[13146] in cryptography@c2.net mail archive


Re: [Lucrative-L] double spends, identity agnosticism, and Lucrative

daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Apr 30 14:49:17 2003

X-Original-To: cryptography@metzdowd.com
Date: Wed, 30 Apr 2003 15:02:30 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Adam Back <adam@cypherspace.org>
Cc: "R. A. Hettinga" <rah@shipwright.com>,
	Digital Bearer Settlement List <dbs@philodox.com>,
	cryptography@metzdowd.com, cypherpunks@lne.com
In-Reply-To: <20030429233621.A8391604@exeter.ac.uk>

Adam Back wrote:

> There are also existential forgeries.
> 
> I.e. choose random x, compute y = x^e mod n, now x looks like a
> signature on y because y^d = x mod n; and when he verifies the
> verifier will just do x^e and see that it is equal to y.
> 
> These may also look like valid coins to this code!
> 
> It's missing a step: the coin should have some structure.  So it can't
> be a hash of a message chosen by the user but hashed by the signer
> (the normal practical RSA signature) because the server can't see that
> it or it would be linkable.
> 
> What digicash did I think is something like c = [x||h(x)].  Then you
> can reject existential forgeries and unblinded coins because they
> won't have the right form.
> 
> (If you look back to the post where I gave a summary of the math,
> you'll see I included that step.)

This is also what Lucre (and hence Lucrative) does.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
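
Added example, not part of the original message and not Lucre or Lucrative code: a sketch of why a raw RSA check accepts the existential forgery described in the quoted text, and how requiring the c = [x||h(x)] form rejects it while blind issuance still works. The toy key, the 8-byte field sizes, SHA-256 and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
HALF = 8  # bytes of serial x, and bytes of truncated h(x) (assumed sizes)

def make_coin(x):
    """Encode c = x || h(x) as an integer below N."""
    assert len(x) == HALF
    return int.from_bytes(x + hashlib.sha256(x).digest()[:HALF], "big")

def well_formed(c):
    """True only if c decodes to x || h(x)."""
    if c >= 1 << (16 * HALF):            # does not fit in 2*HALF bytes
        return False
    raw = c.to_bytes(2 * HALF, "big")
    return raw[HALF:] == hashlib.sha256(raw[:HALF]).digest()[:HALF]

def blind_issue(c):
    """Client blinds c, signer applies d to the blinded value, client unblinds."""
    r = secrets.randbelow(N - 2) + 2
    blinded = (c * pow(r, E, N)) % N     # the only value the signer sees
    signed = pow(blinded, D, N)          # signer's raw RSA operation
    return (signed * pow(r, -1, N)) % N  # equals c^d mod N

def forge(s):
    """Existential forgery: pick a 'signature' s, derive the value it signs."""
    return pow(s, E, N), s

def raw_verify(c, sig):
    """Bare check sig^e == c, with no structure requirement."""
    return pow(sig, E, N) == c

def verify_coin(c, sig):
    """Structure check first, then the RSA relation."""
    return well_formed(c) and raw_verify(c, sig)

if __name__ == "__main__":
    coin = make_coin(b"serial01")
    sig = blind_issue(coin)
    fc, fs = forge(secrets.randbelow(N - 2) + 2)
    print("issued coin:", raw_verify(coin, sig), verify_coin(coin, sig))
    print("forged pair:", raw_verify(fc, fs), verify_coin(fc, fs))
```

The forged value is an essentially random number modulo n, so the chance that it happens to decode as x||h(x) is negligible, which is what the structure check relies on.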
