From: daw@cs.berkeley.edu (David Wagner)
Date: Thu, 3 Apr 1997 18:06:04 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: No, it's PayWord, no, it's MicroMint, no, it's...
In-Reply-To: <199703272018.MAA00322@crypt.hfinney.com>
Message-ID: <5i1ncg$v8m@joseph.cs.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


In article <199703272018.MAA00322@crypt.hfinney.com>,
Hal Finney  <hal@rain.org> wrote:
> It appears that MicroMint is jointly by Rivest and Shamir.  It is described
> at:
> 
> http://theory.lcs.mit.edu/~rivest/RivestShamir-mpay.ps
> 
> This also describes PayWord.  Both schemes are designed for lightweight
> payments.  PayWord uses a chained hash concept similar to s/key and to
> Micali's lightweight signature revalidations.  MicroMint is as I described,
> literally a "minting" of coins, with similar economies of scale to real
> mints.
> 
> Neither one appears suitable for anonymous payments.

Wow, a perfect straight line.  I couldn't ask for better.

Actually, I posted to sci.crypt.research a while ago about how to adapt
Rivest and Shamir's PayWord scheme to do anonymous micropayments; see
	http://www.cs.berkeley.edu/~daw/my-posts/anon-micropayments

In short, instead of asking the bank for a hash stick and a signature on
the top of the stick, you get a blind signature on a top of a stick you've
generated yourself.  Then you patch up some issues (like double-spending)
that the anonymity raises.

Sadly, it's got a problem that'd probably be a killer for practical
deployment -- it's got the same patent problems that ecash has.  Sigh.