Attack on Magic Money and Chaum cash

Hal hfinney at shell.portal.com
Sun Feb 6 20:36:08 PST 1994


A quick follow-up: I suppose a cut-and-choose protocol in the withdrawal
would prevent this attack.  Instead of sending in one blinded coin to be
signed you'd send in 100 blinded candidates, then the bank would pick 99
and you'd reveal the r's for the others (remember, they are blinded with
r^e) so the bank can verify they are of the proper form.  The bank would
then sign the one remaining one and return it to you.

What a pain!  I hope someone can come up with something better, or show that
the attack doesn't work.

Hal
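
The cut-and-choose withdrawal described in the message above, as an added example that is not part of the original post or of Magic Money's code. The toy RSA key, the coin "proper form" (a 40-bit serial followed by a 40-bit SHA-256 tag), and all function names are assumptions made for illustration.

```python
import hashlib, secrets
from math import gcd

# Constructed toy RSA key from two Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def tag(serial: int) -> int:
    return int.from_bytes(hashlib.sha256(serial.to_bytes(5, "big")).digest()[:5], "big")

def coin_form(serial: int) -> int:
    # Assumed "proper form": 40-bit serial followed by a 40-bit hash tag.
    return (serial << 40) | tag(serial)

def well_formed(m: int) -> bool:
    return m < 2**80 and (m & (2**40 - 1)) == tag(m >> 40)

def blind(m: int):
    # Blind m with r^e for a random r that is invertible mod N.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r, m * pow(r, E, N) % N

def bank_sign(blinded, reveal_r, keep=None):
    """Bank: choose one candidate to keep, audit the rest, sign only if all pass."""
    if keep is None:
        keep = secrets.randbelow(len(blinded))
    for i, b in enumerate(blinded):
        if i == keep:
            continue
        r = reveal_r(i)  # customer opens this candidate by revealing its r
        if gcd(r, N) != 1 or not well_formed(b * pow(pow(r, E, N), -1, N) % N):
            return None  # a revealed candidate is malformed: refuse to sign
    return keep, pow(blinded[keep], D, N)

def withdraw(messages, keep=None):
    """Customer: blind every candidate, answer the audit, unblind the signature."""
    pairs = [blind(m) for m in messages]
    result = bank_sign([b for _, b in pairs], lambda i: pairs[i][0], keep)
    if result is None:
        return None
    kept, s = result
    return messages[kept], s * pow(pairs[kept][0], -1, N) % N

def verify(m: int, sig: int) -> bool:
    return well_formed(m) and pow(sig, E, N) == m
```

The `keep` argument exists only to make the bank's choice reproducible; left as `None`, the bank picks at random, so one malformed candidate among 100 escapes the audit only when the bank happens to keep it.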





