James A. Donald wrote:
From: "Patrick"
To: Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative Date: Tue, 29 Apr 2003 14:46:48 -0600 Importance: Normal Sender: owner-lucrative-l@lucrative.thirdhost.com A quick experiment has confirmed the obvious: when a client reissues a coin at the mint, both the blinded and its unblinded cousin are valid instruments to the Lucrative mint.
Example: Alice uses the Mint's API to reissue a one-dollar note, blinding the coin before getting a signature, and unblinding the signature afterwards. She's left with both a blinded and a non-blinded version of the coin. The mint believes they are both valid. Instant, unlimited inflation.
I believe the solution to this is to have the mint track both spent coins and issued coins (that is, it automatically cancels coins it issues, before the client receives them). The client is left with no choice but to go through a blinding and unblinding process in order to have a usable coin.
This seems to make identity-agnostic cash difficult or impossible, at least with Lucrative: http://www.io.com/~cman/agnostic.html, http://cypherpunks.venona.com/date/1995/09/msg00197.html .
Would do if it were true - this is exactly why unblinded lucre coins have structure - that is, you can check that they are well-formed by doing hash operations on them. Blinded coins will fail these checks. I forget the exact form of lucre coins (read the paper), but consider the construction x || H(x) - clearly only the unblinded version of this will have the right form. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com