1994-09-02 - Re: Is the following digicash protocol possible?

Header Data

From: solman@MIT.EDU
To: jamesd@netcom.com (James A. Donald)
Message Hash: 93494e366c0be8b11a372c10955cc10a4a940112c29df4e6041a15c8b655ed08
Message ID: <9409020308.AA10953@ua.MIT.EDU>
Reply To: <199409012115.OAA16764@netcom8.netcom.com>
UTC Datetime: 1994-09-02 03:08:53 UTC
Raw Date: Thu, 1 Sep 94 20:08:53 PDT

Raw message

From: solman@MIT.EDU
Date: Thu, 1 Sep 94 20:08:53 PDT
To: jamesd@netcom.com (James A. Donald)
Subject: Re: Is the following digicash protocol possible?
In-Reply-To: <199409012115.OAA16764@netcom8.netcom.com>
Message-ID: <9409020308.AA10953@ua.MIT.EDU>
MIME-Version: 1.0
Content-Type: text/plain


> A question about offline digicash:
> 
> Is it possible to arrange digicash as follows:
> 
> If A, the original issuer, issues a unit of digicash
> to B, and B gives it to C, and C gives it to D, and D
> gives it to E, and E cashes it with A,  --  and
> everyone colludes except C and D, it is impossible
> to prove that C got this unit from D.

I assume you mean the last line to read "to prove that D got
this unit from C".

Chaum has demonstrated (in a paper I discussed here a little
over a month ago) that when A, B and E collude they can be sure
that the cash D gave to E is part of the same banknote that B
gave to C.

HOWEVER, it is possible to design a protocol such that
it is NOT possible for A, B and E to be sure that C gave
his money directly to D. (i.e. a protocol can be designed
such that A, B and E cannot rule out the possibility that
the cash went from C to F to G to H to I to J to D). Thus,
the solution for entities that are worried about having
their cash marked is to exchange banknotes anonymously
with randomly selected entities before using them again.

> If A, the original issuer, issues a unit of digicash
> to B, and B gives it to C, and C gives it to D, and D
> gives it to E, and E cashes it with A,  --  and
> C double spends it to D', who then gives it to E'
> who then attempts to cash it with A, -- then A
> will detect the double spending and rebuff the attempt,
> E' will complain to D', and D', with information
> supplied by E' and A, can then prove that C dishonorably 
> double spent the money, without discovering that C gave 
> the money to D, and hence without discovering that D 
> gave the money to E.

Anonymous e-cash can be created such that the identity
of the cheat is immediately known as soon as the second
copy of the banknote (or of a part of the banknote)
reaches A. I should think that any protocol which requires
backtracking would be highly undesirable (i.e. D' and
ideally E' should not be bothered).

Cheers,

Jason W. Solinsky
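
An added example, not part of the original message: one well-known way an issuer can name a double spender from the second deposit alone, with no backtracking through payees. It assumes a challenge-response coin in which each payment reveals one point on a line whose slope is the spender's identity; the toy group parameters, function names and account numbers are constructed for illustration, and blind signing and multi-hop transfer are left out.

```python
# Added illustration: toy parameters, not a secure or complete e-cash scheme.
import secrets

P, Q, G = 2039, 1019, 4   # toy group: P = 2Q + 1, G has prime order Q

def withdraw(identity):
    """Return coin secrets (u, s) and the public commitments the coin carries."""
    s = secrets.randbelow(Q)
    return (identity % Q, s), (pow(G, identity, P), pow(G, s, P))

def spend(secret, challenge):
    """Spender's answer to a payee challenge: one point on r = u*c + s mod Q."""
    u, s = secret
    return (u * challenge + s) % Q

def verify(commit, challenge, response):
    """Payee or issuer checks the answer against the coin's commitments."""
    a, b = commit
    return pow(G, response, P) == (pow(a, challenge, P) * b) % P

def deposit(ledger, commit, challenge, response):
    """Issuer-side deposit. Returns (accepted, identity_of_double_spender)."""
    if not verify(commit, challenge, response):
        return False, None            # forged or corrupted transcript
    if commit not in ledger:
        ledger[commit] = (challenge, response)
        return True, None             # first deposit: u stays hidden behind s
    c1, r1 = ledger[commit]
    if (c1 - challenge) % Q == 0:
        return False, None            # same transcript replayed: nothing new
    # Two distinct points on the line give the slope u = (r1 - r2)/(c1 - c2).
    inv = pow((c1 - challenge) % Q, -1, Q)
    return False, (r1 - response) * inv % Q

def demo():
    ledger = {}
    secret, coin = withdraw(identity=777)   # constructed account number for C
    first = deposit(ledger, coin, 101, spend(secret, 101))   # reaches A via E
    second = deposit(ledger, coin, 202, spend(secret, 202))  # reaches A via E'
    return first, second                    # (True, None), (False, 777)

if __name__ == "__main__":
    print(demo())
```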




