Apologies for indirect routing :-)

Date: Tue, 28 Nov 2000 22:41:07 -0500 From: Adam Back To: cypherpunks@cyberpass.net

Unfortunately both Brands' and Chaum's ecash and credential schemes are patented. David Wagner et al also had some ideas about an ecash coin [3] composed roughly of a public key based MAC (ie the user can't verify the validity of the coin directly -- only the bank can do that), plus a zero-knowledge proof that the bank hasn't marked the coin. This may be unpatened in that it's not directly a certificate, it's a MAC, plus a zero-knowledge proof so it seems like a fairly different process. I don't think you can do efficient offline ecash with Wagner et al's mechanism -- I'd guess it's more comparable with the functionality offered by Chaum's blind signature.

I'm not sure what you think the requirements for "efficient offline ecash" are, but I should note that the double-blinded version of lucre doesn't require the ZKP, and there's also a non-interactive variant of the ZKP for the single-blinded variant. They are both described in the current version of the paper (at least, I'm sure the first as, and somewhat sure the second is). Cheers, Ben.

[3] Ben Laurie has a paper describing Wagner et al's MAC + ZKP ecash / credential protocol as theory2.pdf.

http://anoncvs.aldigital.co.uk/lucre/

Adam

Disclaimer: As always my comments are my own.

--- end forwarded text

-- ----------------- R. A. Hettinga The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff