There are also existantial forgeries. Ie choose random x, compute y = x^e mod n, now x looks like a signature on y because y^d = x mod n; and when he verifies the verifier will just do x^e and see that it is equal to y. These may also look like valid coins to this code! It's missing a step: the coin should have some structure. So it can't be a hash of a message chosen by the user but hashed by the signer (the normal practical RSA signature) because the server can't see that it or it would be linkable. What digicash did I think is something like c = [x||h(x)]. Then you can reject existential forgeries and unblinded coins because they won't have the right form. (If you look back to the post where I gave a summary of the math, you'll see I included that step.) Adam On Tue, Apr 29, 2003 at 06:02:01PM -0400, R. A. Hettinga wrote:
--- begin forwarded text
From: "Patrick"
To: Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative Date: Tue, 29 Apr 2003 14:46:48 -0600 Importance: Normal Sender: owner-lucrative-l@lucrative.thirdhost.com A quick experiment has confirmed the obvious: when a client reissues a coin at the mint, both the blinded and its unblinded cousin are valid instruments to the Lucrative mint.
Example: Alice uses the Mint's API to reissue a one-dollar note, blinding the coin before getting a signature, and unblinding the signature afterwards. She's left with both a blinded and a non-blinded version of the coin. The mint believes they are both valid. Instant, unlimited inflation.
I believe the solution to this is to have the mint track both spent coins and issued coins (that is, it automatically cancels coins it issues, before the client receives them). The client is left with no choice but to go through a blinding and unblinding process in order to have a usable coin.
This seems to make identity-agnostic cash difficult or impossible, at least with Lucrative: http://www.io.com/~cman/agnostic.html, http://cypherpunks.venona.com/date/1995/09/msg00197.html .
Patrick
The Lucrative Project: http://lucrative.thirdhost.com
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com