Nomen Nescio wrote:
Ben Laurie wrote:
Actually, Lucre uses the double-blinding method to avoid this. The paper discusses the ZK proof as an alternate way of doing it, but I chose not to use it because of its potential interpretation as a blind signature.
Quoting from an anonymous post to coderpunks, around December 13, 1999:
There is still a potential problem with the double blinding that the ZK proof would fix. The bank may intentionally produce a bogus coin by returning junk in the withdrawal transaction.
While this is not as useful as being able to specifically mark coins and recognize them at deposit time, it could still be used in practice if people don't very often try depositing junk. After all, why should they do so, since it will never work.
In that case the bank may be able to do a "sting" operation by producing junk at deposit time and then assuming that anyone who attempts to deposit a garbage coin is likely to have been the recipient of the junk coin. If such garbage deposit attempts are few, then this will allow the bank to effectively link the deposit to the withdrawal. The bank can even "eat" the cost of the bad coin and the depositor will never know he's been tagged.
The bank, of course, has to choose a withdrawer to tag, or a small subset of withdrawers, or this doesn't work. Note that the depositor is not tagged, the withdrawer is. And if the withdrawer has simply done an exchange anonymously, nor is she.
As a countermeasure there could be a band of cypherpunks who constantly attempt anonymous deposits of junk coins. These would all fail, but they would provide cover.
Why would they fail? Since the bank cannot tell its own junk signature from the invented junk signatures, the bank would have to honour these requests. This sounds to me like a bank that is going bust fast.
They would make it much more difficult for the bank to issue intentionally-bad coins with the expectation that it could recognize them at deposit time.
But lacking such organized activity, it would be better for the withdrawer to be guaranteed that the bank had behaved correctly. If the ZK proof is used then the original Wagner blinding using one factor should be adequate.
If a bank wants to cheat, it can do so despite a ZK proof - it simply refuses to cash the coins - claiming, for example, a double-spend, or just saying "no". So, given that marking coins with junk signatures is: a) Only effective if you want to mark a small subset b) Costs you a fortune if anyone finds out you are doing it, I am not entirely convinced by this argument. Nevertheless, the ZK option is implemented in Lucre (and documented in the paper) should any mint wish to use it.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
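The withdrawer-side guarantee the thread argues over, that the mint computed the blinded value with the exponent behind its published g^k rather than returning junk, as an added example that is neither Lucre's code nor any poster's: a toy Python model of Wagner-style blinding with a Chaum-Pedersen equality-of-discrete-log proof checked at withdrawal time. The group parameters, the serial-derived coin base and all function names are constructed for this example and are not Lucre's.

```python
import hashlib
import secrets

# Toy safe-prime group (constructed, far too small for real use): P = 2*Q + 1, G of order Q.
P, Q, G = 1019, 509, 4

def hash_to_exp(*parts):
    data = b"|".join(str(v).encode() for v in parts)   # hash anything to an exponent in [1, Q-1]
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def mint_keygen():
    k = secrets.randbelow(Q - 1) + 1             # mint's secret exponent
    return k, pow(G, k, P)                       # (k, h = G^k); h is published

def withdraw_request(serial):
    e = hash_to_exp("coin", serial)              # coin base y = G^e is derived from the serial
    b = secrets.randbelow(Q - 1) + 1             # Wagner blinding factor
    while (e + b) % Q == 0:                      # toy-group quirk: keep the blinded value m != 1
        b = secrets.randbelow(Q - 1) + 1
    return pow(G, e, P), b, pow(G, e + b, P)     # (y, b, m = y * G^b); only m goes to the mint

def cp_prove(k, h, m, s):
    """Chaum-Pedersen proof that log_G(h) == log_m(s): s really is m^k for the published h."""
    r = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, r, P), pow(m, r, P)
    c = hash_to_exp(G, h, m, s, t1, t2)          # Fiat-Shamir challenge
    return t1, t2, (r + c * k) % Q

def cp_verify(h, m, s, proof):
    t1, t2, z = proof
    c = hash_to_exp(G, h, m, s, t1, t2)
    return (pow(G, z, P) == (t1 * pow(h, c, P)) % P
            and pow(m, z, P) == (t2 * pow(s, c, P)) % P)

def mint_sign(k, h, m):
    s = pow(m, k, P)                             # honest mint: k is the exponent behind h
    return s, cp_prove(k, h, m, s)

def unblind(s, h, b):
    # y^k = s / h^b, since s = (y * G^b)^k = y^k * h^b  (pow(x, -1, P) needs Python 3.8+)
    return (s * pow(pow(h, b, P), -1, P)) % P

def coin_is_valid(k, y, sig):
    return pow(y, k, P) == sig                   # the mint's check at deposit time

def withdraw(serial, k_signing, k_mint, h):
    """Returns (withdrawer accepts proof, mint accepts coin); k_signing != k_mint models junk."""
    y, b, m = withdraw_request(serial)
    s, proof = mint_sign(k_signing, h, m)
    return cp_verify(h, m, s, proof), coin_is_valid(k_mint, y, unblind(s, h, b))
```

With the proof checked, a withdrawer who receives junk learns it immediately and can refuse the coin instead of discovering the problem at deposit, which is the linkage the anonymous post worried about.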