Re: Microsoft patent

Robert Hettinga (rah@shipwright.com)
Fri, 26 Jun 1998 10:11:45 -0400

• Next message: acpizer@mach.unseen.org: "Re: MS Access 2.0"
• Previous message: Mullen, Patrick: "FreeSpeech.Com Organizes Petition Against WIPO Treaty"

Okay. Looks like I stand corrected. Helps if I look at the patent's filing
date :-/. I was in a hurry yesterday to get out the door when John and
Ian's messages came up in my mailbox, and I figured I'd queue it out there
for clueful comment when I got back on the net later.

So, if this is indeed just Microsoft Cash 95 (TM), then, certainly, it's
*not* untraceable, much less blinded. If this is the same cash protocol I
saw Simon present at the MIT Media Lab back then, the only way to get
untraceable cash with SimonCash is to purchase some on the secondary
market, *after* the primary certificate has been underwritten to the net.

Of course, given that the only rational way to underwrite a bearer
certificate while both collateralizing and paying for it out of book-entry
banks of deposit leaves you completely observed bringing money on and off
the net anyway (you can't have book-entry settlement without audit trails,
no matter what jurisdiction they go through), we might have an effort here
by Microsoft to do the old, "get it to market, it's good enough", gag that
they did with the graphical user interfaces, speaking of politics and
unrealistic expectations getting the the way of marketing the best product.
:-).

Chaumian cash still allows you to have a blinded purchase as far as any
net-side observation goes, if you have a tunneling mechanism, ala
Cybercash, through the underwriter/trustee net/meatspace financial gate.
Simonian (:-)) cash doesn't do that at all. It's open kimono all the way.

I expect that, eventually, once the blind signature patent is free, or at
least resonably priced, the economic value of untraceability, that is, the
innecessity of processing or even storing audit trails, will overcome even
Microsoft Cash 95's "path-dependent" position in any cash protocol market.
Oddly enough, it might be that the old MicroFUD denial-of-market attack
("we're shipping a cash protocol in 2002; just wait until then") will
backfire on Redmond this time. In the worst case, people may just sit it
out even longer and wait for blind signatures to expire in 2007.

God. How depressing. There has to be some way to get DigiCash to wake up
and start licensing their patents to people who actually code for a living
sooner than that.

Ah. Right. We're working on that, aren't we? More on the Digital Bearer
Transaction Settlement Symposium this afternoon when I finish writing the
final call. :-).

Cheers,
Bob Hettinga

At 8:15 PM -0400 on 6/25/98, Wei Dai wrote:

> Actually Dan Simon's system doesn't use blinding at all. The abstract
> below specificly says the coin is in an unblinded form. I think you can
> get Dan's Crypto '96 paper on the Microsoft Research web page at
> research.microsoft.com, but it seems to be down right now. The paper has a
> much better description of the system.
>
> On Thu, Jun 25, 1998 at 08:30:57AM -0400, Robert Hettinga wrote:
> > Microsoft patents blinding.
> >
> > Looks like we get to wait another 20 years...
> >
> > Cheers,
> > Bob Hettinga
> >
> > --- begin forwarded text
> >
> >
> > Sender: <dbs@philodox.com>
> > Date: Thu, 25 Jun 1998 08:54:30 +0200
> > From: Ian Grigg <iang@systemics.com>
> > Organization: Systemics
> > MIME-Version: 1.0
> > To: dbs@philodox.com
> > CC: "Muller, John D." <JMuller@brobeck.com>
> > Subject: Microsoft patent
> > Precedence: Bulk
> > List-Subscribe: <mailto:requests@philodox.com?subject=subscribe%20dbs>
> > X-Web-Archive: http://www.philodox.com/dbs-archive/
> >
> > Muller, John D. wrote:
> >
> > > And now for something completely different: Microsoft recently received
> > > a U.S. patent for an untraceable electronic cash protocol. Check out
> > > http://www.patents.ibm.com/details?patent_number=5768385.
> >
> > It has always been my view that the patents held by DigiCash afforded
> > no protection to the company, it was all smoke and mirrors, which had
> > even the most cynical befuddled and applauding.
> >
> > Now that Microsoft has a patent on "blinding" one wonders what next?
> > Suing M$ is not really a rational option except as a prelude for a
> > takeover. Having said that, a takeover by M$ of DigiCash would
> > represent a very good solution for the company, in all respects.
> >
> > iang
> >
> > For reference, the salient details. Any cryptographers care to
> > translate this into a human-readable description of the algorithm?
> > ===================================
> >
> >
> > INVENTORS: Simon; Daniel R., Redmond, WA
> > ASSIGNEES: Microsoft Corporation, Redmond, WA
> > ISSUED: June 16, 1998
> >
> > FILED: Aug. 29, 1995
> > SERIAL NUMBER: 521124
> > ...
> >
> >
> > ABSTRACT: An electronic cash protocol including the steps of using a
> > one-way function f1 (x) to generate an image f1 (x1) from a preimage
> > x1 ; sending the image f1 (x1) in an unblinded form to a second party;
> > and receiving from the second party a note including a digital
> > signature, wherein the note represents a commitment by the second
> > party to credit a predetermined amount of money to a first presenter
> > of the preimage x1 to the second party.
> >
> > References {9 Chaum patents}
> >
> >
> > What is claimed is:
> >
> > 27. A method of implementing an electronic cash protocol comprising
> > the steps of:
> >
> > * obtaining a first image f(x1) and a first preimage x1, wherein
> > said first preimage x1 has a predetermined monetary value associated
> > therewith;
> >
> > * selecting a plurality of preimages xi, wherein I is an integer
> > index that runs from 1 to n, where n is a positive integer;
> >
> > * using a second one-way function f2 (x) to generate a plurality of
> > images f2 (xi) from the second preimages xi ;
> >
> > * sending the first preimage x1 and an unblinded form of all of the
> > images f2 (xi) to the second party; and
> >
> > * receiving from the second party a plurality of each including a
> > digital signature, said plurality of notes equal in number to the
> > plurality of images f2 (xi) and representing a plurality of
> > predetermined amounts, each of said plurality of notes representing a
> > commitment by the second party to credit a corresponding different one
> > of said plurality of predetermined amounts of money to a first
> > presenter of the corresponding preimage xi to the second party,
> > wherein the total of said plurality of predetermined amounts of money
> > equals said predetermined monetary value.
> >
> > References, etc...
> >
> > --- end forwarded text
> >
> >
> > -----------------
> > Robert A. Hettinga
> > Philodox Financial Technology Evangelism
> > 44 Farquhar Street, Boston, MA 02131 USA
> > "... however it may deserve respect for its usefulness and antiquity,
> > [predicting the end of the world] has not been found agreeable to
> > experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> > Philodox: <http://www.philodox.com>, e$: <http://www.shipwright.com/>
> > <mailto: rah@philodox.com> <mailto: rah@shipwright.com>

-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Philodox Symposium on Digital Bearer Transaction Settlement
  July 23-24, 1998: <http://www.philodox.com/symposiuminfo.html>

• Next message: acpizer@mach.unseen.org: "Re: MS Access 2.0"
• Previous message: Mullen, Patrick: "FreeSpeech.Com Organizes Petition Against WIPO Treaty"