Hack DigiCash: Payee Anonymity
Well, Sameer is offering a "Hack DigiCash" promotion, in the same spirit as the hack Netscape and Microsoft offer. However, Chaum is a fairly experienced cryptographer, and I doubt that there are any major security flaws in the system. The trial version used RSAREF, so that code at least was open for your inspection. There is still the possibility of bugs creeping in when porting to different platforms tho... I think the most interesting hack to pursue is to eliminate the payee-nonanonymity problem. The current software uses the following protocol: The <--(blinding)--- Client Bank --(unblinding)-> Client --> Merchant(non-anonymous) --> deposit in bank The client is anonymous to the bank because of the blinding. What we want is for the client to be able to pay someone money, and have the recipient be able to spend the money anonymously. That is, there must be blinding between the payer and the payee: The <--(blinding)--- payer <--(blinding)--- payee Bank --(unblinding)-> payer --(unblinding)-> payee --> payee spends money The payee generates some digital coins, blinds them, and sends them to the payer. The payer then makes a withdrawl from his bank account, blinds the coins again (or not, it really doesn't matter) and sends them to the bank. The bank signs them, and returns them to the payer. The payer removes his blinding (if any) and sends them to the payee. The payee unblinds the coins and spends them at his leisure. Privacy for all involved.
David R. Conrad <drc@russell.moore.com> wrote:
If the payer doesn't add a blinding factor, then the only blinding factor is the one known to the payee. The payee could reveal this blinding factor to the bank, destroying the payer's anonymity.
Right. Both payer and payee should introduce their own blinding factors. Now all we need is to do is get some specs on how DigiCash's software works so that we can code this. I expect that this method will become quite popular. To withdraw DigiCash, one must come up with $250 to start, sign a bunch of forms, etc. I suspect that most people would rather change money in lesser amounts, probably under $50. This opens up a huge market for Blacknet money exchangers. I would gladly pay Tim's Internet Cash Exchange a commission to exchange $50 worth of greenbacks for Digicash instead of dealing with Mark Twain and shelling out $250 to start..
On Tue, 24 Oct 1995, Name Withheld by Request wrote:
The <--(blinding)--- payer <--(blinding)--- payee Bank --(unblinding)-> payer --(unblinding)-> payee --> payee spends money
The payee generates some digital coins, blinds them, and sends them to the payer. The payer then makes a withdrawl from his bank account, blinds the coins again (or not, it really doesn't matter) and sends them to the bank.
If the payer doesn't add a blinding factor, then the only blinding factor is the one known to the payee. The payee could reveal this blinding factor to the bank, destroying the payer's anonymity. Right?
The bank signs them, and returns them to the payer. The payer removes his blinding (if any) and sends them to the payee. The payee unblinds the coins and spends them at his leisure. Privacy for all involved.
David R. Conrad, conrad@detroit.freenet.org, http://www.grfn.org/~conrad Hardware & Software Committee -- Finger conrad@grfn.org for public key Key fingerprint = 33 12 BC 77 48 81 99 A5 D8 9C 43 16 3C 37 0B 50 No, his mind is not for rent to any god or government.
nobody@replay.com (Name Withheld by Request) writes:
Now all we need is to do is get some specs on how DigiCash's software works so that we can code this. I expect that this method will become quite popular. To withdraw DigiCash, one must come up with $250 to start, sign a bunch of forms, etc. I suspect that most people would rather change money in lesser amounts, probably under $50. This opens up a huge market for Blacknet money exchangers. I would gladly pay Tim's Internet Cash Exchange a commission to exchange $50 worth of greenbacks for Digicash instead of dealing with Mark Twain and shelling out $250 to start..
I don't believe this $250 is correct. The only place I see such a number is on the application form, in the following clause: "A maintenance fee of the foreign equivalent of $10 will be imposed each statement period if the balance in your account falls below the foreign equivalent of $250 on any day of the period." This is for a "WorldCurrency Access Interest Account", which I don't think is what is used for ecash. For ecash the account opening fee is $11 and the per-month fee is $5. I don't see any reference to required account minimums. As far as the issue of coding up a payee-blinding cash system compatible with this ecash, I agree that it would be good to see some specs now that ecash is for real. IMO Chaum has been getting a free ride based on his reputation, with many people assuming that anything he is associated with must be done right. It is time for him to open his hand and reveal his protocols so that people know exactly what they are trusting their money to. Hal
-----BEGIN PGP SIGNED MESSAGE----- Hello cypherpunks@toad.com ...
I think the most interesting hack to pursue is to eliminate the payee-nonanonymity problem. ...
The <--(blinding)--- payer <--(blinding)--- payee Bank --(unblinding)-> payer --(unblinding)-> payee --> payee spends money
The payer would want to check the proto-coins for values which show through the blinding. Are there any such values? To guard agains unknown possibilities in this area, the payer might want to check that the proto-coins are valid (at least). ...
Privacy for all involved.
How about the bank? Given that the thing's patented, the bank might conceivably wish to remain anonymous :-) Jiri - -- If you want an answer, please mail to <jirib@cs.monash.edu.au>. On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMI3pNixV6mvvBgf5AQGWRgP/fiv5UlZ/9V5qavCNdLzxJr0/M0M4lTCN ITx8nsGBr7kt345v55LP63nQB54tvp8Zpx1BWtkYDN4WyHdF/+wnziCP2AMVUDhI ZX9fG1p8WjCg8eqsboQmeerLCDq5oR7ic0ui86jU0nW4jJ4aLwnoXCCdHyEsi5oR qCZnNG43JhY= =YNgV -----END PGP SIGNATURE-----
participants (5)
-
anon-remailer@utopia.hacktic.nl -
David R. Conrad -
Hal -
Jiri Baum -
nobody@replay.com