Hal Finney <hfinney@shell.portal.com> writes:

I have heard it claimed that when you make a payment with Digicash ecash, the identity of the payee is encoded or embedded into the cash somehow. This is an anti-theft measure (among other things, perhaps). The bank checks that the embedded identity in deposited cash matches the account name which is doing the deposit.

Where have you heard that? Everything I've heard from DigiCash seems to indicate that no such "payee encoding" is performed.

My question is, how could this be done? How can the payor, at payment time, without communicating with the bank, embed a payee name irreversibly into the cash so that a thief cannot strip it out and replace it with his own name?

It is possible though with other (teoretical) protocols, such as Chaum, Fiat and Naor's off-line cash scheme (briefly described in Schneirer's book 'Applied Cryptography') and especially the (off-line) cash system, developed by Stefan Brands. In these systems, when Alice spends a coin at Bob's shop she has to respond to a random challenge, sent to her by Bob. This random challenge could possibly be a hash of Bob's identity and some other values. My impression though is that this is not a feature of the current implementation of ecash.

Off-list there has been some discussion about the role of certificates in ecash, and in cash systems in general. It would be interesting to know if this anti-theft provision of Digicash is actually provided by means of a certificate.

It is conceivable to think of the above mentioned methods in that way, yes /Lars Johansson ljo@ausys.se