"Spoiling" digital cash
Anonymous
nobody at remailer.privacy.at
Mon Dec 10 17:46:04 PST 2001
"George" writes:
> Th idea is, when buying some good or service with
> digital cash, the customer first forwards the cash to the vendor
> in some transformed way such that the vendor
> can't yet spend it, but can verify that it is
> good cash of the correct amount, and that
> the customer will no longer be able to spend it.
>
> The idea is, if the vendor follows through on his side,
> the customer will supply the additional information the
> vendor will need to redeem the cash. The customer can still
> rip the vendor off by refusing to do so, but he has no incentive,
> the money's already gone for him. Conversely, an
> unscrupulous "vendor" could in principle trick a customer
> into throwing away money on nothing, but he would gain no profit
> in doing so.
Yep, see Marcus Jakobsson, "Ripping Coins for Fair Exchange",
http://www-cse.ucsd.edu/users/markus/rip.ps. The idea is analogous to
tearing a $100 bill in half and giving half to the taxi driver so he'll
wait while you go take care of some business. The two halves together
are worth $100, but either alone is worthless. Once you give him the
first half you're out $100, so you have no incentive to cheat him by
not giving the other half when you come back.
A simplification of Jakobsson's scheme works with Chaumian blinded cash
where the bank's RSA exponent e = e1*e2, where e1 > 1 is an odd integer
and e2 is prime.
The passenger (in the taxi example) withdrew the coin by choosing a
value x which had some special structure, blinding it and getting a
signature s on x such that s^e = x, mod n. To spend the coin normally
he would reveal x and s which the bank would accept as it satisfies this
relation.
To rip the coin, the passenger gives the taxi driver t = s^e1, along
with x. The driver can verify that t^e2 = s^(e1*e2) = s^e1 = x mod n
which tells him that it is a real coin. He also sends (t, x) to the
bank, which verifies that no such x has been spent before (no double
spending) and also stores x as a ripped coin such that only the driver
can spend it.
When the passenger comes back he gives the taxi driver s, the real RSA
signature, so the driver can now spend the coin for good. The passenger
can't renege and spend the coin himself because the driver has put a
block on that x value in the database.
More information about the cypherpunks-legacy
mailing list