RE: Magic Money questions
-----BEGIN PGP SIGNED MESSAGE----- Magic Money is available from csn.org in the same directory as pgptools. Be sure to add in the fast mp_inv posted here. It speeds up the unblinding of a 1024-bit coin from 2 minutes to 3 seconds. Thanks to whoever posted that code. I will include it in the next release, as soon as some people shake down the current one for bugs. fb@cyberg.win.net wrote:
A few questions. Since the client which generates the proto-coins is under the control of the consumer, the bank has no way of making sure that he is not running his own code, or that the RNG he is using is cryptographically strong, or even that he is not distributing modified client programs to other users.
If his RNG is bad, he is only hurting himself. If he gets the same coin as another person, and that coin has already been spent, his coins will bounce, costing him money. Same is true if he corrupts his packets - the server looks for the ASN string, and if it's not there, bounces the transaction. He can run his own code if he wants to.
How does the bank deal with collisions in the 16 byte values of coins?
There shouldn't be any, except for deliberate double-spending. The coins are 128-bits, so you'd need 2^64 of them before the odds favor a collision. The odds of a coin collision are equal to the odds of two messages having the same PGP signature.
What if the user picks the numeric values for the server to sign in a way which leaks information about the banks private key? RSA is much more secure when signing random-esque data, like a message digest, than it is when signing numbers provided to it by some outside party.
This is a problem, if this attack is feasible. The coins won't spend if they don't have the proper ASN string in them, but the server has no way to see what it is signing. Can someone produce values which will reveal the private key? I've heard of attacks which involve getting signatures on factors of a message, and multiplying them to get a forged signature. These won't work here, because each coin value is signed with a different d. All you could do is multiply several invalid coins of value x to get one valid coin of the same value. But a signature leaking the private key - that is a new one for me. Please tell me about this attack. How would one prevent it without using a cut-and-choose protocol? Applied Cryptography suggests (page 106) that it is okay to dispense with the cut-and-choose portion of a blind signature in cases (such as this one) where the user is motivated not to provide a corrupted coin. The coins use different e's from the bank's PGP key, so a coin could not be used to forge a message from the bank.
Similarly, how can the consumer trust the bank's representation that money has already been spent? Surely the bank should be required to publish a list of cancelled coins and timestamps with a running MD5 hash periodically for inspection by the unwashed masses.
There is no punishment for double-spending. The transaction is simply thrown out. The bank, in fact, has no way to identify the customer. What could the bank hope to accomplish by claiming that a coin was already spent? It can print more coins at any time, so it has no reason to cheat. A server will have to protect its reputation by not printing too much money or otherwise making its users angry. If you want to put in an MD5, it wouldn't be hard.
What do you do about lost messages from the server to the client. Once coins have been recorded as spent, they cannot be redeemed again. Yet the mail message containing the new coins may have been lost in transit.
What can be done? The server can hold onto outgoing messages for a while, and can have a means of remailing those which are lost. Or the message can be mailed back to the user through two different routes, to increase the reliability of the system. But one cash-like property of digital money is that, if you lose the data, you're SOL. I don't claim the system is perfect. But it's a start, and in my opinion, that is what digicash needs right now: a start. These Clipper postings have me worried. It seems as though the government is in a big hurry to get Clipper on the market. They only have one shot at this. What needs coded now? A menu-driven PGP? Any ideas for new projects? Pr0duct Cypher -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLVNAjcGoFIWXVYodAQHtgwP+OTFcxAbZL8uvVeBbwwn4/N1jnLGeHFRB lw7U3Y3ciESs0PBRDu1JO4hOqzpW7Ch+GkY1z+ueWD8m4+EoroacJMcTI28EKGm3 +2eV0KpQsKfcfsPCfMFVKhqBRAzcwJhFdziFbPvG9g4CU9/Huz4ff8KiSud8zdWO n8odZHk5zTs= =6Yw2 -----END PGP SIGNATURE-----
On Sat, 5 Feb 1994 catalyst-remailer@netcom.com wrote: [ Stuff deleted ]
Similarly, how can the consumer trust the bank's representation that money has already been spent? Surely the bank should be required to publish a list of cancelled coins and timestamps with a running MD5 hash periodically for inspection by the unwashed masses.
There is no punishment for double-spending. The transaction is simply thrown out. The bank, in fact, has no way to identify the customer. What could the bank hope to accomplish by claiming that a coin was already spent? It can print more coins at any time, so it has no reason to cheat. A server will have to protect its reputation by not printing too much money or otherwise making its users angry. If you want to put in an MD5, it wouldn't be hard.
[ more stuff deleted ] False! If digital coins represent some kind of value the bank will "earn" something by not accepting a coin presented for deposit. The bank will not have to provide the value or the service the depositor is entitled to. This was also pointed out by someone else posting to this list. I haven't studied the maths and protocols of the original post to closely, but just to show that it is possible to *prove* double spending I present a deposit protocol. I don't know if this protocol fits in the implementation discussed here. If I remember correctly, some of Chaum's (?) digital coin systems proved double spending by using a protocol resembling the one below: 1) Depositor presents a part of the coin to the bank and asks "Is this coin already deposited?" 2) The bank answers "yes" and proves this by revealing some information about the coin which it should now know unless the coin has already been deposited. The "no" answer together with the information presented by the depositor is signed by the bank and is a *commitment* by the bank to accept the coin when the "real" deposit takes place. 3) The depositor sends the rest of the coin to the bank if the answer was a "no". This is taken from memory -- I could probably produce some references if someone is interested. By the way -- I don't think you should use the "digicash" word to describe this implementation. David Chaum's company carries that name! -- Rolf ---------------------------------------------------------------------- Rolf Michelsen Phone: +47 73 59 87 33 SINTEF DELAB Email: rolf.michelsen@delab.sintef.no 7034 Trondheim Office: C339 Norway ----------------------------------------------------------------------
participants (2)
-
catalyst-remailer@netcom.com -
Rolf Michelsen