
Re: Chaumian ecash without RSA



> 1:  A coin is almost twice the size of a coin in the RSA protocol

Nah, it can be the same size as in the RSA-based Digicash protocol.
(Pick x to be 128 bits, and repeatedly iterate SHA to get a 1024
bit y value, like Digicash does in their RSA-based Chaumian protocol.)

> 2:  Nobody except the bank can verify that a coin has face validity.

So your comment makes me glad I posted the scheme (even if it turns
out to be only of academic interest :-).

I claim that statement 2 is also true of Digicash's protocol.

Recall that Digicash is using an *online clearing* protocol-- so you
can't tell whether a coin is valid without consulting the bank.
Consulting the bank is absolutely necessary to prevent double spending.

So if you ever wrote an application which made a security-critical
decision based on whether the RSA signature verified correctly in the
Digicash protocol, and you didn't consult the bank re: double spending,
you'd be 100% vulnerable to a simple double spending attack.

In particular, I claim that the only reason the bank needs to publish
its RSA public exponent e is to allow you to blind the RSA signature:
it's specifically *not* intended for you to verify coin validity.

Everyone, feel free to jump in correct me if you disagree.

> For computer mediated management of contracts, transactions, and 
> credit ratings, we need contracts such that all intermediate 
> transactions can be reduced to locally verifiable cryptographic 
> protocols.

Well, if that's what you want, no currently shipping protocol gives
you that.  The current Digicash protocol does *not* let you do offline
clearing.

I don't claim to be able to solve the offline clearing problem; I just
hoped to point out that there is (or seems to be) nothing special about RSA.
(Indeed, one researcher has kindly emailed me to point out that several
well-known digital cash schemes use an El Gamal-based protocol.)
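
[Added example, not from this post and not Digicash's code: a toy Python
model of the point argued above. A coin is (x, s) with x a 128-bit serial
and y = expand(x) a 1024-bit value obtained by iterating SHA, as described
in the reply; the exact chaining used in expand(), the toy RSA parameters,
the function names and the bank's spent-list are assumptions of the example.
Two merchants that only check s^e == y both accept the same coin; only the
bank's online clearing rejects the second deposit.]

```python
"""Toy Chaumian e-cash: RSA blind signature plus an online spent-list.

Added example, not Digicash's code.  x is a 128-bit serial and y a 1024-bit
value from iterated SHA, as the post says; the chaining used here is an
assumption.  Textbook RSA with toy-sized keys: illustration only."""
import hashlib
import math
import secrets

X_BITS, Y_BITS = 128, 1024


def expand(x: int) -> int:
    """Stretch the 128-bit serial x to a 1024-bit y by chained SHA-1 (assumed)."""
    digest = hashlib.sha1(x.to_bytes(X_BITS // 8, "big")).digest()
    stream = digest
    while len(stream) * 8 < Y_BITS:          # 7 x 160 bits covers 1024
        digest = hashlib.sha1(digest).digest()
        stream += digest
    return int.from_bytes(stream, "big") >> (len(stream) * 8 - Y_BITS)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                  # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def face_valid(coin, n: int, e: int) -> bool:
    """s**e == y mod n: proves the bank signed y, says nothing about spending."""
    x, s = coin
    return pow(s, e, n) == expand(x)


class Bank:
    """Signs blinded coins and clears deposits online against a spent-list."""

    def __init__(self):
        self.e = 65537
        while True:
            # 513-bit primes give n > 2**1024, so every 1024-bit y is below n.
            p, q = gen_prime(513), gen_prime(513)
            if ((p - 1) * (q - 1)) % self.e:      # e must be invertible mod phi
                break
        self.n = p * q
        self._d = pow(self.e, -1, (p - 1) * (q - 1))
        self.spent = set()                        # serials already deposited

    def sign_blinded(self, blinded: int) -> int:
        """Bank signs y*r^e without learning y (account debit omitted)."""
        return pow(blinded, self._d, self.n)

    def deposit(self, coin) -> bool:
        """Online clearing: good signature AND serial never seen before."""
        if not face_valid(coin, self.n, self.e) or coin[0] in self.spent:
            return False
        self.spent.add(coin[0])
        return True


def withdraw(bank: Bank):
    """User side: blind y with a random r, get it signed, unblind to (x, s)."""
    x = secrets.randbits(X_BITS)
    y = expand(x)
    r = secrets.randbelow(bank.n - 2) + 2
    while math.gcd(r, bank.n) != 1:
        r = secrets.randbelow(bank.n - 2) + 2
    blinded = (y * pow(r, bank.e, bank.n)) % bank.n   # the only use of e here
    s = (bank.sign_blinded(blinded) * pow(r, -1, bank.n)) % bank.n  # = y^d
    return x, s


def demo():
    """Two offline merchants accept one coin; only online clearing stops it."""
    bank = Bank()
    coin = withdraw(bank)
    merchant_a = face_valid(coin, bank.n, bank.e)
    merchant_b = face_valid(coin, bank.n, bank.e)
    forged_ok = face_valid((coin[0], coin[1] ^ 1), bank.n, bank.e)
    first, second = bank.deposit(coin), bank.deposit(coin)
    return merchant_a, merchant_b, forged_ok, first, second
```

Running demo() gives (True, True, False, True, False): both merchants'
face checks pass, a tampered signature fails, the first deposit clears and
the replayed coin is refused by the bank's spent-list, which is the check
the signature alone cannot supply.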