From: solman@MIT.EDU
To: jamesd@netcom.com (James A. Donald)
Message Hash: 93494e366c0be8b11a372c10955cc10a4a940112c29df4e6041a15c8b655ed08
Message ID: <9409020308.AA10953@ua.MIT.EDU>
Reply To: <199409012115.OAA16764@netcom8.netcom.com>
UTC Datetime: 1994-09-02 03:08:53 UTC
Raw Date: Thu, 1 Sep 94 20:08:53 PDT
Subject: Re: Is the following digicash protocol possible?
> A question about offline digicash:
>
> Is it possible to arrange digicash as follows:
>
> If A, the original issuer, issues a unit of digicash
> to B, and B gives it to C, and C gives it to D, and D,
> gives it to E, and E cashes it with A, -- and
> everyone colludes except C and D, it is impossible
> to prove that C got this unit from D.

I assume you mean the last line to read "to prove that D got
this unit from C".

Chaum has demonstrated (in a paper I discussed here a little
over a month ago) that when A, B and E collude they can be sure
that the cash D gave to E is part of the same banknote that B
gave to C.

HOWEVER, it is possible to design a protocol such that
it is NOT possible for A, B and E to be sure that C gave
his money directly to D. (i.e. a protocol can be designed
such that A, B and E can not rule out the possibility that
the cash went from C to F to G to H to I to J to D.) Thus,
the solution for entities that are worried about having
their cash marked is to exchange banknotes anonymously
with randomly selected entities before using them again.

> If A, the original issuer, issues a unit of digicash
> to B, and B gives it to C, and C gives it to D, and D,
> gives it to E, and E cashes it with A, -- and
> C double spends it to D', who then gives it to E'
> who then attempts to cash it with A, -- then A
> will detect the double spending and rebuff the attempt,
> E' will complain to D', and D', with information
> supplied by E' and A, can then prove that C dishonorably
> double spent the money, without discovering that C gave
> the money to D, and hence without discovering that D
> gave the money to E.

Anonymous e-cash can be created such that the identity
of the cheat is immediately known as soon as the second
copy of the banknote (or of a part of the banknote)
reaches A. I should think that any protocol which requires
backtracking would be highly undesirable (i.e. D' and
ideally E' should not be bothered).

Cheers,
Jason W. Solinsky
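
An added illustration, not part of the original message: one well-known construction with the property described in the reply (the cheat's identity is exposed as soon as a second copy reaches A) is the identity-splitting technique from Chaum, Fiat and Naor's offline cash, which may or may not be the protocol the author had in mind. It assumes a non-transferable note and leaves the issuer's blind signature out of scope; all function names and sample values are constructed for the illustration.

```python
import hashlib, secrets

K = 16  # identity pairs per note (constructed parameter; issuer's blind signature omitted)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def commit(half, salt):
    return hashlib.sha256(salt + half).digest()

def make_note(identity: bytes):
    """Withdrawer builds K (left, right) pairs with left XOR right == identity."""
    secret_pairs, commitments = [], []
    for _ in range(K):
        left = secrets.token_bytes(len(identity))
        right = xor(left, identity)
        sl, sr = secrets.token_bytes(16), secrets.token_bytes(16)
        secret_pairs.append(((left, sl), (right, sr)))
        commitments.append((commit(left, sl), commit(right, sr)))
    serial = hashlib.sha256(b"".join(c for p in commitments for c in p)).hexdigest()
    return {"serial": serial, "commitments": commitments}, secret_pairs

def spend(note, secret_pairs, challenge):
    """Payer opens one half of each pair, selected by the payee's challenge bits."""
    return [secret_pairs[i][bit] for i, bit in enumerate(challenge)]

def verify(note, challenge, response):
    return all(commit(half, salt) == note["commitments"][i][bit]
               for i, (bit, (half, salt)) in enumerate(zip(challenge, response)))

class Issuer:
    def __init__(self):
        self.seen = {}  # serial -> (challenge, response) from the first deposit

    def deposit(self, note, challenge, response):
        """Return None for a first deposit, or the double spender's identity."""
        if not verify(note, challenge, response):
            raise ValueError("opening does not match the note's commitments")
        first = self.seen.setdefault(note["serial"], (challenge, response))
        if first == (challenge, response):
            return None
        for i, (b0, b1) in enumerate(zip(first[0], challenge)):
            if b0 != b1:  # both halves of pair i are now known to the issuer
                return xor(first[1][i][0], response[i][0])
        return None  # two payees chose identical challenges: probability 2**-K
```

A single spend opens only one random-looking half of each pair, so the issuer learns nothing about the payer; the identity falls out only when two different challenges have been answered for the same note, with no need to go back to the payees.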