[Cryptography] Checkoin: physical crypto-cash

Camille Harang mammique at garbure.org
Sun Jul 16 19:35:33 EDT 2017 

Hello again Ray,

Le 16/07/2017 à 23:33, Ray Dillinger a écrit :
> Don't ask for review and then ignore or refuse to acknowledge people who
> honestly point out real bugs in your protocol.  Aside from being rude,

Sorry Ray but I think you've missed the beginning of the thread, the
term "SUCKER" was used by Ron as an example, it was fun, nothing rude there.

> it reveals a way of thinking that you must overcome.  If you fail to see
> or refuse to acknowledge vulnerabilities, you will never be able to
> produce ANYTHING that is secure.

Vulnerabilities have been pointed out in the past, and fixed, I
acknowledge them, I'm looking for them. We were simply clearing here
what we were talking about with Ron. It turns out that there were a
misunderstanding between a fake coin produced by a legit factory, and a
fake coin produce by a counterfeiter to imitate a legit factory. I think
we've cleared that point. We can safely say that legit factories are not
likely to produce fake coins (that's why we check signatures), and focus
on the second part of the protocol which is detecting fakes made by
counterfeiters that pretends to be produced by the legit factory.

> Don't assume that something must be perfect just because it was you that
> thought of it or made it.  Don't let your pride be the chain that holds
> you back. Everyone has to learn.

Sure, I know it's not perfect, I've already improved it today, it's
never perfect. Sorry if I missed/overlooked some comments or make you
feel that I didn't want to hear any critics, I'm starving for them.

> The bug in the protocol is that the protocol does not detect (invalid)
> copies of a (valid) physical object.  A signature on information checks
> that the information is unchanged. It does not check that the media on
> which the information appears is the original copy.

Of course it does check that it's the original copy :-) That's the whole
point of the protocol. I think you've missed previous posts, I bet
that's the source of our misunderstanding, I don't want to sound rude or
anything, I think everyone is doing their best here, just please take a
look at the previous posts (and the initial one), as well as the
specifications.

Thank you very much,

Camille.

>
> You propose to secure a token which actually has value if it is the
> original copy, by a means which checks only that the information on it
> matches the original information.  But it is possible for an attacker to
> copy the information without copying the value.  This protocol fails as
> follows:
>
>
>
> ---> Protocol proceeds normally, a valid token with full signatures is
> issued to the counterfeiter who pays for it normally.
>
> ---> Counterfeiter takes a valid token, looks at it, produces copies of
> it including copies of all the signatures.  Writes "SUCKER" on the
> inside, seals it up, and spends it six times.
>
> ---> Payees receive counterfeit token, check signature, see that it
> corresponds to a key recorded in the immutable record, and accept the
> token.
>
> ---> Protocol has failed.
>
>
>
>
> Countermeasures have pretty much the same security, tradeoffs, and
> costs as anti-counterfeiting measures for any currency.  Before very
> many more years we may see currency with embedded RFIDs and private
> keys, depending on how cheaply they can be made.
>
>
> 				Bear
>

More information about the cryptography mailing list