Is the following digicash protocol possible?

solman at MIT.EDU solman at MIT.EDU
Thu Sep 1 20:08:53 PDT 1994 

> A question about offline digicash:
> 
> Is it possible to arrange digicash as follows:
> 
> If A, the original issuer, issues a unit of digicash to 
> to B, and B gives it to C, and C gives it to D, and D,
> gives it to E, and E cashes it with A,  --  and
> everyone colludes except C and D, it is impossible
> to prove that C got this unit from D.

I assume you mean the last line to read "to prove that D got
this unit from C".

Chaum has demonstrated (In a paper I discussed here a little
over a month ago) that when A, B and E collude they can be sure
that the cash D gave to E is part of the same banknote that B
gave to C.

HOWEVER, it is possible to design a protocol such that
it is NOT possible for A, B and E to be sure that C gave
his money directly to D. (i.e. a protocol can be designed
such that A, B and E can not rule out the possibility that
the cash went from C to F to G to H to I to J to D. Thus,
the solution for entities that are worried about having
their cash marked is to exchange banknotes anonymously
with randomly selected entities before using them again.

> If A, the original issuer, issus a unit of digicash to 
> to B, and B gives it to C, and C gives it to D, and D,
> gives it to E, and E cashes it with A,  --  and
> C double spends it to D', who then gives it to E'
> who then attempts to cash it with A, -- then A
> will detect the double spending and rebuff the attempt,
> E' will complain to D', and D', with information
> supplied by E' and A, can then prove that C dishonorably 
> double spent the money, without discovering that C gave 
> the money to D, and hence without discovering that D 
> gave the money to E.

Anonymous e-cash can be created such that the identity
of the cheat is immediatelly known as soon as the second
copy of the banknote (or of a part of the banknote)
reaches A. I should think that any protocol which requires
backtracking would be highly undesirable (i.e. D' and
idealy E' should not be bothered).

Cheers,

Jason W. Solinsky

More information about the Testlist mailing list