David Chaum is one of the earliest pioneers of digital currency.
Often referred to as the “father of digital cash,” Chaum was one of the leaders of the “cypherpunk” movement of the 1980s and 90s. The founder of the International Association for Cryptologic research, he made the world’s first real foray into digital cash with the digital currency eCash and its corporation DigiCash.
Earning his PhD in Computer Science from UC Berkeley, he went on to teach at NYU and the University of California Santa Barbara and in his 1982 paper “Blind signatures for untraceable payments,” Chaum was the first to introduce the concept of anonymous, cryptographic electronic money.
His new platform, Elixxir, seeks to realise his original vision and solve the problem of enormous transaction volumes by processing hundreds of thousands of transactions per second, and make the “critical leap from store-of-value to consumer-scale payment.”
Chaum’s interest in the space however, has always extended beyond the technical – and his warnings in the 1980s about the internet era and the dangers of a hyper-connected world now seem remarkably prescient in the age of Facebook and Cambridge Analytica.
I sat down with him to talk about these political predictions, privacy in the age of social media, the problems plaguing the current crop of crypto-assets, and what he believes is truly necessary for a cryptocurrency to succeed.
Avi Rosten: So you have been involved in this space for thirty years, and one of the things that concerned you early on was the privacy of the information age. What do you think about the current set of privacy coins? Do you think that they they’re meeting the requirements of a true privacy coin – or they have a way to go yet?
David Chaum: Without addressing any particular coin, I think that its best to address the technologies at play here…I think that in order for a coin to truly offer privacy protection, it must do two things: one – unlink the payers IP or phone MAC address from the transaction. And the second thing is that the transactions must be unlinked from each other.
And I’m not sure how well current offerings achieve both – and in fact the volume in these privacy coins of privacy protection payments is quite low. As you may know, privacy features are rarely opted for and the set of users among which you are private is really small – that makes it somewhat difficult to have meaningful privacy.
AR: You arguably predicted a lot of the problems pertaining to privacy that have come about as a result of the internet. The Cambridge Analytica-Facebook scandal, for example, has dominated headlines recently. Is that the kind of thing you had in mind in the 80s?
DC: Yes, in the 80s I was designing systems that would prevent anyone from getting a hold of such data.
By virtue of your ownership of keys that you created – you control access to your personal information.
This is also the subject of the Scientific American article and its predecessors, which are up on my website. So, in an “Achieving an Electronic Privacy” [Chaum, 1992] world – there is no special access to information about individuals that is held by organizations. Rather, individuals hold all the information about themselves by virtue of the keys that they’ve created…and when organizations want answers to queries about that personal data, they present the queries to the user, and if the user decides they wish to provide the answer – they can – in the form of what’s nowadays called a “zero knowledge proof.”
In other words, it essentially establishes the veracity of the reply to the query without revealing the underlying data that is needed to arrive at or substantiate the query.
AR: Do you think the cat’s out of the bag – are people too entrenched in social media that there’s no way back? Or do you think that that there’s a chance of the average user coming back from the brink?
DC: Well, you know, each successive flavour of social media has always seemed unstoppable, and that it would be permanently dominant…just before it was replaced by the next wave. And there’s a litany of – I don’t know – a dozen or more things that this has happened to.
One of the things that would make such transitions somewhat less of a rebirth, and more of just sort of a rehash, is the fact that most social media platforms attempt to capture the users’ contact information from the previous platform and instantiate it into the new form and they – arguably – ask for permission to do this.
But once they get permission, they shamelessly upload all that information, figure out the whole social network and then they even often relentlessly spam your friends asserting – sometimes disingenuously – that you’re trying to reach out to them.
So…one of the technical innovations that I personally have made is something which I will probably call a “Private User Discovery Protocol.” It’s not yet published, it was written up as a Master’s thesis and in future software projects I may actually use it…
It is a very clever use of existing known cryptography…you can agree to allow all your contacts to be used. However, none of them are uploaded. Encryptions are formed based on them and those are used interactively by your wallet – your client software – in such a way that the system cannot learn the social graph, and that the contacts are never uploaded. And yet, you are informed when your counter-parties allow your contacts to be so included. And in fact, a secure ‘tunnel’ is established in cryptographic communication between you and the counter-parties at that time.
So to come back to your broader question, that’s something that suggests to me that a new, more privacy-friendly social media system might actually leave a lot of the data and so on in the dust.
If you look at statistics from Facebook and the like about what sorts of communication takes place over their networks, it’s quite stunning that a very large share of it is discussion among friends and family about political matters. And this is probably the kind of thing where people would value a more secure mechanism, and it doesn’t need to mix with the baby pictures and the rest.
So no, I wouldn’t say that I’m pessimistic that new technologies will just continue these problems, I think they will allow for a clean break.
But I would say to my way of thinking, the key thing is the users become aware of the possibilities for the privacy technology to protect them and start to develop some expectation that this can work and should be available to them.
If you look back at the original eCash project – one of the key reasons I created it was that I had hoped that once consumers started to see that they could protect their own private information in these payment interactions, they would want to have similar related protections for other kinds of interactions – like borrowing library books or the user discovery protocols and so forth.
AR: What needs to be done to get users to actually adopt these kind of privacy technologies?
DC: I think you need maybe three things:
One, a way that there can be a short-term simple, effective technology delivering some unexpected level of privacy. Two, you then need consumers to start to appreciate that. And then the third thing is technical means that can provide for a much broader ongoing franchising of these sort of technologies.
That’s what I’m always looking for – a way through: low hanging fruit that you use to show people that they can actually take control of their information in a simple enough context that it’s useful and meaningful, without having to create a lot of infrastructure or elaborate applications.
Ideally, it’s a very common use like payments. And then to be able to follow along and say: “Well, this is not just a limited isolated, thing, but rather this payment system which you now like, can also be extended for various other purposes.”
AR: Another controversial topic in the crypto community at the moment seems to be centralization – and the degree to which any centralization is a problem. Do you think all centralization is “bad”: is it wrong to have some degree of centralization, if it aims to solve other problems such as scalability and speed in the process – for example EOS’ 21 block producers?
DC: I think that’s… a religious matter.
However, I think one should try to keep in mind that it may be quite difficult to operate large scale mining or other cryptocurrency operations when governments are dead set against it.
And so I think that should be taken into account when trying to evaluate what level of decentralization is appropriate, because it may be that no matter how decentralized you try to operate, if a government wants to just stop you out, then you may not be able to operate at all.
The purpose of decentralization is to stop censorship or stop governments from prohibiting operations – the way I understand it.
AR: Does a cryptocurrency have to be fully decentralized in your opinion? Is that just far too idealistic?
DC: The sorts of cryptocurrencies that I’d like to build would be considerably more decentralized than a lot of the current offerings. I’d like to see the actual users involved in some of the decision making and it may be hard to do but I think that’s that’s part of the Satoshi vision wasn’t it? That everyone who was using the system was also operating a node and doing a little mining on the side.
AR: Where do you see the crypto world heading – do you see bitcoin gaining widespread adoption, becoming a unit of account?
DC: I hope that there is a worthy digital currency that can serve as a unit of account and that will I think necessitate it being used also as a dominant payment system, and I don’t see current offerings having those characteristics. But I think that that is the way for a cryptocurrency to break through, go mainstream and have a real impact on the real world.
If cryptocurrencies – something I invented in the eighties – are to have a significant impact on the vast majority of people on the planet, then they must break through from being a store of value to being a medium of exchange.
That is the real question: whether this phenomenon will be just an isolated incident, compared to being something that will fundamentally change the way the majority of people live on the planet and really allow the networks to to reach their potential.
So to me, that’s the huge question: how can you create a currency that is suitable for being a global medium of exchange? And if you succeed at that – sure, it’ll be used as a measure of account. If you don’t, I don’t think it will be used commonly for that.
AR: What is needed to achieve this – to make a cryptocurrency the primary medium of exchange?
DC: I have laid out four necessary conditions for cryptocurrency to become a dominant medium of exchange.
One of them is the time to consummation of payment – referred to as ‘latency’: payment to finality needs to be in the order of 10 seconds, because that’s what the vast majority of people already expect.
Payments is very intimately related to messaging, you can send a message through a payment system, just by encoding your message in the amount of payments.
Similarly, if you want to make a secure payment system, you need a way to send the payment information securely, and perhaps anonymously. So payments and messaging are really very similar things. And in both cases, consumers expect a rapid consummation because of the smartphone platform experience. That bar is already pretty high.
Secondly, you need a scale that’s on the order of 100,000 transactions per second.
Now, there’s a whole “religious war” going on about how many transactions a second different people can do…
But I think that if you look at that more carefully, it betrays a very fragmented community that seems to be much more interested in warfare than truth.
The fact is, there’s about half a trillion electronic payment transactions per year globally, so that’s about one per person per week. You could do the math and figure out what the average rate is, and, in transaction processing systems, we have known for decades that you need to build in some margin, maybe a factor of 10 to deal with your peak performance capacity compared to your typical throughput. So, it’s a lot of complicated factors there, but you need some kind of serious transaction scale. And with those latencies. There’s nothing like that out there today.
Some people claim that they have it or that they’re working on it, you know I’ve heard this for years…
My analysis tells me that it is impossible to achieve those just those two without some very significant fundamental cryptographic advance.
You can’t just get it by combining existing things. It’s like – can you make a battery for a Tesla as as big as a bottle of coca cola? No, that would take a real breakthrough in physics, right?
Just look at the amount of computation and signature-signature checking etc. No can do. With a single server per node – no. If you want to build whole data centers per node – that’s a whole different game….but that’s not distributed at all.
Then there’s a third requirement, which I call “true privacy” in payments. And again, privacy in payments is not I think well explained to consumers…
Fundamentally, there are two necessary conditions for privacy. One is that the payment cannot be linked to the IP or MAC address of the (all phones have MAC addresses). Network addresses have to be fundamentally unlinked from payment transactions at a large scale.
Secondly, payment transactions have to be unlinked to other payments and not 1 to 3, but at a massive scale. Absent those strict requirements, I think you would be misleading people to tell them that you are offering them a privacy-protected payment system.
So if you just look at current privacy protected payment systems, they have zero chance of delivering on requirements one and two, because their volumes and latency these are far worse than the other, non-private systems.
So one, two, and three don’t look at all like there are achievable with current technology.
And then there’s a fourth requirement in my view, which is that if you’re going to create a global payment system it must be “secure.” To put it in the more sophisticated language of of security: it should be strongly resistant to rapid unanticipated modes of attack.
In other words, if someone is able to find that, “oh, this elliptic curve which was created by some academic somewhere, happens to have a trap door in it”, or is easy to break, like some of the ones that have been promulgated.
Or some kind of new quantum computer shouldn’t be able to just break all the signatures that all blockchains are based on… And if you say, well, “oh, well, we’ll use quantum resistant signatures”….Yeah, well, that’s gonna make one, two and three far more difficult to achieve.
I mean, if, if there were a systemic collapse in a consumer payment system it would create tremendous hardship and strife for society…If it came to dominate and it collapsed, people wouldn’t be able to buy food – street warfare with breakout. And it would be arguably the end of civilization. If it’s really successful, it’d be a huge problem if it were to collapse.
So to reiterate, if blockchain is going to actually have a chance to start to reach its it’s true potential, it needs to become a medium of exchange. And in order to do that, it probably needs to satisfy those four criteria. And currently, there are no candidates that credibly come anywhere near being able to achieve those. It looks pretty bleak…but watch this space.