1995-10-23 - Re: How can e-cash, even on-line cleared, protect payee identity?

Header Data

From: Bryce <wilcoxb@nag.cs.colorado.edu>
To: Simon Spero <ses@tipper.oit.unc.edu>
Message Hash: e41e7d8642b7742380f4df20b7f1c9e22ad7b6c3330a1457b8685f7e96347d1a
Message ID: <199510232023.OAA10038@nag.cs.colorado.edu>
Reply To: <Pine.SOL.3.91.951022233806.16282B-100000@chivalry>
UTC Datetime: 1995-10-23 20:24:32 UTC
Raw Date: Mon, 23 Oct 95 13:24:32 PDT

Raw message

From: Bryce <wilcoxb@nag.cs.colorado.edu>
Date: Mon, 23 Oct 95 13:24:32 PDT
To: Simon Spero <ses@tipper.oit.unc.edu>
Subject: Re: How can e-cash, even on-line cleared, protect payee identity?
In-Reply-To: <Pine.SOL.3.91.951022233806.16282B-100000@chivalry>
Message-ID: <199510232023.OAA10038@nag.cs.colorado.edu>
MIME-Version: 1.0
Content-Type: text/plain


 An entity calling itself "Simon Spero" <ses@tipper.oit.unc.edu> 
 allegedly wrote:
> I can't remember off hand, but isn't blinding transitive?

Blinding and unblinding is just multiplication and division in
modular arithmetic, right?  So it oughta be transitive, right?
I actually don't know, and I am eager to find out.

 "'Simon Spero'":
> If so, there's 
> an obvious way to get two way anonymity with an on-line system. If Alice 
> wants to pay Bob $10, then Bob could prepare the usual squillion copies 
> of the note, each with a serial number known only to Bob, then blind them 
> and send them to Alice. 
> Alice would then reblind them and send them to Nick, the banker. Nick
> would then pick one of the notes, and ask Alice for the blinders for the
> rest. Alice would then ask Bob for his blinders for the rejected notes,
> and would forward both sets on to Nick, who would check them, and if
> they're legit, sign the remaining copy, and return it to Alice.  
> Alice could then remove her blinding factor, and send the result on to
> Bob. Bob then removes his blinding factor, and can now spend the coin. 

You mean he can now deposit the note with the bank for credit?  
Although he won't actually deposit it until later, some random 
amount of time after this transaction is finished.
  He *could* give the note to Charles, who would deposit it, but
Charles would not be able to protect his own identity when
accepting it.  Bob might as well just turn it in to the bank.

 "'Simon Spero'":
> Since Alice doesn't know the serial number, she can't reveal it to Nick 
> so that he can find out who deposits the coin. Also, since Nick doesn't 
> know the serial number, he can't collaborate with Bob to find out who 
> Alice is. 
> Does this work, or am I missing something?

It sounds good to me.  Bob will check the note for the bank's sig
after he has unblinded it.  Thus he knows that Alice didn't cheat

Can a more astute mathematician than myself evaluate this scheme for


signatures follow

            "To strive, to seek, to find and not to yield."   
    <a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html">

                          bryce@colorado.edu                   </a>

Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01
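
Added example, not part of the original message or of any e-cash implementation: the two-layer blinding Simon describes, run for a single note, assuming Chaum-style RSA blind signatures. The toy key, the SHA-256 note digest and all function names are assumptions made for the illustration; the cut-and-choose step over many copies is not modelled.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for Nick (two Mersenne primes); far too small and structured for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # Nick's private exponent


def note_digest(serial: bytes) -> int:
    """Map a note's serial number to an integer mod N (the value the bank signs)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def new_blinder() -> int:
    """Pick a random blinding factor that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def blind(value: int, r: int) -> int:
    """Multiply by r^E, so that a later signature carries a plain factor of r."""
    return value * pow(r, E, N) % N


def unblind(value: int, r: int) -> int:
    """Divide a signed value by r."""
    return value * pow(r, -1, N) % N


def two_party_withdrawal(serial: bytes):
    """Bob blinds, Alice reblinds, Nick signs, then Alice and Bob unblind in turn."""
    r_bob, r_alice = new_blinder(), new_blinder()
    from_bob = blind(note_digest(serial), r_bob)   # Bob -> Alice
    to_nick = blind(from_bob, r_alice)             # Alice -> Nick
    signed = pow(to_nick, D, N)                    # Nick signs without seeing the serial
    to_bob = unblind(signed, r_alice)              # Alice -> Bob
    signature = unblind(to_bob, r_bob)             # Bob now holds the signed note
    return to_nick, signature


def verify(serial: bytes, signature: int) -> bool:
    """Bob's check for the bank's signature after he has unblinded the note."""
    return pow(signature, E, N) == note_digest(serial)
```

Because the blinding factors simply multiply, the two unblinding steps can be applied in either order, and Nick only ever sees the doubly blinded value.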