Re: Chaum on the wrong foot?
yes, i am replying to a message that is six weeks old.

hal, chaum may be barking up the wrong tree, but that doesn't mean that his students are. i read a couple of digital cash papers last night and was struck by this statement in one of them:

Techniques have been developed that ... allow the construction of off-line electronic cash systems that are secure for the bank, yet at the same time honest users of the system are guaranteed to remain completely anonymous. This holds in a very strong sense: the security of banks is not compromised even if all users and shops collaborate in such an attempt, and the privacy of honest users cannot be violated in any cryptanalytic way even under adversarial behavior of the bank in coalition with all the shops.

Stefan Brands, CWI

this is very encouraging: digital cash technology is very far advanced, and offers almost everything you might want. (i think the jury is still out on the question of k-spendability.)

but then there is the bad news: the mathematics and the protocols underlying the technology are still too complex to be practical.

but there is also good news: much of the current work intends to simplify the protocols and to lessen the computational requirements of digital cash systems.

peter
peter honeyman writes:
i am replying to a message that is six weeks old.
hal, chaum may be barking up the wrong tree, but that doesn't mean that his students are. i read a couple of digital cash papers last night and was struck by this statement in one of them:
Techniques have been developed that ... allow the construction of off-line electronic cash systems that are secure for the bank, yet at the same time honest users of the system are guaranteed to remain completely anonymous. This holds in a very strong sense: the security of banks is not compromised even if all users and shops collaborate in such an attempt, and the privacy of honest users cannot be violated in any cryptanalytic way even under adversarial behavior of the bank in coalition with all the shops.
Stefan Brands, CWI
This could refer to observer based protocols. I don't see anything in the above paragraph to indicate that they have invented a digital coin. I don't see how offline non-observer based cash could possibly work. (e.g. I send a copy of my cash to someone in Europe and we "spend" them simultaneously)

-- Ray Cromwell       | Engineering is the implementation of science;  --
-- EE/Math Student    | politics is the implementation of faith.       --
-- rjc@gnu.ai.mit.edu | - Zetetic Commentaries                          --
rjc@gnu.ai.mit.edu wrote:
This could refer to observer based protocols. I don't see anything in the above paragraph to indicate that they have invented a digital coin. I don't see how offline non-observer based cash could possibly work. (e.g.
The other paper at CWI "Single Term Off-Line Coins" (which I have read but haven't really studied in depth) isn't an observer based protocol. Ferguson represents cash as 3 numbers. When Alice wants to spend, she gets two RSA signatures from the bank (which are derived from the hash functions and the 3 numbers). Alice pays by sending the 3 numbers to the store, which replies with a challenge, which she responds to using information derived from both signatures. She can spend several coins by using the same challenge and sending the product of her responses to the store. At the end of the day, the bank sends the 3 numbers, the challenge and response to the bank, which then verifies the credit.

If Alice spends a coin twice, she allows the bank to determine her identity. (The bank must make sure the penalty is severe enough to discourage this behavior). One nice feature is that it is very difficult (infeasible) for the bank to frame Alice and claim she double spent.

It seems from this paper, and I think one other I read, that offline protocols presented cannot prevent double spending but rather reveal the identity of such a person.

-- Karl L. Barrus: klbarrus@owlnet.rice.edu
keyID: 5AD633 hash: D1 59 9D 48 72 E9 19 D5 3D F3 93 7E 81 B5 CC 32
"One man's mnemonic is another man's cryptography" - my compilers prof discussing file naming in public directories
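The two points argued above, Ray's "copy my cash to Europe and spend both at once" objection and Karl's summary that offline coins do not prevent double spending but expose the double spender, come down to one arithmetic trick that a toy model can show end to end. The following Python is an added illustration written for this thread, not Ferguson's "Single Term Off-Line Coins" protocol and not code from either poster. It assumes a constructed safe-prime group (p = 2039, q = 1019, generators 4 and 9) that is far too small for real use, omits the bank's blind signature on the coin, and uses the generic Schnorr-style challenge-response that Brands-type schemes build on: the payer's identity u sits in one linear equation per spend, so a single honest transcript leaves u undetermined while two transcripts with different challenges let the bank solve for it.

```python
"""Toy model of how offline cash identifies a double spender.
Constructed illustration with tiny parameters and no blind signature;
it is not Ferguson's or Brands' actual protocol."""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime; 4 and 9 are squares,
# hence generators of the order-q subgroup. Far too small for real use.
P, Q = 2039, 1019
G1, G2 = 4, 9


def _exp2(a, b):
    """Return g1^a * g2^b mod p (exponents reduced mod the group order q)."""
    return (pow(G1, a % Q, P) * pow(G2, b % Q, P)) % P


def withdraw(u, rng=secrets.randbelow):
    """Customer with identity secret u withdraws one coin.
    C = g1^u g2^s is a hiding commitment to u; B = g1^x1 g2^x2 fixes the
    per-coin blinding pair. A real scheme has the bank blindly sign (C, B)
    so the coin cannot be re-randomised and is unlinkable to the withdrawal;
    that signature is omitted in this toy."""
    s, x1, x2 = (1 + rng(Q - 1) for _ in range(3))
    public = {"C": _exp2(u, s), "B": _exp2(x1, x2)}
    secret = {"u": u, "s": s, "x1": x1, "x2": x2}
    return public, secret


def shop_challenge(public, shop_id, timestamp):
    """Shop derives its challenge from the coin plus its own identity and a
    timestamp, so two shops (or two visits) practically never issue the same c."""
    data = f"{public['C']}|{public['B']}|{shop_id}|{timestamp}".encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def spend(secret, c):
    """Customer answers challenge c with one linear response per unknown."""
    r1 = (secret["x1"] + c * secret["u"]) % Q
    r2 = (secret["x2"] + c * secret["s"]) % Q
    return r1, r2


def shop_verify(public, c, r1, r2):
    """Offline check the shop can do alone: g1^r1 g2^r2 == B * C^c.
    It proves the payer knows the coin's secrets without revealing u."""
    return _exp2(r1, r2) == (public["B"] * pow(public["C"], c, P)) % P


class Bank:
    """Deposit ledger: accepts each coin once; a second deposit under a
    different challenge yields the double spender's identity secret."""

    def __init__(self):
        self.ledger = {}

    def deposit(self, public, c, r1, r2):
        if not shop_verify(public, c, r1, r2):
            raise ValueError("invalid payment transcript")
        key = (public["C"], public["B"])
        if key not in self.ledger:
            self.ledger[key] = (c, r1)
            return None  # first deposit: credited, payer stays anonymous
        c_prev, r1_prev = self.ledger[key]
        if c_prev == c:
            return "replay"  # identical transcript: a duplicate deposit, not a double spend
        # Two equations x1 + c*u and x1 + c'*u: subtract, divide by (c - c').
        return ((r1 - r1_prev) * pow((c - c_prev) % Q, -1, Q)) % Q


if __name__ == "__main__":
    alice_u = 777  # constructed identity secret
    public, secret = withdraw(alice_u)
    bank = Bank()
    # Alice keeps a copy of the coin and spends it at two shops on the same day.
    for shop in ("shop-in-Europe", "shop-at-home"):
        c = shop_challenge(public, shop, "day1")
        r1, r2 = spend(secret, c)
        assert shop_verify(public, c, r1, r2)  # each shop is satisfied offline
        print(shop, "->", bank.deposit(public, c, r1, r2))
```

The shop verification and the bank's deposit are deliberately separate: the shop can accept offline because the transcript proves knowledge of the coin's secrets, and the bank only learns something once it holds two transcripts for the same (C, B). With one transcript the bank sees r1 = x1 + c·u where x1 is a uniformly random value it never learns, so any candidate u is equally consistent with the data, which is the property behind Karl's remark that the bank cannot frame Alice. Because the identity only falls out after the fact, the scheme detects and attributes double spending rather than preventing it, exactly as the thread concludes.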