Re: Crypto-making vs Crypto-breaking
Anonymous wrote:
> In order to avoid this, the bank can prove that it operated correctly (that is, it raised its input to the same k power that g is raised to in the public g^k value) using a zero-knowledge proof. I believe the latest version of the Lucre software does this.

Actually, Lucre uses the double-blinding method to avoid this. The paper discusses the ZK proof as an alternate way of doing it, but I chose not to use it because of its potential interpretation as a blind signature.

There is an implementation of the ZK proof included in Lucre just for fun, though.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
It's been a while since I looked at the Lucre white paper, but, extrapolating from the Chaum context, doesn't double blinding mean the payer and payee have to be simultaneously online with the bank?

Adam

On Tue, May 06, 2003 at 10:43:42AM +0100, Ben Laurie wrote:
> Anonymous wrote:
> > In order to avoid this, the bank can prove that it operated correctly (that is, it raised its input to the same k power that g is raised to in the public g^k value) using a zero-knowledge proof. I believe the latest version of the Lucre software does this.
>
> Actually, Lucre uses the double-blinding method to avoid this. The paper discusses the ZK proof as an alternate way of doing it, but I chose not to use it because of its potential interpretation as a blind signature.
>
> There is an implementation of the ZK proof included in Lucre just for fun, though.
Adam Back wrote:
> It's been a while since I looked at the Lucre white paper, but, extrapolating from the Chaum context, doesn't double blinding mean the payer and payee have to be simultaneously online with the bank?

Lucre coins can _only_ be verified by the bank. However, only the payee needs to be talking to the bank (the payer gives the payee an unblinded coin), and can, at their own risk, defer that conversation (the risk being a double-spend, of course).

Double-blinding refers to a method using two blinding factors, not any other weird combination you might have thought of :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
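An added illustration of the check discussed above (example code written for this page, not Lucre's own code and not Ben's or Adam's): the bank publishes g^k, signs a blinded coin by raising it to k, and attaches a Chaum-Pedersen proof that the same k was used, so the client can reject a bank that signs with a different exponent; only the bank, knowing k, can verify the resulting coin. The blinding form y = x * g^b, the toy group parameters, and the names Bank, withdraw and verify_proof are assumptions of this example, and double blinding is not shown.

```python
import hashlib
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, and G generating the order-Q
# subgroup. Real systems use a large prime; these values keep the arithmetic readable.
P, Q, G = 1019, 509, 4

def h(*parts):
    """Fiat-Shamir hash over transcript values (also used to derive coin preimages)."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

class Bank:
    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1   # mint exponent k, kept private
        self.gk = pow(G, self.k, P)             # published g^k

    def sign(self, y, cheat_k=None):
        # Returns z = y^k plus a Chaum-Pedersen proof that log_g(g^k) == log_y(z).
        # cheat_k simulates a bank that signs with an exponent other than its public k.
        z = pow(y, cheat_k if cheat_k is not None else self.k, P)
        w = secrets.randbelow(Q - 1) + 1
        a1, a2 = pow(G, w, P), pow(y, w, P)
        c = h(G, self.gk, y, z, a1, a2) % (Q - 1) + 1   # challenge in [1, Q-1]
        s = (w + c * self.k) % Q
        return z, (a1, a2, s)

    def verify_coin(self, x, sig):
        """Only the bank can check a coin, because only it knows k."""
        return pow(x, self.k, P) == sig

def verify_proof(gk, y, z, proof):
    """Client-side check that z was computed with the same k as the public g^k."""
    a1, a2, s = proof
    c = h(G, gk, y, z, a1, a2) % (Q - 1) + 1
    return (pow(G, s, P) == a1 * pow(gk, c, P) % P
            and pow(y, s, P) == a2 * pow(z, c, P) % P)

def withdraw(bank, serial, cheat_k=None):
    """Client side: blind the coin, have the bank sign it, check the proof, unblind."""
    x = pow(h(serial) % (P - 1) + 1, 2, P)   # coin preimage, squared into the subgroup
    while True:
        b = secrets.randbelow(Q - 1) + 1
        y = x * pow(G, b, P) % P             # blinding: y = x * g^b
        if y != 1:                           # reject the degenerate blinded value
            break
    z, proof = bank.sign(y, cheat_k)
    if not verify_proof(bank.gk, y, z, proof):
        return None                          # bank used a different exponent: reject
    sig = z * pow(pow(bank.gk, b, P), -1, P) % P   # unblind: y^k / (g^k)^b = x^k
    return x, sig
```

With an honest bank `withdraw` returns a coin that `Bank.verify_coin` accepts; with `cheat_k` set, the proof fails and the client receives `None` instead of an unverifiable coin.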