Chaum's unpatented ecash scheme

Ben Laurie ben at algroup.co.uk
Wed Aug 21 06:31:53 PDT 2002


Nomen Nescio wrote:
> David Chaum gave a talk at the Crypto 2002 conference recently in which
> he briefly presented a number of interesting ideas, including an approach
> to digital cash which he himself said would "avoid the ecash patents".
> 
> The diagram he showed was as follows:
> 
> 
>         Optimistic Authenticator
> 
>                                      z = x^s
> 
> Payer         f(m)^a z^b             Bank
>       ----------------------------->
> 
>             [f(m)^a z^b]^s
>       <-----------------------------
> 
>                m, f(m)^s
>       ----------------------------->
> 
> 
> It's hard to figure out what this means, but it bears resemblance to a
> scheme discussed on the Coderpunks list in 1999, a variant on a blinding
> method developed by David Wagner.  See
> http://www.mail-archive.com/coderpunks@toad.com/msg02323.html for a
> description, with a sketch of a proof of blindness at
> http://www.mail-archive.com/coderpunks@toad.com/msg02387.html and
> http://www.mail-archive.com/coderpunks@toad.com/msg02388.html.
> 
> In Chaum's diagram it is not clear which parts of the key are private and
> which public, although z is presumably public.  Since the bank's action
> is apparently to raise to the s power, s must be secret.  That suggests
> that x is public.  However Chaum's system seems to require dividing by
> (z^b)^s in order to unblind the value, and if s is secret, that doesn't
> seem possible.
> 
> In Wagner's scheme everything was like this except that the bank's key
> would be expressed as x = z^s, again with x and z public and s secret.
> f(m) would be a one-way function, which gets doubly-blinded by being
> raised to the a power and multiplied by z^b, where a and b are randomly
> chosen blinding factors.  The bank raises this to its secret power s,
> and the user unblinds to form f(m)^s.  To later deposit the coin he does
> as in the third step, sending m and f(m)^s to the bank.
> 
> For the unblinding, the user can divide by (z^b)^s, which equals z^(b*s),
> which equals (z^s)^b, which equals x^b.  Since x is public and the user
> chose b, he can unblind the value.  Maybe the transcription above of the
> Chaum scheme had a typo and it was actually similar to the Wagner method.

Sounds like it.

> 
> Chaum commented that the payer does not receive a signature in this
> system, and that he doesn't need one because he is protected against
> misbehavior by the bank.  This is apparently where the scheme gets
> its name.

Note that the scheme as described (and corrected) is vulnerable to 
marking by the bank, and so is not anonymous. This is discussed and 
fixed in my paper on Lucre 
(http://anoncvs.aldigital.co.uk/lucre/theory2.pdf).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
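A worked example of the Wagner-style variant as reconstructed above (added here; it is not code from the thread, from Chaum's talk or from the Lucre paper). It assumes a prime-order subgroup of Z_p^* with p = 2q + 1, which the thread never fixes, and it fills in the one unblinding step the thread leaves implicit: after dividing by x^b the payer still holds f(m)^(a*s), so he raises to a^-1 mod q to recover f(m)^s. Names (Bank, withdraw, deposit) are mine. Note what the code also makes visible: the payer has nothing to check at withdrawal time, since only the bank knows s, so a bad response is only discovered at deposit. The marking problem Laurie points to is not addressed here.

```python
"""Wagner-style blinded withdrawal, as reconstructed in the thread.

Bank key: x = z^s mod p, with z and x public and s secret.
Payer:    sends f(m)^a * z^b, gets it raised to s, divides by x^b,
          then takes the a-th root (exponent a^-1 mod q) to get f(m)^s.
Toy-sized parameters by default; a deployment would use a 2048-bit+ safe prime.
Requires Python 3.8+ (pow(x, -1, n) for modular inverses).
"""
import hashlib
import secrets

# Miller-Rabin with these bases is deterministic for n < 3.3e24 (> 2**64).
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    if n < 2:
        return False
    for sp in MR_BASES:           # trial division by the small bases first
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits=64):
    """Return (p, q) with p = 2q + 1 and both p and q prime."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


class Group:
    """Order-q subgroup (the squares) of Z_p^*, with f(m) hashing into it."""

    def __init__(self, p, q):
        self.p, self.q = p, q
        self.z = 4                # 2^2 is a square, hence of order q; public

    def f(self, m: bytes) -> int:
        h = int.from_bytes(hashlib.sha256(m).digest(), "big") % (self.p - 1) + 1
        return pow(h, 2, self.p)  # squaring lands in the order-q subgroup


class Bank:
    def __init__(self, G: Group):
        self.G = G
        self.s = secrets.randbelow(G.q - 1) + 1     # secret exponent
        self.x = pow(G.z, self.s, G.p)              # public key x = z^s
        self.spent = set()                          # deposited coins

    def sign_blinded(self, blinded: int) -> int:
        # The bank never sees f(m): it just raises whatever it gets to s.
        return pow(blinded, self.s, self.G.p)

    def deposit(self, m: bytes, coin: int) -> bool:
        # Only the bank can check a coin: it recomputes f(m)^s with its secret s.
        if pow(self.G.f(m), self.s, self.G.p) != coin:
            return False
        if m in self.spent:                         # reject double spending
            return False
        self.spent.add(m)
        return True


def withdraw(G: Group, bank: Bank, m: bytes) -> int:
    """Payer side: blind, get the bank's response, unblind to f(m)^s."""
    p, q = G.p, G.q
    a = secrets.randbelow(q - 1) + 1                # blinding exponent
    b = secrets.randbelow(q - 1) + 1                # blinding multiplier exponent
    blinded = pow(G.f(m), a, p) * pow(G.z, b, p) % p     # f(m)^a * z^b
    resp = bank.sign_blinded(blinded)                      # (f(m)^a z^b)^s
    # Divide by x^b = z^(s*b), leaving f(m)^(a*s) ...
    t = resp * pow(pow(bank.x, b, p), -1, p) % p
    # ... then take the a-th root in the order-q group: exponent a^-1 mod q.
    return pow(t, pow(a, -1, q), p)


if __name__ == "__main__":
    G = Group(*safe_prime(64))
    bank = Bank(G)
    m = b"coin #1 (constructed sample message)"
    coin = withdraw(G, bank, m)
    print("deposit accepted:", bank.deposit(m, coin))      # True
    print("second deposit accepted:", bank.deposit(m, coin))  # False
```

The payer's check at withdrawal is empty by construction: without s he cannot tell f(m)^s from anything else, which is exactly the "no signature" property discussed in the thread, and why a bank that misbehaves at withdrawal is only caught, if at all, at deposit.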


---------------------------------------------------------------------
The Cryptography Mailing List