Note: for index of full report see: http://jya.com/nrcindex.htm

---------



                              M


     Other Looming Issues Related to Cryptography Policy



                     M.1 DIGITAL CASH(1)

   National economies are based on money. The most basic form
of money is cash. Coins, originally made of valuable metals,
had intrinsic value and came to be more or less universally
acceptable. Paper money (bills) came to substitute for coins
as the value of transactions increased and it became
physically impractical to carry ever-larger volumes of coins.
However, paper money was originally backed by stores of
precious metals (gold and silver). In 1971, the United States
abandoned its last effective link to the gold standard, and
paper money -- with no intrinsic value came to represent value
that was backed by the integrity and solvency of the
(increasingly international) banking system. Other mediums of
exchange have come to supplement cash, including paper checks
written by consumers; bank-to-bank financial interactions that
are electronically mediated; nonretail business transactions
conducted through electronic data interchange among customers,
vendors, and suppliers; and credit and debit cards used to
make retail purchases.

   Today, interest in so-called digital cash is increasing.
Digital cash is similar to paper cash in the sense that
neither the paper on which paper money is printed nor the
string of bits that represents digital cash has intrinsic
value; value is conferred upon a piece of paper or a
particular string of bits if, and only if, an institution is
willing to accept responsibility for them. The basic
characteristics of digital cash are described in Box M.1.

   Public interest in digital cash is driven largely by
pressures for electronic commerce. For example, cash is
usually the medium of choice in conducting low-value
transactions; present mechanisms for conducting transactions
at a distance make economic sense only when the value is
relatively high (the average credit card transaction is
several tens of dollars). In addition, these mechanisms
generally require a preexisting arrangement between vendors
and credit card companies: completely spontaneous transactions
between parties without such arrangements are not possible
with credit cards as they are with cash. Instant settlement
when conducting financial transactions at a distance and
reducing the cost of managing physical cash are still other
advantages.

   Both cryptography and information technology, including
computer hardware and software, underlie the feasibility of
digital cash. Strong cryptographic technologies and secure
network architectures are necessary to give users of a digital
cash system confidence in its security and integrity, while
the exponentially improving price-performance ratio of
computer hardware is needed for the extensive computation
required for strong cryptography in a mobile environment.
Moreover, important advances in making electronics
tamper-proof -- another feature needed to ensure confidence --
may be in the hands of any number of users. Box M.2 describes
the properties that a digital cash system must have.

   Digital cash raises many basic questions. For example, if
electronic cash is legal tender, who should be authorized to
issue it and how should the public be assured that a
particular issuing authority is legitimate? How does a digital
U.S. dollar affect the U.S. position in the world economy? How
will the money supply be controlled or even measured with
digital cash in circulation? Apart from such questions,
digital cash also raises policy issues that are part of
cryptography policy writ large. Based on the references in
footnote 1, the discussion below sketches some of the main
issues.

----------

   (1)  This section draws heavily on Cross Industry Working
Team, *Electronic Cash, Tokens, and Payments in the National
Information Infrastructure*, 1994, Corporation for National
Research Initiatives, 1895 Preston White Drive, Suite 100,
Reston, Va.; Internet: info-xiwt@cnri.reston.va.us.

____________________________________________________________


            M.1.1 Anonymity and Criminal Activity

   The technology of digital cash will support essentially any
degree of anonymity desired. Digital cash can be designed so
that it is as closely associated with the user as electronic
funds transfer is today (i.e., highly nonanonymous) or in a
way that disassociates it entirely from the user (i.e., more
anonymous than physical cash is today). Intermediate levels of
anonymity are technically possible as well: for example,
transactions could be anonymous except when a court order or
warrant compelled disclosure of the identities of parties
involved in a transaction. Furthermore, the various parties --
payer, payee, and bank -- could be identified or not,
depending on policy choices.

   Many privacy advocates support digital cash because such a
system can provide high levels of anonymity for electronic
TRansactions comparable to the anonymity of face-to-face
transactions made with physical cash. Such anonymity is not
generally possible for other types of electronic payment
vehicles. On the other hand, anonymous perpetrators of crimes
cannot be identified and apprehended. To the extent that
digital cash facilitates the commission of anonymous crimes,
it raises important social issues. Box M.3 describes what
might be considered a "perfect crime" possible with anonymous
digital cash. Fraud, embezzlement, and transportation of
stolen property and information products are other crimes of
direct concern. Highly anonymous digital cash may also
facilitate money laundering, a key element of many different
types of criminal activity. Law enforcement officials consider
financial audit trails an essential crime-fighting tool; a
digital cash system designed to support the highest levels of
anonymity may put such tools at risk.

   The important policy issue for digital cash is the extent
to which the anonymity possible with physical cash in
face-to-face transactions should also be associated with
electronic transactions. Note that the question of the
appropriate degree of anonymity for a digital cash system
replays to a considerable degree the debate over the
conditions, if any, under which law enforcement officials
should have access to encrypted communications.


                     M.1.2 Public Trust

   Public confidence in the monetary system is a prerequisite
for its success. Most members of the public have sufficient
confidence in the exchange of physical cash and checks and of
credit or debit cards to make the system work. However, the
logic underlying these mediums of exchange is straightforward
by comparison to the mathematics of digital cash, which are
quite complex; a public understanding of how digital cash
works may be essential to the success of any such system and
to the infrastructure needed to support it.

   A second major trust issue relates to the counterfeiting of
digital cash. With paper money, the liability for a
counterfeit bill belongs to the one who last accepted it
because that person could have taken steps to check its
legitimacy (e.g., check for a watermark) and thus may not
disclaim liability by asserting that it was accepted in good
faith. No such protection is available with counterfeit
digital cash. An individual can rely only upon the
cryptographic protection built into the digital cash system.
A forged digital bank note that gets into circulation has by
definition broken through that protection; thus, it is the
bank that purportedly issued the note that must hold the
liability.


                       M.1.3 Taxation

   If a digital cash system is designed to support the highest
levels of anonymity so that financial transactions are
effectively untraceable, the collection of taxes may become
problematic. Most taxes bear some relationship to a financial
quantity that must be determined, such as the income collected
in a year or the amount of a sales transaction. When money
flows only between two parties, how will the government
determine how much money has changed hands or even know that
a transaction has occurred at all?


            M.1.4 Cross-Border Movements of Funds

   Governments find it desirable as an instrument of policy to
be able to track money flows across their borders. Today, the
"cross-border" movement of funds does not really transfer
cash. Instead, messages direct actions in, for example, two
banks in the United States and two banks in the United Kingdom
to complete a transaction involving dollars-to-pounds
conversion. Moving cash outside national borders has effects
on the economy, so governments will have to come to terms with
these effects.


    M.2 CRYPTOGRAPHY FOR PROTECTING INTELLECTUAL PROPERTY


   Much of the interest in a global information infrastructure
comes from the prospect of transporting digitized information
objects over communications lines without the need for
transport of physical matter. At the same time, concerns are
raised about the fact that digital information objects can be
retransmitted in the same way by the receiving party. Thus,
for example, the entertainment industry looks forward to the
possibility of large-scale distribution of its products
electronically but is concerned about how to ensure receipt of
appropriate compensation for them. Even today, cable
television vendors encrypt their transmissions domestically
for that very reason. The software industry is concerned about
the theft that occurs when a person buys one copy of a
software package and duplicates it for resale. Thus, a global
information infrastructure raises many questions about how
best to compensate authors and producers of intellectual
property for each use, as well as how to prevent piracy of
intellectual property.(2)

   One approach to protecting digital representations of
intellectual property involves the use of cryptography to
scramble a digital information object.(3) Without the
appropriate decryption key, the encrypted object is worthless.
The basic notion is that vendors can distribute large digital
objects in an encrypted form to users, who would then pay the
vendor for the decryption key. Since the decryption key is in
general much smaller than the digital object, the cost of
transmitting the decryption key is much lower and, for
example, could be performed over the telephone upon submission
of a credit card number.

   The Administration's Working Group on Intellectual Property
Rights concluded the following:

   Development of an optimal NII [national information
   infrastructure] and GII [global information infrastructure]
   requires strong security as well as strong intellectual
   property rights. Copyright owners will not use the NII or
   GII unless they can be assured of strict security to
   protect against piracy. Encryption technology is vital
   because it gives copyright owners an additional degree of
   protection against misappropriation.(4)

   Using cryptography to protect intellectual property raises
questions related to the skength of algorithms used to encrypt
and decrypt digital objects. Specifically, the use of weak
cryptography to protect exported digital objects could well
result in considerable financial damage to the original
creators of intellectual property.(5) If it proves reasonable
to protect intellectual property through encryption, pressures
may well grow to allow stronger cryptography to be deployed
worldwide so that creators of intellectual property can market
their products safely and without fear of significant
financial loss.

   Cryptography may also support the embedding of digital
"watermarks" into specific pieces of intellectual property to
facilitate tracing the theft to an original copy. Such a
scheme would insert information that would not affect the use
of the object but could be subsequently identified should
ownership of that work be called into question. For example,
a digital watermark might embed information into a digital
representation of a photograph in such a way that it did not
affect the visual presentation of the photograph;
nevertheless, if the photograph were copied and distributed,
all subsequent copies would have that hidden information in
them.

----------

   (2)  See Information Infrastructure Task Force (IITF),
Working Group on Intellectual Property Rights, *Intellectual
Property and the National Information Infrastructure*, U.S.
Government Printing Office, Washington, D.C., 1995.

   (3)  For example, see Carl Weinschenk, "Cablevision to Test
Anti-Theft System," *Cable World*, February 6, 1995, page 22.

   (4)  IITF, *Intellectual Property and the National
Information Infrastructure*, 1995.

   (5)  For example, an article in the *Wall Street Journal*
reports that pirates of direct digital satellite television
broadcasts are able to obtain decoders that are capable of
decrypting encrypted signals that are received, thus allowing
these individuals to avoid the monthly fee for authorized
service. See Jeffrey Trachtenberg and Mark Robichaux, "Crooks
Crack Digital Codes of Satellite TV," Wall Street Journal,
January 12, 1996, page B-1.

____________________________________________________________

BOX M.1 Characteristics of Digital Cash Tokens

   +    Monetary value. Electronic tokens must have a monetary
value; they must represent either cash (currency), a
bank-authorized credit, or a bank-certified electronic check.

   +    Exchangeability. Electronic tokens must be
exchangeable as payment for other electronic tokens, paper
cash, goods or services, lines of credit, deposits in banking
accounts, bank notes or obligations, electronic benefits
transfers, and the like.

   +    Storability and retrievability. Electronic tokens must
be able to be stored and retrieved. Remote storage and
retrieval (e.g., from a telephone or personal communications
device) would allow users to exchange electronic tokens (e.g.,
withdraw from and deposit into banking accounts) from home or
office or while traveling. The tokens could be stored in any
appropriate electronic device that might serve as an
electronic "wallet."

   +    Tamper-resistance. Electronic tokens should be
tamper-proof and be difficult to copy or forge. This
characteristic prevents or detects duplication and double
spending. Counterfeiting poses a particular problem, since a
counterfeiter may, in network applications, be anywhere in the
world and consequently be difficult to catch without
appropriate international agreements. Detection is essential
to determine whether preventive measures are working.

----------

SOURCE: Adapted from Cross Industry Working Team, *Electronic
Cash, Tokens, and Payments in the National Information
Infrastructure*, 1994.

____________________________________________________________

BOX M.2 Essential Properties of a Digital Cash System

   It is widely accepted that a digital cash system must have
the following properties:

   +    Authentication. Users must be assured that digital
cash tokens cannot be easily forged or altered and that, if
they are altered, evidence of this tampering will be apparent
immediately.

   +    Nonrefutable. Users must also be able to verify that
exchanges have taken place between the intended parties,
despite any complications that may result from delivery of
services over long periods of time, interruptions in service,
or differences in billing and collection policies of various
service providers. ("Nonrepudiable" is the term used in
traditional computer and network security work.)

   +    Accessible and reliable. Users must find the exchange
process to be accessible, easy to effect, quick, and available
when necessary, regardless of component failures in other
parts of the system.

   +    Private. Users must be assured that knowledge of
transactions will be confidential within the limits of policy
decisions made about features of the overall system. Privacy
must be maintained against unauthorized parties.

   +    Protected. Users must be assured that they cannot be
easily duped or swindled, or be falsely implicated in a
fraudulent transaction. Users must be protected against
eavesdroppers, impostors, and counterfeiters. For many types
of transactions, trusted third-party agents will be needed to
serve this purpose.

   All of these features depend on cryptography and secure
hardware in varying degrees.

----------

SOURCE: Cross Industry Working Team, *Electronic Cash, Tokens,
and Payments in the National Information Infrastructure*,
1994.

____________________________________________________________

BOX M.3 A Perfect Crime Using Digital Cash

   Anonymous digital cash provides the user with anonymity and
untraceability, attributes that could be used, in theory, to
commit a "perfect crime" -- that is, a crime in which the
financial trail is untraceable and therefore useless in
identifying and capturing the criminal.

   A famous kidnapping case in Tokyo in the early 1970s serves
to illustrate the concept. A man opened a bank account under
the false name Kobayashi and obtained a credit card drawing on
the account. He kidnapped the baby of a famous actor and
demanded that a 5 million yen ransom be deposited in the
account. The police monitored automated teller machines (ATMs)
drawing on Kobayashi's bank, and when Kobayashi later tried to
withdraw the ransom money using his card, they arrested him.

   Kobayashi's use of a physical token, the credit card,
unambiguously linked him to the account. Anonymous digital
cash presents the opportunity to eliminate this link. Creation
of anonymous cash involves a set of calculations performed in
turn by the user who requests the cash and a bank. The user's
calculations involve a blinding factor, chosen and known only
by him or her. These procedures yield digital cash that the
merchant and bank can verify is valid when it is presented for
a purchase, while simultaneously making it impossible to trace
the cash to the user who originally requested it from the
bank.

   Ordinarily, the procedures by which digital cash is created
occur in a real-time transaction between the user's and the
bank's computers. However, a criminal such as the kidnapper
Kobayashi could choose a set of blinding factors, perform the
subsequent calculations, and mail the results to the bank
along with the ransom demand. Kobayashi could insist that the
bank perform its portion of the calculations and publish the
results in a newspaper. He could then complete the procedures
on his own computer. This would give Kobayashi valid,
untraceable cash, without the need for any direct link to the
bank (such as a visit to an ATM or a dial-in computer
connection) that could reveal him to waiting authorities.

----------

SOURCE: Adapted from Sebastiaan von Solms and David Naccache,
"On Blind Signatures and Perfect Crimes," *Building in Big
Brother*, Lance J. Hoffman (ed.), Springer-Verlag, New York,
1995, pages 449-452.

____________________________________________________________

[End appendix M]




