I’m neither an economist nor an IRS employee, but I know one thing: the day an anonymous cryptocoin (such as ZeroCoin or AppeCoin) becomes widespread, governments won’t stand idly by. One thing is obvious: government agencies want the money flow to be as clear as possible. They say it’s required to track terrorism financing, tax evasion, and illegal currency outflows. I cannot judge the effectiveness of their methods, but until better methods are put into practice or these methods are proven to be ineffective, this is what we must live with.
But I also think that financial privacy should be a right, and that we might lose this right with the advent of new e-money technologies. Bitcoin is quite weak in this regard. For example, financial privacy can help to preserve the life of wealthy individuals against extortion, kidnapping and torture. It protects citizens from poor security in the storage of financial records in banks and companies. It can protect politicians opposed to the government of the day from blackmail. And since companies are eager to build individual behavior databases based on buying habits, financial privacy can protect individuals from job discrimination, dynamic and targeted price adjustments, automatic insurance cost fixing (based on risky habits), automatic health plan cost fixing (based on dietary and sport habits), and all sorts of morally questionable commercial practices. Currently your buying habits reveal a lot of information we consider private by any standard: your medical condition (drugs bought), your political affiliation (donations), your sexual preferences, your hobbies, your friends (by detecting concurrent payments), and also your trade secrets (suppliers, contractors), etc.
But financial privacy can also protect us from abuse of power by governments. I don’t trust governments. I’ve always been scared by state power. In Argentina, we had too many military dictatorships. So financial privacy also protects us from corrupt governments.
For financial privacy to coexist with the law, it’s possible that citizens may have to renounce complete anonymity. Denying this fact is pretending there are no laws, and no economic and military powers. It would be like naively dreaming of a crypto-techno revolution that will overturn governments without weapons.
The point we must discuss is what information should be handed out to the governments and what procedures the governments should follow to access that information, so that when governments realize they need to do something against cryptocoins (and they will), we can give them something they feel satisfied with. This is my cowardly strategic idea: give something so they don’t take everything. But it’s not silly: complex systems such as Bitcoin cannot be easily adapted to sudden outside requirements, such as the appearance of new regulations. This could be a death sentence for cryptocoins that rely on consensus. If we build the features into a new coin by design (or we implement them in Bitcoin in advance) we could comply with regulation easily or even help the people in charge of writing future regulations to do it right.
One proposal is that our cryptocoin clients allow logging all our payments in an encrypted log, uploaded periodically to some government server. Since no one can be forced to reveal a key (a key that could simply be forgotten), the key should be securely stored somewhere. It could be split between a number of internationally accredited parties chosen by the user. For example, one user could split the key and give one share to the United Nations, and the other share to his government. Then his government would need a justified international warrant to receive the UN share. And if the reconstructed key does not match the key used to encrypt the log, then the individual would be liable for false testimony.
This proposal has some drawbacks: an individual cannot prove he didn’t make more unlogged payments, nor can the individual deny having made a certain payment. After the key is reconstructed by the government, it can even forge payments and fabricate evidence.
This is where crypto comes to help.
Group Signatures with proposed Trapdoor threshold anonymity property
One interesting cryptographic scheme that could help is group signatures. A group signature scheme allows users to sign on behalf of a group without disclosing who the signer is. Normally the group is set up by a “group manager” who is able to add and remove members, and to infer the signer of each group signature.
Bellare et al. give three properties that a group signature scheme must satisfy:
- correctness, which ensures that honestly-generated signatures verify and trace correctly;
- full-anonymity, which ensures that signatures do not reveal their signer’s identity; and
- full-traceability, which ensures that all signatures, even those created by the collusion of multiple users and the group manager, trace to a member of the forging coalition.
We also require a fourth property (introduced by Ateniese and Tsudik):
- Exculpability. No member of the group and not even the group manager—the entity that is given the tracing key—can produce signatures on behalf of other users.
And a new fifth property:
- Trapdoor threshold anonymity. When a user generates a group private key, he also generates an associated anonymity key. He discloses the anonymity key in m shares given to m different non-colluding third parties, such that only a subset of n of them is able to detect if a signature was signed by the user, but not forge signatures.
The last property implies that there is no single tracing key: each signing key is associated with its own tracing key. Note that this last property could be approximated by using a threshold scheme to disclose the group private key. But in this case the third parties would be able to collude to forge signatures, which trapdoor threshold anonymity prevents. I don’t know a group signature scheme that supports this property, but I guess it’s not impossible to support. In the last section I describe how to achieve this property for any group signature scheme, doubling the size of the signature.
Now let’s see how these group signatures can help us solve the problem of disclosure of payments.
Each government becomes a “group manager” and each individual is given a private key to sign on behalf of the group he belongs to (using a protocol that achieves exculpability). At the same time, the individual sends each anonymity trapdoor share to a different accredited organization.
Each payment specifies the group the individual belongs to and is signed by the user with his group private key. The cryptocoin client has a number of embedded public keys, one for each group administrator, and each administrator supplies updates for its group public key by signing them with its own key. Unsigned payments are rejected or monitored by government agencies. In the event that a judge orders a user’s financial anonymity to be broken, some of the distributed key shares are requested by court order and sent to the judge, the trapdoor key is reconstructed, and the payments belonging to the user are identified in the transaction log. Afterwards, a new private key is generated for the user, and the previous one is discarded.
Does this trapdoor threshold anonymity property exist in a published scheme? I don’t know, but it’s easy to approximate such a system by concatenating two group signatures: one for identity and the other for anonymity. Each government creates two signature groups: the identity group and the anonymity group. Each user is given two private keys. If it exists, the anonymity “master” tracing key is then discarded. Each user’s anonymity key is split into shares with a secret sharing scheme and each share is given to a third party. The identity key is never disclosed. Each transaction must be signed by both keys. Whenever the government needs to break a user’s anonymity, it collects the shares of the anonymity key. This way the government will never be able to forge the complete user signature.
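As an added example (not code from the post), the following Python splits a per-user anonymity tracing key with Shamir’s threshold secret sharing, the kind of scheme both the UN/government key split proposed earlier and the trapdoor threshold anonymity property rely on. The group signature itself is not implemented; the key is treated as an opaque field element and the custodian names and 2-of-3 threshold are constructed for the demo.

```python
import secrets

# Prime modulus for the field; 2**127 - 1 is a Mersenne prime, large enough
# for a demo key (constructed choice, not from the post).
PRIME = 2**127 - 1


def _poly_at(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..n-1] at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_anonymity_key(key, custodians, threshold):
    """Split a tracing key among named custodians: any `threshold` of them
    recombine it; fewer learn nothing, since the key is the constant term of a
    random degree threshold-1 polynomial and shares are points on it."""
    if not 0 < threshold <= len(custodians) or not 0 <= key < PRIME:
        raise ValueError("bad threshold or key out of field")
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x-coordinates 1..m; x=0 is reserved for the secret itself.
    return {name: (x, _poly_at(coeffs, x))
            for x, name in enumerate(custodians, start=1)}


def reconstruct_anonymity_key(shares):
    """Lagrange-interpolate the shares at x=0; correct only with >= threshold shares."""
    points = list(shares.values())
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse of den; valid because PRIME is prime.
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def court_order_demo():
    """Model the post's scenario: UN and government shares under a 2-of-3 split."""
    key = secrets.randbelow(PRIME)  # constructed per-user tracing key
    shares = split_anonymity_key(key, ["UN", "government", "court_custodian"], 2)
    by_warrant = {k: shares[k] for k in ("UN", "government")}
    alone = {"government": shares["government"]}
    # (True, False): warrant-backed pair recovers the key, a lone custodian does not
    return (reconstruct_anonymity_key(by_warrant) == key,
            reconstruct_anonymity_key(alone) == key)
```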
Until the next post, kindly, Sergio.
M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In E. Biham, editor, Proceedings of Eurocrypt 2003, volume 2656 of LNCS, pages 614–629. Springer-Verlag, May 2003.
G. Ateniese and G. Tsudik. Some open issues and directions in group signatures. In Proceedings of Financial Cryptography 1999, volume 1648 of LNCS, pages 196–211. Springer-Verlag, Feb. 1999.