In article <199703272018.MAA00322@crypt.hfinney.com>, Hal Finney <hal@rain.org> wrote:
It appears that MicroMint is jointly by Rivest and Shamir. It is described at:
http://theory.lcs.mit.edu/~rivest/RivestShamir-mpay.ps
This also describes PayWord. Both schemes are designed for lightweight payments. PayWord uses a chained hash concept similar to s/key and to Micali's lightweight signature revalidations. MicroMint is as I described, literally a "minting" of coins, with similar economies of scale to real mints.
Neither one appears suitable for anonymous payments.
Wow, a perfect straight line. I couldn't ask for better. Actually, I posted to sci.crypt.research a while ago about how to adapt Rivest and Shamir's PayWord scheme to do anonymous micropayments; see http://www.cs.berkeley.edu/~daw/my-posts/anon-micropayments In short, instead of asking the bank for a hash stick and a signature on the top of the stick, you get a blind signature on a top of a stick you've generated yourself. Then you patch up some issues (like double-spending) that the anonymity raises. Sadly, it's got a problem that'd probably be a killer for practical deployment -- it's got the same patent problems that ecash has. Sigh.