[Lucrative-L] double spends, identity agnosticism, and Lucrative

Ben Laurie ben at algroup.co.uk
Wed Apr 30 10:02:30 EDT 2003


Adam Back wrote:

> There are also existential forgeries.
> 
> I.e. choose random x, compute y = x^e mod n, now x looks like a
> signature on y because y^d = x mod n; and when he verifies the
> verifier will just do x^e and see that it is equal to y.
> 
> These may also look like valid coins to this code!
> 
> It's missing a step: the coin should have some structure.  So it can't
> be a hash of a message chosen by the user but hashed by the signer
> (the normal practical RSA signature) because the server can't see that
> it or it would be linkable.
> 
> What digicash did I think is something like c = [x||h(x)].  Then you
> can reject existential forgeries and unblinded coins because they
> won't have the right form.
> 
> (If you look back to the post where I gave a summary of the math,
> you'll see I included that step.)

This is also what Lucre (and hence Lucrative) does.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
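
The check discussed in this message, as an added example (not code from the original thread and not Lucre's or Lucrative's implementation): a raw RSA verifier accepts the pair built by the quoted construction, while a verifier that also requires the form c = x||h(x) rejects it. The toy key, the 8-byte field sizes, truncated SHA-256 as h, and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
ID_LEN = TAG_LEN = 8  # assumed sizes: coin = x || h(x), 16 bytes, below N

def h(x):
    return hashlib.sha256(x).digest()[:TAG_LEN]

def make_coin(x):
    """Client side: build the structured coin c = x || h(x) as an integer."""
    if len(x) != ID_LEN:
        raise ValueError("coin id must be ID_LEN bytes")
    return int.from_bytes(x + h(x), "big")

def well_formed(c):
    """Redundancy check: c must decode to x || h(x)."""
    if c.bit_length() > 8 * (ID_LEN + TAG_LEN):
        return False
    raw = c.to_bytes(ID_LEN + TAG_LEN, "big")
    return raw[ID_LEN:] == h(raw[:ID_LEN])

def blind_issue(c):
    """Blind, sign, unblind; the signer only ever sees c * r^e mod N."""
    r = 0
    while math.gcd(r, N) != 1:           # r must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    blinded = (c * pow(r, E, N)) % N
    signed = pow(blinded, D, N)          # the signer's only operation
    return (signed * pow(r, -1, N)) % N  # equals c^d mod N

def verify_raw(c, s):
    return pow(s, E, N) == c

def verify_coin(c, s):
    """Accept only a valid signature on a coin of the right form."""
    return well_formed(c) and verify_raw(c, s)

def forged_pair(s):
    """The quoted construction: pick s, derive y = s^e mod N; no key needed."""
    return pow(s, E, N), s
```

Because the signer never sees c, the form check has to live in the verifier; the signer cannot enforce it at signing time.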


---------------------------------------------------------------------
The Cryptography Mailing List