From: Hal <hfinney@shell.portal.com>
Date: Wed, 7 Dec 94 08:45:06 PST
To: cypherpunks@toad.com
Subject: Re: Ideal digital cash system?
In-Reply-To: <Chameleon.4.00.941206225809.jcorgan@.netcom.com>
Message-ID: <199412071644.IAA19261@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Johnathan Corgan <jcorgan@netcom.com> writes:

>The authors consider this the first ideal untraceable electronic cash
>system.

>T. Oamoto and K. Ohta, Universal Electronic Cash
>Advances in Cryptology--CRYPTO '91 Proceedings
>Berlin: Springer-Verlag 1992 pp. 324-337

(This should be Okamoto & Ohta.)

This paper is not available electronically as far as I know.  The crypto
proceedings can be found in good university libraries.

I believe the Okamoto scheme has the problem that payments by a person
are all linkable.  Basically when you open an account with the bank you
get a "license" number B which you keep for all the time (and which the
bank doesn't know).  But every time you spend you have to send B.  So all
of the payments from a person will use the same B.

True, this doesn't reveal his identity, but it allows a given pseudonym's
spending patterns to be recorded and studied, which may be almost as bad.

Okamoto forgot unlinkability in his laundry list of ideal cash
characteristics.

Hal