[Lucrative-L] double spends, identity agnosticism, and Lucrative
Adam Back
adam at cypherspace.org
Tue Apr 29 18:36:21 EDT 2003
There are also existential forgeries.
I.e. choose random x, compute y = x^e mod n, now x looks like a
signature on y because y^d = x mod n; and when he verifies the
verifier will just do x^e and see that it is equal to y.
These may also look like valid coins to this code!
It's missing a step: the coin should have some structure. So it can't
be a hash of a message chosen by the user but hashed by the signer
(the normal practical RSA signature) because the server can't see that
it or it would be linkable.
What digicash did I think is something like c = [x||h(x)]. Then you
can reject existential forgeries and unblinded coins because they
won't have the right form.
(If you look back to the post where I gave a summary of the math,
you'll see I included that step.)
Adam
On Tue, Apr 29, 2003 at 06:02:01PM -0400, R. A. Hettinga wrote:
>
> --- begin forwarded text
>
>
> From: "Patrick" <patrick at lfcgate.com>
> To: <lucrative-l at lucrative.thirdhost.com>
> Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative
> Date: Tue, 29 Apr 2003 14:46:48 -0600
> Importance: Normal
> Sender: owner-lucrative-l at lucrative.thirdhost.com
>
>
> A quick experiment has confirmed the obvious: when a client
> reissues a coin at the mint, both the blinded and its unblinded cousin
> are valid instruments to the Lucrative mint.
>
> Example: Alice uses the Mint's API to reissue a one-dollar note,
> blinding the coin before getting a signature, and unblinding the
> signature afterwards. She's left with both a blinded and a non-blinded
> version of the coin. The mint believes they are both valid. Instant,
> unlimited inflation.
>
> I believe the solution to this is to have the mint track both
> spent coins and issued coins (that is, it automatically cancels coins it
> issues, before the client receives them). The client is left with no
> choice but to go through a blinding and unblinding process in order to
> have a usable coin.
>
> This seems to make identity-agnostic cash difficult or
> impossible, at least with Lucrative:
> http://www.io.com/~cman/agnostic.html,
> http://cypherpunks.venona.com/date/1995/09/msg00197.html .
>
>
> Patrick
>
>
> The Lucrative Project: http://lucrative.thirdhost.com
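As an added illustration (not code from the Lucrative project or from Adam's earlier summary post), here is a toy Python sketch of the structured-coin check discussed above: the mint only accepts a coin whose message has the form x||h(x), which rejects both an existential forgery (random s with c = s^e mod n) and the still-blinded value that passed Lucrative's naive s^e == c test. The RSA primes, the 16-bit x and the 16-bit truncated-SHA-256 tag are constructed toy parameters, far too small for real use.

```python
import hashlib
import secrets

# Toy RSA parameters (constructed for illustration; far too small for real use).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
X_BITS = 16      # width of the coin's random part x (assumed toy choice)
HASH_BITS = 16   # width of the redundancy tag h(x) (assumed toy choice)

def h(x: int) -> int:
    """Truncated SHA-256 of x: the redundancy the mint checks for."""
    digest = hashlib.sha256(x.to_bytes(X_BITS // 8, "big")).digest()
    return int.from_bytes(digest[: HASH_BITS // 8], "big")

def make_coin(x: int) -> int:
    """Coin message c = x || h(x), the structured form described above."""
    return (x << HASH_BITS) | h(x)

def well_formed(c: int) -> bool:
    """Accept only messages of the form x || h(x); everything else is junk."""
    if not 0 <= c < (1 << (X_BITS + HASH_BITS)):
        return False  # too wide to be x || h(x); also guards h()'s to_bytes
    tag = c & ((1 << HASH_BITS) - 1)
    return tag == h(c >> HASH_BITS)

def blind(c: int, r: int) -> int:
    return (c * pow(r, E, N)) % N

def mint_sign(blinded: int) -> int:
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    return (blinded_sig * pow(r, -1, N)) % N

def naive_verify(c: int, s: int) -> bool:
    """Lucrative-style check: only s^e == c, so any (s, s^e) pair passes."""
    return pow(s, E, N) == c

def verify(c: int, s: int) -> bool:
    """Structured check: the signature must verify AND c must be well formed."""
    return well_formed(c) and naive_verify(c, s)

def demo() -> dict:
    """Honest coin, the leftover blinded pair, and an existential forgery."""
    c = make_coin(secrets.randbelow(1 << X_BITS))
    r = secrets.randbelow(Q - 1) + 1      # 0 < r < Q < P, so gcd(r, N) == 1
    b, sb = blind(c, r), mint_sign(blind(c, r))
    s_f = secrets.randbelow(N - 2) + 2    # forger picks s, sets c = s^e mod N
    return {"coin": verify(c, unblind(sb, r)),
            "blinded_naive": naive_verify(b, sb), "blinded": verify(b, sb),
            "forgery_naive": naive_verify(pow(s_f, E, N), s_f),
            "forgery": verify(pow(s_f, E, N), s_f)}
```

With overwhelming probability only the honestly unblinded coin passes the structured check, while the naive check accepts all three.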
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com