1995-10-25 - RE: How can e-cash, even on-line cleared

Header Data

From: agermain@cmp.com (Germain Arthur)
To: weidai@eskimo.com (Wei Dai)
Message Hash: 4c3540a27e1a56f50b94ef059ca56b773b65a4fc987d67cd6061670f0953a0a5
Message ID: <1995Oct25.093010.1151.341066@smtpgate.cmp.com>
Reply To: N/A
UTC Datetime: 1995-10-25 13:30:01 UTC
Raw Date: Wed, 25 Oct 95 06:30:01 PDT

Raw message

From: agermain@cmp.com (Germain Arthur)
Date: Wed, 25 Oct 95 06:30:01 PDT
To: weidai@eskimo.com (Wei Dai)
Subject: RE: How can e-cash, even on-line cleared
Message-ID: <1995Oct25.093010.1151.341066@smtpgate.cmp.com>
MIME-Version: 1.0
Content-Type: text/plain



I have unsubscribed from this mailing list. Please remove my name from   
your personal address lists. Thanks.

ahg3

 ----------
From:  Wei Dai[SMTP:weidai@eskimo.com]
Sent:  Tuesday, October 24, 1995 1:55 PM
To:  Hal
Cc:  cypherpunks
Subject:  Re: How can e-cash, even on-line cleared, protect payee   
identity?


On Mon, 23 Oct 1995, Hal wrote:

> This is an interesting idea but it is more complicated than necessary,   
I
> think.  The denomination can be carried in the exponent, in which case
> there is no need for cut and choose and nobody can cheat the bank.  A
> coin suitable for deposit is a signed number of some special form.  To
> pay Bob, Alice does not withdraw anything ahead of time.  Rather, Bob
> gives her a blinded coin, which she reblinds and gives to the bank.   
 The
> bank signs it (debiting Alice's account) and gives it back to her.  She
> strips off her blinding and gives it to Bob.  He strips off his own
> blinding and verfifies that he is left with a signed number of the
> appropriate form.

Using the above protocol, payee anonymity will not be compromised by
collusion between the bank and the payer, but the payee and the bank can
collude to identify the payer!  (This reverses the situation in normal
Chaumian ecash, and of course in certain circumstances may be   
preferable.)

This collusion can succeed even if Alice (the payer) reblinds the coin
she gets from Bob before asking the bank to sign it, because Alice must
withdraw the coin after Bob gives it to her and before returning it to   
Bob.
Bob can ask the bank to record the names of everyone who withdrew money
during that period, and after two or three repeated transactions can
narrow the list of possible payers down to one person.  (This is   
reminescent
of the time-correlation attack on remailers.)  In the original protocol
this isn't possible because Alice can withdraw the money ahead of time.

Wei Dai







Thread