Declan McCullagh reports in Wired Online, http://www.wired.com/news/ebiz/0,1272,44507,00.html: The more important patent for digital cash, titled "Blind signature systems," was granted in July 1988 and expires in July 2005. Chaum's method preserved anonymity through a statistical technique. It can be thought of this way: A customer of a virtual bank would create a $1 coin by sending, say, 100 coins with random serial numbers first stuffed into electronic envelopes. The bank randomly would open 99 of the 100 envelopes to verify that the denominations were in fact $1 and the customer wasn't trying to commit fraud. After the bank owner was satisfied that the last remaining envelope was likely to be a $1 denomination too, the bank would sign the envelope -- marking it as digital cash -- and return it unopened. Of course this is a completely incorrect description of Chaum's cash system as it has been fielded in DigiCash and eCashTechnologies. It is a botched attempt to describe the "cut and choose" mechanism. But that was only designed for an offline cash system. The purpose of cut and choose was to check that the customer had properly encoded *his identity* in the cash, not that the denomination was correct as is described here. The reason the customer encoded his identity was that if he then double-spent, the bank could determine after the fact which customer had done it because double-spending would reveal his identity. But of course DigiCash was always implemented as an online system, where double-spending is not possible, since coins are always verified at the time they are spent. It never used a cut and choose mechanism for withdrawals, which would have been painfully inefficient. Instead, the customer simply sent one "enveloped" version of a random serial number to the bank. The bank signed the envelope, and the type of signature determined the denomination of the coin. The customer then took the serial number out of the envelope to get his cash. It's far simpler than the description above would suggest. The article also contains a recap of the Chaum/Brands patent wars. It would have been more interesting if there were some reference to new approaches to ecash that avoid the patents, such as the Lucre software by Ben Laurie, based on David Wagner's blinding (http://anoncvs.aldigital.co.uk/lucre/), or the recent proposal at Eurocrypt for a cash/credential system based on zero knowledge proofs without blinding (http://eprint.iacr.org/2001/019.ps or .pdf).
On Thu, Jun 14, 2001 at 07:00:21PM -0000, lcs Mixmaster Remailer wrote:
It is a botched attempt to describe the "cut and choose" mechanism.
Right, it was an attempt to describe "cut and choose" in three sentences or so. It's a news article, not a technical paper. Deal.
The article also contains a recap of the Chaum/Brands patent wars. It would have been more interesting if there were some reference to new approaches to ecash that avoid the patents, such as the Lucre software by Ben Laurie, based on David Wagner's blinding (http://anoncvs.aldigital.co.uk/lucre/
The point of that section of the article was to talk about available patents. Wagner's scheme appears to reply on Chaum's (original) patents, so it wasn't relevant. -Declan
A little behind on mail, but I figure some of this is sufficiently misleading to dig up again: On Thu, Jun 14, 2001 at 03:33:03PM -0400, Declan McCullagh wrote:
On Thu, Jun 14, 2001 at 07:00:21PM -0000, lcs Mixmaster Remailer wrote:
It is a botched attempt to describe the "cut and choose" mechanism.
Right, it was an attempt to describe "cut and choose" in three sentences or so. It's a news article, not a technical paper. Deal.
The point is Chaums ecash never did deploy cut and choose. So whether the description of cut and choose was unclear or not it was irrelevant, and confused to describe it at all.
The article also contains a recap of the Chaum/Brands patent wars. It would have been more interesting if there were some reference to new approaches to ecash that avoid the patents, such as the Lucre software by Ben Laurie, based on David Wagner's blinding (http://anoncvs.aldigital.co.uk/lucre/
The point of that section of the article was to talk about available patents. Wagner's scheme appears to reply on Chaum's (original) patents, so it wasn't relevant.
According to who? You? Care to elaborate on your thinking? So far your analysis of the patent discussion around Wagner's scheme looks like just spurious uninformed dismisive comments. The point of Wagner's scheme is that it is not a blind signature but a MAC coupled with a zero-knowledge proof of non-coin marking. I'd say it's more accurate to say it's not clear whether it is covered by something in the patent minefield or not. There was a comment on dbs list that a lawyer at berkeley had offered the opinion that it was not. Chaum offers the opinion that it is covered by his blind signature patents. I find that unlikely as it is not a signature as it fails one of the main aspects of a signature -- that there is something that is verifiable by the holder and usually others relating to some message. There are of course other opinions also, but I find your dismissive comments misleading. Also this comment :
appears to be unpatented." Right. Whatever. You can take that anonymous claim to the bank.
I don't think anyone was claiming you would proceed in any patented area without legal advise. I don't think anonymous comments should hold less weight. Yet you were presuming to dismiss Wagner's approach as clearly covered by patents which appears to be an uninformed and probably incorrect opinion. Adam
Anonymous comments like the ones I dismissed can be dismissed easily enough. I never said the approach was "clearly covered," but I suspect it is probably covered. If you can point me to authority to the contrary, I would be delighted to read it. I suspect you can't. -Declan On Thu, Jul 05, 2001 at 02:49:07PM -0400, Adam Back wrote:
I don't think anyone was claiming you would proceed in any patented area without legal advise. I don't think anonymous comments should hold less weight. Yet you were presuming to dismiss Wagner's approach as clearly covered by patents which appears to be an uninformed and probably incorrect opinion.
Adam
On Thu, Jul 05, 2001 at 03:28:09PM -0400, Declan McCullagh wrote:
I never said the approach was "clearly covered," but I suspect it is probably covered.
I am not sure why you suspect it is covered by Chaum's patents. You said in response to anonymous and I quote: | Wagner's scheme appears to reply on Chaum's (original) patents, so it | wasn't relevant. I explained to you in the post you are replying to why I don't think this claim is accurate. Wagner's scheme was designed explicitly to avoid being covered by Chaum's patents by people who have read Chaum's patents. Wagner's scheme is clearly not a signature, blind or otherwise.
If you can point me to authority to the contrary, I would be delighted to read it. I suspect you can't.
I have not personally asked a lawyer for an opinion. Neither have you I take it. This was why I suggested "unclear" was a better description of the current understanding than "appears to rely on Chaum's patents" which you appear to have made up. Perhaps the berkeley lawyers opinion could be tracked down? Adam
In article <20010705161012.A8485@economists.cryptohill.net>, Adam Back <adam@cypherspace.org> wrote:
Perhaps the berkeley lawyers opinion could be tracked down?
I personally don't remember the Berkeley lawyers ever getting involved. [Thank God. Dealing with that office is just Not Fun.] I think the OP of this factoid was confusing it with the position of Stanford's lawyers regarding SRP. - Ian
In article <20010705161012.A8485@economists.cryptohill.net>, Adam Back <adam@cypherspace.org> wrote:
Perhaps the berkeley lawyers opinion could be tracked down?
I personally don't remember the Berkeley lawyers ever getting involved. [Thank God. Dealing with that office is just Not Fun.] I think the OP of this factoid was confusing it with the position of Stanford's lawyers regarding SRP. - Ian
On Fri, Jul 06, 2001 at 10:15:04AM -0400, Ian Goldberg wrote:
Adam Back <adam@cypherspace.org> wrote:
Perhaps the berkeley lawyers opinion could be tracked down?
I personally don't remember the Berkeley lawyers ever getting involved. [Thank God. Dealing with that office is just Not Fun.]
I think the OP of this factoid was confusing it with the position of Stanford's lawyers regarding SRP.
So I asked Bob Hettinga as I thought I saw the comment on one of his lists, and with Ben Laurie who apparently made one of the comments and it appears there was confusion surrounding the comment by either Ben or Bob. Which doesn't alter my opinion about Declan's comments about Wagner's blinding method, but I thought I'd track it down and set the record straight on the mythical berkeley law prof. Adam
participants (4)
-
Adam Back -
Declan McCullagh -
iang@abraham.cs.berkeley.edu -
lcs Mixmaster Remailer