It's been a while since I looked at the Lucre white paper but extrapolating from the Chaum context doesn't double blinding mean the payer and payee have to be simultaneously online with the bank?

Adam

On Tue, May 06, 2003 at 10:43:42AM +0100, Ben Laurie wrote:
Anonymous wrote:
In order to avoid this, the bank can prove that it operated correctly (that is, it raised its input to the same k power that g is raised to in the public g^k value) using a zero-knowledge proof. I believe the latest version of the Lucre software does this.
Actually, Lucre uses the double-blinding method to avoid this. The paper discusses the ZK proof as an alternate way of doing it, but I chose not to use it because of its potential interpretation as a blind signature.
There is an implementation of the ZK proof included in Lucre just for fun, though.
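
The check described in the thread, where the bank shows it raised its input to the same k as in its public g^k, is a proof of discrete-log equality. The sketch below is an added example, not taken from the thread or from Lucre's code: it assumes a Chaum-Pedersen proof made non-interactive with a Fiat-Shamir hash, and the toy group parameters and all function names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: safe prime P = 2Q + 1,
# G generates the order-Q subgroup of quadratic residues.
P, Q, G = 2039, 1019, 4

def challenge(*elems):
    """Fiat-Shamir challenge: hash the full transcript to an integer."""
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def in_group(x):
    """True if x lies in the order-Q subgroup and is not the identity."""
    return 1 < x < P and pow(x, Q, P) == 1

def bank_sign(k, m):
    """Bank raises the submitted value m to its secret k and proves it.

    Returns (z, (c, s)) where z = m^k and (c, s) shows that
    log_G(K) == log_m(z) without revealing k.
    """
    z = pow(m, k, P)
    w = secrets.randbelow(Q - 1) + 1       # one-time nonce, never reused
    a, b = pow(G, w, P), pow(m, w, P)      # commitments under both bases
    c = challenge(G, pow(G, k, P), m, z, a, b)
    s = (w - c * k) % Q
    return z, (c, s)

def client_verify(K, m, z, proof):
    """Client checks z == m^k for the same k as in the bank's public K = G^k."""
    c, s = proof
    # Reject values outside the prime-order subgroup before doing any algebra.
    if not (in_group(K) and in_group(m) and in_group(z)):
        return False
    a = pow(G, s, P) * pow(K, c, P) % P    # equals G^w for an honest proof
    b = pow(m, s, P) * pow(z, c, P) % P    # equals m^w only if z = m^k
    return c == challenge(G, K, m, z, a, b)
```

A bank that answers with a different exponent for one client cannot produce a proof that verifies against its published K.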