Bitcoin and the anonymous electronic money systems created before it

In this article I compare Bitcoin, which almost everyone has heard of, with the electronic money systems created before it, whose foundations David Chaum laid in the early 1980s. Most sources present Bitcoin as something revolutionary and out of the ordinary. I will show that it is just another payment system, not much better than PayPal, WebMoney and the like, and in many respects behind them.

I take as a basis the paper “Universal Electronic Cash” (Okamoto and Ohta, CRYPTO '91), in which the authors give clear requirements for an ideal electronic payment system (decentralization is not among them):

  • Independence from any physical medium. Money should be pure information, so that it can be used over computer networks;
  • Security. It must be impossible to copy money or spend it twice;
  • Privacy, untraceability, anonymity. It must be impossible to link a user to his purchases;
  • Offline payments. If the network is unavailable, a store should still be able to accept money from the user;
  • Transferability. Users can pass money to each other without contacting a bank or any similar central service;
  • Divisibility. A note of a given value can be split into smaller notes without involving the bank.

Paper money and coins, that is, cash, satisfy most of these. Cash is secure: spending a note means giving it away, losing something tangible, and counterfeiting it takes so much labour and such complex technology that it is not worthwhile; to make gold coins you need gold. Cash gives the user privacy and anonymity: when I hand a note to a store or receive change, neither I nor the store knows whose hands the notes have been in before, and nobody can link my purchases to particular notes. Cash can be passed on to other people without a bank, and payments with it are made offline.

We will not go into the details of Bitcoin's implementation; there is an enormous amount of material on the subject. Each user has a wallet, which is a set of asymmetric key pairs. A transaction is a piece of data signed with a private key that says how much is transferred and to which public key. Transactions sent between users (some of which are stores) are collected into blocks, and the blocks form a chain ordered in time. This chain is a single database shared by everyone, against which anyone can check whether money has already been spent. Adding transactions, in blocks, to this chain (or to any competing chain) is possible only after performing resource-intensive computation (proof of work).

The whole construction rests on the assumption that the longest chain is the one in use, since the most resources were spent on it, and the majority of resources are spent by well-meaning, honest users. Opening the Bitcoin whitepaper, we find it stated plainly: the system works as long as honest nodes control a majority of the computing power; once an attacker holds more than half (the "51%" case) he can build an alternative chain. Then today the store sees and trusts my payment, and tomorrow it is no longer in the longest chain, although the goods may already have been shipped to me. In addition, whoever has the power to produce the chain everyone trusts can censor: he can refuse to include transactions from particular wallets, or transactions that do not pay the fee he demands. None of this is prohibited by the protocol.

Whoever concentrates more than half of the computing resources turns the system into a centralized one. He can effectively close accounts (by never including their transactions), he can demand a commission: in short, everything people dislike about today's banks.

The idea of Bitcoin could work if computing resources really were dispersed among users. But we know that mining on an ordinary CPU is pointless, and even GPUs are less and less of an option. Huge mining data centres are being built. The further we go, the more computing power migrates into a small number of centres. The network has already crossed the 51% threshold.

There are other payment systems in which Bitcoin's SHA-256 is replaced by memory-hard hash functions, in order to narrow the gap between cheap ASIC mining chips and expensive but inefficient CPUs. All of this still revolves around proof of work, and therefore only delays the inevitable centralization of computing resources. Proof of work has been known for a long time, since the fight against email spam (Hashcash). Over the decades people should have realized that it is not a means of preventing spam (in Bitcoin's case, alternative transaction chains) but only a means of reducing it. Eliminating spam completely is impossible: to do so the entry threshold, the amount of resources required, has to grow so much that mere mortals cannot use the system at all, and once again everything ends up with a small number of huge, powerful service providers. In the context of money these are simply ordinary banks, the ones with a well-developed and expensive infrastructure. The richest people make the money.

When it comes to the security of money, to transactions of millions or billions of conventional units, one cannot rely on the hope that nobody will displace the longest chain of Bitcoin blocks. Nobody will take such a risk. So proof of work as such is not suitable for handling money, except for trifles (micropayments), where the risk is tolerable.

Thus, at the moment, Bitcoin is a centralized system.

If security means what it means for cash or an ordinary bank transfer, a completed payment that cannot be undone, then Bitcoin is out of the question: the chain can be rewritten. Someone who sold something for a large sum will be extremely disappointed tomorrow when the amount paid is no longer in his wallet (because the transaction to his public key sits in a chain that is no longer the trusted one).

If anonymity means only that nobody can immediately say that such-and-such a user (more precisely, such-and-such a public key) is Vasily Pupkin from such-and-such a house, then Bitcoin is anonymous in that sense, unlike bank-card transactions. But the user's entire purchase history, every movement of his money, is recorded in the block chain forever. It is always trivially possible to say that this purchase was made by the same person who once bought that.

Nobody forbids having many wallets, making only one or two transactions from each, but as soon as money is used for anything in the material world, the user is forced to give out additional information about himself. You can guarantee for years that your transactions leak nothing, but one contact with the outside world is enough for someone to learn something that deanonymizes you, and that information attaches automatically to your entire previous history of transfers. Preventing every such leak almost completely rules out using Bitcoin in practice. Suppose the store does not ship the goods: how will you contact it and try to get your money back? How will you collect the goods? Only by deanonymizing yourself.

Offline payments are impossible in Bitcoin. Worse, payments cannot even be made quickly, because a transaction is considered confirmed only once it appears in several blocks of the longest chain (although the fact that a transaction has been broadcast is visible quickly). When paying for something small (say, a sandwich) one can take the risk, and if the transaction turns out not to be valid the loss is small. So again, in practice, only micropayments.
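To put numbers on "several blocks" and on the 51% assumption discussed earlier, here is an added example (not from the original article): a Python port of the calculation in section 11 of the Bitcoin whitepaper, which gives the probability that an attacker holding a share q of the hashing power eventually rewrites a payment buried under z blocks. The helper `confirmations_needed` and the risk thresholds in the demo are this example's own additions.

```python
"""Attacker success probability as a function of confirmation depth.

Added example, not code from the original article: a port of the C routine in
section 11 of the Bitcoin whitepaper (computed in log space so that large z
does not underflow). It models the race between honest miners and an attacker
holding a fraction q of the hashing power as a gambler's-ruin random walk;
mining cost, fees and everything else are ignored. `confirmations_needed` and
the risk thresholds in the demo are this example's own additions.
"""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q eventually
    overtakes the honest chain once it is z blocks ahead."""
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("q must be in [0, 1) and z >= 0")
    p = 1.0 - q
    if z == 0 or q >= p:
        # No confirmations, or a majority attacker (the 51% case): the
        # attacker's walk is certain to reach the honest chain's height.
        return 1.0
    if q == 0.0:
        return 0.0
    lam = z * (q / p)   # expected attacker blocks while the honest side finds z
    total = 1.0
    for k in range(z + 1):
        # Poisson(lam) probability of exactly k attacker blocks, in log space
        poisson = math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
        # With k blocks the attacker is z-k behind and catches up with
        # probability (q/p)^(z-k); remove the cases where he never does.
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, risk: float, max_z: int = 5000) -> int:
    """Smallest z at which the reversal probability drops below `risk`, or -1
    when the attacker has a majority and no depth is enough."""
    if q >= 0.5:
        return -1
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    raise ValueError("risk not reached within max_z confirmations")


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.5):
        cells = ", ".join(f"z={z}: {attacker_success_probability(q, z):.6f}"
                          for z in (1, 3, 6))
        print(f"q={q:.2f}  {cells}")
    # A 0.1% reversal risk may do for a sandwich; 0.0001% for a large sale.
    for q in (0.1, 0.3, 0.45):
        print(f"q={q:.2f}: {confirmations_needed(q, 1e-3)} confirmations for a 1e-3 risk")
    for q in (0.1, 0.3):
        print(f"q={q:.2f}: {confirmations_needed(q, 1e-6)} confirmations for a 1e-6 risk")
```

With q = 0.1 the whitepaper's own table is reproduced (z = 5 is the first depth below a 0.1% reversal risk); with q = 0.45 the same risk already needs 340 confirmations, and from q = 0.5 upwards the function returns 1.0 for any z. That last case is the article's point: once a majority of the hashing power sits in one place, no number of confirmations makes a payment final.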

                               Cash   Bank cards   PayPal   Bitcoin   schneiercash
Physical independence          No     No           Yes      Yes       Yes
Offline payments               Yes    Yes          No       No        Yes
Transferring money to users    Yes    No           No       No        No
Splitting up                   No     Yes          Yes      Yes       No

In this table, bank cards are assumed to carry a chip, so offline payments are possible with them. PayPal stands for any web interface through which one can somehow move money around; it could equally be your bank's web interface. By schneiercash I mean the example of an anonymous electronic currency described in Bruce Schneier's book “Applied Cryptography”. That currency is described below.

Ready-made designs for anonymous (genuinely anonymous, not in the narrow and practically useless Bitcoin sense) and secure electronic money, such as schneiercash, were created back in the 1980s. Many cryptographers worked on cryptocurrency problems, yet not one of them came up with a decentralized solution. They solved anonymity, security, offline payments and more (the mathematics and the implementations are quite involved), and everyone knew about proof of work, but only Satoshi Nakamoto managed to make a decentralized cryptocurrency out of trivial engineering knowledge (any software engineer can get from scratch to the idea of transaction chains linked by hashes in time order, with proof of work)? Of course that cannot be. If the media and even some states recommend developing this system and advise supporting it, someone is guaranteed to profit from it. If the system were honest, anonymous, secure, decentralized and without tricks, nobody would find it worthwhile to spend media time advertising it. This was clear even before the network's computing resources were concentrated in the same data centres.

Another obvious fact: no state in its right mind will allow an anonymous monetary system to develop. The state will do everything to avoid losing its power, which rests on the army and the economy, or rather entirely on the economy and control over it. Anonymous systems mean the inability to control, or even to track and observe, transactions. David Chaum founded companies embodying his results, but they were all crushed and closed. The belief that people can unite around a good idea and cannot be broken because they have the Internet in their hands is a utopia, nothing more. If states have nothing against Bitcoin, then they can control it, which means it is neither anonymous nor censorship-resistant. That Bitcoin is prohibited in, for example, Russia is entirely reasonable: why allow the sponsorship of unfriendly third countries?

At present Bitcoin does have a couple of advantages over online payment systems such as PayPal: no mandatory, expensive commissions (for now); no fuss with banking bureaucracy, linked cards, accounts and their maintenance. That is, it can be regarded as an alternative that is more convenient in terms of interface.


Let us look step by step at how an electronic money system is built.

The first attempt is simple: there is a bank whose public key everyone knows, and users have accounts with it. Before buying something in a store, the user asks the bank for a certain amount. The bank checks that the account holds that amount, debits it, and signs the amount with its private key; this signed amount is the check. Technically it really can be just a text file containing “100.56” and a signature. The file, the check, is sent to the user. The user hands the signed check to the store. The store verifies the signature with the bank's public key, and therefore the check, and releases the goods. The store can forward the check to the bank whenever convenient, and the bank, after verifying the signature, credits the store's account.

Of course, the main problem here is that the check, a file, can be copied and reused. This is solved by having the user add a unique identifier to each check and having the bank store the identifiers of used checks in its database. That gives us security.

However, when signing the check the bank sees its identifier and can remember it and associate it with the user. So there is no anonymity. David Chaum solved this problem by inventing blind signatures. In RSA, a masking (blinding) function can be applied to the data before it is signed; the special property of this function is that after the data is unmasked the signature is still valid. The analogy is an envelope lined with carbon paper: you put the check inside (the masking operation), the signer signs the outside of the envelope without seeing the contents, then you take the check out (unmasking) and it carries a valid signature.

Of course, the bank will not sign just anything. So to obtain a signed, masked check from the bank for, say, 100 currency units, we do the following:

  • We create a thousand withdrawal requests for “100”, each with its own unique identifier, a random number. We mask each request (put it in an envelope) and send them all to the bank;
  • The bank randomly selects 999 of the masked requests and asks us for the unmasking values for them. We provide them, and the bank unmasks these requests, that is, opens the envelopes;
  • The bank confirms that every one of the 999 requests states the same amount and that the check identifiers are all different, and checks that we have this money in our account. It signs the one remaining masked request and sends it back to us;
  • We unmask it and now hold a validly signed check with an identifier nobody else has seen;
  • The check is then sent to the store as before, and the store sends it to the bank; the bank verifies the signature, records the identifier in its database (to confirm that this check has not been used before) and credits the store's account.

The bank cannot tell that the store received this check from us, because it never saw the identifier: it signed a masked envelope. Our only chance of cheating the bank is one in a thousand: to hope that the single envelope it leaves unopened is the one in which we wrote a much larger amount. If the bank considers this probability too high, it can demand a million envelopes. In any case, a client caught trying to cheat will not be welcome again.
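The withdrawal procedure above, as an added example in Python (not the article's own code, nor Chaum's or Schneier's). It uses textbook RSA over two fixed, toy-sized primes and a JSON check consisting of an amount and a random identifier; the envelope count k, the bank's in-memory tables and all names used are this example's own assumptions. Besides the honest flow it also runs the protocol with k = 1, that is, with no envelopes opened at all, to show what the cut-and-choose step is protecting against.

```python
"""Blind RSA checks with cut-and-choose withdrawal (toy implementation).

Added example, not code from the original article. Textbook RSA over two fixed
Mersenne primes (a ~150-bit modulus: insecure, chosen only to keep the example
self-contained); the check format, the envelope count k and the bank's tables
are this example's own choices.
"""
import hashlib
import json
import math
import secrets

P, Q = (1 << 61) - 1, (1 << 89) - 1   # toy primes, NOT a real key
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # bank's private exponent (Python 3.8+)


def encode(check: dict) -> int:
    """Deterministic encoding of a check as an integer < N (toy hash-to-int)."""
    data = json.dumps(check, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def blind(m: int):
    """Put m in an 'envelope': m * r^E mod N, keeping the blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """(m * r^E)^D = m^D * r mod N, so dividing by r leaves the plain signature."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(check: dict, sig: int) -> bool:
    return pow(sig, E, N) == encode(check)


class Bank:
    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)
        self.spent_ids = set()    # identifiers of checks already deposited
        self.opened_ids = set()   # identifiers the bank saw while opening envelopes

    def withdraw(self, user: str, amount: int, envelopes: list, open_envelope):
        """Cut-and-choose: open every envelope but one, then sign that one blind."""
        keep = secrets.randbelow(len(envelopes))
        for i, env in enumerate(envelopes):
            if i == keep:
                continue
            check, r = open_envelope(i)   # user reveals the check and its r
            self.opened_ids.add(check["id"])
            if check["amount"] != amount or (encode(check) * pow(r, E, N)) % N != env:
                raise ValueError("cheating detected in envelope %d" % i)
        if self.accounts.get(user, 0) < amount:
            raise ValueError("insufficient funds")
        self.accounts[user] -= amount
        return keep, pow(envelopes[keep], D, N)   # signed while still blinded

    def deposit(self, merchant: str, check: dict, sig: int) -> bool:
        if not verify(check, sig) or check["id"] in self.spent_ids:
            return False   # forged, or already spent
        self.spent_ids.add(check["id"])
        self.accounts[merchant] = self.accounts.get(merchant, 0) + check["amount"]
        return True


def withdraw_check(bank: Bank, user: str, amount: int, k: int = 1000, hidden_amount: int = 0):
    """Client side. A non-zero hidden_amount puts one lying envelope among the k;
    the bank catches it with probability 1 - 1/k."""
    checks = [{"amount": amount, "id": secrets.token_hex(16)} for _ in range(k)]
    if hidden_amount:
        checks[secrets.randbelow(k)]["amount"] = hidden_amount
    envs, rs = zip(*(blind(encode(c)) for c in checks))
    keep, bsig = bank.withdraw(user, amount, list(envs), lambda i: (checks[i], rs[i]))
    return checks[keep], unblind(bsig, rs[keep])


def run_honest_payment() -> dict:
    """Withdraw 100, pay a store, the store deposits (and then tries again)."""
    bank = Bank({"alice": 500})
    check, sig = withdraw_check(bank, "alice", 100)
    first = bank.deposit("store", check, sig)
    replay = bank.deposit("store", check, sig)   # the same check a second time
    return {"valid": verify(check, sig), "first_deposit": first, "replay_deposit": replay,
            "store_balance": bank.accounts["store"], "bank_saw_id": check["id"] in bank.opened_ids}


def run_without_cut_and_choose() -> int:
    """k = 1: nothing is opened, so the bank blindly signs a check for 1000 while
    debiting 100. Returns what the store is credited."""
    bank = Bank({"mallory": 100})
    check, sig = withdraw_check(bank, "mallory", 100, k=1, hidden_amount=1000)
    bank.deposit("store", check, sig)
    return bank.accounts.get("store", 0)


if __name__ == "__main__":
    print(run_honest_payment())
    print("credited without cut-and-choose:", run_without_cut_and_choose())
```

Note what the bank ends up holding: the 999 identifiers it opened, none of which is the one later deposited, and a set of spent identifiers. The second deposit of the same check is refused by that set lookup alone; which of the two parties is to blame for it is what the next refinement of the protocol settles. In a real system the hash-to-integer step must be a proper full-domain hash and the modulus a real RSA key; the cut-and-choose structure itself is unchanged.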

So we have genuine anonymity. The bank can detect an attempt to cheat it: either the user presented the check twice or the store did. The bank does not know which of them did it, but somebody must be punished. To find out which of the two is to blame, the protocol is complicated: when the store has accepted the check from the user and verified the bank's signature, it asks the user to write a random string on the check. The check with this random string is sent to the bank, which stores it together with the check identifier in its database. It is assumed that the store cannot replace this string (in a material-world analogy: paper with perforated squares that can be punched out but not put back). When a check identifier turns up in the database, the bank also compares the stored random string with the one on the check it has just received: if the two strings are equal, the store has submitted the same check twice; if they differ, the user spent the check twice, once with each random string.

If the user is to blame, he nevertheless remains anonymous to the bank. If it were possible to deanonymize him at the moment he tries to spend a check twice, but not in ordinary honest cases, that would make offline payments possible, as with chip bank cards: if the user tried to trick a till and took advantage of its having no connection to the bank, the bank will find out later from the till's transaction log who it was, and the user will be punished. There is no need to catch him on the spot.

This can be done with cryptographic techniques known as secret splitting and bit commitment. Let us complicate the protocol further:

  • Before requesting a signature, the user adds N identification lines to each check. An identification line is the name, account number, place of residence: in general, the deanonymizing information the bank needs. Each of the N identification lines is split into two parts so that the original can be recovered only by combining these two, and only these two, parts. For example, take an identification line 40 bytes long, generate a random string (noise) of the same length and XOR the two; the output is also a random string. This is a one-time pad, and it is proven that the original can be recovered only from both halves together (the random string and the result of the XOR);
  • The user encrypts each half of each identification line under a different symmetric key;
  • As a result, a thousand masked envelopes go to the bank, each of which contains, besides the amount and the check identifier, N encrypted pairs of identification-line halves;
  • After unmasking 999 envelopes, the bank additionally asks the user for the decryption key of every half of every identification line, and checks that all the lines are equal and contain all the information the bank needs (at least some user identifier). At the same time the bank is automatically convinced that the user has encrypted and split all these lines correctly;
  • The bank signs the remaining envelope and gives it to the user, who unmasks it and sends it to the seller. The user can no longer replace the identification lines, since that would invalidate the bank's signature;
  • After verifying the bank's signature and recording the random string, the seller also asks the user for N decryption keys, one for the right or left half (chosen at random) of each line;
  • The user provides the decryption keys and the seller sends them to the bank along with the check; the bank stores them together with the check identifier and the random string the user wrote on it.

A decryption key reveals only one half of each identification line, and the bank cannot recover the original from it. But if the check is used again, the seller again chooses at random which half of each line is opened, so the probability that for at least one line the key for the other half is requested is 1 - 2^-N, essentially certain for a sufficiently large N. The first half of that line is already in the bank's database; when the check is reused the second half is decrypted too, and combining them (XOR) yields the original identification line. The bank learns exactly which user tried to spend the check twice.
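The identification-line mechanism above (together with the random string from the previous step), as an added example in Python that is not the article's, Chaum's or Schneier's code. It models only the split identity lines, the seller's random side choices and the bank's database; the bank's blind signature over the check is assumed to have already happened and is not repeated here. In place of the symmetric encryption of each half the example uses a hash commitment (SHA-256 over a random key and the half). That substitution is deliberate: a plain XOR-style encryption would not be binding, since the user could later "decrypt" a committed half to any value he likes, and the whole scheme depends on the opened half being the one fixed inside the signed check. N, the field names and the identity string are this example's own choices.

```python
"""Offline double-spend detection with split identification lines (toy).

Added example, not code from the original article. Only the identification
lines, the seller's random side choices and the bank's database are modelled;
the bank's blind signature over the check is assumed to have already happened.
Halves are hidden with a hash commitment rather than symmetric encryption
(see the text above the block).
"""
import hashlib
import secrets
from typing import Optional

N_LINES = 16   # a double spend exposes the identity with probability 1 - 2**-N_LINES


def commit(half: bytes):
    """Binding, hiding commitment to one half: (SHA-256(key || half), key)."""
    key = secrets.token_bytes(32)
    return hashlib.sha256(key + half).digest(), key


def open_ok(commitment: bytes, key: bytes, half: bytes) -> bool:
    return hashlib.sha256(key + half).digest() == commitment


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_check(identity: bytes, amount: int):
    """User side: every line is split into (noise, noise XOR identity), a one-time
    pad, and both halves are committed. Returns the check (the part the bank
    would blind-sign) and the openings, which only the user keeps."""
    lines, openings = [], []
    for _ in range(N_LINES):
        noise = secrets.token_bytes(len(identity))
        halves = (noise, xor(noise, identity))
        commits = [commit(h) for h in halves]
        lines.append(tuple(c for c, _ in commits))
        openings.append(tuple((k, h) for (_, k), h in zip(commits, halves)))
    return {"amount": amount, "id": secrets.token_hex(16), "lines": lines}, openings


def pay(check: dict, openings: list, bits: Optional[list] = None) -> dict:
    """Seller side: one random side (0 or 1) per line is requested and the user
    opens exactly that half. The returned record is what gets deposited."""
    bits = bits if bits is not None else [secrets.randbelow(2) for _ in range(N_LINES)]
    revealed = [openings[i][b] for i, b in enumerate(bits)]
    if not all(open_ok(check["lines"][i][b], k, h)
               for i, (b, (k, h)) in enumerate(zip(bits, revealed))):
        raise ValueError("opened half does not match its commitment")
    # `random` is the string the user writes on the check at this store
    return {"check": check, "random": secrets.token_hex(8), "bits": bits, "revealed": revealed}


class Bank:
    def __init__(self):
        self.db = {}   # check id -> the first deposit record seen for it

    def deposit(self, rec: dict) -> dict:
        check = rec["check"]
        if not all(open_ok(check["lines"][i][b], k, h)
                   for i, (b, (k, h)) in enumerate(zip(rec["bits"], rec["revealed"]))):
            return {"ok": False, "blame": "invalid", "identity": None}
        first = self.db.get(check["id"])
        if first is None:
            self.db[check["id"]] = rec
            return {"ok": True, "blame": None, "identity": None}
        if first["random"] == rec["random"]:        # identical record: the store replayed it
            return {"ok": False, "blame": "merchant", "identity": None}
        for i in range(N_LINES):
            if first["bits"][i] != rec["bits"][i]:    # both halves of line i are now known
                identity = xor(first["revealed"][i][1], rec["revealed"][i][1])
                return {"ok": False, "blame": "user", "identity": identity}
        return {"ok": False, "blame": "user", "identity": None}  # all N sides equal: 2**-N


ID = b"Vasily Pupkin, acct 42"   # constructed sample identification line


def run_honest(identity: bytes = ID) -> dict:
    bank, (check, openings) = Bank(), make_check(identity, 100)
    return bank.deposit(pay(check, openings))


def run_merchant_replay(identity: bytes = ID) -> dict:
    bank, (check, openings) = Bank(), make_check(identity, 100)
    rec = pay(check, openings)
    bank.deposit(rec)
    return bank.deposit(rec)      # the store sends the same record again


def run_double_spend(identity: bytes = ID, bits_a=None, bits_b=None) -> dict:
    bank, (check, openings) = Bank(), make_check(identity, 100)
    bank.deposit(pay(check, openings, bits_a))         # store A (possibly offline)
    return bank.deposit(pay(check, openings, bits_b))  # same check again at store B


if __name__ == "__main__":
    print(run_honest(), run_merchant_replay(), run_double_spend(), sep="\n")
```

An honest deposit leaves the bank with one half per line and no way to recover the identity; a replay by the store is recognised by the identical random string; and a second spend at another store opens, with probability 1 - 2^-16 for N = 16, the complementary half of at least one line, so the two halves XOR back to the identification line. With random bits there is a 2^-N chance that every line is opened on the same side twice, in which case the double spend is still detected but the user stays anonymous; that is the only thing N buys.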

This protocol, anonymous, secure, usable offline and able to identify whoever tried to cheat the bank, is already quite complicated. But it still does not allow money to be split (checks are atomic: you have to ask the bank to credit the account and request two separate checks for the smaller amounts needed) or transferred directly between users without contacting the bank (the user would have to play the role of a seller who deposits into his own account). There are far more complex constructions that solve these remaining problems ... except for the unsolved problem of decentralization.
