[Lucrative-L] double spends, identity agnosticism, and Lucrative
There are also existential forgeries. I.e. choose random x, compute y = x^e mod n; now x looks like a signature on y because y^d = x mod n, and when he verifies, the verifier will just do x^e and see that it is equal to y.

These may also look like valid coins to this code!

It's missing a step: the coin should have some structure. So it can't be a hash of a message chosen by the user but hashed by the signer (the normal practical RSA signature) because the server can't see it, or it would be linkable.

What digicash did I think is something like c = [x||h(x)]. Then you can reject existential forgeries and unblinded coins because they won't have the right form.

(If you look back to the post where I gave a summary of the math, you'll see I included that step.)

Adam

On Tue, Apr 29, 2003 at 06:02:01PM -0400, R. A. Hettinga wrote:
--- begin forwarded text
From: "Patrick"
To:
Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative
Date: Tue, 29 Apr 2003 14:46:48 -0600
Importance: Normal
Sender: owner-lucrative-l@lucrative.thirdhost.com

A quick experiment has confirmed the obvious: when a client reissues a coin at the mint, both the blinded and its unblinded cousin are valid instruments to the Lucrative mint.
Example: Alice uses the Mint's API to reissue a one-dollar note, blinding the coin before getting a signature, and unblinding the signature afterwards. She's left with both a blinded and a non-blinded version of the coin. The mint believes they are both valid. Instant, unlimited inflation.
I believe the solution to this is to have the mint track both spent coins and issued coins (that is, it automatically cancels coins it issues, before the client receives them). The client is left with no choice but to go through a blinding and unblinding process in order to have a usable coin.
This seems to make identity-agnostic cash difficult or impossible, at least with Lucrative: http://www.io.com/~cman/agnostic.html, http://cypherpunks.venona.com/date/1995/09/msg00197.html .
Patrick
The Lucrative Project: http://lucrative.thirdhost.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
Adam Back wrote:
There are also existential forgeries.
I.e. choose random x, compute y = x^e mod n; now x looks like a signature on y because y^d = x mod n, and when he verifies, the verifier will just do x^e and see that it is equal to y.
These may also look like valid coins to this code!
It's missing a step: the coin should have some structure. So it can't be a hash of a message chosen by the user but hashed by the signer (the normal practical RSA signature) because the server can't see it, or it would be linkable.
What digicash did I think is something like c = [x||h(x)]. Then you can reject existential forgeries and unblinded coins because they won't have the right form.
(If you look back to the post where I gave a summary of the math, you'll see I included that step.)
This is also what Lucre (and hence Lucrative) does.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
From: "Patrick"
To:
Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative
Date: Tue, 29 Apr 2003 14:46:48 -0600
Importance: Normal
Sender: owner-lucrative-l@lucrative.thirdhost.com

A quick experiment has confirmed the obvious: when a client reissues a coin at the mint, both the blinded and its unblinded cousin are valid instruments to the Lucrative mint.
Example: Alice uses the Mint's API to reissue a one-dollar note, blinding the coin before getting a signature, and unblinding the signature afterwards. She's left with both a blinded and a non-blinded version of the coin. The mint believes they are both valid. Instant, unlimited inflation.
I believe the solution to this is to have the mint track both spent coins and issued coins (that is, it automatically cancels coins it issues, before the client receives them). The client is left with no choice but to go through a blinding and unblinding process in order to have a usable coin.
This seems to make identity-agnostic cash difficult or impossible, at least with Lucrative: http://www.io.com/~cman/agnostic.html, http://cypherpunks.venona.com/date/1995/09/msg00197.html .
Since the patent expires shortly, the legal reason for identity agnostic cash has expired. Today, if you don't want the overheads of tracking your customers, the solution is that you can refrain from tracking your customers.

Whatever happened to Lucky Green's patent party - I keep sending him emails, get no response.
James A. Donald wrote:
From: "Patrick"
To:
Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative
Date: Tue, 29 Apr 2003 14:46:48 -0600
Importance: Normal
Sender: owner-lucrative-l@lucrative.thirdhost.com

A quick experiment has confirmed the obvious: when a client reissues a coin at the mint, both the blinded and its unblinded cousin are valid instruments to the Lucrative mint.
Example: Alice uses the Mint's API to reissue a one-dollar note, blinding the coin before getting a signature, and unblinding the signature afterwards. She's left with both a blinded and a non-blinded version of the coin. The mint believes they are both valid. Instant, unlimited inflation.
I believe the solution to this is to have the mint track both spent coins and issued coins (that is, it automatically cancels coins it issues, before the client receives them). The client is left with no choice but to go through a blinding and unblinding process in order to have a usable coin.
This seems to make identity-agnostic cash difficult or impossible, at least with Lucrative: http://www.io.com/~cman/agnostic.html, http://cypherpunks.venona.com/date/1995/09/msg00197.html .
Would do if it were true - this is exactly why unblinded lucre coins have structure - that is, you can check that they are well-formed by doing hash operations on them. Blinded coins will fail these checks.

I forget the exact form of lucre coins (read the paper), but consider the construction x || H(x) - clearly only the unblinded version of this will have the right form.
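As an added illustration of the two points made in this thread (Adam Back's existential forgery and the x || H(x) well-formedness check that Ben Laurie describes), the following Python sketch is not code from Lucre, Lucrative or any of the posters. It assumes a toy RSA modulus built from the Mersenne primes 2^107-1 and 2^127-1, a coin layout of 16 random bytes followed by the first 8 bytes of SHA-256 over them (modelled on the x || H(x) idea, not the actual Lucre format), and the hypothetical names Mint, new_coin, blind, unblind, well_formed and demo. It shows that a Lucrative-style check which only tests sig^e == coin accepts both Patrick's blinded cousin and an existential forgery, while a mint that also checks the coin's structure rejects both and catches the double spend through its spent list.

```python
import hashlib
import math
import secrets

# Toy RSA key for the demo.  p and q are the Mersenne primes 2^107-1 and
# 2^127-1 (assumption: a real mint uses a properly generated, far larger key).
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q                      # about 234 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Coin structure (assumption, modelled on the x || H(x) idea in the thread,
# not the exact Lucre format): 16 random bytes x followed by the first 8 bytes
# of SHA-256(x).  192 bits in total, so every well-formed coin lies below N.
X_LEN = 16
H_LEN = 8


def coin_hash(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()[:H_LEN]


def new_coin() -> int:
    """Client side: draw a fresh x and encode the structured coin x || H(x)."""
    x = secrets.token_bytes(X_LEN)
    return int.from_bytes(x + coin_hash(x), "big")


def well_formed(coin: int) -> bool:
    """The Lucre-style check: does this integer parse as x || H(x)?"""
    if coin <= 0 or coin.bit_length() > 8 * (X_LEN + H_LEN):
        return False
    raw = coin.to_bytes(X_LEN + H_LEN, "big")
    return raw[X_LEN:] == coin_hash(raw[:X_LEN])


def blind(coin: int) -> tuple:
    """Client side: multiply by r^e so the mint signs without seeing the coin."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (coin * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """Client side: strip the blinding factor, leaving coin^d mod N."""
    return (blinded_sig * pow(r, -1, N)) % N


def rsa_verifies(coin: int, sig: int) -> bool:
    """Bare RSA check only: this is what accepts the forgeries in the thread."""
    return pow(sig, E, N) == coin % N


class Mint:
    def __init__(self) -> None:
        self.spent = set()

    def sign_blinded(self, blinded: int) -> int:
        # The mint signs an opaque number; it cannot later link it to the coin.
        return pow(blinded, D, N)

    def accept(self, coin: int, sig: int) -> str:
        """Redeem a coin: signature, then structure, then the spent list."""
        if not rsa_verifies(coin, sig):
            return "bad signature"
        if not well_formed(coin):
            return "malformed"
        if coin in self.spent:
            return "double spend"
        self.spent.add(coin)
        return "ok"


def demo() -> dict:
    mint = Mint()
    coin = new_coin()
    blinded, r = blind(coin)
    blinded_sig = mint.sign_blinded(blinded)
    sig = unblind(blinded_sig, r)

    # Existential forgery from Adam's message: pick x, present (y = x^e, x).
    x_forged = secrets.randbelow(N - 2) + 2
    y_forged = pow(x_forged, E, N)

    return {
        "legit": mint.accept(coin, sig),
        "replay": mint.accept(coin, sig),
        # Patrick's blinded cousin: (blinded, blinded_sig) is a valid RSA pair.
        "blinded_cousin_rsa_only": rsa_verifies(blinded, blinded_sig),
        "blinded_cousin": mint.accept(blinded, blinded_sig),
        "forgery_rsa_only": rsa_verifies(y_forged, x_forged),
        "forgery": mint.accept(y_forged, x_forged),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} {outcome}")
```

The order of the checks in accept matters: the structure test runs before the spent list is consulted, so a blinded value or an existential forgery never reaches the database, and the spent list only ever holds coins the mint would otherwise have honoured. A blinded value is a roughly 234-bit number, so it fails the length test alone; a forged y = x^e is rejected for the same reason, and even a forgery that happened to fit in 192 bits would have to match the 64-bit hash tag by chance.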
participants (4)

- Adam Back
- Ben Laurie
- James A. Donald
- R. A. Hettinga