lucre double-blinding? (Re: Crypto-making vs Crypto-breaking)

Adam Back adam at cypherspace.org
Wed May 7 13:09:04 PDT 2003


Yes I remember the introduction of a 2nd blinding factor, your other
post in the thread where you reposted the remaining issues with
taggability jogged my memory; just the terminology threw me.

(Probably more proper to call it the introduction of another blinding
factor -- the result is just more effectively blinded -- Brands'
constructs use 3 blinding factors in some scenarios, for example, and
that is still considered blinded, not "triple-blinded".)

Brands has an optimization of his scheme where (as the user receiving
a coin) you have the option of not bothering to perform one of the
verifications, the weaker assurance being you are still assured that
the bank can't distinguish between tagged coins, though it can
distinguish an untagged coin from a tagged coin.

However, as with Lucre, I don't find this very convincing because the
bank can still tag one person at a time.  If you add in the general
lack of connection anonymity, it could certainly be used to confirm
suspicions and probably to effectively tag multiple users at once.

So I would consider the Lucre two-blinding-factor approach still
flawed.

Adam

On Wed, May 07, 2003 at 10:00:02AM +0200, Nomen Nescio wrote:
> A Back asks:
> > It's been a while since I looked at the Lucre white paper but
> > extrapolating from the Chaum context doesn't double blinding mean the
> > payer and payee have to be simultaneously online with the bank?
> 
> No, this is something else.  It just means that two random numbers rather
> than one are used to blind the data when it is sent to the bank to be
> signed (oops, "transformed").  Doing this makes it impossible for the bank
> to recognize deposited coins even if it misbehaves.  Earlier proposals
> that used a single random blinding factor were shown to be inadequate.




