...

2: Nobody except the bank can verify that a coin has face validity.

At 04:55 PM 4/2/96 +0100, D.A. Wagner wrote:

I claim that statement 2 is also true of Digicash's protocol as well.

Recall that Digicash is using an *online clearing* protocol-- so you can't tell whether a coin is valid without consulting the bank. Consulting the bank is absolutely necessary to prevent double spending.

Suppose Alice generates an unsigned coin, blinds it, and shows Bob the usigned, blinded coin. Bob then has the bank sign it, and gives the signature to Alice. If we use RSA to sign the coin, Alice now knows she has a valid coin, because she can verify the coin herself without needing to show it to the bank. So Bob has paid Alice some money, and nobody can double spend the coin, because Alice, and only Alice, knows the blinding factor. So Alice does *not* need to check with the bank. Alice cannot do this with your protocol, so we cannot have payee anonymity with your protocol. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd@echeque.com