1994-07-24 - Re: Voice/Fax Checks

Header Data

From: solman@MIT.EDU
To: Hal <hfinney@shell.portal.com>
Message Hash: c26fe72bf60d79488542331b4a396bad8040808420dcacafce79a8792064da70
Message ID: <9407241709.AA27533@ua.MIT.EDU>
Reply To: <199407241648.JAA26711@jobe.shell.portal.com>
UTC Datetime: 1994-07-24 17:09:59 UTC
Raw Date: Sun, 24 Jul 94 10:09:59 PDT

Raw message

From: solman@MIT.EDU
Date: Sun, 24 Jul 94 10:09:59 PDT
To: Hal <hfinney@shell.portal.com>
Subject: Re: Voice/Fax Checks
In-Reply-To: <199407241648.JAA26711@jobe.shell.portal.com>
Message-ID: <9407241709.AA27533@ua.MIT.EDU>
MIME-Version: 1.0
Content-Type: text/plain


> From solman@MIT.EDU  Sat Jul 23 17:35:33 1994
> > Well I've skimmed the paper because this is non-intuitive to me, and I'm
> > impressed by the level of security that Chaum requires from his protocols.
> > He treats the absolutely impossible and the computationally infeasible
> > separately. Determining whether the coin is one of yours falls into the
> > second category. In order to determine whether you have used a coin
> > previously (in a maximally secure scheme) you need the bank's secret key.
> > So you just wind up your 4096 bit number factoring machine, dump in the
> > modulus, and presto, out come your factors from which you compute the
> > secret key.
> 
> Yes, I remember that now.  My interpretation, though, was that with the
> bank's help you could tell when a coin had been re-used.  This could
> impair the anonymity of the cash.

So the problem we are now looking at is when a prior user and the bank team
up, the person who finally redeems the cash at the bank can be identified
as handling cash that the colluding user previously had. There is a simple
solution to this: if you are this paranoid, don't redeem the cash yourself,
just pass it to a non-bank. Once you do this NOTHING can be determined
about you unless you double spend. (Unless the bank's private key is
recovered.)

JWS




