Crypto-making vs Crypto-breaking

Ben Laurie ben at algroup.co.uk
Wed May 7 09:10:22 PDT 2003


Nomen Nescio wrote:

> Ben Laurie wrote:
> 
>>Actually, Lucre uses the double-blinding method to avoid this. The paper
>>discusses the ZK proof as an alternate way of doing it, but I chose not
>>to use it because of its potential interpretation as a blind signature.
> 
> 
> Quoting from an anonymous post to coderpunks, around December 13, 1999:
> 
> There is still a potential problem with the double blinding that the ZK
> proof would fix.  The bank may intentionally produce a bogus coin by
> returning junk in the withdrawal transaction.
> 
> While this is not as useful as being able to specifically mark coins and
> recognize them at deposit time, it could still be used in practice if
> people don't very often try depositing junk.  After all, why should they
> do so, since it will never work.
> 
> In that case the bank may be able to do a "sting" operation by producing
> junk at deposit time and then assuming that anyone who attempts to deposit
> a garbage coin is likely to have been the recipient of the junk coin.
> If such garbage deposit attempts are few, then this will allow the bank
> to effectively link the deposit to the withdrawal.  The bank can even
> "eat" the cost of the bad coin and the depositor will never know he's
> been tagged.

The bank, of course, has to choose a withdrawer to tag, or a small
subset of withdrawers, or this doesn't work. Note that the depositor is
not tagged, the withdrawer is. And if the withdrawer has simply done an
exchange anonymously, nor is she.

> As a countermeasure there could be a band of cypherpunks who constantly
> attempt anonymous deposits of junk coins.  These would all fail, but
> they would provide cover.

Why would they fail? Since the bank cannot tell its own junk signature
from the invented junk signatures, the bank would have to honour these
requests. This sounds to me like a bank that is going bust fast.

>  They would make it much more difficult for
> the bank to issue intentionally-bad coins with the expectation that it
> could recognize them at deposit time.
> 
> But lacking such organized activity, it would be better for the withdrawer
> to be guaranteed that the bank had behaved correctly.  If the ZK proof
> is used then the original Wagner blinding using one factor should be
> adequate.

If a bank wants to cheat, it can do so despite a ZK proof - it simply
refuses to cash the coins - claiming, for example, a double-spend, or
just saying "no". So, given that marking coins with junk signatures is:

a) Only effective if you want to mark a small subset

b) Costs you a fortune if anyone finds out you are doing it,

I am not entirely convinced by this argument. Nevertheless, the ZK
option is implemented in Lucre (and documented in the paper) should any
mint wish to use it.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
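
The check the quoted post asks for, the withdrawer confirming at withdrawal time that the bank signed with its published key, sketched as an added example that is not part of the original message and is not Lucre's code. It uses a Chaum-Pedersen discrete-log-equality proof with a hash challenge; the toy group, the function names and the one-factor blinding form y^b are assumptions for illustration.

```python
import hashlib, secrets

# Toy group (assumption, far too small for real use): order-Q subgroup of Z_P*.
P = 2**127 - 1                 # Mersenne prime
Q = 77158673929                # prime factor of P - 1
G = pow(3, (P - 1) // Q, P)    # generator of the order-Q subgroup

def h2g(*parts):
    """Hash arbitrary values into the order-Q subgroup."""
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return pow(int.from_bytes(d, "big") % P, (P - 1) // Q, P)

def challenge(*parts):
    """Hash the proof transcript to a challenge exponent."""
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(d, "big") % Q

def bank_sign(k_sign, k_proof, blinded):
    """Bank signs with k_sign and proves with k_proof (an honest bank uses one key)."""
    sig = pow(blinded, k_sign, P)
    r = secrets.randbelow(Q - 1) + 1
    a, b = pow(G, r, P), pow(blinded, r, P)
    c = challenge(G, pow(G, k_proof, P), blinded, sig, a, b)
    return sig, (a, b, (r + c * k_proof) % Q)

def verify(pub, blinded, sig, proof):
    """Check log_G(pub) == log_blinded(sig) without learning the exponent."""
    a, b, s = proof
    c = challenge(G, pub, blinded, sig, a, b)
    return (pow(G, s, P) == a * pow(pub, c, P) % P and
            pow(blinded, s, P) == b * pow(sig, c, P) % P)

def withdraw(pub, k_sign, k_proof, serial):
    """Withdrawer side, with the bank simulated in-process for the demo."""
    y = h2g(serial)
    blind = secrets.randbelow(Q - 1) + 1
    blinded = pow(y, blind, P)           # one-factor blinding: y^b
    sig, proof = bank_sign(k_sign, k_proof, blinded)
    if not verify(pub, blinded, sig, proof):
        return None                      # junk detected before the coin is accepted
    return pow(sig, pow(blind, -1, Q), P)  # unblind: (y^(b*k))^(1/b) = y^k
```

A `None` result is the withdrawer catching a junk signature at withdrawal time, so there is no later deposit attempt for the bank to correlate.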





More information about the cypherpunks-legacy mailing list