Saturday, December 22, 2007

Ron Paul for President

This blog has never before expressed an opinion about a specific political election. Unenumerated takes a long view and electioneering is generally not the most effective means of political action. Occasionally, however, there is a remarkable exception. Ron Paul's candidacy for President of the United States is the most remarkable such exception of our era.

Among the makeup-encrusted crop of TV-hyped politicians, Ron Paul stands alone in working, not to propagate mass media mythologies, but to preserve and restore our genuine freedoms and our highly evolved traditions. Where other politicians go on and on about "freedom" in order to justify wars and suppressions that deprive people of their lives, liberties, and properties, Ron Paul throughout his long career has labored to preserve and restore our freedoms. Ron Paul has worked to heal the wounds to liberty and the damages to our essential institutions that were inflicted by barbaric politics over the last century: the wars, the ethnic cleansings, the nationalizations, and the corruptions that have worked in tandem to destroy many of the freedoms our forefathers held dear. From property rights to privacy, the rights to bear arms and defend ourselves and our loved ones, rights to speak freely via technology old and new, rights to be free from false arrest and torture, the list of freedoms we once held but are now losing is long. Without a libertarian surge, a rising of people to rebuke the evils of the century now thankfully over, the barbarity of that century will have become fixed as the only reality we know, and we will be plunged into a long dark age.

Because Ron Paul is the only presidential candidate who puts a high priority on preserving and restoring property rights, the bedrock institution of modern economies, it is no surprise that he recently raised more money in a single day than any other person in U.S. political history. Ron Paul is the only presidential candidate in touch both with our highly evolved past and our networked future. He has moved beyond the mass-media prejudices that caused the twentieth century to march lock-step into genocidal wars and nationalization. So it is no surprise that Ron Paul's main strength is on the Internet and his main weakness is in the mass media.

Even if, as mass media polls currently imply, Ron Paul does not win the 2008 Republican nomination, his staying power and independence give him the potential to exert a libertarian influence on United States politics far beyond recent experience. Even if he doesn't win a single state, Paul is demonstrating that he has a substantial and loyal following. He will stay in the race to the very end, and Republicans will have to make valuable concessions to prevent him from becoming an independent candidate who would throw the election. No one man can heal the many injuries that freedom has suffered, nor the many damages that have been done to our highly evolved institutions. But Ron Paul's success will inspire many more lovers of our once and future liberties to step forward and make that future.

United States politics is delicately balanced between the traditional poles of right and left and may only need a small shove to push it in the orthogonal libertarian direction. This is particularly true with respect to the institution with the most impact on our freedoms: the Supreme Court. If Paul falls short of becoming the Republican candidate I recommend to him that he request one or more Supreme Court nominees of his choice as the price of his support for the non-libertarian Republican candidate. On the Supreme Court there are four justices on the traditional left and four on the traditional right. As a result the one moderate justice, Justice Kennedy, exerts an overwhelmingly disproportionate influence. Four years of libertarian influence on the Presidency, with two or three seats on the Court up for grabs, could tilt the Court quite heavily towards a restoration of our libertarian Constitution, a restoration of life, liberty, and property rights in the United States.

Uniquely among mainstream politicians, Ron Paul thinks beyond mass media hype. He remembers and cares about the basic institutions that have made the United States a bastion of world liberty for most of the last 231 years, and will make it a "Shining City on a Hill" again in the future if we work to make it so. For those who love our once and future freedoms, now is the time to strike. Work and vote to elect Ron Paul for President in 2008.

Friday, October 19, 2007

Calveley nukes Amazon one-click patent

Peter Calveley has succeeded in getting the U.S. Patent and Trademark Office (USPTO) to throw out most of the claims in Amazon's infamous one-click patent, including the broadest claims. Amazon now has an opportunity to respond and convince the USPTO to change its mind, but its prospects are dim. From Peter's report:
In a recent office action, the USPTO has rejected the claims of the Amazon.com one-click patent following the re-examination request that I filed on 16 February 2006.

My review resulted in the broadest claims of the patent being ruled invalid.

In its Office Action released 9 October 2007, the Patent Office found that the prior art I found and submitted completely anticipated the broadest claims of the patent, U.S. Patent No. 5,960,411.

I had only requested the USPTO look at claims 11, 14, 15, 16, 17, 21 and 22 but the Office Action rejects claims 11-26 and claims 1-5 as well!

I reported on this soon after it got started and am proud to have assisted Peter in this endeavor. Here is Peter's full report.

Tuesday, October 09, 2007

The new gigaprojects

A new era of commercial gigaprojects is upon us, and the source is almost entirely our insatiable demand for hydrocarbons. Despite high political risks, global warming and "peak oil" fears, and shortages of skilled employees, there are dozens of energy-related projects in the works or on the drawing boards in the multi-billion dollar range, with several topping $10 billion. Is it the sign of a petroleum bubble, or does it simply reflect the new reality of a long-term higher worldwide demand for hydrocarbons? Here are some of the more interesting projects. Note that the dollar cost of these projects is often a bit higher than quoted here because of depreciation of the dollar versus most currencies since the cost quotes in my sources were made.

One of the biggest expansions into relatively new territory is that of tar sands. It is estimated that over $100 billion will be invested in Canadian tar sands projects over the next decade. Two of these projects are Petro-Canada's Fort Hills Project($25 billion) and the Chinese/Canadian Northern Lights Project ($4.5 billion).

Many of the biggest projects are to extract natural gas (methane). $11 billion of investment was recently completed for Qatargas II, and China is cooperating with Iran on the $16 billion project to develop the Iranian North Pars field. Woodside Corp.'s $9 billion investment in the Pluto project is expected to eventually top out at over $30 billion. Sakhalin 2 is a $20 billion project of Shell and Gazprom to extract oil and gas from beneath the coast of Sakhalin Island, along the east coast of Russia.

Oil tends to be a bit more dispersed than natural gas, and consequently inidividual oil projects tend to be smaller. But in total, OPEC countries have projects underway or plans for $254 billion worth of oil field development and expansion. The largest projects tend to be pipelines: a proposed pipeline from Siberia to China and the Sea of Japan for $12-$16 billion, Malaysia wants to build a $7 billion pipeline to save oil tankers from the troubles and risks of sailing through the Straits of Malacca, and a $4 billion pipeline is being built between Chad and Cameroon. But other oil-related gigaprojects are in the works. Kuwait is planning a $14 billion monster oil refinery. CONOOC and Shell have agreed to build a $4.3 billion plastics (ethylene and propylene) factory in Guandong Province, China. Investors have ponied up more than $1 billion simply to search for oil in New Zealan's Great South Basin. And oil revenues have allowed Saudi Arabians to dream of building a city from scratch for a cool $26 billion. But topping our list of gigaprojects, the overall cost of developing the Kashagan fields in Kazakhistan is now estimated at $136 billion, which may make it economically unviable.

Meanwhile, there are also numerous offshore oil operations being developed in the $500 million - $2 billion range, with a few such projects (such as the Hebron field off Newfoundland, $5.6 billion) surpassing that range. More on deep sea projects -- now including not just oil, but diamonds and other minerals -- here.

Friday, September 28, 2007

Secure time broadcast

From my article Advances in Distributed Security:
Broadcasts using sound or radiation, from sources such as bell towers, radio towers, satellites, and pulsars, must send out the same value to every receiver. A remote beacon such as a pulsar has perfect security: the access structure is any party, and its complement, the attack structure, is the empty set. For human controlled broadcasts, the attack structure consists only of the broadcaster and the access structure is any receiver.

Natural broadcasts are thus immune to the problem, described in the discussion of the Byzantine Generals problem below, of a transmitter sending different values to different receivers. Indeed, as we will see below, distributed researchers have gone to great lengths just to recreate this simple property on the Internet with logical broadcast protocols.

Nature provides clocks that are oblivious to the malicious intentions of any outside parties. In the case of a remote high-energy system such as a pulsar, this means anybody. Pulsars are many orders of magnitude more accurate than random delays that face attackers on the Internet. If critical Internet servers were synchronized to natural clocks in a secure and timely fashion, they would be immune to attacks that relied on uncertainties in timing.

More here.

Detecting pulsars is still, alas, a difficult process, but not so hard that amateurs have had no success doing so. Amateurs have had some success tracking pulsars with software defined radio and quagi antennas combined with digital signal processing.

Wednesday, September 19, 2007

Real options analysis for space projects

For the purposes of estimating the value of a project, risk has for simplicity often been treated as spread out evenly over the life of a project. For normal projects these risks can usually be fairly approximated by estimating risk per unit time. This occurs in, for example, the net present value (NPV) formula for estimating the value of a project where a constant interest rate risk premium is used. In a typical space mission, however, risk tends to be concentrated at particular events such as launches, burns, flybies and landings. Just floating out in space is relatively quite low risk, which is why we can fly to Jupiter and Saturn with failure rates not significantly greater than missions to the moon or Mars. All four of the spacecraft that have so far intentionally been flown beyond Saturn -- Pioneers 10 and 11, and Voyagers 1 and 2 -- had many initial glitches. But since passing beyond Saturn they have travelled on for nearly two decades, far beyond Pluto, with no substantial and unexpected failure. The Voyagers continue to send back valuable data on the very edge of the solar system, where the solar wind gives way to the interstellar influence -- more than 80 times as far from the sun as our own earth.

There is a small risk of component failure that tends to obey a Poisson distribution that grows over time. But the risk in even earth-orbiting satellites is dominated by launch and orbit-insertion failures, and other failures at the start of the satellite's lifetime, which are unrelated to the satellite's expected lifetime.

Thus the vast majority of the risk of most space projects does not grow exponentially with their duration, and indeed is usually not closely correlated to their duration in any way. We would thus get an exponentially wrong answer by a line of reasoning that estimated the risk of a generic deep space mission as X%/year, and deduce by plugging that risk into the net present value (NPV) equation that, for example, an 8 year mission is substantially costlier (due to a risk that grows exponentially over time) than a 2 year mission. An example of this fallacy is NPV analysis that assumes a constant risk premium for comparison of futuristic lunar and asteroid mining scenarios. All such papers that I've seen (e.g. this one) fall victim to this fallacy. To use NPV properly we need to account for the risks of particular events in the mission (in the mining scenario primarily launches, burns, and mining operations) to estimate a total risk, and divide that total risk by the duration of the mission to get a risk premium. The risk premium per year for the longer mission will thus probably be substantially lower than for a shorter mission (implying an overall risk slighly higher for the longer mission, all other things being equal).

An even more accurate method for evaluating risk in space projects is called real options analysis. It has changed valuation from the old static NPV model to a dynamic model based on specific risks. One improvement this brings is removing the assumption of constant risk, which we've seen is wildly inappropriate for deep space missions. Another idea real options brings us is that designing a project to postpone choices adds value to the project when there will be better information in the future. A science mission example: if a scientific event could occur at either target A or target B, it's best to postpone the choice of target until we know where the event is going to occur. If that's possible, we now have a scientifically more valuable mission.

Orbital planning for deep space missions tends to plan for a fixed mission ahead of time. Real options analysis says that the project gains value if we design in options to change the project's course in the future. For orbital mechanics that means designing the trajectory to allow retargeting at certain windows, even at some cost of delta-v and time. (Whether the tradeoff is worth it can be analyzed using real options mathematics, if we can make comparison estimates of different scientific targets using a common utilitarian scale).

In the context of an Jupiter orbiter swinging by various Jovian moons, such options might include hanging around an interesting moon longer or changing the trajectory to target. The idea is instead of plotting a single trajectory, you plot a tree of trajectories, with various points where the mission controllers can choose trajectory A or trajectory B based on mission opportunies.

A shorthand way to think of real options analys is that the project is modeled as a game tree with each node on the tree representing a choice (i.e. a real option) that can be made by the project managers. The choices are called "real options" because the math is the same as for financial options (game trees, Black-Scholes, etc.) but they represent real-world choices, for example the option of a vineyeard to sell its wine this year or let it age at least another year, the option of a mine to open or close, or expand or shrink its operations, etc.

The orbital planning I've seen tends to plan for a fixed mission ahead of time. Real options analysis says that the project may gain value if we design in options to change the project's course in the future. For orbital mechanics that means designing the trajectory to allow retargeting at certain windows, even at some cost of delta-v and time. (Whether the tradeoffs between delta-v, time, and particular real options are worth it can be analyzed using real options mathematics, if we can compare different scientific targets using a common utilitarian scale).

In the context of the Jovian moons project, such options might include hanging around Europa longer if a volcano is going there (like the one discovered on the similar moon Enceladus) or if some evidence of life is found (or leaving it sooner if not), or changing the trajectory so that the next target is Europa instead Ganymede if a volcano suddenly springs up on Europa, or to Io if an interesting volcano springs up there. The idea is instead of plotting a single trajectory, we plot a tree of trajectories, with various points where the mission controllers can choose trajectory A or trajectory B (sometimes with further options C, D, etc.) based on mission opportunities. Other trajectory options might include hanging around a particular moon for longer or changing the view angle to the target. We may trade off extra delta-v, extra time, or both in order to enable future changes in the trajectory plan.

Here is more on real options analysis. Real options analysis is also quite valuable for the research and developoment phase of a project. Here is a good paper on real options analysis for space mission design. My thanks to Shane Ross and Mark Sonter for their helpful comments on space project evaluation and planning.

UPDATE: This post is featured in the Carnival of Space #22.

Sunday, September 16, 2007

Tamper evident numbers

From The Playdough Protocols:
Evolving beyond clay tokens, accounting was the first use of the external marks and started to take a familiar form. Along with the tamper evident clay, the Sumerians developed a kind of virtual tamper evidence. It took the form of two sets of numbers. On the front of the tablet, each group of commodities would be recorded separately -- For example on the front would be recorded 120 pots of wheat, 90 pots of barley, and 55 goats. On the reverse would simply be recorded "265" -- the same objects counted gain, probably in a different order, and without bothering to categorize them. The scribe, or an auditor, would then verify that the sum was correct. If not, an error or fraud had occured. Note the similarity to tamper evident seals -- if a seal is broken, this meant that error or fraud had occured. The breaker of the seals, or the scribe who recorded the wrong numbers, or the debtor who paid the wrong amounts of commodities would be called on the carpet to answer for his or her discrepancy.

Checksums still form the basis of modern accounting. Indeed, the principle of double entry bookeeping is based on two sets of independently derived numbers that must add up to the same number. Below, we will see that modern computers, using cryptographic methods, can now compute unspoofable checksums.

Sunday, September 09, 2007

Mining the vasty deep (iii)

In the first two parts of this series I described undersea oil and diamond mining operations. In addition at least two startup companies, Neptune Minerals and Nautilus Minerals, are moving into mining the seafloor for metals. They're planning to dig into extinct black smokers for copper, and possibly also zinc, gold, silver, and other minerals. David Heydon, CEO of Nauilus Minerals, says of the remarkably high quality of the ores, "we haven’t seen these types of mineral deposits since the beginning of modern mining."

Nautilus and Neptune don't plan to mine live black smokers, which would be dangerous (black smokers are hot springs with temperatures well above 200 centigrade, although not boiling because at high pressure) and environmentally questionable (live black smokers team with exotic chemosynthetic life). Rather, they plan to mine the probably far greater number of extinct and lifeless black smokers that populate the oceans.
autilus paydirt:
Cutting of an extinct black smoker at 1,600 meters.


Geologist Steven Scott, a longtime advocate of sea mining, describes the geology of seafloor massive sulfides (SMS's). "These deposits are essentially metalliferous mud formed from hot, dense brines." They form within and around black smokers, the famous deep-sea vents discovered in 1979. Black smokers deposit "sinter-like mounds and chimneys of metal sulfides, oxides, silica and sulfates. Veins, disseminations and stockworks of relatively low metal grade impregnate the underlying lavas."

Curiously, we may already be mining black smokers: billion-year-old, long-extinct black smokers whose remains now lie on dry land. "The [current live black smoker] deposits have similarities to so-called volcanogenic massive sulfide ores being mined on land in Canada and elsewhere and which formed in ancient oceans as much as 2700 million years ago. Elements of potential commercial interest in both the modern and ancient deposits are copper, zinc, lead, silver, gold and barium. About 150 seafloor sites are known, most of which lie between 1500 and 3500 meters water depth."

Neptune paydirt, topside.

Both Neptune and Nautilus recently performed assays of several promising extinct smokers. Nautilus' assay was performed by two methods: a drill based on a ship (but dropped through 1600 meters of water) and a remotely operated vehicle (ROV) that took cutting samples. Here are at least some of the results. Heydon observes that "with 97% of the ocean floor yet to be extensively explored, it is likely that numerous deposits remain undiscovered."

Here is more from Steven Scott.

Business Plans

Nautilus estimates that it could cost as much as $300 million to ramp up to full-scale mining. Its plans include a $120 million specialized mining ship, the Jules Verne. This ship is similar to the FPSO used for deep sea oil, but will separate ore from sludge and water rather than oil from water. A large ROV, based on the trencher ROV used to lay pipes in the deep sea oil industry, but adding a large rotating drum scraper like those used in coal mining, will scrape the smokers creating sludge which will be pumped up to the Jules Verne and processed. Since the most expensive FPSOs can cost upwards of $800 million, the $120 million is a relative bargain. Indeed, the basic mothership/ROV setup is taken straight from the deep sea oil industry FPSO/ROV methodology.
Nautilus will contribute $120 million to develop undersea tools, including pumps, pipes and two subsea crawler-miners. It will also partner with a group of engineering companies with expertise in drilling and geophysics. If Jules Verne is in place by 2009, it could stay at the Papua New Guinea site until 2014, before moving on to exploit other deposits. Nautilus estimates that it will be able to mine 6000 tonnes a day from its target site.

Although there are technological hurdles to be overcome, ... 'the technology already exists; it just hasn't been integrated in this way. One beauty of the sea floor model is that a floating equipment production chain is our one main investment. Once we have the chain we can easily bring it up and redeploy it to another area.'
(More on Nautilus' plans here).

Nautilus' ROV with cutting arm to take samples.

Like many start-ups, Nautilus has a speculative and risky business plan, but the payoff could be vast:
[Nautilus] doesn't expect to reach first-scale production until 2009. There's no comparable traditional mining business model, since many of the individual deposits underwater are too small to be economically viable if they were on land. But because offshore drilling operations can move, whereas mines on land are stuck, the combined value of deposits in a wider area makes the operation worthwhile.
...
The worth of the oil, gas and minerals in the world's oceans is estimated to be in the trillions of dollars. If Mr. Heydon's estimates are correct, deep sea mining could have the potential to supply the world's growing demand for gold, copper and silver, among other metals. The resulting revenue could be in the billions of dollars for deep sea mining companies, of which only two currently exist.
...
Disputes over who owns what in the ocean have been a fact of global politics for decades. For reasons of security, potential resources and sometimes just pride, countries are constantly claiming control over new chunks of underwater property. As an indicator of just how rare it is to be able to mine hassle-free in the ocean, the exploration licence Papua New Guinea granted Nautilus was a world first.
More here. See also here.

In forthcoming posts in this series, we will look at some of the technological, environmental, political, and legal considerations involved in this new endeavor.

Saturday, September 08, 2007

Partial and total orders

From Advances in Distributed Security:
A basic issue of security and fault tolerance that must be resolved is the secure determination of which order events occured in. If a contract specifies a deadline and it goes down to the wire, how can a relying party or third party adjudicator determine whether the deadline was met? The outcome itself, and its fairness, may rest on fairly deciding who came first. If Alice tries to double-spend a piece of digital cash [C82], only the recipient who checks with the bank first is entitled to its value. But if the bank servers are replicated, which of the two recipients Bob or Charles checked with the bank first? In the case of a replicated property title service [S98] we have a similar problem -- if Alice transfers her title to two other owners, which new owner actually received the deed? If property is homesteaded on a first-come first-serve basis, which of two or more "land rushers" competing for a lucrative parcel is entitled to the land?

Lamport (Causal) Order

Imagine a network where computers don't know how to keep time very well -- they are always getting out of synchronization. (Alas, all you have to really think of here is the actual Internet with PCs). Such a network, called an asynchronous network, lacks an accurate and secure global clock time by which computers can determine the order in which events, which might be messages sent or instructions executed on a particular local machine, have happened. Lamport [L78] was among the first to tackle the problem of how to determine the order of events in such a network.

A partial order means that we know in what order some of the elements are, but we aren't sure about some of the others, or some of the others may be equal. An example is the "less than or equal to" relationship among a group of integers, some of which can repeat. Some of the integers we know are less than some others, but an integer paired with itself is equal. A total order, on the other hand, is like the "less than" relationship among unique integers -- we can always tell when one integer is less than another -- there is no ambiguity left. In the case of events, a partial order means for some pairs of events we know whether one occured before another, and for some others we don't know. We use the same symbols as we would use for the analogous case of the integers, so that "x <= y" means "x either occured before y or we don't know whether it occured before or after y". In a total of events, we know for any two events which one happened first. We write "x < y" meaning "x occured before y."

Lamport's answer to the event ordering problem was to show that parties (or, we use the terms equivalently here, nodes on the network) can agree on a partial order of events based on causal relationships between these events -- or at least the subset of events where we can determine that causation could occur. On a network, parties influence each other by talking to each other -- in other words, by sending each other messages. Lamport used these messages as the basic building block for constructing his partial order, according to the following rules:

  • 1. If an event is local to node P, every nonfaulty node agrees on P's opinion of it.
  • 2. Every correct node agrees that every message was sent before it was received.
  • 3. If we agree that event A occured before event B and that event B occured before event C, then we agree that event A occured before event C. In other words, this partial order is transitive.

Breaking Ties -- Creating a Fair Total Order

The partial order leaves us with the need to agree on how to break ties -- how to resolve the ambiguities where we can't agree which event took place first -- and thus create a total order of events. We want to do so in a way that is fair, in other words, in a way that cannot be manipulated to the advantage of any particular party.

An unfair way to create a total order would be to impose a certain predictable rule for breaking ties. For example, we could decide on a total order for the processes and break ties in the causal order by referring to this total order.

However, such a procedure creates a bias that may, depending on the application, favor certain servers over others, and therefore allow those servers to favor certain clients over others.

One way to break ties fairly is have the participants toss fair coins -- in other words, generate random numbers in a way that cannot be manipulated and then assign those random numbers to events. There are several ways to toss fair coins over a network and we describe one such way below.

Another way to break ties fairly is to have the participants agree to a global clock time that is more accurate than the message delays faced by those who would manipulate timing in favor of some party. This entails using a network with very predictable message lag for the clock synchronization protocol and a less predictable one for the other services.
More here.

Thursday, September 06, 2007

Institutional changes prerequisite to the industrial revolution

In the ongoing debate at Marginal Revolution over Gregory Clark's new book A Farewell to Alms -- which I highly recommend, despite my criticisms -- he wrote the following:

"The widespread impression that between 1300 and 1800 England experienced significant institutional improvements is just wrong. There were changes, yes. But not improvements."

To which I responded:
Some important institutional changes -- some of them arguably radical improvements -- in England between 1300 and 1800:

* The mechanical clock, 14th century. The resulting rise of clock culture and the time wage may have slowly but radically improved the coordination and work habits of Europeans. Earlier adaptation to clock culture, a process that may take centuries to evolve, may explain the large discrepencies between European and many non-European laborer work habits that Clark cites.

* The printing press and the rise of book consciousness, which radically decreased the costs of teaching economically important knowledge to both children and adults. The rise of book consciousness, reflected in the literacy and book cost data Clark graphs, explains the most prominent puzzle revealed by Clark's data: the fact that skills and innovation rose dramatically even as the rewards to skills were stagnant or declined.

* Nationalization the Church in England and secularization of family law, 16th century.

* The incorporation of the Lex Mercatoria into the common law, and the resulting rise of modern contract law, 18th century. Indeed, much of this occured in the same decades as the start of the industrial revolution.

* The "Romanization" of property law, rendering land more freely saleable, divisible, and mortgageable, which Adam Smith noted was an important improvement still in process at his time.

* The rise of marine insurance (e.g. Lloyd's of London) and the associated rise of colonialism and world trade, 17th-18th century.

* The decline of guilds and monopolies, 16th-18th centuries. Medieval England was certainly not a highly competitive market economy. Commerce in goods was dominated rather by monopolies and a variety of price and quality controls instituted by guilds and towns.
Here is more of the debate at MR.

Tuesday, September 04, 2007

Secure property titles

From Secure Property Titles with Owner Authority:
In all cases of property rights there is a defined space, whether a namespace or physical space, and the task is to agree on simple attributes of or rights to control subdivisions of that space. In some cases a name or other symbol corresponds to a person or object owned or controlled by that person. For example, Internet users must agree on which domain name corresponds to which web site operator. In other cases we are simply concerned with control over a subdivision of the space. With real estate we must agree on who owns various rights (to occupy the surface, to mine the minerals under, etc.) to a piece of land. With radio spectrum we must agree on who owns what range of frequencies and in what physical space (or transmitting power as an easily observed approximation of physical space used).

...all such [multiparty problems of] control over the semantics of symbols, to be made and respected across trust boundaries, are problems of agreeing on and maintaining property rights...

...New advances in replicated database technology will give us the ability to securely maintain and transfer ownership for a wide variety of kinds of property, including not only land but chattels, securities, names, and addresses. This technology will give us public records which can "survive a nuclear war", along the lines of the original design goal of the Internet. While thugs can still take physical property by force, the continued existence of correct ownership records will remain a thorn in the side of usurping claimants...

The ideal title database would have the following properties:

(1) Current owner Alice should be able transfer her title to only a single relying counterparty (similar to the "double spending" problem in digital cash)

(2) Servers should not be able to forge transfers

(3) Servers should not be able to block transfers to or from politically incorrect parties.

...Using these results [of Byzantine quorum systems] it looks like we can approach our ideal title database as follows:

(1) Alice signs the title and Bob's public key, and sends this message to 2f+1 servers, committing her to transfer title to Bob. Bob checks at least 2f+1 servers before relying on Alice's transfer.

(2) No collusion of servers can forge Alice's signature (we achieve at least this property ideally!)

(3) A conspiracy of >=(1/4)n servers can block a transfer. Alice's recourse is to use some other channels to broadcast her intention, demonstrating that the registry did not follow her wishes, and hoping the alternative channels are more reliable. Bob only has similar recourse if he signed a document with Alice demonstrating their intentions to transfer title from Alice to Bob. The most basic recourse is a correct subset of servers which exits the property club and establishes a new one, then advertises its correctness (and proves the incorrectness of its rival group) as described above.

More here.

Sunday, September 02, 2007

Bilinear group cryptography

An important recent development in public key cryptography is the bilinear group, which for abstract algebra wonks is defined as follows (if you're not into abstract algebra feel free to skip to below):
Bilinear groups are a set of three abstract algebraic groups, G1, G2 and GT , together with a deterministic function e, called a bilinear map, that takes as input one element from G1 and one element from G2 and outputs an element in GT . Suppose all three groups have order Q, element g1 generates group G1, and element g2 generates group G2. Then, one special property called bilinearity of the map e is that for all a, b < Q, we have that e(g1^a , g2^b) = e(g1, g2)^ab. This new element, e(g1, g2)^ab, is in group GT . The key observation is what happens to the exponents, a and b, during the mapping: they are multiplied. The group GT is distinct from both G1 or G2; thus the output of the mapping cannot be fed back into the map e as input.
Elliptic curves are generally used for the groups, although bilinear schemes in at least some other algebras are also possible.

Two of the main applications of bilinear groups are proxy re-signatures and proxy re-encryption. In proxy re-signatures, a semi-trusted party transforms Alice's public key signature into Bob's. The proxy does not have, cannot derive, and thus cannot sign with either Bob's secret key or with Alice's, but can only transform Alice's signature into Bob's. The proxy re-signer is thus "semi-trusted" -- it is trusted with some things we normally would trust a proxy signer with, but not with others. For example it is not trusted with either Alice's or Bob's private key, only with a special key that allows the signature transformation.

The target signature could also be a group signature. Thus, for example, Alice could sign her e-mail with her own digital signature, and a proxy re-signer sitting on the corporate e-mail firewall could re-sign the e-mail with the corporate group signature.

Proxy re-signers can be chained in a series, so that signature A is transformed by proxy AB into signature B, which is transformed by proxy BC into signature C, and so on. The last signature Z proves that the message was signed by each proxy in the chain in order. Proxy re-signers can also be chained together in a tree or directed acyclic graph. (Note that threshold signatures by contrast do not require or prove that the signatures took place in a particular order).

Proxy re-encryption is the same idea for public key encryption, with the added bonus that the re-encryptor can't read the message. So, for example, we could have the following scheme to restrict the distribution of content:

(1) Content owner Alice encrypts her content with her public key and publishes it to proxies P1, P2, etc., along with re-encryption keys AC1, AC2, etc. for each customer.

(2) Proxy allows customer to access the content only if paid. When paid, the proxy re-encrypts to the customer using the re-encryption key for that customer.

The proxies themselves are trusted neither with an ability to view the content nor with the discretion to distribute to additional customers not desired by content owner Alice. The proxy is trusted only to restrict access to a customer. (I present this scheme mainly just to illustrate what proxy re-encryption does. As an application, this particular content distribution scheme seems to me to only be useful if it somehow lowers transaction costs to route all payments through proxies rather than paying Alice directly, the latter which could be done by normal public-key cryptography, and of course it doesn't protect against a cheating customer re-publishing the content to the world).

I suspect proxy re-encryption could simplify the design of digital mix schemes like onion routing -- this is left as an exercise for the cryptographically inclinded reader.

This thesis is my source for most of this blog post; it discusses bilinear group cryptography for proxy re-encryption, proxy re-signing, and for reducing the trust needed for blinded offline digital cash.

Legal caveat: many, if not most protocols based on bilinear groups seem to have been recently patented.

Thursday, August 30, 2007

Money and the problem of cooperation

From "Shelling Out: The Origins of Money":
Evolutionary psychology starts with a key mathematical discovery of John Maynard Smith [D89]. Using models of populations of co-evolving genes, from the well-developed area of population genetics, Smith posited genes that can code for strategies, good or bad, used in simple strategic problems (the "games" of game theory). Smith proved that these genes, competing to be propagated into future generations, will evolve strategies that are Nash equilibria to the strategic problems presented by the competition. These games include the prisoner's dilemma, a prototypical problem of cooperation, and hawk/dove, a prototypical problem of aggression and its mitigation.

Critical to Smith's theory is that these strategic games, while played out between phenotypes proximately, are in fact games between genes at the ultimate level -- the level of competition to be propagated. The genes -- not necessarily the individuals -- influence behavior as if they were boundedly rational (coding for strategies as optimal as possible, within the limits of what phenotypes can express given the biological raw materials and previous evolutionary history) and "selfish" (to use Richard Dawkins' metaphor). Genetic influences on behavior are adaptations to the social problems presented by genes competing through their phenotypes. Smith called these evolved Nash equilibria evolutionary stable strategies..

The "epicycles" built on top of the earlier individual selection theory, such as sexual selection and kin selection, disappear into this more general model which, in a Copernican manner, puts the genes rather than individuals at the center of the theory. Thus Dawkins' metaphorical and often misunderstood phrase, "selfish gene", to describe Smith's theory.

Few other species cooperate on the order of even Paleolithic humans. In some cases -- brood care, the colonies of ants, termites, and bees, and so forth, animals cooperate because they are kin -- because they can help copies of their "selfish genes" found in their kin. In some highly constrained cases, there is also ongoing cooperation between non-kin, which evolutionary psychologists call reciprocal altruism. As Dawkins describes it [D89], unless an exchange of favors is simultaneous (and sometimes even then), one party or the other can cheat. And they usually do. This is the typical result of a game theorists call the Prisoner's Dilemna -- if both parties cooperated, both would be better off, but if one cheats, he gains at the expense of the sucker. In a population of cheaters and suckers, the cheaters always win. However, sometimes animals come to cooperate through repeated interactions and a strategy called Tit-for-Tat: start cooperating and keep cooperating until the other party cheats -- then defect yourself. This threat of retalation motivates continued cooperation.

The situations where such cooperation in fact occurs in the animal world are highly constrained. The main constraint is that such cooperation is restricted to relationships where at least one of the participants is more or less forced to be in the proximity of the other. The most common case is when parasites, and hosts whose bodies they share, evolve into symbiotes. If the interests of the parasite and the host coincide, so that both working together would be more fit than either on their own, (i.e. the parasite is also providing some benefit to the host), then, if they can play a successful game of Tit-for-Tat, they will evolve into symbiosis -- a state where their interests, and especially the exit mechanism of genes from one generation to the next, coincides. They become as a single organism. However, there is much more than cooperation going on here -- there is also exploitation. They occur simultaneously. The situation is ananalogous to an institution humans would develop -- tribute -- which we will analyze below.

Some very special instances occur that do not involve parasite and host sharing the same body and evolving into symbiotes. Rather, they involve non-kin animals and highly constrained territory. A prominent example Dawkins describes are cleaner fish. These fish swim in and out of the mouths of their hosts, eating the bacteria there, benefiting the host fish. The host fish could cheat -- it could wait for the cleaner to finish its job, then eat it. But they don't. Since they are both mobile, they are both potentially free to leave the relationship. However, the cleaner fish have evolved a very strong sense of individual territoriality, and have stripes and dances that are difficult to spoof -- much like a difficult to forge brand logo. So the host fish know where to go to get cleaned -- and they know that if they cheat, they will have to start over again with a new distrustful cleaner fish. The entrance costs, and thus the exit costs, of the relationship are high, so that it works out without cheating. Besides, the cleaner fish are tiny, so the benefit of eating them is not large compared to the benefit of a small number of, or even one, cleaning.

One of the most pertinent examples.is the vampire bat. As their name suggests, they suck the blood of prey mammals. The interesting thing is that, on a good night, they bring back a surplus; on a bad night, nothing. Their dark business is highly unpredictable. As a result, the lucky (or skilled) bats often share blood with the less lucky (or skilled) bats in their cave. They vomit up the blood and the grateful recipient eats it.

The vast majority of these recipients are kin. Out of 110 such regurgitations witnessed by the strong-stomached biologist G.S. Wilkinson, 77 were cases of mothers feeding their children, and most of the other cases also involved genetic kin. There were, however, a small number that could not be explained by kin altruism. To demonstrate these were cases of reciprocal altruism, Wilkinson combined the populations of bats from two different groups. Bats, with very rare exception, only fed old friends from their original group. [D89]. Such cooperation requires building a long-term relationship, where partners interact often, recognize each other, and keep track of each other's behavior. The bat cave helps constrain the bats into long-term relationships where such bonds can form.

We will see that some humans, too, chose highly risky and discontinuous prey items, and shared the resulting surpluses with non-kin. Indeed, they accomplished this to a far greater extent than the vampire bat. How they did so is the main subject of our essay. Dawkins suggests, "money is a formal token of delayed reciprocal altruism", but then pursues this fascinating idea no further. We will.

Among small human groups, public reputation can supercede retaliation by a single individual to motivate cooperation in delayed reciprocation. However, reputational beliefs can suffer from two major kinds of errors -- errors of about which person did what, and errors in appraising the value or damages caused by that act.

The need to remember faces and favors is a major cognitive hurdle, but one that most humans find relatively easy to overcome. Recognizing faces is easy, but remembering that a favor took place when such memory needs to be recalled can be harder. Remembering the specifics about a favor that gave it a certain value to the favored is harder still. Avoiding disputes and misunderstandings can be improbable or prohibitively difficult.

The appraisal or value measurement problem is very broad. For humans it comes into play in any system of exchange -- reciprocation of favors, barter, money, credit, employment, or purchase in a market. It is important in extortion, taxation, tribute, and the setting of judicial penalties. It is even important in reciprocal altruism in animals. Consider monkeys exchanging favors -- say pieces of fruit for back scratches. Mutual grooming can remove ticks and fleas that an individual can't see or reach. But just how much grooming versus how many pieces of fruit constitutes a reciprocation that both sides will consider to be "fair", or in other words not a defection? Is twenty minutes of backscratching worth one piece of fruit or two? And how big a piece?

Even the simple case of trading blood for blood is more complicated then it seems. Just how do the bats estimate the value of blood they have received? Do they estimate the value of a favor by weight, by bulk, by taste, by its ability to satiate hunger, or other variables? Just the same, measurement complications arise even in the simple monkey exchange of "you scratch my back and I'll scratch yours".

For the vast majority of potential exchanges, the measurement problem is intractible for animals. Even more than the easier problem of remembering faces and matching them to favors, the ability of both parties to agree with sufficient accuracy on an estimate of the value of a favor in the first place is probably the main barrier to reciprocal altruism among animals.

Just the stone tool-kit of even early Paleolithic man that has survived for us to find was in some ways too complicated for brains of our size. Keeping track of favors involving them -- who manufactured what quality of tool for whom, and therefore who owed whom what, and so on -- would have been too difficult outside the boundaries of the clan. Add onto that, quite likely, a large variety of organic objects, ephemeral services (such as grooming), and so on that have not survived. After even a small fraction of these goods had been transferred and services performed our brains, as inflated as they are, could not possibly keep track of who owed what to whom. Today we often write these things down -- but Paleolithic man had no writing. If cooperation occured between clans and even tribes, as the archaeological record indicates in fact occured, the problem gets far worse still, since hunter-gatherer tribes were usually highly antagonistic and mutually distrustful.

If clams can be money, furs can be money, gold can be money, and so on -- if money is not just coins or notes issued by a government under legal tender laws, but rather can be wide variety of objects -- then just what is money anyway? And why did humans, often living on the brink of starvation, spend so much time making and enjoying those necklaces when they could have been dong more hunting and gathering? Nineteenth century economist Carl Menger [M1892] first described how money evolves naturally and inevitably from a sufficient volume of commodity barter. In modern economic terms the story is similar to Menger's.

Barter requires a coincidence of interests. Alice grows some pecans and wants some apples; Bob grows apples and want some pecans. They just happen to have their orchards near each other, and Alice just happens to trust Bob enough to wait between pecan harvest time and apple harvest time. Assuming all these conditions are met, barter works pretty well. But if Alice was growing oranges, even if Bob wanted oranges as well as pecans, they'd be out of luck -- oranges and apples don 't both grow well in the same climate. If Alice and Bob didn't trust each other, and couldn't find a third party to be a middleman [L94] or enforce a contract, they'd also be out of luck.

Further complications could arise. Alice and Bob can't fully articulate a promise to sell pecans or apples in the future, because, among other possibilities, Alice could keep the best pecans to herself (and Bob the best apples), giving the other the dregs. Comparing the qualities as well as the quantities of two different kinds of goods is all the more difficult when the state of one of the goods is only a memory. Furthermore, neither can anticipate events such as a bad harvest. These complications greatly add to the problem of Alice and Bob deciding whether separated reciprocal altruism has truly been reciprocal. These kinds of complications increase the greater the time interval and uncertainty between the original transaction and the reciprocation.

A related problem is that, as engineers would say, barter "doesn't scale". Barter works well at small volumes but becomes increasingly costly at large volumes, until it becomes too costly to be worth the effort. If there are n goods and services to be traded, a barter market requires n^2 prices. Five products would require twenty-five prices, which is not too bad, but 500 products would require 250,000 prices, which is far beyond what is practical for one person to keep track of. With money, there are only n prices -- 500 products, 500 prices. Money for this purpose can work either as a medium of exchange or simply as a standard of value -- as long as the number of money prices themselves do not grow too large to memorize or change too often. (The latter problem, along with an implicit insurance "contract", along with the lack of a competitive market may explain why prices were often set by long-evolved custom rather than proximate negotiation).

Barter requires, in other words, coincidences of supply or skills, preferences, time, and low transaction costs. Its cost increases far faster than the growth in the number of goods traded. Barter certainly works much better than no trade at all, and has been widely practiced. But it is quite limited compared to trade with money.

Primitive money existed long before large scale trade networks. Money had an even earlier and more important use. Money greatly improved the workings of even small barter networks by greatly reducing the need for credit. Simultaneous coincidence of preference was far rarer than coincidences across long spans of time. With money Alice could gather for Bob during the ripening of the blueberries this month, and Bob hunt for Alice during the migration of the mammoth herds six months later, without either having to keep track of who owed who, or trust the other's memory or honesty. A mother's much greater investment in child rearing could be secured by gifts of unforgeable valuables. Money converts the division of labor problem from a prisoner's dilemma into a simple swap.

The proto-money used by many hunter-gatherer tribes looks very different from modern money, now serves a different role in our modern culture, and had a function probably limited to small trade networks and other local institutions discussed below. I will thus call such money collectibles instead of money proper. The terms used in the anthropological literature for such objects are usually either "money", defined more broadly than just government printed notes and coins but more narrowly than we will use "collectible" in this essay, or the vague "valuable", which sometimes refers to items that are not collectibles in the sense of this essay.

Reasons for choosing the term collectible over other possible names for proto-money will become apparent. Collectibles had very specific attributes. They were not merely symbolic. While the concrete objects and attributes valued as collectible could vary between cultures, they were far from arbitrary. The primary and ultimate evolutionary function of collectibles was as a medium for storing and transfering wealth. Some kinds of collectibles, such as wampum, could be quite functional as money as we moderns know it, where the economic and social conditions encouraged trade. I will occasionally use the terms "proto-money" and "primitive money" interchangeably with "collectible" when discussing pre-coinage media of wealth transfer.
More here.

Tuesday, August 28, 2007

Why the industrial revolution?

There is currently a hot debate at Marginal Revolution and elsewhere over Gregory Clark's new book, A Farewell to Alms. I can't do Clark justice with a short explanation, but in brief he posits that the rich outbred the poor so quickly in medieval England that a eugenic effect occurred, giving the English traits of temperament such as harder work, longer time preferences, etc. that made the industrial revolution possible. I find the political incorrectness of Clark's explanation refreshing, but I'm not convinced, given that the rich tended to outbreed the poor during most eras and in most cultures of history prior to the industrial revolution. Even worse, Clark's theory can't explain why England fell behind most of the rest of Western Europe, and later most of the rest of the industrial world, in industrial and later economic progress after about 1870. Genetic change doesn't work nearly that fast.

I've argued that the printing press, combined with a free market in books and the resulting spread of literate culture and the rise of national languages, gave Europe an institutional superiority over other cultures of that era that is now hard to fathom. As the term "literate culture" does not connote the radical shift in our very thought processes that occurred, I call this effect "book consciousness."

This led, in the first instance, to Western European conquest of the world's seas and colonization all over the planet -- a conquest that has been substantially reversed and could not be duplicated today because now most of the world shares book consciousness. It also led to a radical change in the way work skills were taught to children, which along with the scientific revolution and other fruits of the printing press led to the industrial revolution.

Clark's own data on wages and productivity can best be explained, I believe, by the radical changes in child investment strategy reflected in Protestant Reformation and a central aspect of book consciousness.

Finally, the industrial revolution occurred first in England rather than other parts of Western Europe due to the security advantages of being an island. Not at all coincidentally, England was by 1800 the leading colonial power. England was protected at low cost by its navies from most of the organized violence that ravaged the continent. This allowed it to develop a more secure regime of property rights, which in turn lowered the risks of the large capital outlays needed for industrialization. For a similar reason Japan initially outpaced its continental Asian rivals in industrialization.

Here's a link to the debate at Marginal Revolution.

Mutually private computation

From my article, The God Protocols:

Imagine the ideal protocol. It would have the most trustworthy third party imaginable — a deity who is on everybody's side. All the parties would send their input to this god. God would reliably determine the results and return the output. In addition, God, being the ultimate in confessional discretion, would ensure that no party would learn anything more about the other party's input than they could learn from their own input and the output.

Alas, in our temporal world we deal with humans rather than deities. Yet, too often we are forced to treat people in a nearly god-like manner because our infrastructure lacks the security needed to protect ourselves.



To an astonishing extent, network security theorists have recently solved this problem. They have developed protocols that create virtual machines between two or more parties. Multi-party secure computation allows any number of parties to share a computation, each learning only what can be inferred from their own input and the output of the computation. These virtual machines have the exciting property that each party's input is held in strict confidence from the other parties. The program and the output are shared by the parties.



For example, we could run a spreadsheet across the Internet on this virtual computer. We would agree on a set of formulas and set up the virtual computer with these formulas. Each participant would have their own input cells, which remain blank on the other participants' computers. The participants share output cell(s). Each participant inputs their own private data into their input cells. Alice could only learn as much about the other participants' input cells as she could infer from her own inputs and outputs.

I go on to briefly describe applications such as confidential auditing and auctions with private bids, here.

Related articles: confidential auditing, secure time-stamping, advances in distributed security.

Some outside links to papers: secure time-stamping, multiparty secure computation.

Friday, August 24, 2007

Blind signatures

The following, from a larger article of mine, serves as an introduction to the idea of blind signatures and their use in digital cash and other digital bearer certificates:

Introduction

Meet the greatest simple equation since e=mc2:
gSf(m) = S(m)
S is a digital signature, f is the blinding function, and g an unblinding function. The blinding functions are usually based on a secret random number called the "blinding factor". m is another random number, a unique identifier which can, for example, refer to an instance of some object.

The idea is very clever but very simple. It may be counterintuitive because the simplest physical world metaphor of this highly useful e-commerce primitive sounds worse than useless: Alice can get Carol to sign a blank check! Here's how:

(1) Alice generates m and blinds it. "Blinding" is just a one-time-pad encryption to oneself, f(m). She sends this to Carol. This is like taking a piece of paper and sealing it inside an envelope which Carol can't open or see through.

(2) Carol signs it: Sf(m), and sends this back to Alice. This is like Carol signing the outside of the envelope.

(3) Alice unblinds it: gSf(m) = S(m). Carol has also signed the paper Alice put inside the envelope!

The genius behind this discovery: cryptography guru David
Chaum. The brilliance lies in step 3: Chaum discovered that
some signatures have the property of being "commutative"
with the blinding functions: Alice can strip off the blinding
in the reverse order which the blinding and signature
were applied, leaving just Alice's signature of n. It is as if
Alice put a piece of carbon paper inside the envelope.

In particular for RSA signatures, with public key (pq, e)
and private key d, the blind signature functions are the following
modulo pq:
S(x) = xd
g(x) = xk-1
f(x)= xke
We can check that the blind signature property holds:
gSf(m) = (m(ke))d * k-1
= md * k * k-1
= md
which is the valid RSA signature of private key d on m.

Unlinkable Transfers

Distinguish between either a counter or third party tracing one person's true name, via lack of or weak communications mix, and a third party linking two entities (whether nyms, use-more-than-once-addresses, account numbers, or true names) as being involved in the same transaction. By unlinkability herein we mean the latter. The goal where true names are used (this occurs, for example, when using true name accounts or not using good communications mixes), is to prevent third party linking of two people doing business with each other. Where nyms are used the goal is to minimize the release of traffic information, to prevent the unwanted accumulation of unique behavior patterns, which could be used to link nyms (including to their true names), or could augment other means of breaching privacy. Blinding especially helps where rights holders want to keep third party or public accounts denominated in generic rights. In that case a communications mix doesn't even in principle give us what blinding does.

Besides protecting against the transfer agent, Chaum's transferor-, transferee-, and double-blinding protocols protect against collusion of a party with a transfer agent to identify the countparty account or nym.

Unlinkability can be provided by combining a list of cleared certificates with blind signatures and a delay-mixing effect. Enough instances of a standardized contract [or specifically with digital cash, standard denominations of money] are issued over a period of time to create a mix. Between the issuing and clearing of a certificate, many other certificates with the same signature will be cleared, making it highly improbable that a particular clearing can be linked to a particular issue via the signature. There is a tradeoff between the mixing effect and the exposure to the theft of a "plate" for a particular issue: the smaller the issue, the smaller the exposure but the greater the linkability; a larger issue has both greater exposure and greater confidentiality.

Blind signatures can be used to make certificate transfers unlinkable via serial number. Privacy from the transfer agent can take the form of transferee- unlinkability, transferor-unlinkability, or "double blinded" where both transferor and transferee are unlinkable by the transfer agent or a collusion of a transfer agent and counterparty.

A use-once-address communications mix plus foreswearing any reputation gain from keeping accounts, in theory also buys us unlinkability, but a communications mix is weak and very expensive.

Bearer certificates come in an "online" variety, cleared during every transfer, and thus both verifiable and observable, and an "offline" variety, which can be transferred without being cleared, but is only verifiable when finally cleared, by revealing any the clearing name of any intermediate holder who transferred the object multiple times (a breach of contract).

This unlinkability is often called "anonymity", but the issue of whether accounts are issued to real names or pseudonyms, and whether transferor and transferee identify themselves to each other, is orthogonal to unlinkability by the transfer agent in the online model. In the off-line model, account identification (or at least a highly reputable and/or secured pseudonym) is required: passing an offline certificate a second time reveals this identity. Furthermore, communications channels can allow Eve to link transferor and transferee, unless they take the precaution of using an anonymous remailer. Online clearing does make lack of identification a reasonable option for many kinds of transactions, although common credit and warrantee situations often benefit from or even require identification.

When confronting an attempted clearing of a cleared serial number, we face an error-or-fraud dilemma similar to the one we encountered above in double entry bookkeeping. The ecash(tm) protocol from DigiCash actually takes advantage of on purpose to recover from a network failure. When certificates are lost over the net it is not clear to the transferor whether they have been received and cleared by the transferee or not. Second-transferring directly with the transfer agent resolves the ambiguity. This only works with the online protocol. The issue of distinguishing error from fraud is urgent in the offline protocol, but there is as yet no highly satisfactory solution. This problem is often intractable due to the subjectivity of intent.

With ideal two-way anonymous communications between use-once keys, and completely accountless clearing, unlinkability via blind signatures becomes redundant. This ideal case has yet to be even closely approached with implemented technology, and necessarily involves long communications delays which are often intolerable. Real imperfect communications mixes and less expensive blinded tokens complement each other.

Wednesday, August 22, 2007

Personal jurisdiction before sovereignty

Today the concept of personal jurisdiction -- the freedom of a government to take action against a particular person for the purposes of enforcing a law -- is largely based around the idea that a "sovereign state" has personal jurisdiction over the persons and activities within its territory. But in many times and places this has not been so. Under the system of political property rights in most of medieval Western Europe, for example, the kings had their political property rights, and the lords had theirs. Both were governed by the same basic laws of property, including laws of right (title), trespass, and inheritance. The result was a sophisticated system of jurisdiction based on property rights rather than sovereign rule.

Both kings and lords had an incentive to respect each other's political and economic property. This is illustrated by a speech that Shakespeare puts into the mouth of Duke of York in Richard II, when King Richard is threatening to (under somewhat dubious legal arguments) confiscate the exiled Duke of Hereford's estates and franchises (i.e. both his economic and political property rights). Indeed, a major theme of the tragedy is that since the king failed to respect political property rights, his own end up being overturned. Note that "royalties" and "franchises" are synonyms used for political property rights -- they are the same kinds of property rights as the king himself holds, and alliterative redundant pairs like (e.g. "royalties and rights") were common in legal language as well as in Shakespeare:

O my liege,
Pardon me, if you please; if not, I, pleased
Not to be pardon'd, am content withal.
Seek you to seize and gripe into your hands
The royalties and rights of banish'd Hereford?
....
Take Hereford's rights away, and take from Time
His charters and his customary rights;
Let not to-morrow then ensue to-day;
Be not thyself; for how art thou a king
But by fair sequence and succession?

The king's own rights to his realm are, in other words, based on the same property law as the jurisdictions of the dukes, burghers, and other franchise owners. Abrogate the law for others and it could easily be abrogated for the king. But the long era of political property rights would end with the coming of republicansim and democracy because Parliament and other legislatures do not share this coincidence of interests. Only the dawn of an independent court saved economic property rights in England and America -- but it was insufficient to save political property rights, especially those of jurisdiction which the "sovereign" courts seized for themselves.

The late medieval English case of Upton v. Le Mazerer provides a great illustration of personal jurisdiction based on political property rights rather than sovereignty. To get the most out of the following you should have a basic idea what a life estate and reversion are. The basic issue of the case is whether the the tenant holds property of the lord as a "sokeman" tenant (in which case the lord has jurisdiction) or whether the lord had granted the tenant a release from jurisdiction, making the tenant a "frank" tenant which meant the king had jurisdiction. The meanings of all these will become clearer as you read through the following description of the case, taken from my paper "Jurisdiction as Property."

Our cast has several players:

(1) Lord Hugh, ancestor of the current lord.

(2) Hugh, a tenant of the Lord Hugh. As the curtain opens on the facts of the case, Hugh is a sokeman tenant of Hugh the lord, and thus Hugh the lord starts with personal jurisdiction over Hugh the tenant.

(3) The current lord, heir of Lord Hugh.

(4) The current tenant, heir of Hugh the tenant.

In Upton v. Le Mazerer a “writ of right according to the custom of the manor,” a dispute over lands of the manor, was removed...from the manorial court because the tenant party claimed to hold in frank-fee rather than as a sokeman of the lord of the manor. If this was the case the king, not the lord of the manor had personal jurisdiction over the tenant.

The agreed facts were that Hugh, ancestor of the current lord, had granted to Hugh, a sokeman tenant (i.e. a tenant then under the jurisdiction of Hugh the lord), the same lands that Hugh already held of his lord, but in “frank,” thus releasing Hugh the tenant from the lord’s to the king’s jurisdiction. The current tenant, a successor to the tenant Hugh, claimed the grant was frank-fee, i.e. [in the king's jurisdiction] “for all time”, while the current lord, an heir to Hugh the lord, agreed that it was a grant of freedom from the lord’s jurisdiction but argued that the grant was only for “a term of life.” The current lord, heir of Hugh the lord, argued that “we are claiming these tenements as ancient demesne from the seisin of [our] ancestor, which is higher in time than this deed” In modern terms, the lord of the manor was claiming that the tenant now held only the reversion of the life estate, which was just the original sokeman fee held of the lord of the manor, and thus that the lord of the manor had regained jurisdiction over the tenant. The outcome of the case thus hinged on whether the grant adding to the tenancy freedom from the lord’s jurisdiction was for a term of life or a perpetual fee. The outcome of this factual issue was not reported, but the reporter observed that “if it be found that Hugh [the tenant] had fee, the original writ, which remained in the lord’s court, would abate...[a]nd if it be found that he only had for a term of life, then the parties shall go back to the lord’s court, and plead with regard to the original etc.” The personal jurisdiction of each court was entirely contingent on the outcome of the property issue: as one Scrope (either a justice favorable to the lord, or one of the lord’s barristers) observed, “[t]he scope of the averment is only to determine whether the tenements ought to be tried here or sent back to the lord’s court.” The reporter also noted main property law issue on which jurisdiction hinged: “[w]hen a man recovers tenements from his ancestor’s seisin, he shall recover the tenements in the state wherein his ancestors held them, and all deeds made in the meantime between the ancestor’s recovery and the seisin will be defeated by this recovery.”

Monday, August 20, 2007

Smart contracts watch

Cell phones can be used to monitor and pay for parking. This system and this one are pretty clumsy in terms of all the gratuitous user input required, but as has occurred with prepaid cell phones I expect this to become quite a bit more user-friendly in the future. It will be very nice to be able to top up the parking meter without having to return to the car.

As usual remember that any information recorded (here, where and when you park) "can and will be used against you." For example it can generally be subpoenad for use in court, as also occurs with credit card records, phone records, and automated toll systems. My old boss David Chaum, his student Stefan Brands, and others in the advanced cryptography community have designed many protocols that would preserve privacy in these scenarios, but the deployers of these technologies are usually not terribly interested in your privacy. Your recourse -- keep using physical cash, and take the trouble to go back to your car to check and stuff your parking meter.

In my original writing on smart contracts I talked about trading derivatives and constructing synthetic assets with low transaction costs:
Very complex term structures for payments (ie, what payments get made when, the rate of interest, etc.) can now be built into standardized contracts and traded with low transaction costs, due to computerized analysis of these complex term structures. Synthetic assets allow us to arbitrage the different term structures desired by different customers, and they allow us to construct contracts that mimic other contracts, minus certain liabilities. As an example of the latter, synthetic assets have been constructed that mimic the returns of stocks in German companies, without requiring payment of the tax foreigners must pay to the German government for capital gains in German stocks.
A bit later I figured out that the primary barrier to such activity is mental transaction costs. These costs throw a monkey wrench into what is otherwise the very good idea of consumer derivatives. One can imagine a wide variety of consumer derivatives, such as buying insurance against air fare changes and the growing business of selling sports tickets based on personal seat licenses (PSLs). I have sketched some possible solutions to the mental transaction problem, such as the market translator. The main problem is designing an automated agent that can figure out user preferences without bothering the user -- usually by recording and analyzing the user's normal behavior. If this can be fully automated the bottom drops out, so to speak, and even nanobarter becomes possible.

Smart contracts, based on digital property, open up a vast new space of possibilities. Many of the digital machines you own can obtain good information about your usage and their own status, from which they could at least crudely estimate what you want to buy. Take parking, for example. A suitably smart car and parking meter system should be able to figure out where you want to park and how much you want to pay for it, with minimal user intervention. I'm not talking anything like "AI" here, just computerized cars and parking meters that have sufficient sensors, can communicate with each other, and use known algorithms. As you are driving down the street, you tell your car that you want to find a parking place. The price of open parking spots ahead starts popping up on your dashboard. You choose and agree to pay the fee by simply parking in the spot.

Along with this future urban lifesaver, parking spot derivatives would be very useful. For the same reasons as stadium owners sell PSLs -- to receive revenue up-front to help pay the cost of building the infrastructure -- owners of parking spaces could sell parking space licenses (PSL again, oops :-). The owner of the PSL, in turn -- or said owner's car acting as his agent -- could sell the hours or minutes that the car is not using. You could buy a PSL and thereby reserve that sweet spot right next to your downtown office for the year. Then sell off the parking rights for the weekends. You could reserve a spot next the your favorite club and sell off all the times except Thursday through Saturday night. And if you are away from the office or staying in for the evening, your car's market translator can price and offer the space and it will become open and start popping up on driver's dashboards.

This kind of thing is just the tip of the iceberg as far as the potential of smart contracts is concerned.

Finally I will report on a digital cash system from no less than our frequent commentor Daniel Nagy. Nagy makes the following observation:
While everyone with a cellular or a touch-tone telephone, a web-browser or email client in its readily available, out-of-box configuration is able to transmit short messages (up to a few hundred bits), performing complex calculations involving strong asymmetric cryptography requires additional tools which not everyone possesses or can afford to run. The fact that it is impossible to transact without performing complex calculations in real time is a far more serious obstacle than the need to contact the issuer for each transaction.
This is an interesting approach, but I suspect may be correct only in the limited sense that these devices and software don't come built-in with the particular cryptographic protocols needed for strongly private cash (e.g. Chaumian blinding). But they don't come built-in with digital cash software either. Thus, the main advantage of Nagy's scheme, which may or may not make up for its reduced privacy features, comes from the ability to use it without having to install any extra software at all -- to just, for example, cut and paste the cash from an e-mail where you received it from one person to an e-mail where you pay it to another. Your word processor can be your wallet. If this is an important use-case, then Nagian cash may succeed where Chaumian cash failed.

Another payment system of note is WebMoney, which recently started up a gold-backed currency, a competitor to the troubled e-gold. (HT: Financial Cryptography)

Thursday, August 16, 2007

Exit and freedom

Why did the early United States have much stronger property rights and far lower taxes than today, even though it is nominally governed by the same political form and a constitution that has undergone only a few amendments? Why do Hong Kong and Singapore currently lead the world in economic freedom? Why did the fall of the Berlin Wall spell the end of European communist states? What political changes or changes to our own lives would give us stronger property rights and lower taxes?

What stands out about Singapore and Hong Kong --and other entities that have the most economic freedom in their region, such as Bahrain in the Arab Middle East -- is that they specialize in international trade. To encourage business travel, they must put few restrictions and tax penalties on travel. Large proportions of their population have strong international social ties. Large proportions of the population of these countries could easily move out of the country if their local rights were violated. Strong international personal and business ties allow them to quickly reestablish themselves in a different, but not so foreign, country.

In other words, when a small country specializes in mediation of international trade, the exit costs for the people from whom it collects most of its tax revenue is low. To maintain their tax revenues they must maintain a productive international trade business, and to maintain international trade these governments must thus maintain low exit costs for a large proportion of their population.

Laffer curve of tax rate versus tax revenue (black) and corresponding curve of GDP (green). When governments maximize tax revenue the prosperity and economic freedom of their taxpayers suffer. Credit: Mark Byron.

Governments of almost any form try to maximize their tax revenues, and government employees also often gain personal satisfaction from being able to control the lives and property of others (this goes under various euphemisms, such as the ambitions to "change the world" and "make a difference.") This process is facilitated primarily by high exit costs and is limited almost only by limits on governmental ability to increase exit costs. The maximum point on theLaffer curve -- the most tax that a government can collect -- is lower and occurs at a lower percentage tax rate in countries where exit costs are low. Thus the tax rates inHong Kong, Singapore, and Bahrain are lower than among their culturally similar neighbors that do not specialize in as internationalimermediaries.

At the other end of the spectrum from Hong Kong and Singapore are countries with isolated populations, with poor access to world communications and travel. Add to this countries where tax revenues can be gained from taxing agricultural land or minerals rather than potentially mobile "human capital." These countries tend to have the fewest freedoms. Even among highly developed countries, those with more homogeneous populations that speak a tongue seldom spoken outside the country -- and thus far stronger internal than international social ties -- tend to tax their "human capital" the most, e.g. the Scandinavian countries.

In other words:

(1) the governments of Singapore and Hong Kong have to encourage free travel to and from many other countries, to encourage the constant human interchange that is essential to international trade, making it impractical to set up onerous travel restrictions,

(2) most residents of Singapore and Hong Kong have strong social ties -- both business and personal -- outside the country, and

(3) the vast majority of residents of almost all other countries are tied to their territories by strong internal social networks and the lack of external social networks that could support them if they needed to escape. That makes it easy for governments to tax, regulate, and control the residents, for the same reason that it's easy for prison guards to abuse inmates -- it's hard to escape.

The American colonies and the early American republic both had remarkably strong property rights and very low taxes by our standards, despite sharp changes in the form of government. With few changes in the form of government since, taxes have risen almost tenfold and property rights often now mean little more than the right to keep after-tax capital gains.

The answer to this American puzzle is again exit costs. Farmland was the dominant form of wealth in the 18th and early 19th century, and practically free yet very good farmland was available in America on the western frontier. Any oppression, any high taxes or other violations of property rights could be countered by pulling up stakes and moving west. If you didn't want your local farmers to leave you had to respect their rights, in sharp contrast to the traditional form of agriculture where serfs were stuck on the land. On the other hand, black slaves in the U.S. provide a sharp contrast to the remarkably free white farmers -- a condition explained by state and federal fugitive slave laws, which spread a virtual Iron Curtain for slaves across the entire vast expanse of the United States, in free states as well as slave states.

Human capital is very easy to tax when it gathers in large organizations, such as modern corporations, as these organizations must be audited, and auditing provides the information needed for the income tax, by far the most lucrative form of tax ever developed. When America's frontier disappeared, when the good agricultural land was claimed and industrial wealth became more important than agricultural wealth, and industrial wealth was flowed in easily audited forms through corporations and to their employees, taxes rose and property rights for all started to erode, a process that continues to this day.

Countries that depend on human capital, as almost every country these days does, often throw up legal barriers to exit. Countries that worry about "brain drain" sometimes charge extortionate passport fees. These are examples of countries erecting virtual Berlin walls in order to raise the exit costs of their countries, suppress jurisdictional competition, and thus increase their tax revenues. Another form of this are long-arm statutes, especially when used to collect taxes on companies that have only "minimal contacts" with a jurisdiction.

Why are governments imposed on us rather than chosen? Why can't we shop for countries like we shop for cars? Why has progress in jurisdiction shopping movements such as the Free State Project been so slow? Because interstate travel is considered a fundamental right under U.S. law, the exit costs imposed by law on moving from state to state are very low. The slow progress of the Free State Project points up several factors:

(1) that many, if not most, taxes and other violations of property rights considered onerous come from federal rather than local governments, and moving just from state to state within the United States does not avoid these,

(2) that no state, not even New Hampshire, is so remarkably better than any other state to motivate many people to move, and

(3) that local social ties -- whether for personal or business relationships -- are much more expensive for most people to break than the gains to be had from increased economic freedom between one state and another.

In the United States and today in most of the world, exit costs are imposed primarily by the ways we live our lives -- and in particular by our personal and business networks -- not by artificial Berlin wall like barriers. Modern deprivations of liberty have much more to do with this fact than with the oftenexaggerated differences in forms of government or with supposedly crucial rights such as the right to vote. Today, never in the United States have so many people had the right to vote, yet never in the United States have we had so high taxes and so few property rights.

With the fall of communism, for most people in the world government restrictions on exit are no longer the dominant barrier to exit. Our lack of liberty has rather to do with the fact that the vast majority of our strong social ties lie within a territory monopolized by a nation-state. Any form of large modern nation-state that we can practically expect to encounter, as well as any state of any size that restricts emigration, will engage in extortionate deprivations of property that many people in many earlier times and places, such as colonial America, did not tolerate.

How, then, can one best protect one's rights? By living one's life in a way that makes exit costs low:
Be prepared to vote with your feet. Add interstate and international diversity to your social networks -- both personal and business. Lower your costs of exiting, if the need should arise, the jurisdictions that impose on the territories wherein you reside. Repeatedly in history -- from the old American frontier to the fall of the Berlin Wall to modern jurisdictions that specialize in international trade -- low exit costs have not only enabled liberty for the individual and the small group, but they have more than any other factor motivated the larger jurisdiction to provide the most important rights and freedoms for those who stay put. Grow interpolitical roots so that no single polity can chop down your tree. The good news is that modern communications, travel, and standardization of international languages (mostly on English) have made diversifying our social networks -- growing international roots - far easier than ever before in history.
Despite the closing of physical frontiers, which has had an extremely deleterious impact on freedom, other trends may be bringing about the lowering of exit costs. International communications networks and the international standardization on a few languages (and perhaps even just one, which quite fortunately for my readers is the one I'm currently writing in), combined with low international travel costs, are leading to the development of more strong personal and business social ties that cross borders. Multinational small businesses are joining multinational corporations in developing cross-border business ties.

But there are also many threats by governments to re-establish or increase exit costs by throwing up virtual Berlin walls and fugitive taxpayer networks. Extraterritorial assertions of jurisdiction, especially of tax jurisdiction, threaten to throw up enforcement networks akin to the old fugitive slave laws in the antebellum United States. Freedom of travel is being threatened by paranoid responses to the overblown threat of terrorism -- but at least one good group is fighting to counter this threat. To counteract these threats, basic freedoms must be protected by our courts from encroachment by other governmental branches. The U.S. Supreme Court counts both voting and interstate travel as fundamental rights. Of these fundamental rights, travel -- but especially international travel -- the right to pass through the airports and Brandenburg Gates and Checkpoint Charlies of the world -- is by far the more important.