[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: [email protected] (James A. Donald)*Subject*: Re: Is the following digicash protocol possible?*From*: [email protected]*Date*: Thu, 01 Sep 1994 23:08:35 EDT*Cc*: [email protected]*In-Reply-To*: Your message of "Thu, 01 Sep 1994 14:15:19 PDT." <[email protected]>*Sender*: [email protected]

> A question about offline digicash: > > Is it possible to arrange digicash as follows: > > If A, the original issuer, issues a unit of digicash to > to B, and B gives it to C, and C gives it to D, and D, > gives it to E, and E cashes it with A, -- and > everyone colludes except C and D, it is impossible > to prove that C got this unit from D. I assume you mean the last line to read "to prove that D got this unit from C". Chaum has demonstrated (In a paper I discussed here a little over a month ago) that when A, B and E collude they can be sure that the cash D gave to E is part of the same banknote that B gave to C. HOWEVER, it is possible to design a protocol such that it is NOT possible for A, B and E to be sure that C gave his money directly to D. (i.e. a protocol can be designed such that A, B and E can not rule out the possibility that the cash went from C to F to G to H to I to J to D. Thus, the solution for entities that are worried about having their cash marked is to exchange banknotes anonymously with randomly selected entities before using them again. > If A, the original issuer, issus a unit of digicash to > to B, and B gives it to C, and C gives it to D, and D, > gives it to E, and E cashes it with A, -- and > C double spends it to D', who then gives it to E' > who then attempts to cash it with A, -- then A > will detect the double spending and rebuff the attempt, > E' will complain to D', and D', with information > supplied by E' and A, can then prove that C dishonorably > double spent the money, without discovering that C gave > the money to D, and hence without discovering that D > gave the money to E. Anonymous e-cash can be created such that the identity of the cheat is immediatelly known as soon as the second copy of the banknote (or of a part of the banknote) reaches A. I should think that any protocol which requires backtracking would be highly undesirable (i.e. D' and idealy E' should not be bothered). Cheers, Jason W. Solinsky

**References**:**Is the following digicash protocol possible?***From:*[email protected] (James A. Donald)

- Prev by Date:
**Did I send you this???????** - Next by Date:
**Re: State Declaration of Ind.** - Prev by thread:
**Re: Is the following digicash protocol possible?** - Next by thread:
**Re: $10M breaks MD5 in 24 days** - Index(es):