[Lucrative-L] double spends, identity agnosticism, and Lucrative
Ben Laurie
ben at algroup.co.uk
Fri May 20 17:59:22 EDT 2005
James A. Donald wrote:
>>From: "Patrick" <patrick at lfcgate.com>
>>To: <lucrative-l at lucrative.thirdhost.com>
>>Subject: [Lucrative-L] double spends, identity agnosticism, and
>>Lucrative Date: Tue, 29 Apr 2003 14:46:48 -0600 Importance: Normal
>>Sender: owner-lucrative-l at lucrative.thirdhost.com
>>
>>
>> A quick experiment has confirmed the obvious: when a client
>>reissues a coin at the mint, both the blinded and its unblinded cousin
>>are valid instruments to the Lucrative mint.
>>
>> Example: Alice uses the Mint's API to reissue a one-dollar note,
>>blinding the coin before getting a signature, and unblinding the
>>signature afterwards. She's left with both a blinded and a non-blinded
>>version of the coin. The mint believes they are both valid. Instant,
>>unlimited inflation.
>>
>> I believe the solution to this is to have the mint track both
>>spent coins and issued coins (that is, it automatically cancels coins
>>it issues, before the client receives them). The client is left with
>>no choice but to go through a blinding and unblinding process in order
>>to have a usable coin.
>>
>> This seems to make identity-agnostic cash difficult or
>>impossible, at least with Lucrative:
>>http://www.io.com/~cman/agnostic.html,
>>http://cypherpunks.venona.com/date/1995/09/msg00197.html .
Would do if it were true - this is exactly why unblinded lucre coins
have structure - that is, you can check that they are well-formed by
doing hash operations on them. Blinded coins will fail these checks.
I forget the exact form of lucre coins (read the paper), but consider
the construction x || H(x) - clearly only the unblinded version of this
will have the right form.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list