[1408] in cryptography@c2.net mail archive
Re: Online bets without trusted third parties
daemon@ATHENA.MIT.EDU (Steve Schear)
Wed Sep 3 11:05:30 1997
Date: Tue, 2 Sep 1997 19:18:13 -0700
To: valdeez@juno.com (Anonymous Remailer), cryptography@c2.net
From: Steve Schear <azur@netcom.com>
>The idea is that each party withdraws cash using blinding provided by
>the other party. They then prove to the other party that they have
>done so and have a signature from the bank on the supplied blind
>value, using a zero knowledge proof. This is analogous to giving half
>a bank note to the other person.
>
>The key idea here is that the only way one party can give the other a
>credible zero knowledge proof that they have a signature on the
>blinded ecash value is if they actually interacted with the bank and
>got their account debited for the specified amount. But since they
>don't know the blinding value used, they can't do anything with that
>signature. As far as they are concerned, it is a signature on a
>random number. Neither party by themselves has the information needed
>to acquire the value of the withdrawn cash. It will be necessary to
>know both the blinding factor and the signature in order to make the
>cash worth something.
>
>Once the bet is decided, the losing party reveals the bank's signature
>on the blinded cash, to allow the other party to unblind the cash he
>was given, and also provides the blinding factors to allow the other
>party to unblind the cash he withdrew. This is analogous to giving
>the two half bank notes to the winner.
Might this be an enabling technology for idea futures markets/anonymous
betting pools?
>The protocol works as follows. Bob chooses a random value k, and
>gives Alice r = k^e mod n. Alice challenges with a random value c <= e.
>Bob responds with s = k * sign(v)^c. Alice verifies that s^e = r * v^c.
>This protocol gives Bob a 1/e chance of cheating, so it may have to be
>repeated a few times depending on the value of e used by the bank.
This looks relatively easy to add to ecash, but of course it might also
enable anonymous extortion etc. ;-)
-Steve
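
The challenge-response exchange quoted above (r = k^e, challenge c, s = k * sign(v)^c, check s^e = r * v^c), as an added example that is not part of the original thread. The toy bank key, e = 17, the sample value v and all function names are assumptions made for illustration; the last function shows why a prover without the signature passes a round only by guessing c in advance.

```python
import secrets

# Constructed toy bank key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 17                                 # small e so the 1/e bound is visible
D = pow(E, -1, (P - 1) * (Q - 1))      # bank's private exponent

def bank_sign(v):
    """Bank's raw RSA signature on the (blinded) value v."""
    return pow(v, D, N)

def commit(k):
    """Bob's first message: r = k^e mod n."""
    return pow(k, E, N)

def respond(k, sig, c):
    """Bob's answer: s = k * sign(v)^c mod n."""
    return k * pow(sig, c, N) % N

def verify(v, r, c, s):
    """Alice's check: s^e == r * v^c mod n."""
    return pow(s, E, N) == r * pow(v, c, N) % N

def forge_for_guess(v, guess):
    """Transcript built without the signature; valid only if c == guess."""
    s = secrets.randbelow(N - 2) + 2
    r = pow(s, E, N) * pow(v, -guess, N) % N
    return r, s

def run_rounds(v, sig, rounds):
    """Honest Bob proves knowledge of sig over several rounds."""
    for _ in range(rounds):
        k = secrets.randbelow(N - 2) + 2       # Bob's fresh random k
        r = commit(k)
        c = secrets.randbelow(E) + 1           # Alice's challenge, 1 <= c <= e
        if not verify(v, r, c, respond(k, sig, c)):
            return False
    return True

if __name__ == "__main__":
    v = 0x1234567890ABCDEF                     # constructed blinded coin value
    sig = bank_sign(v)
    print("honest prover accepted:", run_rounds(v, sig, 8))
    r, s = forge_for_guess(v, 5)
    print("forged, c=5:", verify(v, r, 5, s), "c=6:", verify(v, r, 6, s))
```

With e = 17, a prover who lacks the signature passes a single round with probability 1/17, which is why the quoted description says the exchange may need to be repeated.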