[Lucrative-L] double spends, identity agnosticism, and Lucrative

Ben Laurie ben at algroup.co.uk
Wed Apr 30 10:02:30 EDT 2003

Adam Back wrote:

> There are also existantial forgeries.
> Ie choose random x, compute y = x^e mod n, now x looks like a
> signature on y because y^d = x mod n; and when he verifies the
> verifier will just do x^e and see that it is equal to y.
> These may also look like valid coins to this code!
> It's missing a step: the coin should have some structure.  So it can't
> be a hash of a message chosen by the user but hashed by the signer
> (the normal practical RSA signature) because the server can't see that
> it or it would be linkable.
> What digicash did I think is something like c = [x||h(x)].  Then you
> can reject existential forgeries and unblinded coins because they
> won't have the right form.
> (If you look back to the post where I gave a summary of the math,
> you'll see I included that step.)

This is also what Lucre (and hence Lucrative) does.



http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list