bitcoin cannot be easily adapted to instant outside requirements, such as the sudden appearance of new regulations. This could be a death sentence to cryptocoins that rely on consensus. If we build the features in a new coin by design (or we implement them in Bitcoin in advance) we could comply with regulation easily or even help the people in charge of writing future regulations to do it right.
One proposal is that our cryptocoin clients allow logging all our payments in an encrypted log, uploaded periodically to some government server. Since no one can be forced to reveal a key (a key that could be simply forgotten), the key should be securely stored somewhere. It could be split between a number of international accredited parties chosen by the user. For example, one user could split the key and give one share to the United Nations, and the other share to his government. Then his government would need a justified international warrant to receive the UN share. And if the composed key does not correctly match the key used to log, then the individual would be liable with false testimony.
This proposal has some drawbacks: an individual cannot prove he didn’t make more unlogged payments, nor the individual can deny having made a certain payment. After the key is reconstructed by the government, it can even forge payments, and fabricate evidence.
These are the times where crypto comes to help.
Group Signatures with proposed Trapdoor threshold anonymity property
One interesting cryptographic scheme that could help is group signatures. A group signature scheme allows users to sign in behalf of a group without disclosing who the signer is. Normally the group is setup by a “group manager” who is able to add and remove members, and infer the signer of each group signature.
Bellare et al.  give three properties that a group signature scheme must satisfy:
- correctness, which ensures that honestly-generated signatures verify and trace correctly;
- full-anonymity, which ensures that signatures do not reveal their signer’s identity; and
- full-traceability, which ensures that all signatures, even those created by the collusion of multiple users and the group manager, trace to a member of the forging coalition.
We also require a forth property (introduced by Ateniese and Tsudik ):
- Exculpability. No member of the group and not even the group manager—the entity that is given the tracing key—can produce signatures on behalf of other users.
And a new fifth property:
- Trapdoor threshold anonymity. When a user generates a group private key, he also generates an associated anonymity key. He discloses the anonymity key in m shares given to m different non-colluding third parties, such that only a subset of n of them is able to detect if a signature was signed by the user, but not forge signatures.
The last property implies that there is no single tracing key: each signing key is associated with its own tracing key. Note that this last property could be approximated by using a threshold scheme to disclose the group private key. But in this case the third parties would be able to collude to forge signatures, which trapdoor threshold anonymity prevents. I don’t know a group signature scheme that supports this property, but I guess it’s not impossible to support. In the last section I describe how to achieve this property for any group scheme, doubling the size of the signature.
No let’s see how these group signatures can help us solve the problem of disclosure of payments.
Each government becomes a “group manager” and an each individual is given a private key to sign on behave of the group it belongs (using a protocol to achieve exculpability). At the same time, the individual sends each anonymity trapdoor share to different accredited organizations.
Each payment specifies the group the individual belongs and is signed by each user using his group private key. The cryptocoin client has a number of embedded public keys of each group administrator, and each administrator supplies updates for each group public key by signing them with its own key. Unsigned payments are rejected or monitored by government agencies. In the event that a judge orders to break a user financial anonymity, some of the spread key shares are requested by court order, sent to the judge, the trapdoor key is created, and the payments belonging to the user are identified in the transaction log. Afterwards, a new private key is generated for the user, and the previous one is disposed.
Does this trapdoor threshold anonymity property exists in a published scheme? I don’t know, but it’s easy to approximate such system by concatenating two group signatures: one for identity and the other for anonymity. Each government creates two signature groups: the identity group and the anonymity group. Each user is given two private keys. If exists, the anonymity “master” tracing key is then disposed. Each user anonymity key is broken in shares in a secret sharing scheme and each share is given to a third party. The identity key is never disclosed. Each transaction must be signed by both keys. Whenever the government requires to break a user anonymity, it collects the shares of the anonymity key. This way the government will never be able to forge the complete user signature.
Until the next post, kindly, Sergio.
 M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In E. Biham, editor, Proceedings of Eurocrypt 2003, volume 2656 of LNCS, pages 614–29. Springer-Verlag, May 2003.
 G. Ateniese and G. Tsudik. Some open issues and directions in group signatures. In Proceedings of Financial Cryptography 1999, volume 1648, pages 196–211. Springer-Verlag, Feb. 1999.
#1 by Franco on July 31, 2013 - 3:28 am
Los gobiernos se adaptarán, para su propio beneficio. Al fin y al cabo, el motivo de la regulación es principalmente impositivo, si no pueden adaptar a la regulación entonces adaptarán al régimen impositivo de manera tal que puedan sobrevivir.
Las formas son muchas, aumentando las tasas por servicios comprobables (patente a quienes tienen auto dado utilizan el servicio “calles públicas”), ABL e impuesto a la tierra al estilo Henry George, etc. Son alternativas mucho más justas que el IVA, así que bienvenidas sean.
Por otro lado, teniendo en cuenta las futuras criptomonedas anónimas, cuando una prohibición se vuelve inaplicable en la práctica (copyright musical por ej.), al final del camino solo encontraremos un cambio de cultura o, en caso de existir lucro, un cambio de modelo de negocio.
La solución técnica propuesta es interesante, aunque tal vez no la comprendo del todo en la parte de voluntariamente elegir las “international accredited parties”. Asumamos un acto pacífico como la venta de marihuana, tanto el gobierno local como la ONU no dudarían en difundir sus llaves. Acaso la revista THC podría ser una de estas entidades a elegir para uno estar refugiado? De no ser así entonces no cambia mucho la situación. Y de ser así entonces habrá entidades para cada cosa que normalmente los gobiernos persiguen, de manera que uno siempre contará con una entidad confiable que lo resguarda, haciendo irrelevante todo el concepto dado que para ello usamos criptomonedas anónimas sencillas y listo.
A los “naive dreamers” en el sur de EE.UU. alguna vez les preguntaban “¿y quién recolectará el algodón?”. Poco importo no saber la respuesta, ese tipo concreto de esclavitud desapareció, y el mundo se adapto…
#2 by AnonyÓðinn (@AnonyOdinn) on August 7, 2013 - 6:22 pm
Would you do this stupid shit for your cash transactions? Make a log of everything you do with your neighbor and send it to the UN or your national government? Would everybody log their oranges or their weed buys or their diaper purchases? No. There. I have just deconstructed your lame argument proposing to hand the keys of bitcoin with zerocoin over to the UN or alternately any national government. I shit on anyone’s argument who says that we should take progressively stronger cryptocurrency that has growing potential for anonymity and just toss it over into the world of regulatory compliance. Laws and the governments that make them (and uphold them by violence) are going the way of the dinosaur – sooner than you think. Wake up.