At 10:23 PM +0200 10/20/05, Daniel A. Nagy wrote:
> The referred 1988 paper proposes an off-line system
Please. You can just as easily do an on-line system, and still have blind signatures, including m=m=2 shared secret signature hiding to prevent double spending. In fact, the *only* viable way to do blind signatures with any security is to have an *on-line* system, with redemption and reissue of certificates on every step, and the underwriter not honoring any double spent transaction. So, you still get the benefits of non-repudiation, you get functional anonymity (because audit trails become a completely superfluous cost -- all you need to keep is a single-field database of spent notes against a possible second spend, deletable on an agreed-upon date), and (I claim :-)) you get the resulting transaction cost benefit versus book-entry transactions as well.

Sigh. I really wish people would actually read what people have written about these things for the last, what, 20 years now...

BTW, you can exchange cash for goods, or other chaumian bearer certificates -- or receipts, for that matter, with a simple exchange protocol. Micali did one for email ten years ago, for instance.

Cheers,
RAH

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
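
Added example, not part of the original message or of any system its author built: a Python sketch of the on-line scheme the message describes, with blind issue, redemption with reissue at each transfer, and a spent-serial set as the underwriter's only state. It assumes textbook RSA blinding, a single denomination, and a toy key; all names and parameters are hypothetical.

```python
import hashlib, math, secrets

# Toy RSA key from two Mersenne primes: constructed for illustration, NOT a secure size.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(serial: bytes) -> int:
    """Hash a note serial into Z_N (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Underwriter:
    def __init__(self):
        self.spent = set()  # the single-field database: spent serials, nothing else

    def sign_blinded(self, blinded: int) -> int:
        # The underwriter sees only the blinded value, never the serial it signs.
        return pow(blinded, D, N)

    def redeem(self, serial: bytes, sig: int, new_blinded: int):
        """On-line redemption: verify, refuse a second spend, reissue a fresh note."""
        if pow(sig, E, N) != digest(serial):
            return None                      # not a signature by this underwriter
        if serial in self.spent:
            return None                      # double spend: not honored
        self.spent.add(serial)
        return self.sign_blinded(new_blinded)

def new_blinded_note():
    """Holder side: pick a serial and blinding factor r, return the blinded value."""
    serial = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return serial, r, digest(serial) * pow(r, E, N) % N

def unblind(blind_sig: int, r: int) -> int:
    return blind_sig * pow(r, -1, N) % N     # (m * r^e)^d * r^-1 = m^d mod N

def demo():
    bank = Underwriter()
    s1, r1, b1 = new_blinded_note()          # payer withdraws a note
    sig1 = unblind(bank.sign_blinded(b1), r1)
    s2, r2, b2 = new_blinded_note()          # payee prepares the replacement note
    first = bank.redeem(s1, sig1, b2)        # payee redeems on-line, gets reissue
    second = bank.redeem(s1, sig1, b2)       # same note presented again
    payee_ok = first is not None and pow(unblind(first, r2), E, N) == digest(s2)
    return payee_ok, second is None, len(bank.spent)
```

The reissued note carries a serial the underwriter has never seen, so the spent set links nothing between payer and payee.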