
Re: Chaumian ecash without RSA




>> 2:  Nobody except the bank can verify that a coin has face validity.

At 04:55 PM 4/2/96 +0100, D.A. Wagner wrote:
> I claim that statement 2 is also true of Digicash's protocol as well.
>
> Recall that Digicash is using an *online clearing* protocol-- so you
> can't tell whether a coin is valid without consulting the bank.
> Consulting the bank is absolutely necessary to prevent double spending.

Suppose Alice generates an unsigned coin, blinds it, and shows Bob the
unsigned, blinded coin.

Bob then has the bank sign it, and gives the signature to Alice.  

If we use RSA to sign the coin, Alice now knows she has a valid 
coin, because she can verify the coin herself without needing to
show it to the bank.  So Bob has paid Alice some money, and 
nobody can double spend the coin, because Alice, and only Alice, 
knows the blinding factor.

So Alice does *not* need to check with the bank.

Alice cannot do this with your protocol, so we cannot have payee 
anonymity with your protocol.
 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   [email protected]
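
The payee-blinded RSA exchange described in the message above, as an added example that is not part of the original post. It assumes a constructed toy bank key built from two Mersenne primes, a SHA-256 digest of the coin serial as the value signed, and hypothetical function names; it demonstrates only the payee's local face-validity check.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy bank key (assumption): two known Mersenne primes.
# Far too small and structured for real use; illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                   # bank's public key
D = pow(E, -1, (P - 1) * (Q - 1))     # bank's private exponent

def coin_digest(serial: bytes) -> int:
    """Value the bank signs: SHA-256 of the serial, reduced mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """Alice (payee): hide the coin under a random factor r only she knows."""
    m = coin_digest(serial)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def bank_sign(blinded: int) -> int:
    """Bank: signs what Bob submits; it never sees the serial or r."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Alice: strip r to obtain an ordinary RSA signature on her coin."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(serial: bytes, sig: int) -> bool:
    """Anyone holding the bank's public key can check face validity."""
    return pow(sig, E, N) == coin_digest(serial)

def demo():
    serial = secrets.token_bytes(16)   # constructed coin serial
    blinded, r = blind(serial)         # Alice -> Bob: blinded coin only
    blind_sig = bank_sign(blinded)     # Bob -> bank -> Bob -> Alice
    coin_sig = unblind(blind_sig, r)   # needs r, which Bob never had
    # First: Alice's local check. Second: the blinded signature Bob holds
    # is not itself a valid signature on the coin.
    return verify(serial, coin_sig), verify(serial, blind_sig)

if __name__ == "__main__":
    print(demo())
```
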