L Other Looming Issues Related to Cryptography Policy
L.1 DIGITAL CASH1
National economies are based on money. The most basic form of money is cash. Coins, originally made of valuable metals, had intrinsic value and came to be more or less universally acceptable. Paper money (bills) came to substitute for coins as the value of transactions increased and it became physically impractical to carry ever-larger volumes of coins. However, paper money was originally backed by stores of precious metals (gold and silver). In 1971, the United States abandoned its last effective link to the gold standard, and paper moneywith no intrinsic value came to represent value that was backed by the integrity and solvency of the (increasingly international) banking system. Other mediums of exchange have come to supplement cash, including paper checks written by consumers; bank-to-bank financial interactions that are electronically mediated; nonretail business transactions conducted through electronic data interchange among customers, vendors, and suppliers; and credit and debit cards used to make retail purchases.
Today, interest in so-called digital cash is increasing. Digital cash is similar to paper cash in the sense that neither the paper on which paper
1 This section draws heavily on Cross Industry Working Team, Electronic Cash, Tokens, and Payments in the National Information Infrastructure, Corporation for National Research Initiatives, 1895 Preston White Drive, Suite 100, Reston, Va., 1994; available on-line at email@example.com.
• Monetary value. Electronic tokens must have a monetary value; they must represent either cash (currency), a bank-authorized credit, or a bank-certified electronic check.
• Exchangeability. Electronic tokens must be exchangeable as payment for other electronic tokens, paper cash, goods or services, lines of credit, deposits in banking accounts, bank notes or obligations, electronic benefits transfers, and the like.
• Storability and retrievability. Electronic tokens must be able to be stored and retrieved. Remote storage and retrieval (e.g., from a telephone or personal communications device) would allow users to exchange electronic tokens (e.g., withdraw from and deposit into banking accounts) from home or office or while traveling. The tokens could be stored in any appropriate electronic device that might serve as an electronic ''wallet."
• Tamper-resistance. Electronic tokens should be tamper-proof and be difficult to copy or forge. This characteristic prevents or detects duplication and double spending. Counterfeiting poses a particular problem, since a counterfeiter may, in network applications, be anywhere in the world and consequently be difficult to catch without appropriate international agreements. Detection is essential to determine whether preventive measures are working.
SOURCE: Adapted from Cross Industry Working Team, Electronic Cash, Tokens, and Payments in the National Information Infrastructure, Corporation for National Research Initiatives, Reston, Va., 1994.
money is printed nor the string of bits that represents digital cash has intrinsic value; value is conferred on a piece of paper or a particular string of bits if, and only if, an institution is willing to accept responsibility for them. The basic characteristics of digital cash are described in Box L.1.
Public interest in digital cash is driven largely by pressures for electronic commerce. For example, cash is usually the medium of choice in conducting low-value transactions; present mechanisms for conducting transactions at a distance make economic sense only when the value is relatively high (the average credit card transaction is several tens of dollars). In addition, these mechanisms generally require a preexisting arrangement between vendors and credit card companies: completely spontaneous transactions between parties without such arrangements are not possible with credit cards as they are with cash. Instant settlement when conducting financial transactions at a distance and reducing the cost of managing physical cash are still other advantages.
Both cryptography and information technology, including computer
hardware and software, underlie the feasibility of digital cash. Strong cryptographic technologies and secure network architectures are necessary to give users of a digital cash system confidence in its security and integrity, while the exponentially improving price-performance ratio of computer hardware is needed for the extensive computation required for strong cryptography in a mobile environment. Moreover, important advances in making electronics tamper-proofanother feature needed to ensure confidencemay be in the hands of any number of users. Box L.2 describes the properties that a digital cash system must have.
Digital cash raises many basic questions. For example, if electronic cash is legal tender, who should be authorized to issue it and how should the public be assured that a particular issuing authority is legitimate? How does a digital U.S. dollar affect the U.S. position in the world economy? How will the money supply be controlled or even measured with digital cash
It is widely accepted that a digital cash system must have the following properties:
• Authentication. Users must be assured that digital cash tokens cannot be easily forged or altered and that, if they are altered, evidence of this tampering will be apparent immediately.
• Nonrefutable. Users must also be able to verify that exchanges have taken place between the intended parties, despite any complications that may result from delivery of services over long periods of time, interruptions in service, or differences in billing and collection policies of various service providers. ("Nonrepudiable" is the term used in traditional computer and network security work.)
• Accessible and reliable. Users must find the exchange process to be accessible, easy to effect, quick, and available when necessary, regardless of component failures in other parts of the system.
• Private. Users must be assured that knowledge of transactions will be confidential within the limits of policy decisions made about features of the overall system. Privacy must be maintained against unauthorized parties.
• Protected. Users must be assured that they cannot be easily duped or swindled, or be falsely implicated in a fraudulent transaction. Users must be protected against eavesdroppers, impostors, and counterfeiters. For many types of transactions, trusted third-party agents will be needed to serve this purpose.
All of these features depend on cryptography and secure hardware in varying degrees.
SOURCE: Cross Industry Working Team, Electronic Cash, Tokens, and Payments in the National Information Infrastructure, Corporation for National Research Initiatives, Reston, Va., 1994.
in circulation? Apart from such questions, digital cash also raises policy issues that are part of cryptography policy writ large. Based largely on the reference in footnote 1, the discussion below sketches some of the main issues.
L.1.1 Anonymity and Criminal Activity
The technology of digital cash will support essentially any degree of anonymity desired. Digital cash can be designed so that it is as closely associated with the user as electronic funds transfer is today (i.e., highly nonanonymous) or in a way that disassociates it entirely from the user (i.e., more anonymous than physical cash is today). Intermediate levels of anonymity are technically possible as well: for example, transactions could be anonymous except when a court order or warrant compelled disclosure of the identities of parties involved in a transaction. Furthermore, the various partiespayer, payee, and bankcould be identified or not, depending on policy choices.
Many privacy advocates support digital cash because such a system can provide high levels of anonymity for electronic transactions comparable to the anonymity of face-to-face transactions made with physical cash. Such anonymity is not generally possible for other types of electronic payment vehicles. On the other hand, anonymous perpetrators of crimes cannot be identified and apprehended. To the extent that digital cash facilitates the commission of anonymous crimes, it raises important social issues. Box L.3 describes what might be considered a "perfect crime" possible with anonymous digital cash. Fraud, embezzlement, and transportation of stolen property and information products are other crimes of direct concern. Highly anonymous digital cash may also facilitate money laundering, a key element of many different types of criminal activity. Law enforcement officials consider financial audit trails an essential crime-fighting tool; a digital cash system designed to support the highest levels of anonymity may put such tools at risk.
The important policy issue for digital cash is the extent to which the anonymity possible with physical cash in face-to-face transactions should also be associated with electronic transactions. Note that the question of the appropriate degree of anonymity for a digital cash system replays to a considerable degree the debate over the conditions, if any, under which law enforcement officials should have access to encrypted communications.
L.1.2 Public Trust
Public confidence in the monetary system is a prerequisite for its success. Most members of the public have sufficient confidence in the
Anonymous digital cash provides the user with anonymity and untraceability, attributes that could be used, in theory, to commit a "perfect crime"that is, a crime in which the financial trail is untraceable and therefore useless in identifying and capturing the criminal.
A famous kidnapping case in Tokyo in the early 1970s serves to illustrate the concept. A man opened a bank account under the false name Kobayashi and obtained a credit card drawing on the account. He kidnapped the baby of a famous actor and demanded that a 5 million yen ransom be deposited in the account. The police monitored automated teller machines (ATMs) drawing on Kobayashi's bank, and when Kobayashi later tried to withdraw the ransom money using his card, they arrested him.
Kobayashi's use of a physical token, the credit card, unambiguously linked him to the account. Anonymous digital cash presents the opportunity to eliminate this link. Creation of anonymous cash involves a set of calculations performed in turn by the user who requests the cash and a bank. The user's calculations involve a blinding factor, chosen and known only by him or her. These procedures yield digital cash that the merchant and bank can verify is valid when it is presented for a purchase, while simultaneously making it impossible to trace the cash to the user who originally requested it from the bank.
Ordinarily, the procedures by which digital cash is created occur in a real-time transaction between the user's and the bank's computers. However, a criminal such as the kidnapper Kobayashi could choose a set of blinding factors, perform the subsequent calculations, and mail the results to the bank along with the ransom demand. Kobayashi could insist that the bank perform its portion of the calculations and publish the results in a newspaper. He could then complete the procedures on his own computer. This would give Kobayashi valid, untraceable cash, without the need for any direct link to the bank (such as a visit to an ATM or a dial-in computer connection) that could reveal him to waiting authorities.
SOURCE: Adapted from Sebastiaan von Solms and David Naccache, "On Blind Signatures and Perfect Crimes," Building in Big Brother, Lance J. Hoffman (ed.), Springer-Verlag, New York, 1995, pp. 449-452.
exchange of physical cash and checks and of credit or debit cards to make the system work. However, the logic underlying these mediums of exchange is straightforward by comparison to the mathematics of digital cash, which are quite complex; a public understanding of how digital cash works may be essential to the success of any such system and to the infrastructure needed to support it.
A second major trust issue relates to the counterfeiting of digital cash. With paper money, the liability for a counterfeit bill belongs to the one who last accepted it because that person could have taken steps to check
its legitimacy (e.g., check for a watermark) and thus may not disclaim liability by asserting that it was accepted in good faith. No such protection is available with counterfeit digital cash. An individual can rely only upon the cryptographic protection built into the digital cash system. A forged digital bank note that gets into circulation has by definition broken through that protection; thus, it is the bank that purportedly issued the note that must hold the liability.
If a digital cash system is designed to support the highest levels of anonymity so that financial transactions are effectively untraceable, the collection of taxes may become problematic. Most taxes bear some relationship to a financial quantity that must be determined, such as the income collected in a year or the amount of a sales transaction. When money flows only between two parties, how will the government determine how much money has changed hands or even know that a transaction has occurred at all?
L.1.4 Cross-Border Movements of Funds
Governments find it desirable as an instrument of policy to be able to track money flows across their borders. Today, the "cross-border" movement of funds does not really transfer cash. Instead, messages direct actions in, for example, two banks in the United States and two banks in the United Kingdom to complete a transaction involving dollars-to-pounds conversion. Moving cash outside national borders has effects on the economy, and governments will have to come to terms with these effects.
L.2 CRYPTOGRAPHY FOR PROTECTING INTELLECTUAL PROPERTY
Much of the interest in a global information infrastructure comes from the prospect of transporting digitized information objects over communications lines without the need for transport of physical matter. At the same time, concerns are raised about the fact that digital information objects can be retransmitted in the same way by the receiving party. Thus, for example, the entertainment industry looks forward to the possibility of large-scale distribution of its products electronically but is concerned about how to ensure receipt of appropriate compensation for them. Even today, cable television vendors encrypt their transmissions domestically for that very reason. The software industry is concerned about the theft that occurs when a person buys one copy of a software package and
duplicates it for resale. Thus, a global information infrastructure raises many questions about how best to compensate authors and producers of intellectual property for each use, as well as how to prevent piracy of intellectual property.2
One approach to protecting digital representations of intellectual property involves the use of cryptography to scramble a digital information object.3 Without the appropriate decryption key, the encrypted object is worthless. The basic notion is that vendors can distribute large digital objects in an encrypted form to users, who would then pay the vendor for the decryption key. Since the decryption key is in general much smaller than the digital object, the cost of transmitting the decryption key is much lower and, for example, could be performed over the telephone upon submission of a credit card number.
The Administration's Working Group on Intellectual Property Rights concluded the following:
Development of an optimal NII [national information infrastructure] and GII [global information infrastructure] requires strong security as well as strong intellectual property rights. Copyright owners will not use the NII or GII unless they can be assured of strict security to protect against piracy. Encryption technology is vital because it gives copyright owners an additional degree of protection against misappropriation.4
Using cryptography to protect intellectual property raises questions related to the strength of algorithms used to encrypt and decrypt digital objects. Specifically, the use of weak cryptography to protect exported digital objects could well result in considerable financial damage to the original creators of intellectual property.5 If it proves reasonable to protect intellectual property through encryption, pressures may well grow to allow stronger cryptography to be deployed worldwide so that creators of intellectual property can market their products safely and without fear of significant financial loss.
2 See Information Infrastructure Task Force (IITF), Working Group on Intellectual Property Rights, Intellectual Property and the National Information Infrastructure, U.S. Government Printing Office, Washington, D.C., 1995.
3 For example, see Carl Weinschenk, "Cablevision to Test Anti-Theft System," Cable World, February 6, 1995, p. 22.
4 IITF, Intellectual Property and the National Information Infrastructure, 1995.
5 For example, an article in the Wall Street Journal reports that pirates of direct digital satellite television broadcasts are able to obtain decoders that are capable of decrypting encrypted signals that are received, thus allowing these individuals to avoid the monthly fee for authorized service. See Jeffrey Trachtenberg and Mark Robichaux, "Crooks Crack Digital Codes of Satellite TV," Wall Street Journal, January 12, 1996, p. B1.
Cryptography may also support the embedding of digital "watermarks" into specific pieces of intellectual property to facilitate tracing the theft to an original copy. Such a scheme would insert information that would not affect the use of the object but could be subsequently identified should ownership of that work be called into question. For example, a digital watermark might embed information into a digital representation of a photograph in such a way that it did not affect the visual presentation of the photograph; nevertheless, if the photograph were copied and distributed, all subsequent copies would have that hidden information in them.