Double spending, i.e. X in S == not X not in S

R. A. Hettinga rah at shipwright.com
Thu Apr 24 15:24:33 PDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 4:51 PM -0400 4/24/03, Patrick Chkoreff wrote:
>No, which indicates there is one huge unshared premise at work here.

Okay. I think I understand what's happened, here.

It's a function of whether or not you're blinding, and the blinding
protocol you're using.

If you're doing Chaumian blinding, part of the double-spending
prevention is bound up in the blinding protocol itself. Since
Lucrative is done in Wagner blinding, maybe that's not the case, but
I wouldn't think so, on a first approximation. Wagner's too smart.
:-).


For non-blinded notes, you still keep a copy of the ones that come
in, (or a sample of them, for "streaming" coins where a large number
of coins are statistically dependent, like between IP addresses in a
P2P streaming network) but you *still* don't care about the ones
that haven't come back yet.

Because, and note this, one more time: they're not *spent* yet.
You're trying to *prove* double spending, remember? If someone comes
back with a note you *don't* have, it may make for a smaller list,
and, hey, if it's not on your list, you don't let it in. But you want
to keep some kind of *proof* that the coin's already come in, besides
simply saying, "nope. Not here". Instead, you want to say things like
"nope. this one's double spent.", and provide whatever information
you've agreed to as proof. (timestamp, or IP address, or whatever.
Not pretty) 

That's why Chaum did what he did. You munge the two hashes you now
have in double-spent note and out pops the *signature* of the double
spender, and so you only have to keep the notes that have come in.
You can't even *decipher* the notes you've issued, because, hey,
they're blinded. They're complete gibberish to the mint, and equally
useless. The blinding happens on the client with a secret blinding
factor, right?

Now I have to go back and look at what Wagner said myself :-), and
figure out if he did something like that as well. I expect that by
"blinding", he meant getting the same kind of result that Chaum was
after, or people wouldn't have been offering it as an alternative to
Chaum all these years. Wagner did it with Diffie-Hellman, so the math
operators are different than RSA, but I bet you get the same effect,
or again, people wouldn't call it "blinding."


There's certainly something to be said for learning by answering
questions, and I thank you for giving me the opportunity for personal
growth ;-), but, really, Patrick, go *read* these protocols to see
how they work before proposing new ones.

Most of the time, people haven't the bandwidth to repeat what's been
said, especially on cypherpunks in particular, and on the net in
general, many times before.

So, again I ask, Patrick, have you gone and looked at blind signature
protocols in the CRC Handbook of Applied Crypto? or Applied
Cryptography?

The CRC book is more technical than Applied Crypto, which is the more
readable of the two, but the CRC book is actually available in PDF on
the net, for free, if you go look for it. 

Google is Your Friend, Patrick, and Crypto is Hard. 

Don't invent any if you really don't have to.

Cheers,
RAH

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

iQA/AwUBPqhkEsPxH8jf3ohaEQKqjwCgmMF7t/K/Ljitmz8+MWPhYlrMkiwAoMZX
oIstn0atLxrPvXzQZWTP2rkT
=8voZ
-----END PGP SIGNATURE-----

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
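Added example (not code from the post, from Hettinga, or from Lucrative): a toy model of the bookkeeping argued for above. The mint records only coins that have come in, stores an agreed proof (here a constructed timestamp/origin string) with each one, and, when the same serial arrives a second time under a different payee challenge, combines the two transcripts to expose the spender's identity, in the style of Chaum/Fiat/Naor identity splitting. The splitting scheme, the constants K and ID_BITS, and the account numbers are assumptions for illustration; blinding, signatures and the cut-and-choose step of the real protocols are left out.

```python
"""Toy double-spend ledger: keep only deposited coins, prove the double spend.

Constructed model (assumption, not a real protocol): each coin carries K
pairs (a_i, a_i XOR id). A spend answers a K-bit payee challenge by
revealing one half of each pair. Two spends of one coin under different
challenges reveal both halves of some pair, and XOR-ing them yields id.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

K = 16          # identity-splitting pairs per coin (assumed size)
ID_BITS = 32    # customer account number width (assumed)


@dataclass
class Coin:
    serial: int
    owner_id: int                                 # withdrawing customer's account
    halves: list = field(default_factory=list)    # [(a_i, a_i ^ owner_id), ...]


def withdraw(owner_id: int) -> Coin:
    """Client-side coin construction: identity split into K random XOR pairs."""
    coin = Coin(serial=secrets.randbits(64), owner_id=owner_id)
    for _ in range(K):
        a = secrets.randbits(ID_BITS)
        coin.halves.append((a, a ^ owner_id))
    return coin


def spend(coin: Coin, challenge: int) -> dict:
    """Payer's transcript: challenge bit i = 0 reveals a_i, bit i = 1 reveals a_i ^ id."""
    answers = [coin.halves[i][(challenge >> i) & 1] for i in range(K)]
    return {"serial": coin.serial, "challenge": challenge, "answers": answers}


def recover_identity(t1: dict, t2: dict) -> Optional[int]:
    """Munge two transcripts of the same coin: XOR the halves at a differing challenge bit."""
    diff = t1["challenge"] ^ t2["challenge"]
    if diff == 0:
        return None          # same challenge twice: double spend proven, identity stays hidden
    i = (diff & -diff).bit_length() - 1   # index of the lowest differing challenge bit
    return t1["answers"][i] ^ t2["answers"][i]


@dataclass
class Mint:
    # Only coins that have come in are stored; issued-but-unspent coins leave no record.
    seen: dict = field(default_factory=dict)      # serial -> (transcript, proof)

    def deposit(self, transcript: dict, proof: str) -> dict:
        serial = transcript["serial"]
        if serial not in self.seen:
            self.seen[serial] = (transcript, proof)
            return {"status": "accepted"}
        first, first_proof = self.seen[serial]
        return {
            "status": "double-spent",
            "first_seen": first_proof,                  # the agreed proof kept for the first deposit
            "spender": recover_identity(first, transcript),
        }


if __name__ == "__main__":
    mint = Mint()
    coin = withdraw(owner_id=0x2A2A2A2A)
    # constructed proofs: what the mint agreed to retain for each deposit
    print(mint.deposit(spend(coin, 0x0000), "2003-04-24T15:24 via merchant A"))
    print(mint.deposit(spend(coin, 0xFFFF), "2003-04-24T16:02 via merchant B"))
```

The mint's table grows only with deposits, as the post insists, and a second sighting yields more than "not here": it yields the first deposit's proof and, when the challenges differ, the account number itself. Identical challenges (probability 2^-K here) still prove the double spend but do not expose the identity.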