[13142] in cryptography@c2.net mail archive
Re: [Lucrative-L] double spends, identity agnosticism, and Lucrative
daemon@ATHENA.MIT.EDU (Adam Back)
Tue Apr 29 21:06:13 2003
X-Original-To: cryptography@metzdowd.com
Date: Tue, 29 Apr 2003 23:36:21 +0100
From: Adam Back <adam@cypherspace.org>
To: "R. A. Hettinga" <rah@shipwright.com>
Cc: Digital Bearer Settlement List <dbs@philodox.com>,
cryptography@metzdowd.com, cypherpunks@lne.com,
Adam Back <adam@cypherspace.org>
In-Reply-To: <E19AdEC-0008FS-00@smtp10.atl.mindspring.net>; from rah@shipwright.com on Tue, Apr 29, 2003 at 06:02:01PM -0400
There are also existential forgeries.
I.e. choose random x, compute y = x^e mod n; now x looks like a
signature on y because y^d = x mod n, and when he verifies, the
verifier will just do x^e and see that it is equal to y.
These may also look like valid coins to this code!
It's missing a step: the coin should have some structure. So it can't
be a hash of a message chosen by the user but hashed by the signer
(the normal practical RSA signature), because the server can't see
it, or it would be linkable.
What DigiCash did, I think, is something like c = [x||h(x)]. Then you
can reject existential forgeries and unblinded coins because they
won't have the right form.
(If you look back to the post where I gave a summary of the math,
you'll see I included that step.)
Adam
On Tue, Apr 29, 2003 at 06:02:01PM -0400, R. A. Hettinga wrote:
>
> --- begin forwarded text
>
>
> From: "Patrick" <patrick@lfcgate.com>
> To: <lucrative-l@lucrative.thirdhost.com>
> Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative
> Date: Tue, 29 Apr 2003 14:46:48 -0600
> Importance: Normal
> Sender: owner-lucrative-l@lucrative.thirdhost.com
>
>
> A quick experiment has confirmed the obvious: when a client
> reissues a coin at the mint, both the blinded coin and its unblinded cousin
> are valid instruments to the Lucrative mint.
>
> Example: Alice uses the Mint's API to reissue a one-dollar note,
> blinding the coin before getting a signature, and unblinding the
> signature afterwards. She's left with both a blinded and a non-blinded
> version of the coin. The mint believes they are both valid. Instant,
> unlimited inflation.
>
> I believe the solution to this is to have the mint track both
> spent coins and issued coins (that is, it automatically cancels coins it
> issues, before the client receives them). The client is left with no
> choice but to go through a blinding and unblinding process in order to
> have a usable coin.
>
> This seems to make identity-agnostic cash difficult or
> impossible, at least with Lucrative:
> http://www.io.com/~cman/agnostic.html,
> http://cypherpunks.venona.com/date/1995/09/msg00197.html .
>
>
> Patrick
>
>
> The Lucrative Project: http://lucrative.thirdhost.com
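A worked illustration of the two points above, added here as an example; it is not code from this thread, from DigiCash or from the Lucrative project. It builds a toy RSA key from two Mersenne primes (far too small for real use, chosen only so it runs offline), assumes a coin layout of 8 random bytes followed by 8 bytes of truncated SHA-256 (the x||h(x) structure, with these sizes as an assumption), and then shows that (a) a random x with y = x^e mod n passes bare RSA verification as a "signature on y", (b) the blinded value and the mint's signature on it also pass bare RSA verification, which is the inflation Patrick describes, and (c) a structural check on the signed value rejects both while still accepting the properly unblinded coin.

```python
import hashlib
import math
import random

# Toy RSA modulus from two Mersenne primes (2^89-1 and 2^107-1) so the example
# needs no key generation. About 196 bits: for illustration only, never for use.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Assumed coin layout: coin = x || h(x), with x 8 random bytes and h(x) the
# first 8 bytes of SHA-256(x). The thread only says "something like [x||h(x)]".
COIN_BYTES = 16
X_BYTES = 8


def h_tag(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()[:COIN_BYTES - X_BYTES]


def make_coin(rng: random.Random) -> int:
    """Client-side: pick random x and append its hash tag."""
    x = rng.randbytes(X_BYTES)
    return int.from_bytes(x + h_tag(x), "big")


def well_formed(m: int) -> bool:
    """The missing step: the signed value must parse as x || h(x).

    A random y = x^e mod n, or a still-blinded value m * r^e mod n, is a
    ~196-bit number and does not even fit in 16 bytes, let alone carry a
    matching tag, so both are rejected here."""
    if m < 0 or m >= 1 << (8 * COIN_BYTES):
        return False
    raw = m.to_bytes(COIN_BYTES, "big")
    return raw[X_BYTES:] == h_tag(raw[:X_BYTES])


def rsa_verify(m: int, s: int) -> bool:
    """Bare textbook RSA check: s^e == m (mod n). This alone is what fails."""
    return pow(s, E, N) == m % N


def mint_accepts(m: int, s: int) -> bool:
    """Mint check with structure: valid signature AND well-formed coin."""
    return rsa_verify(m, s) and well_formed(m)


def mint_sign(blinded: int) -> int:
    """Mint signs whatever it is handed; it cannot see the coin inside."""
    return pow(blinded, D, N)


def blind(m: int, rng: random.Random):
    """Chaum blinding: m' = m * r^e mod n, with r invertible mod n."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(s_blinded: int, r: int) -> int:
    """s = s' * r^-1 mod n, since s' = (m * r^e)^d = m^d * r mod n."""
    return (s_blinded * pow(r, -1, N)) % N


def existential_forgery(rng: random.Random):
    """Adam Back's forgery: pick x, publish y = x^e mod n with 'signature' x."""
    x = rng.randrange(2, N)
    return pow(x, E, N), x  # (message, signature)


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)  # seeded so the run is reproducible
    m = make_coin(rng)
    m_blinded, r = blind(m, rng)
    s_blinded = mint_sign(m_blinded)
    s = unblind(s_blinded, r)
    y, x = existential_forgery(rng)
    return {
        "coin_rsa_ok": rsa_verify(m, s),
        "coin_accepted": mint_accepts(m, s),
        "blinded_rsa_ok": rsa_verify(m_blinded, s_blinded),
        "blinded_accepted": mint_accepts(m_blinded, s_blinded),
        "forgery_rsa_ok": rsa_verify(y, x),
        "forgery_accepted": mint_accepts(y, x),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {ok}")
```

Running it shows the three bare-RSA checks all succeed while only the unblinded coin survives the structural check; tracking issued values at the mint, as Patrick suggests, is a separate and stateful defence against the blinded/unblinded pair, whereas the x||h(x) form stops both that pair and the existential forgery statelessly.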
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com