1996-04-03 - Re: Chaumian ecash without RSA

Header Data

From: jamesd@echeque.com
To: daw@cs.berkeley.edu
Message Hash: d3d25928671c9fe163bcb468684ef31a59c15be97a712ad8ba99f00448c34670
Message ID: <199604030633.WAA06128@mail1.best.com>
Reply To: N/A
UTC Datetime: 1996-04-03 11:49:26 UTC
Raw Date: Wed, 3 Apr 1996 19:49:26 +0800

Raw message

From: jamesd@echeque.com
Date: Wed, 3 Apr 1996 19:49:26 +0800
To: daw@cs.berkeley.edu
Subject: Re: Chaumian ecash without RSA
Message-ID: <199604030633.WAA06128@mail1.best.com>
MIME-Version: 1.0
Content-Type: text/plain



>> 2:  Nobody except the bank can verify that a coin has face validity.

At 04:55 PM 4/2/96 +0100, D.A. Wagner wrote:
> I claim that statement 2 is also true of Digicash's protocol as well.
>
> Recall that Digicash is using an *online clearing* protocol-- so you
> can't tell whether a coin is valid without consulting the bank.
> Consulting the bank is absolutely necessary to prevent double spending.

Suppose Alice generates an unsigned coin, blinds it, and shows Bob the
usigned, blinded coin.

Bob then has the bank sign it, and gives the signature to Alice.  

If we use RSA to sign the coin, Alice now knows she has a valid 
coin, because she can verify the coin herself without needing to
show it to the bank.  So Bob has paid Alice some money, and 
nobody can double spend the coin, because Alice, and only Alice, 
knows the blinding factor.

So Alice does *not* need to check with the bank.

Alice cannot do this with your protocol, so we cannot have payee 
anonymity with your protocol.
 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd@echeque.com






Thread