lucre double-blinding? (Re: Crypto-making vs Crypto-breaking)

Ben Laurie ben at algroup.co.uk
Thu May 8 01:05:18 PDT 2003


Adam Back wrote:

> Yes I remember the introduction of a 2nd blinding factor, your other
> post in the thread where you reposted the remaining issues with
> taggability jogged my memory; just the terminology threw me.
> 
> (Probably more proper to call it the introduction of another blinding
> factor -- the result is just more effectively blinded -- Brands
> constructs use 3 blinding factors in some scenarios for example and
> that is still considered blinded not "triple-blinded") 

2-factor blinding might be a better way to express it.

> Brands has an optimization of his scheme where (as the user receiving
> a coin) you have the option of not bothering to perform one of the
> verifications, the weaker assurance being you are still assured that
> the bank can't distinguish between tagged coins, though it can
> distinguish an untagged coin from a tagged coin.
> 
> However as with Lucre I don't find this very convincing because the
> bank can still tag one person at a time.  If you add in the general
> lack of connection anonymity, it could certainly be used to confirm
> suspicions and probably to effectively tag multiple users at once.
> 
> So I would consider the lucre two blinding factor approach still
> flawed.

As I mentioned in another post, the bank either has to reveal its
subterfuge, or honour forged coins, so I'm not convinced. Anyway, the ZK
proof is available if you want to use it.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff





More information about the cypherpunks-legacy mailing list