A Funeral Dirge for Ecash

Thu Jun 14 12:30:34 PDT 2001

Nice little piece on Digital Cash by Declan on Wired.

http://www.wired.com/news/ebiz/0,1272,44507,00.html

Then Declan tries to explain blind signatures.

> Chaum's method preserved anonymity through a statistical technique. It
> can be thought of this way: A customer of a virtual bank would create a
> $1 coin by sending, say, 100 coins with random serial numbers first
> stuffed into electronic envelopes.

> The bank randomly would open 99 of the 100 envelopes to verify that the
> denominations were in fact $1 and the customer wasn't trying to commit
> fraud. After the bank owner was satisfied that the last remaining
> envelope was likely to be a $1 denomination too, the bank would sign the
> envelope -- marking it as digital cash -- and return it unopened."

Blinding permits someone to present an encrypted document to someone else
for signing.  The original owner of the document can calculate the digital
signature that would have been created had the plaintext document been
signed, from the digital signature on the encrypted document.

This allows people to sign things without knowing their content, and
prevents the signer from later associating a document with the person who
asked that it be signed.

In digital cash systems, it permits banknotes to be signed, without the
bank seeing the serial numbers on them, so that the bank cannot later
recognize them when they are deposited.  This is what makes the system
anonymous, and prevents anyone from telling who paid for what.

What I find somewhat odd, is the protocol suggested here for the bank
making sure with a high degree of reliability, that it knows the
denomination of an encrypted banknote it is signing.

If I follow Declan's argument, should I wish the bank to sign a note for
$1, I send the bank 100 such notes each encrypted with a different key.

The bank then requests the decryption key for 99 of them, and after
verifying that they are in fact $1 notes, has only a 1/100 chance that
I've slipped a $1,000,000 note into the pile and they've missed it.

So in the DeclanCash system, every 100th dishonest transaction can rip the
bank off for $999,999, an average loss for the bank of approximately $10k
per dishonest transaction attempted.

It would seem far better for the bank to simply sign different
denominations with different keys.  The bank then need not worry at all
about the content of what is signed.  if a user pays the bank $100 to sign
something that is not in correct banknote format, then the user is out
$100 and has the bank's $100 signature attached to something he can't
spend.

In any case, I can't recall any digital cash systems which tell the bank
the amount of the note being signed, by sending lots of notes, and letting
the bank look at all but one.  So I was wondering if Chaum's patent
actually used this metaphor, or if Declan picked up the idea from
somewhere else.

-- 
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"