[Email Reply]

Clipper Chip Banking

by J. Orlin Grabbe

Sandia National Laboratories have created the digital cash equivalent of the Clipper chip: an "anonymous" digital cash system that would give participants privacy from all viewers, except for the government agencies that would control the secret keys required for backdoor access.

Just as the "Clipper" proposal (the Escrowed Encryption Standard) is a system of encrypted communication with a Big Brother peephole, so is Sandia e-cash a system of digital cash with a Big Brother peephole. It was designed that way.

Why is Sandia interested in digital cash systems? Well, Sandia is responsible for all non-nuclear components of nuclear weapons. The security of nuclear weapons depends partly on cryptology. The code- breaking National Security Agency (NSA), for example, is responsible for the communication security of the Minuteman missile, as well as the codes by which the President must identify himself to authorize a nuclear strike.

The use of nuclear weapons is normally based on a trustee system: two or more people are necessary to give the complete authorization code. The NSA used this idea as the basis for the Clipper chip: two designated trustee agents would each have knowledge of one-half the chip-specific unique key by which to decode the session key that encoded a particular communication passing through the chip. The Clipper chip was originally proposed for incorporation into every digital communication device: computer, fax, and cable TV.

The sales aspect of Clipper was a new encryption algorithm based on 80- bit encryption keys. Financial and other institutions had begun to worry about the security of the Data Encryption Standard (DES) which uses 56- bit keys. An 80-bit key space would be 2^24 times as large as the DES key space. The catch was that acceptance of the new algorithm would involve acceptance of the NSA backdoor. At the present time, the financial industry has said, "No, thank you," and is focusing on triple-DES, which has the security equivalent of 112-bit encryption keys, and no backdoor.

Sandia e-cash is a simple extension of the trustee notion. Sandia e-cash was announced as "the first electronic cash system that incorporates trustee-based tracing, while provably protecting user anonymity". The trustees in this case are key-escrow agents, and a minimal subset of them (say three out of five) would be able to combine their knowledge to trace an individual's electronic transactions. The fact that several agents would need to act in concert "protects users from the possibility that one or two trustees might be corrupt". (In other words, depending on the level of official corruption, the system would either be somewhat secure, or totally insecure.)

Anonymity or privacy in financial transactions generally means an inability to determine an individual's spending patterns. Anonymity requires first and foremost protection from the prying eyes of the bank.

If the bank knows what is going on in your account, then potentially so can anyone else: the records can be seized, or surreptitiously accessed by computer, or a bank employee can be bribed to make them available. (In this respect, it is useful to note that the system of Swiss numbered accounts was created to protect bank customers from bank employees. Bank employees, observing what occurred in a customer's account, could possibly subject the customer to blackmail.)

Anonymity involves several aspects, including "unlinkability" and "untraceability".

"Unlinkability" refers to the inability of a bank (even colluding with merchants) to determine that two payments were made by the same user. To understand this, consider the opposite case: your monthly American Express or credit card bill. Such a statement contains a set of transactions which are all linked by a common element--your AMEX or credit card account number. Because these payments are linked, they present a limited picture (a subset) of your behavior, movements, and habit patterns. Your private behavior is potentially public information. Unlinkability is therefore an aspect of anonymity. Because linkability in anonymous digital cash involves cryptological protocols, it is actually a probability concept: how probable is it that two payments can be accurately identified as having been made by the same user? Unlinkability means such probability is negligible.

"Untraceability" refers to the inability of a bank to match withdrawals of digital cash with subsequent payments. To have untraceability, the information a person reveals about himself by making payments must be statistically independent of the information a person reveals about himself by making withdrawals. Of course if the bank, even when colluding with merchants, can't link or trace a person's transactions--even in probability terms --then neither can FINCEN or the NSA. Anonymity and privacy thus ultimately hinges on concealing this type of information from the bank itself.

But such anonymity, naturally, raises the issue of the selectively- enforced money-laundering laws. The prevention of money-laundering is stated as a principal raison d'etre for Sandia's e-cash system of non-anonymous "anonymity":

"Money laundering . . . is hampered by physical cash and would be made easier by a completely anonymous electronic counterpart. . . . With anonymous e-cash, money- laundering would be as simple as depositing one set of electronic "coins" in an account under an assumed name and withdrawing another set from the same account." (Peter S. Gemmel, "Traceable e-cash," Technology and the Electronic Economy, IEEE Spectrum, February 1997.)

To prevent such nefarious activity, Sandia even envisions one future world in which individuals would be required to submit regular reports of their financial transactions to the government:

"In a different trustee-based e-cash system, the users' "wallet" software would require them to supply the authorities from time to time with transaction records stored in their electronic wallets and encrypted with their tracing keys." (Ibid.)

This proposal is somewhat similar to a requirement to regularly send one's bank statements to the IRS for filing, with a committee controlling access to the file cabinet.

While Sandia ponders the future needs of Big Brother government, over at the Treasury, meanwhile, Robert Rubin has appointed the Comptroller of the Currency, Eugene Ludwig, as the point man to oversee government efforts to keep a peephole into every bank account. To this end, Ludwig--when he is not attending Clinton coffee-klatsches--coordinates the electronic cash spying plans of FINCEN, U.S. Customs, the IRS, the Secret Service, ATF, and the Office of Foreign Assets Control.

February 27, 1997
Web Page: http://www.aci.net/kalliste/