[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Is the following digicash protocol possible?

To: [email protected] (James A. Donald)
Subject: Re: Is the following digicash protocol possible?
From: [email protected]
Date: Thu, 01 Sep 1994 23:08:35 EDT
Cc: [email protected]
In-Reply-To: Your message of "Thu, 01 Sep 1994 14:15:19 PDT." <[email protected]>
Sender: [email protected]

> A question about offline digicash:
> 
> Is it possible to arrange digicash as follows:
> 
> If A, the original issuer, issues a unit of digicash to 
> to B, and B gives it to C, and C gives it to D, and D,
> gives it to E, and E cashes it with A,  --  and
> everyone colludes except C and D, it is impossible
> to prove that C got this unit from D.

I assume you mean the last line to read "to prove that D got
this unit from C".

Chaum has demonstrated (In a paper I discussed here a little
over a month ago) that when A, B and E collude they can be sure
that the cash D gave to E is part of the same banknote that B
gave to C.

HOWEVER, it is possible to design a protocol such that
it is NOT possible for A, B and E to be sure that C gave
his money directly to D. (i.e. a protocol can be designed
such that A, B and E can not rule out the possibility that
the cash went from C to F to G to H to I to J to D. Thus,
the solution for entities that are worried about having
their cash marked is to exchange banknotes anonymously
with randomly selected entities before using them again.

> If A, the original issuer, issus a unit of digicash to 
> to B, and B gives it to C, and C gives it to D, and D,
> gives it to E, and E cashes it with A,  --  and
> C double spends it to D', who then gives it to E'
> who then attempts to cash it with A, -- then A
> will detect the double spending and rebuff the attempt,
> E' will complain to D', and D', with information
> supplied by E' and A, can then prove that C dishonorably 
> double spent the money, without discovering that C gave 
> the money to D, and hence without discovering that D 
> gave the money to E.

Anonymous e-cash can be created such that the identity
of the cheat is immediatelly known as soon as the second
copy of the banknote (or of a part of the banknote)
reaches A. I should think that any protocol which requires
backtracking would be highly undesirable (i.e. D' and
idealy E' should not be bothered).

Cheers,

Jason W. Solinsky

References:
- Is the following digicash protocol possible?
  - From: [email protected] (James A. Donald)

Prev by Date: Did I send you this???????
Next by Date: Re: State Declaration of Ind.
Prev by thread: Re: Is the following digicash protocol possible?
Next by thread: Re: $10M breaks MD5 in 24 days
Index(es):
- Date
- Thread