1995-10-25 - Re: How can e-cash, even on-line cleared, protect payee identity?

Header Data

From: tomw@orac.engr.sgi.com (Tom Weinstein)
To: cypherpunks@toad.com
Message Hash: 22b68d45b37e0d5fd2d4169dfe3d881309c50b27cd81cd77b0da814be854421e
Message ID: <199510251303.GAA04029@orac.engr.sgi.com>
Reply To: <199510232023.OAA10038@nag.cs.colorado.edu>
UTC Datetime: 1995-10-25 13:03:41 UTC
Raw Date: Wed, 25 Oct 95 06:03:41 PDT

Raw message

From: tomw@orac.engr.sgi.com (Tom Weinstein)
Date: Wed, 25 Oct 95 06:03:41 PDT
To: cypherpunks@toad.com
Subject: Re: How can e-cash, even on-line cleared, protect payee identity?
In-Reply-To: <199510232023.OAA10038@nag.cs.colorado.edu>
Message-ID: <199510251303.GAA04029@orac.engr.sgi.com>
MIME-Version: 1.0
Content-Type: text/plain

In article <DGyIMI.KM9@sgi.sgi.com>, Hal <hfinney@shell.portal.com> writes:

> tomw@orac.engr.sgi.com (Tom Weinstein) writes:
>> Perhaps the problem is that Bob insists that Alice's coin was not signed
>> by the bank.  In that case, how about this modification?  Alice should
>> first show Bob the doubly blinded coin she gave to the bank and the
>> signed doubly blinded coin she received back.  Bob can verify the
>> signature and then Alice can give him the blinding factor so he can
>> unblind it himself.  Bob also needs to sign the singly blinded coin that
>> he gives to Alice so that Alice can later show that she gave him the
>> correct blinding factor if Bob tries to claim that she didn't.

> The problem with this is that Bob and the bank can now collude to trace
> Alice, since he sees what she sent to the bank.  This is not as bad as in
> the forward traceability case of regular ecash, because it happens after
> Alice has completed her bank transaction, rather than before, but it
> would be better to be untraceable since that is the whole point of this
> variation.

Good point.  To guard against this, Alice needs to double blind what she
sends to the bank.  She can then remove one layer of blinding and show
the results to Bob.  Of course Bob and the bank can still colude because
of the timing of the transactions.  This seems to be a fundamental
weakness of this reverse e-cash scheme.

Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything.  --  Washington DC motto          | tomw@engr.sgi.com