double-spending prevention w. spent coins (Re: [Lucrative-L] lucrative accounts revisited)

Adam Back adam at cypherspace.org
Thu Apr 24 15:47:21 PDT 2003


> Although I have read some material on blinding etc., I do not see a 
> need for it in my system.

Your system as described is not in the slightest bit anonymous or
private.  Or at least the user has no cryptographic assurances that
the server is not logging everything, or that some adversary isn't
logging everything that goes over the connection even though the
server is not.

> OK, if someone put a gun to my head and said "put in some code to
> log everything" then they might be able to discern some pattern like
> "this coin was issued to this IP address, and then three days later
> that coin was swapped from this other IP address."  

Right that is the linkability problem.  Plus of course as mentioned
above the user has no reason to trust the server.  Or at least he
would prefer a protocol where he did not need to trust the server.

> OK, that sounds like a potential problem, but I don't see how you
> can hide this information from the server ITSELF.  When you present
> a coin to the server, it is going to know from which IP address it
> came, and I don't see a way around that.

That's where blinding comes into the picture.

Probably the simplest one to understand is Chaum's original scheme,
though there are others such as Brands, and Wagner's online system.

serial-no               = (b^e).[R||h(R)] mod n
proto-coin              = serial-no^d mod n
                        = b.[R||h(R)]^d mod n
coin                    = proto-coin . b^-1 mod n
                        = [R||h(R)]^d mod n
check-valid-coin(c)     = c^e mod n is of form [x||h(x)]
check-double-spent(c)   = bank records spent coins
trace-payee(c)          = payer gives bank b, bank records proto-coins as well

so a blind signature in this scheme is that the bank has an RSA
modules n, private key d, and public exponent e.

The user sends b^e.M mod n to the bank (where b is a random blinding
factor), the bank computes (b^e.M)^d mod n (a standard RSA siganture)
and sends back to the user.  The user then unblinds by dividing by b,
which works because:

(b^e.M)^d = b^{e.d}.M^d = b.M^d mod n

and b.M^d/b = M^d mod n

plus some other detais to avoid existential forgeries.

and so the bank can recognize it's signature later on a coin (because
it's a valid RSA signature made with it's private key d), but it won't
know which unspent coin it corresponds to because it doesn't know the
blinding factors b.

Adam





More information about the cypherpunks-legacy mailing list