The use of communications networks to increase personal privacy
关于网络的英语演讲稿
关于网络的英语演讲稿1. 有关网络的演讲稿英文Today I'd like to talk about internet. I believe everyone sitting here knows internet a lot, and some of you are on the internet all the day. Internet has change our life dramatically. Nowdyas, we use internet to help with our work, to communicate with our friends, to search for information, to shop online, and to do innumerous other things. So many things we can do on the internet that I think most of people here cannot live without it now. However, as it brings significant convenience to our daily life, what's the disadvantages it has? The first thing I'd like to mention, is its harm to our health. Why? Because thanks to internet, we can manage to do many things by simply staring at the screen and clicking the mouse, which, eventually, is very likely to result in bad eyesight and obesity. In other words, Internet is stealing our excercise time! Not only this? Oh, my, the radioactive emission from the devices used for suffering online could actually cause you cancer?! In addition, a lot of computer viruses are hidden after a lot of links on the websites. Be careful! Control your curiosity! Otherwise, it'd be lucky if you only spend hundreds of dollars in fixing your computer and just losing some datas in yourhardware. So, for your health concern, keep off the internet after using it for a while.Anyway, though sometimes the internet may sound a little scary, it's still a very useful tool. You just need to learn how to use it wisely. Thanks!2. 有关网络的英语演讲Before the widespread internetworking that led to the Internet, most communication networks were limited by their nature to only allow communications between the stations on the network, and the prevalent computer networking method was based on the central mainframe computer model. Several research programs began to explore and articulate principles of networking between separate physical networks, leading to the development of the packet switching model of digital networking. These research efforts included those of the laboratories of Donald Davies (NPL), Paul Baran (RAND Corporation), and Leonard Kleinrock's MIT and UCLA.The research led to the development of several packet-switched networking solutions in the late 1960s and 1970s,[1] including ARPANET and the X.25 protocols. Additionally, public access and hobbyist networking systems grew in popularity, including unix-to-unix copy (UUCP) andFidoNet. They were however still disjointed separate networks, served only by limited gateways between networks. This led to the application of packet switching to develop a protocol for inter-networking, where multiple different networks could be joined together into a super-framework of networks. By defining a simple common network system, the Internet protocol suite, the concept of the network could be separated from its physical implementation. This spread of inter-network began to form into the idea of a global inter-network that would be called 'The Internet', and this began to quickly spread as existing networks were converted to become compatible with this. This spread quickly across the advanced telecommunication networks of the western world, and then began to penetrate into the rest of the world as it became the de-facto international standard and global network. However, the disparity of growth led to a digital divide that is still a concern today.Following commercialisation and introduction of privately run Internet Service Providers in the 1980s, and its expansion into popular use in the 1990s, the Internet has had a drastic impact on culture and commerce. This includes the rise of near instant communication by e-mail, text based discussion forums, and the World Wide Web. Investor speculation in new markets providedby these innovations would also lead to the inflation and collapse of the Dot-com bubble, a major market collapse. But despite this, the Internet continues to grow.。
通信专业英语5
Optical fiber is typically a circular cross-section dielectric waveguide consisting of a dielectric material surrounded by another dielectric material with a lower refractive index. If you look closely at a single optical fiber, you will see that it is divided into three major parts as follows: Core - Thin glass center of the fiber where the light travels. Cladding - Outer optical material surrounding the core that reflects the light back into the core. Buffer coating - Plastic coating that protects the fiber from damage and moisture. Hundreds or thousands of these optical fibers are arranged in bundles in optical cables. The bundles are protected by the cable's outer covering, called a jacket.
Buffer
Core
Cladding
Since the core has a higher index of refraction than the cladding, light will be confined to the core if the angular condition for total internal reflection is met. The fiber geometry and composition determine the discrete set of electromagnetic fields which can propagate in the fiber. These fields are the fiber’s modes. There are two propagation modes: multi-mode and singlemode. They perform differently with respect to both attenuation and time dispersion. The single-mode fiber-optic cable provides much better performance with lower attenuation. A single-mode optical fiber (SMF) is an optical fiber designed to carry only a single ray of light (mode). Single mode fiber has relatively narrow diameter(a diameter of 8.3 to 10 microns), through which only one mode will propagate typically 1310 or 1550 nm. It carries higher bandwidth than multi-mode fiber, but requires a light source with a narrow spectral width. There are a number of special types of single-mode optical fiber which have been chemically or physically altered to give special properties, such as dispersion-shifted fiber and nonzero dispersion-shifted fiber.
中央电大2016年01月《1360高级商务英语阅读》开放本科期末考试真题及答案
them to persuade the buyer to spend his hard-earned money on something. Huh? When you try to extend traditional marketing logic into the world of social media , it simply doesn' t work. C
strategic to your firm is the customer' s network? How respected is she?
Help them build social capital. Practitioners of this new , community-oriented mark♂ ting
lifetime value , which is based only on purchases. There are many other measures of a customer's potential value , beyond the money they pay you. For example , how large and
Find your customer influencers. Many firms spend lots of resources puτsuing outside influencers who' ve gained following on the Web and through social media. A better approach is to find and cultivate customcr influ巳ncers and give them something great to talk about. This requires a new concept of customer value that goes way beyond customer
通信工程专业英语教案
Ancient systems and optical telegraphy
Early telecommunications included smoke signals and drums. Talking drums1 were used by natives in Africa, New Guinea and South America, and smoke signals in North America and China. Contrary to what one might think, these systems were often used to do more than merely announce the presence of a military camp.
Telephone
The electric telephone was invented in the 1870s; it was based on earlier work with harmonic (multi-signal) telegraphs. The first commercial telephone services were set up in 1878 and 1879 on both sides of the Atlantic in the cities of New Haven and London. Alexander Graham Bell held the master patent for the telephone that was needed for such services in both countries. All other patents for electric telephone devices and features flowed from this master patent.
通信简史从信鸽到6g读后感
通信简史从信鸽到6g读后感A Brief History of Communications: From Pigeons to 6G通信简史:从信鸽到6GReading this article about the evolution of communications, from the use of pigeons as messengers to the emergence of 6G technology, left me with a profound sense of amazement and appreciation.阅读这篇关于通信演变的文章,从信鸽作为信使的使用到6G技术的出现,让我深感惊奇和钦佩。
The journey from relying on birds to fly messages across vast distances to the instantaneous transmission of data through wireless networks is truly remarkable.从依赖鸟类飞越漫长距离传递信息,到通过无线网络即时传输数据,这一历程确实令人叹为观止。
It highlights the incredible advancements in technology that have occurred over the centuries and the way these advancements have transformed our lives.这突显了数世纪以来技术领域的惊人进步,以及这些进步如何改变了我们的生活。
The article also underscores the importance of continued innovation in the field of communications, as we move towards an even more connected and interdependent world.文章还强调了通信领域持续创新的重要性,因为我们正迈向一个更加互联和相互依存的世界。
专题05 中国迈入智能网驾驶新时代-2024届高中英语时文阅读外刊精选精练(解析版)
专题05中国迈入智能网驾驶新时代【原文·外刊阅读】China's intelligent connected driving industry enters new stage with faster pace(文章来源:Global Times)China's intelligent connected vehicle industry,which strives to integrate vehicles with road andcloud computing, has moved to a new stage featuringrapid technological and ecological development,instead of a small-scale testing stage, according towhite paper released by the National InnovationCenter of Intelligent and Connected Vehicles (CICV).It added that a technology roadmap for top-level design is needed at the seventh World Intelligence Congress (WIC) held in north China's Tianjin Municipality from Thursday to Saturday.China is promoting the commercial application of its intelligent connected vehicles. Till now, the country has built seven pilot zones of the Internet of vehicles, 16 pilot cities for coordinated development of smart city infrastructure and smart connected vehicles, and 17 national-level demonstration base to test intelligent connected cars.Miao Changxing, an official from the Ministry of Industry and Information, said on Tuesday in Beijing that over 2,000 road test and demonstration application licenses have been issued and 10,000 kilometers road opened to test driverless vehicles.New output value of the intelligent connected vehicle industry will reach 1.06 trillion yuan (about $151 billion) by 2025, and 2.8 trillion yuan (about $398.5 billion) by 2030, said Zheng Jihu, director of the CICV.Zheng added that developing the industry takes a very complicated process, which requires the integrated and coordinated advance of vehicles, roadside infrastructure, cloud control platforms, telecommunication networks, maps for high-precision positioning and security protection systems.China is leading the world in telecommunications and new energy vehicles, and the application in the intelligent connected vehicle industry will boost the development of vehicle, transport, communication and cloud computing, said Zheng.Autonomous driving in ChinaBloomberg anticipated in April that Elon Musk wants to test its full self-driving technology in China, as the country's artificial intelligence-powered autonomous-vehicle market is "showing serious promise."Accelerating the large-scale application of Level 4 autonomous driving – with Level 6 the highest – will be important in leading the development of the automobile industry and build a new competitive advantage of the country, according to a report issued by the China Academy of Information and Communications Technology during the WIC.However, there are still many challenges autonomous driving have to overcome. The report urged to provide safety guarantees for automatic driving and integrate it into transportation system;It added that the use of unmanned driving should be expanded, and a commercial closed loop of research and development, testing and operation created, it said.In addition, it advocated that policies and regulations be iterated and innovated to get autonomous driving protected by the law, and a positive and inclusive social environment built to accelerate commercial operation of autonomous driving service.【原创·语法填空】China is promoting the commercial 1 (apply) of intelligent connected vehicles. As of now, the country 2 (establish) 7 pilot areas for the Internet of Vehicles, 16 pilot cities for the coordinated3 (develop) of smart city infrastructure and intelligent connected vehicles, and 17 national level intelligent connected vehicle test and demonstration bases. Bloomberg predicted in April4 Elon Musk would like to test its fully automated driving technology in China, because China's artificial intelligence driven autonomous vehicle market "shows great prospects".According to a report 5 (release) by the China Institute of Information and Communication Technology during the WIC period, accelerating the large-scale application of Level 4 autonomous driving, with Level 6 being the highest, 6 (be) of great significance in leading the development of the automotive industry and establishing new national competitive advantages. 7 , there are still many challenges toovercome for autonomous driving. The report urges providing safety guarantees for autonomous driving and integrating it 8 the transportation system; It added that the use of unmanned driving should be expanded and a commercial closed-loop for research and development, testing, and operation should be established. In addition, 9 advocates for iterative and innovative policies and regulations to ensure legal protection for autonomous driving and establish 10 positive and inclusive social environment to accelerate the commercial operation of autonomous driving services.【答案】1. application2. has established3. development4. that5. released6. will be7. However8. into9. it 10. a【原创·阅读理解】1. What is the main meaning of the sixth paragraph?A. High precision positioning is extremely important.B. The promotion of new energy vehicles is very smooth.C. The development of the intelligent connected vehicle industry is complex.D. The application of fully autonomous driving technology is challenging.【答案】C【解析】细节理解题。
什么是IP地址
什么是IP地址IP地址称作网络协议地址,是分配给主机的一个32位地址,由4个字节组成,分为动态IP地址和静态IP地址两种。
接下来小编为大家整理了什么是IP地址,希望对你有帮助哦!IP地址(Internet Protocol Address)是一种在Internet上的给主机编址的方式,也称为网际协议地址。
由32位二进制数组成,为便于使用,常以XXX.XXX.XXX.XXX形式表现,每组XXX代表小于等于255的10进制数。
例如202.96.155.9。
Internet中,IP地址是唯一的。
目前IP技术可能使用的IP地址最多可有约42亿个。
骤看可能觉得很难会用尽,但由于早期编码上的问题,使很多编码实际上被丢空或不能使用。
加上因特网的普及,使每个家庭都至少有一部电脑,连同公司的电脑,以及连接每个网络的服务器,长此下去,专家担心随着Internet的发展,将不够用。
所以相应的科研组织正在研究128位的IP地址,其IP地址数量最高可达3.402823669 × 1038 个,地球上的每一粒沙子都可以拥有自己的IP地址,这种新版的IP地址技术叫IPv6。
An IP address (Internet Protocol address) is a unique number that devices use in order to identify and communicate with each other on a network utilizing the Internet Protocol standard. Any participating device —including routers, computers, time-servers, internet FAX machines, and some telephones —must have its own unique address. This allows information passed onwards on behalf of the sender to indicate where to send it next, and for the receiver of the information to know that it is the intended destination.The numbers currently used in IP addresses range from 1.0.0.0 to 255.255.255.255, though some of these values are reserved for specific purposes. This does not provide enough possibilities for every internet device to have its own permanentnumber. Subnet routing, Network Address Translation and the Dynamic Host Configuration Protocol (DHCP) server all allow local networks to use the same IP addresses as other networks elsewhere though both are connected to the Internet. Devices such as network printers, web servers and email servers are often allocated static IP addresses so they can always be found.IP addresses are conceptually similar to phone numbers, except they are used in LANs (Local Area Network), WANs (Wide Area Network), or the Internet. Because the numbers are not easy for humans to remember, the Domain Name System provides a service analogous to an address book lookup called "domain name resolution" or "name resolution". Special DNS servers on the internet are dedicated to performing the translation from a domain name to an IP address and vice versa.More detailThe Internet Protocol (IP) knows each logical host interface by a number, the IP address. On any given network, this number must be unique among all the host interfaces that communicate through this network. Users of the Internet are sometimes given a host name in addition to their numerical IP address by their Internet service provider.The IP addresses of users browsing the World Wide Web are used to enable communications with the server of the Web site. Also, it is usually in the header of email messages one sends. In fact, for all programs that utilize the TCP/IP protocol, the sender IP address and destination IP address are required in order to establish communications and send data.Depending on one's Internet connection the IP address can be the same every time one connects (called a static IP address), or different every time one connects, (called a dynamic IPaddress). In order to use a dynamic IP address, there must exist a server which can provide the address. IP addresses are usually given out through a server service called DHCP or the Dynamic Host Configuration Protocol. If a static address is used, it must be manually programmed into parameters of the device's network interface.Internet addresses are needed not only for unique enumeration of hosted interfaces, but also for routing purposes, therefore a high fraction of them are always unused or reserved.The unique nature of IP addresses makes it possible in many situations to track which computer — and by extension, which person — has sent a message or engaged in some other activity on the Internet. This information has been used by law enforcement authorities to identify criminal suspects; however dynamically-assigned IP addresses can make this difficult.IP version 4AddressingIn version 4 of the Internet protocol (IPv4), the current standard protocol for the Internet, IP addresses consist of 32 bits, which makes for 4,294,967,296 (over 4 billion) unique host interface addresses in theory. If all of these were used, that would be around one IP address per 21.3 square meters, or 70 square feet, of land. In practice, because addresses are allocated in blocks, many unused addresses are unavailable (much like unused phone numbers in a sparsely-populated area code), so that there is some pressure to extend the address range via IP version 6 (see below).IPv4 addresses are commonly expressed as a dotted quad, four octets (8 bits) separated by periods. The host known as currently has the number 3482223596,written as 207.142.131.236 in base-256: 3482223596 equals 207×2563 142×2562 131×2561 236×2560. (Resolving the name to its associated number is handled by Domain Name System servers.)IPv4 addresses were originally divided into two parts: the network and the host. A later change increased that to three parts: the network, the subnetwork, and the host, in that order. However, with the advent of classless inter-domain routing (CIDR), this distinction is no longer meaningful, and the address can have an arbitrary number of levels of hierarchy. (Technically, this was already true any time after the advent of subnets, since a site could elect to have more than one level of subnetting inside a network number.)AssignmentEach interface of a device is assigned, at least theoretically, a unique IP address. In practice, some interfaces may be unnumbered, and many addresses are not globally unique.The actual assignment of an address is not arbitrary. The fundamental principle of routing, that addresses encode information about a device's location within a network, implies that an address assigned to one part of a network will not function in another part of the network. A hierarchical structure, standardized by CIDR and overseen by the Internet Assigned Numbers Authority (IANA) and its Regional Internet Registries (RIRs), manages the assignment of Internet address worldwide. Each RIR maintains a publically searchable WHOIS database that provides information about IP address assignments; information from these databases plays a central role in numerous tools which attempt to locate IP addresses geographically.ExhaustionSome private IP address space has been allocated via RFC 1918. This means the addresses are available for any use by anyone and therefore the same RFC 1918 IP addresses can be reused. However they are not routable on the Internet. They are used extensively due to the shortage of registerable addresses. Network address translation (NAT) is required to connect those networks to the Internet.While a number of measures have been taken to conserve the limited existing IPv4 address space (such as the use of NAT and Private Addressing), the number of 32-bit IP addresses is not sufficient to accommodate the long-term growth of the Internet. For this reason, the plan is that the Internet 128-bit IPv6 addressing scheme will be adopted over the next 5 to 15 years.IP version 5What would be considered IPv5 existed only as an experimental non-IP real time streaming protocol called ST2, described in RFC 1819. In keeping with standard UNIX release conventions, all odd-numbered versions are considered experimental, and this version was never intended to be implemented; the protocol was not abandoned. RSVP has replaced it to some degree.IP version 6In IPv6, the new (but not yet widely deployed) standard protocol for the Internet, addresses are 128 bits wide, which, even with generous assignment of netblocks, should suffice for the foreseeable future. In theory, there would be exactly 2128, or about 3.403 × 1038 unique host interface addresses. If the earth were made entirely out of 1 cubic millimeter grains of sand, then you could give a unique address to each grain in 300 million planets the size of the earth. This large address space will besparsely populated, which makes it possible to again encode more routing information into the addresses themselves.AddressingA version 6 address is written as eight 4-digit hexadecimal numbers separated by colons. For readability, addresses may be shortened in two ways. Within each colon-delimited section, leading zeroes may be truncated. Secondly, one string of zeroes (and only one) may be replaced with two colons (::). For example, all of the following addresses are equivalent:1080:0000:0000:0000:0000:0034:0000:417A1080:0:0:0:0:34:0:417A1080::34:0:417AGlobal unicast IPv6 addresses are constructed as two parts: a 64-bit routing part followed by a 64-bit host identifier.Netblocks are specified as in the modern alternative for IPv4: network number, followed by a slash, and the number of relevant bits of the network number (in decimal). Example: 12AB::CD30:0:0:0:0/60 includes all addresses starting with 12AB00000000CD3.IPv6 has many improvements over IPv4 other than just bigger address space, including autorenumbering and mandatory support for IPsec.。
packetswitching名词解释
packetswitching名词解释Packet switching(数据包交换)是一种网络通信数据传输技术。
它将数据分割成多个较小的数据包,发送到目标地点,并通过网络的不同路径进行传输,再在目标地点重新组装成完整的数据。
1. Packet switching is the method used in computer networks to transmit data in the form of packets.数据包交换是计算机网络中传输数据的方法。
2. In packet switching, the data is divided into packetsof fixed size for transmission.在数据包交换中,数据被划分为固定大小的数据包进行传输。
3. Each packet in packet switching contains a header that includes the source and destination addresses.数据包交换中的每个数据包都包含一个头部,其中包括源地址和目标地址。
4. Unlike circuit-switching, packet switching allows multiple connections to share the same physical network links.与电路交换不同,数据包交换允许多个连接共享相同的物理网络链路。
5. Packet switching is more efficient than circuit-switching for transmitting bursty data traffic.对于传输突发性数据流量,数据包交换比电路交换更高效。
6. The Internet uses packet switching as its primary communication method.互联网使用数据包交换作为其主要通信方法。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
The Use of Communication Networks to Increase Personal Privacy In a HealthInsurance ArchitectureN. F. MaxemchukS. H. LowAT&T Bell LaboratoriesMurray Hill, New Jersey 079741. IntroductionIf a national health insurance plan is implemented, the government has an obligation to monitor its use and to discourage any abuses. Individuals, on the other hand, expect a high degree of privacy in their health records. Communication networks make it possible to achieve both monitoring and privacy by separating an individual’s identity and health records, and only associating the two when possible abuses are detected. Recent advances in computing and communications make it reasonable to assemble and process the vast amounts of information that would be needed to administer and monitor a national health insurance network. Using computing and communications technology to operate on medical information has many side advantages, such as making an individual’s complete health records available any place, almost instantaneously, and conducting research on correlations between treatments and diseases. However, once an individual’s medical information is made available, it may also be misused.Legislation may be used to eliminate uses of the information which are considered inappropriate. Society can decide that it is not appropriate to publish lists of individuals with communicable diseases, to provide medical histories to potential employers, or to sell information on diseases to medical supply houses for targeted advertizing, as is currently done with credit card purchases. However, legislation cannot prevent illegitimate uses of information. For instance, a system operator or computer snooper may obtain and resell medical information on celebrities or political candidates. In addition, flaws in an implementation may inadvertently release information.Traditionally, communication networks have been used to bring information together. Recently, it has been shown that the same networks can keep information apart and increase personal privacy1. The objective is to construct systems that require sensitive information to perform their functions, but to make the total information unavailable at any single location. In these systems, we trust the various parties in the network not to collude with one another to join the information that we are trying to separate. However, we assume that the trust that we place in the parties is not always warranted. The parties may be compromised and release the information that they are protecting either because of human intervention or implementation error. The number of parties that must collude in order to extract information is a measure of how well the system separates that information. In reference 2 collusion analysis is reduced to determining the shortest paths on a graph.A useful characteristic of these systems is that they can be designed to bring the information that has been separated together. The parties in the system are forced to collude by presenting them with the digital equivalent of a subpoena. The ability to subpoena information makes it reasonable to keep information private unless a law is violated. In effect, instead of deciding what information an individual has a right to keep private, and passing legislation to enforce that decision, an individual has the right to keep all information private unless the law is used to obtain that information.The first application of information separation is an anonymous credit card3. This credit card separates an individual’s identity and purchases. This mechanism can be used in electronic publishing4to preserve privacy except when a law is broken.A concern in electronic publishing is that a document recipient can easily copy and redistribute a document. In reference 5, a technique is demonstrated that makes each copy of an electronic document different, so that a publisher can register the document with the original recipient. If an illegitimate copy is found, the publisher can determine the original owner. The privacy concern is that publishers can compile readingprofiles on individuals. When the anonymous credit card is used to pay for the electronic document, the publisher does not know the recipient’s identity. However, if an illegitimate copy is found, the publisher can obtain a subpoena to determine the identity of the credit card holder.The anonymous credit card is a simpler version of the system that is being proposed to preserve privacy in a national health plan. Understanding the anonymous credit card can make the national insurance plan easier to understand. The architecture and functioning of the credit card is described in section 3.In section 4 a candidate architecture for a national health insurance plan is described. This architecture is used to:— make insurance payments from an employer, the government or an individual to an insurance carrier,— make medical historys available, at an individual’s discretion,— provide health care providers with a subset of a person’s medical history when that individual is unable to authorize access,— submit claims for services from an authorized health care providers,— make payments for services with a combination of insurance coverage and individual funds,— audit a individual’s or a health care provider’s complete medical history, and— identify the individuals or health care providers when grounds for insurance fraud are detected.With this architecture, an employer or the government does not know the insurance provider that an individual selects, the health care provider does not need to know the identity of an individual being treated, and insurance companies can pay valid claims without knowing the individual or the health care provider. This health care architecture is only one of a number of architectures that can perform these functions. Different types of information can be hidden and different degrees of protection against collusion can be designed into the system. The system can also be designed with different collusion paths, so that identities are not permanently hidden by corrupt or destroyed agents who do not reply to a subpoena. Implementing this type of system does not prevent a personal doctor-patient relationship. It just leaves it up to the patient to decide if she wants a personal relationship or privacy.2. Party-to-Party CommunicationsCommunications between two parties is conducted through an intermediary, using a double-locked box protocol. The use of intermediaries to hide information is an extension of a technique described in reference 6, in which an intermediary forwards electronic mail between two communicating parties. In the systems considered here, the intermediary— hides the identity of the source and destination of a message from one another,— hides the message destination from a vender or health care provider that owns the entry device being used by a customer or patient, and— transfers trust between unknown entities,— to move funds between two banks that do not know each other’s identity, or— to assure an insurance company that it is being billed by an unknown, but authorized health care provider, and that the charges are within the appropriate limits for the procedures performed.A funds transfer between account i in bank 1 to account j in bank 2 is demonstrated in figure 1. The customer deposits a double-locked box in his account i in Bank 1. The first box can only be opened by the federal reserve, and contains the name of Bank 2 and a second locked box. The second box can only be opened by bank 2 and contains the account number j. When bank 1 transfers amount M for the customer, itwithdraws the money from account i and sends message A to the federal reserve. The message instructs the federal reserve to deposit amount M in the account in the double-locked box. Bank 1 signs the message with its digital signature, so that the federal reserve can verify that it is from a bank that it trusts. The federal reserve opens the first box and sends a signed message to bank 2 to deposit amount M in the account in the locked box. The second bank verifies that the order was signed by the federal reserve, opens the second box, and deposits amount M in account j . The federal reserve is responsible for settling the accounts between banks..FederalReserve Customer Bank 1Acc i Bank 2Acc j Bank 2(FR)Acc j(B 2)M,Bank 2(FR)Acc j (B 2)Signed Bank 1Message A M,Acc j (B 2)Signed Federal ReserveMessage B Deposits Double Locked Box in Account iMay Trust the Customer Sends Funds to an Unknown AccountUnlocks First Box Trusts Bank 1Sends Funds to Bank 2Unlocks Second Box Trusts the Federal ReserveDeposits Funds in Account jFigure 1.The Double Locked Box ProtocolWhen a customer must store the double-locked box for an account in several different locations, he places a different random number in each box, in addition to the information. This makes the double locked box that he places in the different locations different. If the double locked boxes were the same, the different locations might realize that they were communicating with the same account, and would be able to join the information that they had about their accounts.The point-to-point communications between the parties and the communications exchange uses conventional cryptographic protocols. In this work, we do not explain these techniques, but assume that they can guarantee that:a. an eavesdropper who intercepts a message can not decrypt it to determine its content,b. the receiver is certain that the message was transmitted by the source, and not someone spoofing thesource,c. the receiver is certain that the message is not a replay of an earlier message,d. the receiver can identify messages that were modified after the source transmitted them, ande. the source is certain that the receiver has received the correct message.How these characteristics are achieved, and how the double-locked box is constructed using public key cryptography is discussed in reference 3. How to perform the same functions with shared secrets is discussed in reference 2.3. Anonymous Credit CardThe architecture for the anonymous credit card is shown in figure 2. The credit card company trusts the individual to repay his debt. Therefore, it is assumed that the credit card company will know the individual’s identity. The store knows the merchandise that is purchased. The objective is to distribute the information so that a number of players must collude in order to associate an individual’s purchases and identity.The credit card company places credits in the individual’s anonymous account using a double-locked box that the individual has placed in his credit card account. The bank with the anonymous account does not know or trust the individual. This bank trusts the federal reserve, which trusts the credit card company to pay the bill. At the end of the month, or when credit is exhausted, the bank with the anonymous account presents a bill to the credit card company, using a double-locked box that the individual has deposited in his account. The credit card company presents the individual with a bill, and when it is paid, deposits additional credits in the anonymous account.An individual makes purchases in two phases, first he convinces the bank with the anonymous account that he is authorized to draw on that account, then he instructs that bank to transfer funds to the store’s bank. Trust is transferred from the bank with the anonymous account, to the federal reserve, to the store’s bank. The store’s bank notifies the store that it as been paid. Since the store does not have to trust the individual to pay a bill, the store does not have to know the individual’s identity.In the anonymous credit card, a user must encrypt information at the store, and must use a double-locked box to communicate with the bank that maintains its anonymous account. It is assumed that a smart card7, or similar technology will be used. In order to use the card, the individual proves his identity to the card. This can be accomplished by providing a PIN, answering a random set of personal questions, the answers of which have been stored on the card, or providing a biometric identifier8, such as finger prints, that is stored in the card. Once activated by the authorized individual, the card can prove its identity to the bank. The card shares a secret key with the anonymous account. The card can prove its identity by encrypting a random number from the bank with the shared secret key. Communications between the customer at the store and his bank is through the communication exchange, and uses a double-locked box that can access the anonymous account. By communicating in this way, the customer does not reveal the identity of his bank to the store.The customer receives a bill from the store, and a double-locked box that can access the store’s bank account. He presents the bill to his bank. If there are enough credits left in the individual’s account, the bank transfers the credits to the store’s account, specified by the double-locked box. When the store’s bank receives the deposit, it notifies the store. When the store receive’s confirmation of the deposit, it gives the customer the goods.In addition to making purchases, with credit cards we expectacc acc accBANKSCREDIT CARDCOMPANYANONYMOUS ACCOUNTS STORE’S BANK x xCOMMUNICATIONEXCHANGE msg msg msgmsg FEDERAL RESERVETRUE ID PSEUDONYM INDIVIDUAL STORExx Figure 2. The Participants in an Anonymous Credit Card— to cancel lost cards,— to detect unusual spending patterns,— to receive detailed bills that augment our record keeping,— to be able to return purchases, and— to be able to challenge purchases that are charged to us.These functions can all be implemented within this framework, as described in reference 1.All of the messages in the credit card system that transfer funds are signed and must be uniquely identifiable. Otherwise, a replay attack that might cause funds to be transferred more than once. In addition, the source and destination of a message know each other’s identity. It is assumed that messages that transfer funds are saved for a period of time, as is the current banking practice. If the equivalent of an electronic subpoena is issued against an individual, tracing the billing messages that the credit card company receives can locate the anonymous account. Tracing the charging messages that the anonymous account receives can locate the stores. Similarly, a subpoena against a store can force the store’s bank to trace the messages transferring funds into the store’s account back to the customer’s anonymous accounts and from there back to the individuals. This is a secure tracking method, since the individual cannot erase messages in the trusted banks or the communication exchange.Two parties that have been compromised can only collude to combine information about an account, if the accounts at both parties have a common, unique piece of information. For instance, if an individual’s credit card account and anonymous account both kept his social security number, then the banks could determine that both accounts belong to the same individual. It is important to design the information distribution to eliminate as much common information as possible.It is assumed that banks have many account, and that there are many purchases or bills of the same amount. Knowing that an individual has an account in a specific bank is not sufficient to identify the account. Similarly, knowing that a purchase was made for a specific amount and a charge for the same amount occurred, at about the same time, is not sufficient to link the two. Under these assumptions, the information in the anonymous credit card is separated so that the only unique information that can link accounts is the messages that are exchanged.Figure 2 can be considered to be a graph. The nodes of the graph are the accounts in the banks, the store, and message exchanges in the communication exchange. The links of the graph are the lines that indicate that messages are passed. For each message that passes through the communication exchange, the communication exchange can associate the source of the message, the message that arrived from that source, the destination of the message and the message that was sent to that destination. At each bank, all of the messages that arrive at the bank or are transmitted to the bank are associated with a specific account. The bank that extends credit, also knows the individual’s identity. The store associates messages with purchases. If a bank colludes with the communication exchange, for each message that was received or transmitted, it can determine the party that the communication exchange forwarded the message to or from, and the specific message received from or transmitted to that party. If the bank next colludes with that other party, it can find any information that the other party associates with that message. From this graph, it can be seen that an individual’s identity and purchases can only be associated if all five parties, the credit card company, the communication exchange, the bank that maintains the anonymous account, the store’s bank, and the store collude.If the store eavesdrops on the customer, it can associate the customer’s message to its anonymous account with the purchase. This additional piece of information allows the customer’s identity and purchases to be linked when four parties, excluding the store’s bank, collude.4. National Health InsuranceIn this section we consider one architecture for introducing both privacy and accountability into the national health insurance plan. The primary objective is to make it possible for an individual to control access to his medical history. Auditing operations can be used to identify individuals who are making claims for excessive treatments, health care providers who are claiming excessive services or services that they are not certified to provide, and insurance companies who are making excessive profits. By minor modifications, different types of information can be made more difficult or easier to join. It is also possible to introduce redundancy into the system to make misuse more difficult to conceal. For instance, if there is one player who must cooperate in order to identify an individual, but that player has been corrupted, then it may not be possible to identify the individual. However, if there are two independent ways to learn an individual’s identity, then corrupting a single player will not hide the identity.The parties in the insurance plan are shown in figure 3. An individual has a personal account with an organization that knows his identity, and anonymous accounts with a health insurance company, a database of medical histories, and an organization that can provide access to his medical history during a medical emergency. The individual also has the accounts associated with an anonymous credit card. It is assumed that each individual has one and only one personal account, as with a social security or internal revenue accounts. The individual’s credit card company and employer are assumed to know the individual’s identity. The individual’s employer may have many employees and a health care provider may have many patients. Both place all of the information they have about a particular individual in an account.acc AnonymousCreditAccountacc Insurance Company accHealth Care Provider’s Bank Communication Exchangeacc ID Credit Card Company accID PersonalAccount acc Individual MedicalHistorysacc Health CareAuthenticatoracc EmergencyAccessAccounts Individual acc Health CareProvider accID Employer orGovernment Insurance Auditormsg Figure 3.The Participants in the National Health InsuranceEach health care provider has accounts with a bank and with a health care authenticator. The health care authenticator knows the health care provider’s identity, and is responsible for keeping track of the procedures he is licensed to perform and the history of the procedures that he has performed. In this architecture, a health care provider does not receive the same degree of privacy as an individual. However,if there is reason to give more privacy to the health care provider, the system can be made more symmetric.An insurance auditor examines the histories in the individual accounts and the health care providers accounts. It can detect excessive charges, abnormal numbers of treatments by providers or for individuals,individual treatments that are inconsistent with medical histories, or any other indicators in the histories that may indicate that the insurance system is being abused.In this architecture all of the payments to the insurance company and payments by the insurance company are made through the communication exchange. When funds transfers occur, the communication exchange operates as the federal reserve. The communication exchange has an account for each bank or organization that is authorized to transfer funds through it, and it is responsible for settling the accounts. By auditing an insurance company’s account, it should be possible to determine if the company is making excessive profits, without revealing any information on the individuals that the company covers.4.1 Paying for Insurance CoverageAn individual selects his own insurance company and coverage. The insurance company is given access to the individual’s medical history, but does not need to know his identity. When the individual opens an account with an insurance company, he places two double-locked boxes in that account, one that accesses his personal account and another that accesses his medical history account. He also places double-lockedboxes in his personal account and medical history account to access his insurance account.The insurance company uses the link with the medical history database to determine the insurance premiums and the link with the personal account to present a bill to the individual. A filter can be placed in the medical history database to remove any information that policy dictates cannot be used to determine insurance premiums. An employer or the government may deposit credits that can be used to purchase medical insurance in the individual’s personal account. Premiums for the health insurance are paid from the individual’s personal account to the insurance company using the double-locked box protocol. If an individual selects coverage that exceeds his benefits, he receives a bill from the personal account for the difference. The individual uses his anonymous credit card, in the normal manner, to pay for the additional coverage.The messages exchanged to pay insurance premiums are shown in figure 4. The messages indicated by dashed lines only exist if the coverage that a person selects exceeds his benefits. In this architecture, the organization that gives an individual medical benefits does not know which insurance company the individual selects. In addition to the functions that the communication exchange performs for funds transfer, it also verifies that the insurance company is a valid insurance provider when it communicates with the personal account or the medical history database, and assures the employer or government that it is placing insurance credits in a valid personal account. In a system in which funds are transferred between trusted parties, rather than being given to an individual, it is straightforward to guarantee that funds intended for health insurance are not used for other purposes.acc Anonymous Credit Accountacc Insurance Company accHealth Care Provider’s Bank Communication Exchange acc ID Credit Card Company acc ID PersonalAccount acc Individual MedicalHistorysacc Health CareAuthenticatoraccEmergencyAccessAccounts Individual acc Health CareProvider accID Employer orGovernment Insurance Auditormsg msg msg msg msgFigure 4.Paying for Insurance Coverage4.2 Receiving Medical TreatmentA person’s complete medical history is stored in an anonymous account in a medical history database.Since the database is connected to the communication network, the medical history is available anywhere,any time.When a person accesses the medical history database while at a health care provider’s location, he uses a smart card and proves his identity to the medical history database, the same way he did when using the anonymous credit card. The person does not have to make all of the information in this account available,but can pass the information through a personal filter that hides any information that the individual would rather keep private. Different filters can be used to provide different types of information to different health care providers. For instance, an individual need not provide his dentist with his psychiatric history. The health care provider gives the individual a double-locked box, which the individual passes along to the medical history database. The medical history database uses the health care provider’s double-locked box to deliver the filtered information. These messages are the solid lines in figure 5.acc Anonymous Credit Accountacc Insurance Company accHealth Care Provider’s Bank Communication Exchange acc ID Credit Card Company acc ID Personal Account acc Individual MedicalHistorysacc Health CareAuthenticatoraccEmergencyAccessAccounts Individual acc Health CareProvider accID Employer orGovernment Insurance Auditormsg msg msgmsgFigure 5.Receiving Medical TreatmentIn an emergency situation, if an individual does not have the smart card that enables him to access his medical history, or if he is unable to use it, his medical history is obtained through an emergency access account. The emergency access accounts associate a biometric identifier with the individual medical historys. A health care provider obtains an individual’s biometric identifier, and sends it to an emergency access account. The communication exchange certifies the health care provide, using a digital signature or shared secret, and forwards the message. The emergency access account uses the biometric identifier to find the individual’s medical history account and forwards the request for information to the medical history database. These communications are represented by the dashed lines in figure 5. The medicalhistory account returns information to the health care provider through a filter that can restrict the information that is provided during emergencies, at the individual’s discretion.4.3 Paying for Medical ServicesAfter services are rendered, the health care provider places a description of the symptoms and treatment in the individual’s medical history account, along with a bill and a double-locked box that can access his bank account. When the bill is passed through the communication exchange, the exchange accesses the health care provider’s account in the health care authenticator. The communication exchange verifies that the provider is approved to perform the services and that the charges are within the allowed range. The communication exchange also enters a copy of the procedures and charges in the provider’s account, which can be audited. The validation and bookkeeping services performed by the communication exchange are similar to the federal reserve functions that it must perform when transferring money between banks that don’t know each other’s identity. The health care authenticator can be part of the communication exchange, as is the federal reserve.The medical history account presents the bill to the insurance company, using the double-locked box that the individual stored in the medical history account. The insurance company checks the individual’s coverage, transfers the covered amount to the health care provider’s account, and forwards the bill and a statement of payments to the individual’s personal account. A notice is sent to the individual. If there is a balance due, the individual is responsible for contacting his anonymous account and transferring the additional funds. The health care provider’s bank informs him that all or part of the payment is made. If payments are not made, the health care provider uses a digital subpoena to identify the patient. The messages are shown in figure 6. As in the previous figures, the solid lines always occur and the dashed lines may or may not occur.4.4 Collusion AnalysisWhen two parties collude and have a unique piece of information associated with accounts, they can join the information in those accounts. However, if the no accounts in the agencies have information in common, or if the information that they have in common also appears in many other accounts, then the agencies cannot know which accounts belong to the same individual.The functions that the parties in the system perform are allocated so that they do not need to operate on the same unique information. Several parties have access to the bills for a medical treatment or insurance coverage, however, it is assumed that in a large system there will be many bills of the same amount. The underlying protocol makes the messages in the system unique, in order to prevent replay attacks. Messages are the unique information that two parties can use to collude. For instance, if an individual’s insurance company colludes with the medical history database, there is no common information in the two accounts belonging to a specific individual, and no way to join the information. However, if the insurance company colludes with the communication exchange, the message that it sent through the communication exchange to the medical history database can be used to determine which medical history database an individual’s history is in, and the unique message that was forwarded from the communication exchange to that database. This information can be associated with the individual’s account in the insurance company. If the insurance company now colludes with the medical history database, there is a unique message associated with the individual’s account in the insurance company and his account in the medical history database, and the information can be joined.All of the message communications in the system is shown in figure 7. The solid lines are messages that always occur, the dashed lines only exist if the individual makes parts of payments by credit card, or receives emergency treatment. The accounts within organization or banks, and the messages that pass through the communication exchange are the nodes in the collusion graph. The message paths are the links. Information in two accounts can be joined if the parties along any path between the accounts collude. The。