On Thu, Apr 24, 2003 at 11:10:20PM -0400, Patrick Chkoreff wrote:
All right, I can generally understand the purpose here, to make it impossible to correlate an old coin with a new one issued in its place.
That I can see. I was starting to get the impression that somehow the Chaumian techniques were attempting to address the problem of preventing double spends even when doing a long chain of spends without contact with a server. In fact they are trying to address a more modest goal than that, and double spends are still something that must be detected by contact with the server.
So actually using Brands credentials which have an off-line fraud tracing option you could if you wished exchange coins peer-to-peer amongst users, who eventually after some number of peer-to-peer spends deposit their coin back at the bank. The bank checks deposited coins and can tell which users double spent coins if any after the fact. What you do about double spending when you detect a given user has done it is a policy question for the bank -- eg fine user, prosecute user for fraud to recuperate costs etc. (You can also use the same protocol for online checking, so the recipient has the choice of convenience of using peer-to-peer without going via the bank, or the choice to deposit now and get a fresh coin and be sure there won't be any dispute resolution later.)

Adam
With the Chaumian techniques, the random coin bits are generated on the user side:
http://munitions.vipul.net/documents/cyphernomicon/chapter12/12.5.html
"The way the process works, with the blinding, is like this. The user chooses a random x. ...
So naturally the server cannot keep a list of the valid coins because their specific bits appear to be invented out there in the wild. Hence keeping the list of spent coins, since keeping a list of unspent coins is clearly impossible.
Well hell, that wasn't so hard.
-- Patrick http://fexl.com