On Sun, 22 Oct 1995, Bryce wrote:
> Now it seems to me that any ecash scheme, whether cleared on-line or off-line, with or without double-spending-detection, will put the payee at risk of identification by a collusion of the payer and the

I can't remember offhand, but isn't blinding transitive? If so, there's an obvious way to get two-way anonymity with an on-line system.

If Alice wants to pay Bob $10, then Bob could prepare the usual squillion copies of the note, each with a serial number known only to Bob, then blind them and send them to Alice. Alice would then reblind them and send them to Nick, the banker. Nick would then pick one of the notes, and ask Alice for the blinders for the rest. Alice would then ask Bob for his blinders for the rejected notes, and would forward both sets on to Nick, who would check them, and if they're legit, sign the remaining copy, and return it to Alice. Alice could then remove her blinding factor, and send the result on to Bob. Bob then removes his blinding factor, and can now spend the coin.

Since Alice doesn't know the serial number, she can't reveal it to Nick so that he can find out who deposits the coin. Also, since Nick doesn't know the serial number, he can't collaborate with Bob to find out who Alice is.

Does this work, or am I missing something?

Simon
---
(defun modexpt (x y n)
  "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))
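
The exchange described above, as an added worked example that is not part of the original message. It assumes Chaum-style RSA blind signatures (the message does not name a scheme); the toy key, the note encoding, the `bob_cheats` switch and all function names are constructed for illustration.

```python
import secrets
from math import gcd

# Constructed toy key for Nick (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # Nick's private exponent

def rand_unit():
    """Random blinding factor that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def blind(m, r):
    return m * pow(r, E, N) % N        # m * r^e mod N

def unblind(s, r):
    return s * pow(r, -1, N) % N       # s / r mod N

def make_note(amount):
    """Toy encoding (an assumption): amount in the high bits, secret 64-bit serial."""
    return (amount << 64) | secrets.randbits(64)

def pay(amount=10, copies=8, bob_cheats=False):
    # Bob: prepare the notes, blind each with his own factor, send to Alice.
    notes = [make_note(1000 if bob_cheats else amount) for _ in range(copies)]
    rb = [rand_unit() for _ in notes]
    to_alice = [blind(m, r) for m, r in zip(notes, rb)]
    # Alice: reblind every copy with her own factor, send to Nick.
    ra = [rand_unit() for _ in to_alice]
    to_nick = [blind(c, r) for c, r in zip(to_alice, ra)]
    # Nick: keep one copy, open the rest with both sets of blinders, check them.
    keep = secrets.randbelow(copies)
    for i in range(copies):
        if i == keep:
            continue
        opened = unblind(unblind(to_nick[i], pow(ra[i], E, N)), pow(rb[i], E, N))
        if opened >> 64 != amount:
            raise ValueError("rejected copy is not a note for the agreed amount")
    signed = pow(to_nick[keep], D, N)  # Nick signs without seeing the serial
    # Alice strips her factor, then Bob strips his: (m * ra^e * rb^e)^d / ra / rb = m^d.
    sig = unblind(unblind(signed, ra[keep]), rb[keep])
    return notes[keep], sig, to_nick[keep]

def verify(note, sig):
    return pow(sig, E, N) == note
```

The two layers of blinding come off in either order because the factors multiply, so Bob ends up with an ordinary signature on a note whose serial neither Alice nor Nick has seen.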