[Lucrative-L] double spends, identity agnosticism, and Lucrative

Adam Back adam at cypherspace.org
Tue Apr 29 15:36:21 PDT 2003


There are also existential forgeries.

I.e. choose random x, compute y = x^e mod n, now x looks like a
signature on y because y^d = x mod n; and when he verifies the
verifier will just do x^e and see that it is equal to y.

These may also look like valid coins to this code!

It's missing a step: the coin should have some structure.  So it can't
be a hash of a message chosen by the user but hashed by the signer
(the normal practical RSA signature) because the server can't see
it or it would be linkable.

What digicash did I think is something like c = [x||h(x)].  Then you
can reject existential forgeries and unblinded coins because they
won't have the right form.

(If you look back to the post where I gave a summary of the math,
you'll see I included that step.)

Adam

On Tue, Apr 29, 2003 at 06:02:01PM -0400, R. A. Hettinga wrote:
> 
> --- begin forwarded text
> 
> 
> From: "Patrick" <patrick at lfcgate.com>
> To: <lucrative-l at lucrative.thirdhost.com>
> Subject: [Lucrative-L] double spends, identity agnosticism, and Lucrative
> Date: Tue, 29 Apr 2003 14:46:48 -0600
> Importance: Normal
> Sender: owner-lucrative-l at lucrative.thirdhost.com
> 
> 
> 	A quick experiment has confirmed the obvious: when a client
> reissues a coin at the mint, both the blinded and its unblinded cousin
> are valid instruments to the Lucrative mint.
> 
> 	Example: Alice uses the Mint's API to reissue a one-dollar note,
> blinding the coin before getting a signature, and unblinding the
> signature afterwards. She's left with both a blinded and a non-blinded
> version of the coin. The mint believes they are both valid. Instant,
> unlimited inflation.
> 
> 	I believe the solution to this is to have the mint track both
> spent coins and issued coins (that is, it automatically cancels coins it
> issues, before the client receives them). The client is left with no
> choice but to go through a blinding and unblinding process in order to
> have a usable coin.
> 
> 	This seems to make identity-agnostic cash difficult or
> impossible, at least with Lucrative:
> http://www.io.com/~cman/agnostic.html,
> http://cypherpunks.venona.com/date/1995/09/msg00197.html .
> 
> 
> Patrick
> 
> 
> The Lucrative Project: http://lucrative.thirdhost.com
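Both observations in this thread in working code, as an added example that is not Lucrative's or DigiCash's own: under raw RSA verification the blinded coin, its unblinded cousin, and a randomly chosen (s, s^e) pair all verify, while requiring the coin to parse as x || h(x) accepts only the unblinded coin. The primes, the truncated hash and the blinding factor are constructed for the demonstration.

```python
# Added illustration of the thread's point; not Lucrative or DigiCash code.
# Constants are constructed: tiny primes keep it offline, real mints use
# 2048-bit moduli.  n is just under 2^92, so a coin must fit in 88 bits.
import hashlib
import secrets

P, Q = 2**31 - 1, 2**61 - 1           # Mersenne primes, gcd(e, phi) == 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

X_LEN, TAG_LEN = 5, 6                 # coin = x (5 bytes) || h(x) (6 bytes)
COIN_LEN = X_LEN + TAG_LEN

def tag(x):
    """h(x): a truncated SHA-256, the 'structure' the thread asks for."""
    return hashlib.sha256(x).digest()[:TAG_LEN]

def make_coin(x=b""):
    """Client-side coin c = x || h(x) as an integer below n."""
    x = x or secrets.token_bytes(X_LEN)
    return int.from_bytes(x + tag(x), "big")

def raw_verify(c, s):
    """What the quoted Lucrative mint does: accept any s with s^e == c."""
    return pow(s, E, N) == c

def structured_verify(c, s):
    """Additionally require that c parses as x || h(x)."""
    if c.bit_length() > 8 * COIN_LEN or not raw_verify(c, s):
        return False
    blob = c.to_bytes(COIN_LEN, "big")
    return tag(blob[:X_LEN]) == blob[X_LEN:]

def existential_forgery():
    """Pick s at random and set c = s^e mod n; (c, s) passes raw_verify."""
    s = secrets.randbelow(N - 2) + 2
    return pow(s, E, N), s

def blind_issue(c, r):
    """Chaum blinding: mint signs r^e * c; client divides out r."""
    blinded = (pow(r, E, N) * c) % N
    s_blinded = pow(blinded, D, N)          # all the mint ever sees
    s = (s_blinded * pow(r, -1, N)) % N     # = c^d mod n
    return blinded, s_blinded, s

if __name__ == "__main__":
    c = make_coin()
    blinded, sb, s = blind_issue(c, 123456789)   # r constructed, coprime to n
    print("unblinded coin:", raw_verify(c, s), structured_verify(c, s))
    print("blinded cousin:", raw_verify(blinded, sb), structured_verify(blinded, sb))
    fc, fs = existential_forgery()
    print("forgery:", raw_verify(fc, fs), structured_verify(fc, fs))
```

Tracking issued coins, as Patrick proposes, would also catch the blinded cousin, but only the structure check rejects the forgery, which the mint never issued.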

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com