1995-10-24 - Re: How can e-cash, even on-line cleared, protect payee identity?

Header Data

From: Wei Dai <weidai@eskimo.com>
To: Hal <hfinney@shell.portal.com>
Message Hash: 01089afa80924642f7912ac0d922d0fab384b2691f5d072961619b57dbba7b3c
Message ID: <Pine.SUN.3.91.951024133910.26964D-100000@eskimo.com>
Reply To: <199510232350.QAA17025@jobe.shell.portal.com>
UTC Datetime: 1995-10-24 21:04:22 UTC
Raw Date: Tue, 24 Oct 95 14:04:22 PDT

Raw message

From: Wei Dai <weidai@eskimo.com>
Date: Tue, 24 Oct 95 14:04:22 PDT
To: Hal <hfinney@shell.portal.com>
Subject: Re: How can e-cash, even on-line cleared, protect payee identity?
In-Reply-To: <199510232350.QAA17025@jobe.shell.portal.com>
Message-ID: <Pine.SUN.3.91.951024133910.26964D-100000@eskimo.com>
MIME-Version: 1.0
Content-Type: text/plain

On Mon, 23 Oct 1995, Hal wrote:

> This is an interesting idea but it is more complicated than necessary, I
> think.  The denomination can be carried in the exponent, in which case
> there is no need for cut and choose and nobody can cheat the bank.  A
> coin suitable for deposit is a signed number of some special form.  To
> pay Bob, Alice does not withdraw anything ahead of time.  Rather, Bob
> gives her a blinded coin, which she reblinds and gives to the bank.  The
> bank signs it (debiting Alice's account) and gives it back to her.  She
> strips off her blinding and gives it to Bob.  He strips off his own
> blinding and verifies that he is left with a signed number of the
> appropriate form.

Using the above protocol, payee anonymity will not be compromised by 
collusion between the bank and the payer, but the payee and the bank can 
collude to identify the payer!  (This reverses the situation in normal 
Chaumian ecash, and of course in certain circumstances may be preferable.)

This collusion can succeed even if Alice (the payer) reblinds the coin 
she gets from Bob before asking the bank to sign it, because Alice must 
withdraw the coin after Bob gives it to her and before returning it to Bob.  
Bob can ask the bank to record the names of everyone who withdrew money 
during that period, and after two or three repeated transactions can 
narrow the list of possible payers down to one person.  (This is reminiscent
of the time-correlation attack on remailers.)  In the original protocol 
this isn't possible because Alice can withdraw the money ahead of time.

Wei Dai
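Added example, not from the original thread or from either author: a toy simulation of the double-blinded withdrawal Hal describes (Bob blinds, Alice reblinds, the bank signs, each strips their own blinding in turn) followed by the window-intersection attack Wei Dai describes. The RSA blind-signature construction, the toy primes, the per-denomination exponents, the "special form" of a coin (serial plus hash redundancy field) and the bank withdrawal log are all my assumptions for illustration.

```python
"""Toy RSA blind signatures with payee blinding, plus the timing-correlation attack.
Everything here is an illustrative assumption, not the thread's own construction."""
from __future__ import annotations

import hashlib
import secrets
from math import gcd

# Toy RSA modulus from two well-known primes; far too small for real use (assumption).
P, Q = 1000000007, 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)

# "The denomination can be carried in the exponent": one public exponent per value.
# pow(e, -1, PHI) raises ValueError if an exponent is not invertible mod PHI.
DENOMINATION_EXPONENT = {1: 3, 5: 5, 10: 11}
BANK_PRIVATE = {value: pow(e, -1, PHI) for value, e in DENOMINATION_EXPONENT.items()}


def make_coin(serial: int) -> int:
    """A coin 'of some special form' (assumed): a 24-bit serial followed by a 32-bit
    redundancy field derived from it, so anyone can check the form offline."""
    assert 0 <= serial < 2**24
    tag = hashlib.sha256(serial.to_bytes(3, "big")).digest()[:4]
    return (serial << 32) | int.from_bytes(tag, "big")


def is_well_formed(coin: int) -> bool:
    serial, tag = coin >> 32, coin & 0xFFFFFFFF
    return serial < 2**24 and make_coin(serial) == (serial << 32) | tag


def random_blinding_factor() -> int:
    while True:  # any r with gcd(r, N) == 1 will do
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def blind(value: int, r: int, e: int) -> int:
    return (value * pow(r, e, N)) % N


def unblind(value: int, r: int) -> int:
    return (value * pow(r, -1, N)) % N


def bank_sign(blinded: int, denomination: int) -> int:
    """The bank signs whatever it is handed (debiting the presenter's account);
    it never sees the underlying coin."""
    return pow(blinded, BANK_PRIVATE[denomination], N)


def verify_coin(signature: int, denomination: int) -> bool:
    return is_well_formed(pow(signature, DENOMINATION_EXPONENT[denomination], N))


def payee_blinded_payment(denomination: int) -> dict:
    """Hal's protocol: Bob blinds, Alice reblinds, the bank signs, Alice and then
    Bob strip their own blinding. Returns what each party ended up holding."""
    e = DENOMINATION_EXPONENT[denomination]
    coin = make_coin(secrets.randbelow(2**24))          # Bob picks the coin
    r_bob = random_blinding_factor()
    to_alice = blind(coin, r_bob, e)                     # Bob -> Alice
    r_alice = random_blinding_factor()
    to_bank = blind(to_alice, r_alice, e)                # Alice -> bank
    signed = bank_sign(to_bank, denomination)            # bank -> Alice (Alice debited)
    to_bob = unblind(signed, r_alice)                    # Alice -> Bob
    signature = unblind(to_bob, r_bob)                   # Bob's unblinded coin
    return {
        "coin": coin,
        "alice_saw": to_alice,
        "bank_saw": to_bank,
        "signature": signature,
        "valid": verify_coin(signature, denomination),
    }


# Constructed bank withdrawal log (names and windows made up for the example):
# the set of account holders who withdrew during each window in which Bob was paid.
WITHDRAWALS_DURING_PAYMENTS = [
    {"alice", "carol", "dave", "frank"},
    {"alice", "dave", "erin"},
    {"alice", "carol", "erin"},
]


def correlate_withdrawals(windows: list) -> set:
    """Wei Dai's attack: in Hal's protocol Alice must withdraw between receiving
    Bob's blinded coin and returning it, so the payer lies in the intersection of
    the withdrawer sets of every payment window Bob reports to the bank."""
    suspects = set(windows[0])
    for names in windows[1:]:
        suspects &= names
    return suspects


if __name__ == "__main__":
    r = payee_blinded_payment(5)
    print("coin valid:", r["valid"], "| bank saw coin:", r["bank_saw"] == r["coin"])
    print("suspects after", len(WITHDRAWALS_DURING_PAYMENTS), "payments:",
          correlate_withdrawals(WITHDRAWALS_DURING_PAYMENTS))
```

The first half shows why the bank learns nothing about the coin from the signature step alone (it only ever sees a doubly blinded value, and a coin signed under one denomination's exponent does not verify under another's). The second half shows that the leak Wei Dai points to is in the timing, not the blinding: three constructed windows are enough for the intersection to collapse to a single name. In the original Chaumian scheme Alice's withdrawal can precede the payment by an arbitrary interval, so the windows carry no such information.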