1996-04-03 - Re: Chaumian ecash without RSA
Header Data
From: “D.A. Wagner” <daw27@newton.cam.ac.uk>
To: jamesd@echeque.com
Message Hash: 81c880a26d030eb9d46e1646be32f69cf0eac75b1dcfac012c72cba3bf46f69f
Message ID: <199604021555.QAA16166@jordan.newton.cam.ac.uk>
Reply To: <199604021544.HAA26145@dns2.noc.best.net>
UTC Datetime: 1996-04-03 08:40:30 UTC
Raw Date: Wed, 3 Apr 1996 16:40:30 +0800
Raw message
From: "D.A. Wagner" <daw27@newton.cam.ac.uk>
Date: Wed, 3 Apr 1996 16:40:30 +0800
To: jamesd@echeque.com
Subject: Re: Chaumian ecash without RSA
In-Reply-To: <199604021544.HAA26145@dns2.noc.best.net>
Message-ID: <199604021555.QAA16166@jordan.newton.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain
> 1: A coin is almost twice the size of a coin in the RSA protocol
Nah, it can be the same size as in the RSA-based Digicash protocol.
(Pick x to be 128 bits, and repeatedly iterate SHA to get a 1024
bit y value, like Digicash does in their RSA-based Chaumian protocol.)
> 2: Nobody except the bank can verify that a coin has face validity.
So your comment makes me glad I posted the scheme (even if it turns
out to be only of academic interest :-).
I claim that statement 2 is also true of Digicash's protocol as well.
Recall that Digicash is using an *online clearing* protocol-- so you
can't tell whether a coin is valid without consulting the bank.
Consulting the bank is absolutely necessary to prevent double spending.
So if you ever wrote an application which made a security-critical
decision based on whether the RSA signature verified correctly in the
Digicash protocol, and you didn't consult the bank re: double spending,
you'd be 100% vulnerable to a simple double spending attack.
In particular, I claim that the only reason the bank needs to publish
its RSA public exponent e is to allow you to blind the RSA signature:
it's specifically *not* intended for you to verify coin validity.
Everyone, feel free to jump in correct me if you disagree.
> For computer mediated management of contracts, transactions, and
> credit ratings, we need contracts such that all intermediate
> transactions can be reduced to locally verifiable cryptographic
> protocols.
Well, if that's what you want, no currently shipping protocol gives
you that. The current Digicash protocol does *not* let you do offline
clearing.
I don't claim to be able to solve the offline clearing problem; I just
hoped to point out that there is/(seems to be) nothing special about RSA.
(Indeed, one researcher has kindly emailed me to point out that several
well-known digital cash schemes use a El Gamal-based protocol.)
Thread
Return to April 1996
- Return to ““D.A. Wagner” <daw27@newton.cam.ac.uk>”
Return to “jamesd@echeque.com”
- 1996-04-02 (Tue, 2 Apr 1996 07:44:44 -0800 (PST)) - Re: Chaumian ecash without RSA - jamesd@echeque.com
- 1996-04-03 (Wed, 3 Apr 1996 16:40:30 +0800) - Re: Chaumian ecash without RSA - “D.A. Wagner” <daw27@newton.cam.ac.uk>