outline for a simpler virtual currency

[diogenes]

Ok, so I've been reading about bitcoin and following discussions on this forum for a few weeks.  While I was initially enthusiastic that bitcoin could replace cash I quickly cooled as the problems with the currency came more into focus.  Sorry to disappoint you all but bitcoin in its current form has some really major hurdles.  The main ones being:  anonymity is the exception not the norm and that it takes too long for transactions be to confirmed.   These two issues have of course been discussed here many times.  There is also two other lesser issues that are important that aren't as often mentioned: each transaction will have a fee involved and it relies on internet connectivity.

These are show stopping problems-- bitcoin in its current form will *not* replace printed currency unless you can overcome them.


Pondering about bitcoin and virtual currency has made wonder how I would implement a virtual currency.  This is what I've come up with:

1) Anyone can download the transaction software and install it on as many machines as they wish-- as long as the computer and its operating system is reliable and trustworthy and that it can prove to other machines that it is trustworthy.  The software allows the user to create any number of accounts on their machines.  An account is basically a secure store of single non-negative number that represents the amount of currency held.  Each account is created with a zero balance.

2) Everyone who participates in the system may bootstrap exactly one account of their choosing with 1000 coins.  This is the only way that new coins are minted.  ie: everybody is given the same initial cash holding as a reward for joining the system- thus this encourages people to trial the currency since it allows them to immediately undertake transactions without any cost to them while at the same time boot-strapping the whole system.  This mechanism is fair to the participants because everybody is treated equally and given the exact same initial starting amount.  This boot-strapping mechanism controls/limits the overall money supply in the economy.

3) Besides the initial bootstrap transactions all further transactions occur between exactly two accounts -- the account receiving money is debited (ie: its balance is increased by the amount of the transaction) the other sending the money is credited (ie: its balance is decreased).  The transaction amount can be a small fraction of a coin, let's say down to one millionth.  A transaction will only proceed if the controlling software of both accounts have mutually successfully acknowledged that the machine and software of the other account is trustworthy and also that the account to be credited has a balance greater or equal than transaction amount. (Note: the two accounts may be on the same machine. eg, someone transferring their own money between their own accounts).  There is no need to record these transactions only the final balance of the two accounts matters, there is no external entity (either central or distributed) that needs to confirm the validity of the transactions.  

4) If a general transaction involves two accounts on different machines the software can use any secure network that connects them to negotiate the details, eg: from local connections like near-field to wide intercontinental TCP/IP connections.

That's it, that's the system in a nutshell!  A very simple, intuitive and efficient system.  Transactions in this system are truly anonymous, the transactions are settled immediately (ie: there is no delay involving p2p network confirmation), the general transactions have no fees/cost involved,the system is robust and has no single point of failure nor a single controlling entity.

On top of this system you can easily build other services such as an escrow services, banks, exchanges, etc.
 
So tell me what you think-- is bitcoin better or worse than this and why is it?



-----------------------------------------------------------------------------------------------------------------------


PS: At this point you may be asking, "Can we actually implement this?  Do the necessary technologies already exist?".  Well today we don't have the necessary infrastructure to deploy it, however it is quite believable that in the very near future (less than a couple of years) the required technology will be available and commonly deployed.  

Let's work through what technology we need for this and what we've currently got:

# Firstly regarding the technology required for installing and running the standard transaction software :  
What we need:
  -We need a base kernel that is trust worthy and widely deployed.
  -We need to be sure that the device boots the kernel securely in a tamper free way.
  -We need the device to assert that it is trustworthy to the software.
  -We need a way to securely distribute the software to the end users and a method to be able to securely install it.
  -We need the interacting instances of the software through the use of hardware/OS provided mechanisms to be able to attest to each other that they are trustworthy.
  -We need a way to securely store the accounts on the device and a way for devices to securely communicate over the network.

What we've got:  
  - We've half got these needs covered: for the case of the base kernel requirement we have the OKL4 kernel which is extremely trustworthy and widely deployed in mobiles (over a *billion* deployments).  As for the secure storage and networking requirements standard encryption techniques and protocols cover these.  Also, it is already common practice to securely distribute software over the internet. Unfortunately, solutions to cover the other requirements are currently quite lacking and the situation needs considerable improvement before we can safely deploy the currency.  However, it is not all that bad because these improvements are already under way--extremely secure booting and software attestation in mobiles are areas that are advancing very rapidly because phone manufacturers have recognised that rock solid digital rights management is a very pressing requirement generally.  Widely deployed solutions are only a matter of a year or two away.  (This currency is really nothing more than managing a digital right-- so the improvements currently in the pipeline for general digital rights management on mobiles lend themselves to the implementation of this currency.)

# Secondly regarding the requirements for the special initial bootstrap transactions:
What we need:
  -We need to be able to prevent the same person from multiple registrations with the system-- they should only be allowed to collect the 1000 coin reward once.
What we've got:
  -We can cover this requirement by implementing a p2p system similar to the way that bitcoin works by creating a network that validates that a given user has not already joined the system.  This would work by assigning each user exactly one unique global ID.  The nodes in this network would race to complete blocks containing new user IDs not already known to the network.  When the user wants to collect the 1000 coin trial incentive they ask the transaction software to give it them, the transaction software ask the p2p network if the userID associated with the user is already registered and if not then register ID.  Once the network has added the userID into the block chain and its been confirmed the transaction software rewards the user with 1000 coin minus a small processing fee that goes to the miner. Obviously if the userID is already registered the transaction software refuses the user's request for the reward.  
  While this p2p system is more than possible to deploy today it leads to the problem of how to associate a unique ID with a real person and how to prohibit that person from obtaining more than one ID.  This is a general problem that has plagued the internet for quite a while with no real leading solution.  We could base our solution to this on existing technology such as openID or a web-of-trust scheme, or we create a novel solution based on p2p and crowd sourcing*, or some combination of these technologies, etc.


* This is an rough outline of my ideas for a crowd sourced solution to problem of assigning a global unique ID to each user:
The system has three types of participants:
1) the client- who is person seeking a globally unique user ID so they can claim the 1000 coin reward,  
2) the ID provider- this is a trusted software service which establishes that the client is who they say they are and assigns the globally unique user ID to them,  
3) verifiers- who are the set of the people that actually decide that the client is who they say they are.  Anyone can on the internet can join-up to be a verifier.  When they join they state what sort of documents they are proficient at identifying.

For each possible nationality of a client there is type of document that is agreed upon across the system as a required document that must be provided as evidence in their claims of identity.  This document must have a unique ID amongst all the documents of that type and a person must only be able to obtain one of them.  eg: for most nationalities this would be a current passport of their country.

The process of assigning the client their ID runs as follows:
1: the client pays a small fee to the ID provider-- this is to pay for the verifiers' time and also for the cost of running the provider.  A competitive market amongst providers will determine this fee.  The client also lodges a bond in escrow with the ID provider which will be destroyed if the verifiers think the person is a fraud else it will be returned.  This bond should be a sizeable part of the reward, say 500 coins.  They could borrow these monies off a friend or may have already earned it by selling stuff.
They then fill out a web-form from the provider stating who they claim to be and what the type of documents will be produced as evidence and what the ID from the required document is.
2: the provider checks amongst its peers that the required document's unique ID has not already be registered with the system.  If it is it informs the client and returns the money else it proceeds.
3: the client uploads to the provider a short video they have created about themselves and shots of supporting documentation.  This video should have enough details to prove to the verifiers that there exists a person with certain credentials- such as name, address, etc., and that person is indeed the person in the video, and that there exists a genuine required document with the same ID as in the clients form and it is for the same person as the other documents.  eg: they first film themselves with photo ID documents of themselves such as drivers licence and any other identifying data they wish such as bills, birth-certificates, facebook, etc. this establishes that there is indeed a person with those credentials who exists and that person is the person in the video. They then do a detailed filming of the specific required document with its unique ID.  They have to film this with enough detail to prove that it describes the same person as the other documents and that the document is not a forgery  (eg: in the case of a passport they film the it overall, film the main page as well as close-ups of the visible anti-tamper features).
4: this video is then distributed to twenty randomly selected verifiers who are familiar with the types of documents provided.  The verifiers watch the video and decide-- a)there is not enough evidence to make a decision b)the evidence is good enough and they've decided that the person is a fraud or c)there's good evidence and the person matches it.  They inform the provider of their decision.
5: the provider collects the decisions- if +80% agree that the person is who they say they it gives them a global unique user ID, registers the required document ID with its peers and returns the bond; if +80% say that they are a fraud then it destroys the bond (it just subtracts the amount from its own account); otherwise it returns the bond.  The provider then pays verifiers.
6: On top of this basic verification process we add another mechanism-- the verifiers each deposits an amount equal to the verification payment prior to each round of verification.  After the decisions are in, those verifiers in the majority agreement receive the deposit of the other verifiers.   e.g.: if 45% voted fraud,  35% insufficient evidence and 20% voted genuine the fraud voters would win the deposits off the others.  This enforces self regulation of the verifiers, after a while certain standards will naturally develop as everyone tries to vote the same way for a given collection of evidence.  Also, the video can be sent out to inexperienced verifiers who can practice their verification skills against the pros-- these learners don't have to lodge coins to practice.  They get to see the final result from the real verifiers to compare how they going, once they're confident enough they may join in the real process.

You may see that there is a slight flaw with this above-- some people have multiple passports and nationalities so they could successfully be issued with multiple userIDs and claim the reward a few times.  Admittedly there is not much you can do about this-- personally I'm happy to ignore it and say "lucky them ".  You may have also noticed that you still need to bootstrap this process, ie. how does the very first person join the system-- you could hard-wire into the software that the very first account made is created with a 1000 coin opening balance and then use that to pay for the first bonds and fee of the verification system.

[1714116295]

1714116295

[1714116295]

1714116295

[wumpus]

How is this any simpler? With your scheme you need all the verification, mutual trust, trusted machines, user IDs, and so on.

Bitcoin: simply download and start the client, ask a friend to send you some coins (or use the faucet) and you can play

[FooDSt4mP]

2) Everyone who participates in the system may bootstrap exactly one account of their choosing with 1000 coins.  This is the only way that new coins are minted.  ie: everybody is given the same initial cash holding as a reward for joining the system- thus this encourages people to trial the currency since it allows them to immediately undertake transactions without any cost to them while at the same time boot-strapping the whole system.  This mechanism should be considered fair to the participants because everybody is treated equally and given the exact same initial starting amount.  This boot-strapping mechanism controls/limits the overall money supply in the economy.



....



You may see that there is a slight flaw with this above-- some people have multiple passports and nationalities so they could successfully be issued with multiple userIDs and claim the reward a few times.  Admittedly there is not much you can do about this-- personally I'm happy to ignore it and say "lucky them  ".  You may have also noticed that you still need to bootstrap this process, ie. how does the very first person join the system-- you could hard-wire into the software that the very first account made is created with a 1000 coin opening balance and then use that to pay for the first bonds and fee of the verification system.

This.  There is no reliable way to uniquely identify an individual.  You will just cap your value at (cost of forged passport)*0.95/1000 and people will make 5% by creating identities to feed your system.  Also, new users don't add value to the economy, new merchants do.

[marcus_of_augustus]

global unique ID ... is this the puke symbol   

how much more facist do you want to make the money than it already is ?

[sortedmush]

You lost me at "as long as the computer and its operating system is reliable and trustworthy"

[Alex Beckenham]

as long as the computer and its operating system is reliable and trustworthy and that it can prove to other machines that it is trustworthy.

I'm sorry I stopped reading after this.

[FooDSt4mP]

as long as the computer and its operating system is reliable and trustworthy and that it can prove to other machines that it is trustworthy.

I'm sorry I stopped reading after this.

Yeah... I barely trust my computer, and I certainly don't trust yours.

[sortedmush]

I thought I'd give it another chance ..

You lost me at "Everyone who participates in the system may bootstrap exactly one account of their choosing with 1000 coins."

[diogenes]

How is this any simpler? With your scheme you need all the verification, mutual trust, trusted machines, user IDs, and so on.

Bitcoin: simply download and start the client, ask a friend to send you some coins (or use the faucet) and you can play

From the users point of view the system I've outlined it is no different from what you describe for bitcoin.  You just download the software onto you phone, start it and your away.  You may also collect a one-off bonus of 1000 coins if you wish by registering with the system.

When I say it is simpler, I mean it is a simpler protocol and also simpler from the computational point of view than bitcoin.  When a transansation occurs in this system it *doens't* require miners on a p2p network over the internet to confirm the transaction.  There is no extra cost, time nor energy spent by anyone except the two computers involved in the transaction.  The transactions happens immediately-- basically one computer gives the other a number, the first computer decreases an account by that amount by and the second increases an account by that amount.  It is an *extremely* simple protocol when compared to bitcoin.


By the way: bitcoin forces you to implicitly assume mutual trust and trustworthy machines,  eg: when someone stores a coin on their computer they assume that their computer is trustworthy enough to securely store it.  When someone transfers some coins to an escrow or anonymising sevice they must trust the other party's computer.  
My system makes these trust obligations explicit and *demands* that the machines involved are trustworthy instead of just assuming that they are.

[Pieter Wuille]

Bitcoin does indeed require some trust, as every trade does; if you pay someone for something, you still need to receive what you've paid for.

However, bitcoin does *not* require trust that the other party will store his coins securely. If he doesn't, they may be stolen, lost or scammed, but that is his problem.

[diogenes]

global unique ID ... is this the puke symbol    

how much more facist do you want to make the money than it already is ?

Maybe I didn't do a very good job of explaining how th global ID works.  Rest assured-- the ID isn't linked to your identity.  It is just a authorization token (basically it would be a long string of numbers- much like a bitcoin address: the numbers would be such that a piece of software can interpret them as being a valid token).  By presenting a valid token to any software client of my system you may ask the client to reward you with 1000 coins to one of your accounts (or someone else's account).  The software then presents *just* the token to the p2p bootstrap transaction network to check if it has already been presented or not.  The network doesn't have *any* means to trace the token to your identity!   The coin reward network stores *only* a record of presented tokens.

Also, the other p2p network which I suggest could be used to generate your userID token in the first place *doesn't* keep much a record of your identity (eg: no name, anddress etc), it only stores the ID of the presented required document (normally something like your passport number).  This number by itself is very hard to trace back to you, hackers would be able to do very little with this number.

It should be noted that there is no record kept of which required document ID was used to grant a given global user ID token,  ie: there is no record of the link at all on the system between the two IDs-- the only person aware of the link is the user.

[BitLex]

While I was initially enthusiastic that bitcoin could replace cash ..

are you serious?
think about what cash is.
cash is not even a currency, it's just one way of transfering a currency, which can be also done bitcoin-backed.
print some bitcoin-QRcodes on paper-bucks and use that as cash,
if you give those paper-bucks to me, transfer is instant and doesn't need any internet-connection, nor confirmations.

Rest assured-- the ID isn't linked to your identity.

and how do you keep any identity from linking a hundred IDs then and claim 1000 coins 100times?
if it's not linked to my identity, why not just create a few more identities? i am lots!

[diogenes]

as long as the computer and its operating system is reliable and trustworthy and that it can prove to other machines that it is trustworthy.

I'm sorry I stopped reading after this.

Yeah... I barely trust my computer, and I certainly don't trust yours.

I agree, I don't at all feel that my machine is trustworthy.  My computer that I'm typing this on is running Kubuntu and let me tell you-- linux security is a heap of sh*t.  I wouldn't leave my money in the hands of it.  

However there are OS kernels that are trustworthy and reliable and I would have no calms at all with them protecting my money or life: kernels such as OKL4 (or its sibling sel4-- which is *completely* trustworthy-- its been formally verified),  or Greenhills Integrity, QNX, etc.  You may never have heard of these kernels-- in the real world you will find these kernels deployed where reliability is paramount-- such as flight control system in jet airlines.   No-one *ever* puts linux in a flight control system.  (I should remark that reliable and trustworthy are two different properties of a kernel-- but they are usually found hand-in-hand side-by-side)

It turns out that many mobile phones (about one *billion*) have one of these kernels inside them- namely OKL4.  Even though it is a full mirco kernel, inside phones it is normally deployed as a hypervisor and another OS runs on top.  For example, *many* (if not most) android phones actually run on top OKL4-- because Android is so insecure and unreliable that the phone operators will not place it in a trusted situation.  The phone manufactures use OKL4 as a hypervisor to prevent Android from doing any of the actual telecommunication stuff.  The fact that such a trustworthy kernel OKL4 is on so many phones leads to many possibilites in the future-- such as a virtual currency.


PS: by the way-  your choice of language reveals that you are probably not well versed in computer security literature.  In the field of computer security a machine that you "trust" is a machine that you are forced to use-- one that you have no option but to use (eg: the computer in an ATM terminal is a trusted machine-- you must use this computer to withdraw your money even if the machine is easily hacked).  A machine that you have confidence in is a "trustworthy" machine.  So you statement "I barely trust my computer" if your writing as a security expert would have been-- My own machine is barely trustworthy,  and I certainly don't think yours is.

[vuce]

If I understand this correctly, my balance is saved somewhere on my computer only. What does prevent me from not increasing this balance?

[titeuf_87]

If I understand this correctly, this will be a form of DRM used to securely store your account balance.

This does sound nice in theory: everyone knows what their balance is and they can't tamper with it as it's secured by the software, the kernel (which is software too), and the hardware.

But this will fail for the simple reason that people -will- find a way to change their account balance: they'll break the encryption, break the trustworthiness to make it look as if they're trusted. If that happens, and it will, how will this system prevent that? Everyone is trusting the clients to not cheat. A broken client will obviously still claim to be trustworthy.

If you think that software is unbreakable, then look up the various DRM scheme used in games: often claimed to be unbreakable too, till someone figures it out. Just like with the PS3: it was supposed to be unbreakable...
And if you get the best programmers that don't write any bugs at all to make the perfect DRM scheme that won't fail at all, you still won't be safe: people will start playing with the hardware in order to break it.

Hope this help explain stuff a bit,
Titeuf.

[vuce]

If I understand this correctly, this will be a form of DRM used to securely store your account balance.

This does sound nice in theory: everyone knows what their balance is and they can't tamper with it as it's secured by the software, the kernel (which is software too), and the hardware.

But this will fail for the simple reason that people -will- find a way to change their account balance: they'll break the encryption, break the trustworthiness to make it look as if they're trusted. If that happens, and it will, how will this system prevent that? Everyone is trusting the clients to not cheat. A broken client will obviously still claim to be trustworthy.

If you think that software is unbreakable, then look up the various DRM scheme used in games: often claimed to be unbreakable too, till someone figures it out. Just like with the PS3: it was supposed to be unbreakable...
And if you get the best programmers that don't write any bugs at all to make the perfect DRM scheme that won't fail at all, you still won't be safe: people will start playing with the hardware in order to break it.

Hope this help explain stuff a bit,
Titeuf.

exactly. Any kind of hardcoded encryption is bound to get reverse engineered at some point.

[Anonymous]

Would this unique ID be tattooed on your arm at all  ?
 

[hazek]

I just love it when people like the OP think they are smarter then the market! 

But guess what! No matter what you, or I or any other individual thinks it's all irrelevant. The only thing that matters is what the marketplace as a collective thinks of Bitcoin. And I guarantee you if the marketplace thinks it's useful and good it's going to be used and it will grow and if not, well I guess it wont.

But your opinion sir, is irrelevant.

[diogenes]

Rest assured-- the ID isn't linked to your identity.

and how do you keep any identity from linking a hundred IDs then and claim 1000 coins 100times?
if it's not linked to my identity, why not just create a few more identities? i am lots!

Below I've detailed the bootstrap transaction process in greater detail so that you can see that you can't claim the bootstrap reward transaction as often as you want.

Ok, so lets assume that a new user has downloaded the transaction software, installed it and has created some accounts on their phone.  They now want to claim the bootstrap new user reward.  Here is the process in detail:

1) The user asks his instance of the transaction software for a global user ID.
2) The transaction software contacts the authentication system hands the user over to it and requests "If you have never seen this user before please create a new global userID for them"  (The authentication system -whatever it is: it may be like my hypothetical crowd sourceed p2p system or based on openID or web-of-trust or something completely different or a mixture of these- is a completely separate system from the transaction software system.)
3) The authentication system then proceeds to verify the user.  If it has never seen the user before it adds a record of them to its system (under my proposal it records the ID from some from particular document provided as evidence by the user-- such as their passport ID).  It then creates a new unique global ID and returns a global ID to the user.  It creates the global ID in a non-forgable way that proves that it came from authentication system.
4) The user takes their userID and presents it to their transaction software-- this software then contacts the bootstrap p2p system and asks it if has ever seen the ID before.  This system checks if it is a valid token from the authentication sysytem (it does this by examining the token itself) and then checks if it hasn't seen it before.  If it is a new ID it then it records the ID by a p2p block-chain system similar to bitcoin.  Then it informs the transaction software whether it has or hasn't seen the ID before.
5) If the transaction software is told that it is a new ID then it creates 1000 coin in which-ever account the user chooses.

That's basically it.  Note that the authenication system never gives identity details to the transaction software.  The user ID doesn't contain any of the user's identity credentials in an accessible way (although it is possible that the userID creation process may be based on some credential of the user but this is always done by one-way functions: eg, the creation of the userID may involve the cryptographic hash of the user passport ID).

Also note the user ID is just a token that authorises the transaction software to create a bootstrap transaction in an account.  The user could indeed give the ID to any other user and the second user would be then able to use it (provided it hasn't already been used-- it is strictly a use once token).

[Anonymous]

It sounds like a beauracratic nightmare.

You're free of course to create your own system and if its better people will support it.