1996-04-03 - Re: Chaumian ecash without RSA

Header Data

From: “D.A. Wagner” <daw27@newton.cam.ac.uk>
To: jamesd@echeque.com
Message Hash: 81c880a26d030eb9d46e1646be32f69cf0eac75b1dcfac012c72cba3bf46f69f
Message ID: <199604021555.QAA16166@jordan.newton.cam.ac.uk>
Reply To: <199604021544.HAA26145@dns2.noc.best.net>
UTC Datetime: 1996-04-03 08:40:30 UTC
Raw Date: Wed, 3 Apr 1996 16:40:30 +0800

Raw message

From: "D.A. Wagner" <daw27@newton.cam.ac.uk>
Date: Wed, 3 Apr 1996 16:40:30 +0800
To: jamesd@echeque.com
Subject: Re: Chaumian ecash without RSA
In-Reply-To: <199604021544.HAA26145@dns2.noc.best.net>
Message-ID: <199604021555.QAA16166@jordan.newton.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain


> 1:  A coin is almost twice the size of a coin in the RSA protocol

Nah, it can be the same size as in the RSA-based Digicash protocol.
(Pick x to be 128 bits, and repeatedly iterate SHA to get a 1024
bit y value, like Digicash does in their RSA-based Chaumian protocol.)

> 2:  Nobody except the bank can verify that a coin has face validity.

So your comment makes me glad I posted the scheme (even if it turns
out to be only of academic interest :-).

I claim that statement 2 is also true of Digicash's protocol as well.

Recall that Digicash is using an *online clearing* protocol-- so you
can't tell whether a coin is valid without consulting the bank.
Consulting the bank is absolutely necessary to prevent double spending.

So if you ever wrote an application which made a security-critical
decision based on whether the RSA signature verified correctly in the
Digicash protocol, and you didn't consult the bank re: double spending,
you'd be 100% vulnerable to a simple double spending attack.

In particular, I claim that the only reason the bank needs to publish
its RSA public exponent e is to allow you to blind the RSA signature:
it's specifically *not* intended for you to verify coin validity.

Everyone, feel free to jump in and correct me if you disagree.

> For computer mediated management of contracts, transactions, and 
> credit ratings, we need contracts such that all intermediate 
> transactions can be reduced to locally verifiable cryptographic 
> protocols.

Well, if that's what you want, no currently shipping protocol gives
you that.  The current Digicash protocol does *not* let you do offline
clearing.

I don't claim to be able to solve the offline clearing problem; I just
hoped to point out that there is/(seems to be) nothing special about RSA.
(Indeed, one researcher has kindly emailed me to point out that several
well-known digital cash schemes use an El Gamal-based protocol.)
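As an added illustration (not code from this thread or from Digicash), here is a toy Python version of the flow the message describes: the coin's y is expanded from a 128-bit x by iterating a hash, the bank blind-signs y with RSA, and the published exponent e is used for the blinding step. A merchant verifying locally with e sees a valid signature on a coin that has already been spent, so only the bank's online spent-list check catches the double spend. The tiny RSA key, SHA-256 as the iterated hash, and the Bank/merchant roles are assumptions for the demo.

```python
import hashlib
import secrets
from math import gcd

# Toy bank RSA key (constructed small primes so the demo runs instantly; real keys are far larger).
P, Q = 1000003, 1000033
N = P * Q
E = 65537                      # the published exponent the message discusses
D = pow(E, -1, (P - 1) * (Q - 1))

def coin_y(x: bytes) -> int:
    """Expand the 128-bit secret x into y by iterating SHA-256 (Digicash-style), reduced mod the toy N."""
    out, h = b"", x
    while len(out) < 128:      # 1024 bits of hash output
        h = hashlib.sha256(h).digest()
        out += h
    return int.from_bytes(out, "big") % N

def blind(y: int, r: int) -> int:
    return (y * pow(r, E, N)) % N      # only E is needed here: this is why the bank publishes it

def bank_sign(m: int) -> int:
    return pow(m, D, N)                # the bank never sees y, only the blinded value m

def unblind(s_blind: int, r: int) -> int:
    return (s_blind * pow(r, -1, N)) % N

def verify_face(y: int, s: int) -> bool:
    """Local check with E only: proves the bank signed y, says nothing about double spending."""
    return pow(s, E, N) == y

def withdraw():
    x = secrets.token_bytes(16)        # 128-bit x, as the message suggests
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:              # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    return x, unblind(bank_sign(blind(coin_y(x), r)), r)

class Bank:
    """Online clearing: the bank's spent set is the only defence against double spending."""
    def __init__(self):
        self.spent = set()
    def deposit(self, x: bytes, s: int) -> str:
        if not verify_face(coin_y(x), s):
            return "bad signature"
        if x in self.spent:
            return "double spend"
        self.spent.add(x)
        return "accepted"
```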
