In article <DGyIMI.KM9@sgi.sgi.com>, Hal <hfinney@shell.portal.com> writes:
tomw@orac.engr.sgi.com (Tom Weinstein) writes:
Perhaps the problem is that Bob insists that Alice's coin was not signed by the bank. In that case, how about this modification? Alice should first show Bob the doubly blinded coin she gave to the bank and the signed doubly blinded coin she received back. Bob can verify the signature and then Alice can give him the blinding factor so he can unblind it himself. Bob also needs to sign the singly blinded coin that he gives to Alice so that Alice can later show that she gave him the correct blinding factor if Bob tries to claim that she didn't.
The problem with this is that Bob and the bank can now collude to trace Alice, since he sees what she sent to the bank. This is not as bad as in the forward traceability case of regular ecash, because it happens after Alice has completed her bank transaction, rather than before, but it would be better to be untraceable since that is the whole point of this variation.
Good point. To guard against this, Alice needs to double blind what she sends to the bank. She can then remove one layer of blinding and show the results to Bob. Of course Bob and the bank can still colude because of the timing of the transactions. This seems to be a fundamental weakness of this reverse e-cash scheme. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw@engr.sgi.com