From: Jiri Baum <jirib@cs.monash.edu.au>
Date: Fri, 3 Nov 1995 15:55:51 +0800
To: bigmac@digicash.com (Marcel van der Peijl)
Subject: Re: Re: Chaum's cash: backup?
In-Reply-To: <199510241312.OAA00644@digicash.com>
Message-ID: <199511030729.SAA03867@molly.cs.monash.edu.au>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Hello Marcel van der Peijl,
> From: "Marcel van der Peijl" <bigmac@digicash.com>
> Date:          Tue, 24 Oct 1995 14:10:58 +0100

Sorry about taking so long to reply... I'll quote more than usual
to make up for it.

> > > I could give a hint: your random state initializer is not the too-often 
> > > used srand( time( NULL ) ) but user-chosen during installation.

> > This sounds great... Will the bank be running crack against the proto-coins
> > it gets? (Say, at the behest of a LEA?)

> It is not the bank's intention to screw the clients, but mostly the 
> other way around.

I was referring to the claim that the system is payer-anonymous.

Thinking of it again now, what's to stop Eve the eavesdropper from spying
on the proto-coins, running crack against it, and then (later) 
eavesdropping on the bank-signed coins and unblinding/depositing them 
before Alice/Bob does?

(No, being encrypted by the bank's public key is not enough.)

> If the bank wants to screw the clients the easiest 
> way is to change their account balance. Remember, you trust them with 
> your money. That's why they're a bank.

Yes, but is the bank really interested in protecting privacy?

> > Is there any way for the user to re-initialize the random state?
> > > Write that initializer down and you can re-generate all coins.
> > ...
> > That's going to be one hell of a valuable piece of paper.
> > (Certainly to your enemies/prosecutors - it reveals the blinding factors
> > for every coin you ever spent.)

> You may choose to burn it or change random state and have no 
> recoverability. What do you value more? Your privacy or your money? 
> Each user will have too choose.

a) It would be nice if the protocol didn't require this choice.

b) This choice should be made explicit to the user.

c) As I noted above, wouldn't it also strongly reduce security?


See you!

Jiri
- --
<jirib@cs.monash.edu.au>     <jiri@melb.dialix.oz.au>     PGP 463A14D5

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMJnEeCxV6mvvBgf5AQF2BwP/XdMn6ktMGjToDltqo014kT1i3Z/GGXPr
HPW1gBN3RT3Ba9F2Ac+24IVVFqauo1sT+Ecc872UrlQzoF8S524oZfhjh3IW5xRF
mpZX48tnQn5nJE/U4XgvcuQ6yw5JOhc2eEVPs2PnKT+RdUogNb9UDAXOKn6+EILc
nqosNXK+aMU=
=geHb
-----END PGP SIGNATURE-----