On Thursday, April 24, 2003, at 06:47 PM, Adam Back wrote:
OK, that sounds like a potential problem, but I don't see how you can hide this information from the server ITSELF. When you present a coin to the server, it is going to know from which IP address it came, and I don't see a way around that.
That's where blinding comes into the picture. ...
This is helpful, Adam, thanks.

Bill Frantz wrote:
The server is in a position to keep track of the money transfer by recording the serial numbers of the old and new coins as the exchanges take place. The server is perfectly capable of making the linkage. If you don't trust the server, then you must believe that all your transfers are known.
This is good too, Bill. All right, I can generally understand the purpose here, to make it impossible to correlate an old coin with a new one issued in its place. That I can see. I was starting to get the impression that somehow the Chaumian techniques were attempting to address the problem of preventing double spends even when doing a long chain of spends without contact with a server. In fact they are trying to address a more modest goal than that, and double spends are still something that must be detected by contact with the server. With the Chaumian techniques, the random coin bits are generated on the user side: http://munitions.vipul.net/documents/cyphernomicon/chapter12/12.5.html
"The way the process works, with the blinding, is like this. The user chooses a random x. ...
So naturally the server cannot keep a list of the valid coins because their specific bits appear to be invented out there in the wild. Hence keeping the list of spent coins, since keeping a list of unspent coins is clearly impossible. Well hell, that wasn't so hard.

-- Patrick
http://fexl.com
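The mechanics the thread is circling (the user picks the random coin serial, the bank signs it blind so it never sees the serial at withdrawal, and double spending is caught only by a server-side list of spent serials) can be shown end to end with Chaum's RSA blinding. The block below is an added illustration, not code from this thread or from any of its participants. It uses a toy RSA modulus built from two known Mersenne primes and SHA-256 as a stand-in for a full-domain hash; the `Bank`, `withdraw`, serial values and blinding factors are all constructed for the example.

```python
import hashlib
import math
import secrets

# Toy RSA key built from two known Mersenne primes (constructed for this
# example only; a real bank would generate a proper 2048-bit+ key).
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_to_int(serial: bytes) -> int:
    """Map the user-chosen serial to an integer below N (full-domain-hash stand-in)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    """Signs blinded coins and keeps only the list of SPENT serials.

    It cannot keep a list of valid (unspent) serials: at withdrawal time it
    only ever sees the blinded value, never the serial the user chose.
    """

    def __init__(self):
        self.signing_log = []   # everything the bank sees at withdrawal time
        self.spent = set()      # serials already deposited

    def sign_blinded(self, blinded: int) -> int:
        self.signing_log.append(blinded)
        return pow(blinded, D, N)

    @staticmethod
    def verify(serial: bytes, sig: int) -> bool:
        return pow(sig, E, N) == hash_to_int(serial)

    def deposit(self, serial: bytes, sig: int) -> bool:
        """Accept a coin once; a second deposit of the same serial is a double spend."""
        if not self.verify(serial, sig):
            return False        # forged or mangled coin
        if serial in self.spent:
            return False        # double spend detected
        self.spent.add(serial)
        return True


def withdraw(bank: Bank, serial: bytes = None, r: int = None):
    """User side: choose serial x and blinding factor r, get m*r^e signed, unblind.

    Returns (serial, signature) where signature == H(serial)^d mod N.
    `serial` and `r` may be supplied for a reproducible run; normally both are random.
    """
    serial = serial or secrets.token_bytes(32)
    m = hash_to_int(serial)
    if r is None:
        while True:
            r = secrets.randbelow(N)
            if r > 1 and math.gcd(r, N) == 1:
                break
    blinded = (m * pow(r, E, N)) % N           # bank sees only this
    blind_sig = bank.sign_blinded(blinded)     # (m * r^e)^d = m^d * r
    sig = (blind_sig * pow(r, -1, N)) % N      # strip r, leaving m^d
    return serial, sig


def demo() -> dict:
    """Run one withdrawal, one honest deposit and one double-spend attempt."""
    bank = Bank()
    serial, sig = withdraw(bank, serial=b"constructed-serial-001", r=12345)
    return {
        "coin_valid": Bank.verify(serial, sig),
        "first_deposit": bank.deposit(serial, sig),
        "second_deposit": bank.deposit(serial, sig),
        # the bank's withdrawal log never contains the unblinded coin value
        "bank_saw_serial": hash_to_int(serial) in bank.signing_log,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the bank's `signing_log` does and does not contain: it records the blinded value from the withdrawal, and the unblinded coin that arrives at `deposit` cannot be matched against it, which is exactly the linkage Bill describes a non-blinded server being able to make. The only state the bank needs is `spent`, and a double spend is detected the moment the serial shows up a second time.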