Adam Back wrote:

There are also existantial forgeries.

Ie choose random x, compute y = x^e mod n, now x looks like a signature on y because y^d = x mod n; and when he verifies the verifier will just do x^e and see that it is equal to y.

These may also look like valid coins to this code!

It's missing a step: the coin should have some structure. So it can't be a hash of a message chosen by the user but hashed by the signer (the normal practical RSA signature) because the server can't see that it or it would be linkable.

What digicash did I think is something like c = [x||h(x)]. Then you can reject existential forgeries and unblinded coins because they won't have the right form.

(If you look back to the post where I gave a summary of the math, you'll see I included that step.)

This is also what Lucre (and hence Lucrative) does. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com