lucre double-blinding? (Re: Crypto-making vs Crypto-breaking)
A Back asks:
It's been a while since I looked at the Lucre white paper but extrapolating from the Chaum context doesn't double blinding mean the payer and payee have to be simultaneously online with the bank?
No, this is something else. It just means that two random numbers rather than one are used to blind the data when it is sent to the bank to be signed (oops, "transformed"). Doing this makes it impossible for the bank to recognize deposited coins even if it misbehaves. Earlier proposals that used a single random blinding factor were shown to be inadequate.
Yes I remember the introduction of a 2nd blinding factor, your other post in the thread where you reposted the remaining issues with taggability jogged my memory; just the terminology threw me.
(Probably more proper to call it the introduction of another blinding factor -- the result is just more effectively blinded -- Brands constructs use 3 blinding factors in some scenarios for example and that is still considered blinded not "triple-blinded")
Brands has an optimization of his scheme where (as the user receiving a coin) you have the option of not bothering to perform one of the verifications, the weaker assurance being you are still assured that the bank can't distinguish between tagged coins, though it can distinguish an untagged coin from a tagged coin.
However as with Lucre I don't find this very convincing because the bank can still tag one person at a time. If you add in the general lack of connection anonymity, it could certainly be used to confirm suspicions and probably to effectively tag multiple users at once.
So I would consider the lucre two blinding factor approach still flawed.
Adam
On Wed, May 07, 2003 at 10:00:02AM +0200, Nomen Nescio wrote:
A Back asks:
It's been a while since I looked at the Lucre white paper but extrapolating from the Chaum context doesn't double blinding mean the payer and payee have to be simultaneously online with the bank?
No, this is something else. It just means that two random numbers rather than one are used to blind the data when it is sent to the bank to be signed (oops, "transformed"). Doing this makes it impossible for the bank to recognize deposited coins even if it misbehaves. Earlier proposals that used a single random blinding factor were shown to be inadequate.
Adam Back wrote:
Yes I remember the introduction of a 2nd blinding factor, your other post in the thread where you reposted the remaining issues with taggability jogged my memory; just the terminology threw me.
(Probably more proper to call it the introduction of another blinding factor -- the result is just more effectively blinded -- Brands constructs use 3 blinding factors in some scenarios for example and that is still considered blinded not "triple-blinded")
2-factor blinding might be a better way to express it.
Brands has an optimization of his scheme where (as the user receiving a coin) you have the option of not bothering to perform one of the verifications, the weaker assurance being you are still assured that the bank can't distinguish between tagged coins, though it can distinguish an untagged coin from a tagged coin.
However as with Lucre I don't find this very convincing because the bank can still tag one person at a time. If you add in the general lack of connection anonymity, it could certainly be used to confirm suspicions and probably to effectively tag multiple users at once.
So I would consider the lucre two blinding factor approach still flawed.
As I mentioned in another post, the bank either has to reveal its subterfuge, or honour forged coins, so I'm not convinced. Anyway, the ZK proof is available if you want to use it.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
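A toy comparison of one blinding factor against two when the bank "tags" a withdrawal by using a non-published exponent, added here as an illustration and not taken from Lucre or from any poster in this thread. The thread gives no formulas, so the group, the blinding form y^b * g^c and every name below are assumptions.

```python
# Toy group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with Q prime, and G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def bank_transform(m, k):
    """Bank side: raise the blinded value to a secret exponent."""
    return pow(m, k, P)

def withdraw_one_factor(y, b, k_used):
    """Blind as y^b, unblind with b^-1 mod Q. Result: y^k_used."""
    s = bank_transform(pow(y, b, P), k_used)
    return pow(s, pow(b, -1, Q), P)

def withdraw_two_factor(y, b, c, k_used, h_pub):
    """Blind as y^b * g^c, unblind against the PUBLISHED key h_pub = g^k."""
    s = bank_transform(pow(y, b, P) * pow(G, c, P) % P, k_used)
    s = s * pow(pow(h_pub, c, P), -1, P) % P   # strip g^(k*c)
    return pow(s, pow(b, -1, Q), P)            # y^k only if k_used == k

def bank_recognises(y, z, exponents):
    """Deposit-time view: which of the bank's exponents explain (y, z)?"""
    return [k for k in exponents if pow(y, k, P) == z]

def demo():
    k, k_tag = 77, 123     # published exponent, per-user tagging exponent
    h = pow(G, k, P)       # the bank's published key
    y = pow(G, 200, P)     # constructed coin value; stands in for a hash
    b, c = 311, 654        # client's blinding factors (fixed for the demo)
    keys = [k, k_tag]
    return {
        "one_factor_honest": bank_recognises(
            y, withdraw_one_factor(y, b, k), keys),
        "one_factor_tagged": bank_recognises(
            y, withdraw_one_factor(y, b, k_tag), keys),
        "two_factor_honest": bank_recognises(
            y, withdraw_two_factor(y, b, c, k, h), keys),
        "two_factor_tagged": bank_recognises(
            y, withdraw_two_factor(y, b, c, k_tag, h), keys),
    }

if __name__ == "__main__":
    for case, matched in demo().items():
        print(case, matched)
```

With one factor the tagged coin unblinds to exactly y^k_tag, which the bank can match at deposit; with two factors it unblinds to a value matching none of the bank's exponents, so the coin is simply invalid. That is the situation the replies above disagree about: the bank must reject it or accept coins it cannot verify, while a single targeted user still ends up holding the one bad coin.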
participants (3): Adam Back, Ben Laurie, Nomen Nescio