Nice little piece on Digital Cash by Declan on Wired. http://www.wired.com/news/ebiz/0,1272,44507,00.html Then Declan tries to explain blind signatures.
Chaum's method preserved anonymity through a statistical technique. It can be thought of this way: A customer of a virtual bank would create a $1 coin by sending, say, 100 coins with random serial numbers first stuffed into electronic envelopes.
The bank randomly would open 99 of the 100 envelopes to verify that the denominations were in fact $1 and the customer wasn't trying to commit fraud. After the bank owner was satisfied that the last remaining envelope was likely to be a $1 denomination too, the bank would sign the envelope -- marking it as digital cash -- and return it unopened."
Blinding permits someone to present an encrypted document to someone else for signing. The original owner of the document can calculate the digital signature that would have been created had the plaintext document been signed, from the digital signature on the encrypted document. This allows people to sign things without knowing their content, and prevents the signer from later associating a document with the person who asked that it be signed. In digital cash systems, it permits banknotes to be signed, without the bank seeing the serial numbers on them, so that the bank cannot later recognize them when they are deposited. This is what makes the system anonymous, and prevents anyone from telling who paid for what. What I find somewhat odd, is the protocol suggested here for the bank making sure with a high degree of reliability, that it knows the denomination of an encrypted banknote it is signing. If I follow Declan's argument, should I wish the bank to sign a note for $1, I send the bank 100 such notes each encrypted with a different key. The bank then requests the decryption key for 99 of them, and after verifying that they are in fact $1 notes, has only a 1/100 chance that I've slipped a $1,000,000 note into the pile and they've missed it. So in the DeclanCash system, every 100th dishonest transaction can rip the bank off for $999,999, an average loss for the bank of approximately $10k per dishonest transaction attempted. It would seem far better for the bank to simply sign different denominations with different keys. The bank then need not worry at all about the content of what is signed. if a user pays the bank $100 to sign something that is not in correct banknote format, then the user is out $100 and has the bank's $100 signature attached to something he can't spend. In any case, I can't recall any digital cash systems which tell the bank the amount of the note being signed, by sending lots of notes, and letting the bank look at all but one. So I was wondering if Chaum's patent actually used this metaphor, or if Declan picked up the idea from somewhere else. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law"