Subject: Re: Double-blinding
From: dmolnar (dmolnarhcs.harvard.edu)
Date: Mon Dec 13 1999 - 20:02:20 CST


On 13 Dec 1999, lcs Mixmaster Remailer wrote:

>
> As a countermeasure there could be a band of cypherpunks who constantly
> attempt anonymous deposits of junk coins. These would all fail, but
> they would provide cover. They would make it much more difficult for
> the bank to issue intentionally-bad coins with the expectation that it
> could recognize them at deposit time.

Now you need to make sure that whatever anonymous channel "der Bund" uses
is actually used for deposits by non-cypherpunks. Otherwise the bank
can bet that almost all such anonymous deposits are noise and just
disregard them entirely. Do we know that the "regular" users of the system
will be making anonymous deposits?

The catch-22 seems to be that if we try this denial of marking service
with non-anonymous deposits, then we all go to jail. Oops. :-(

> But lacking such organized activity, it would be better for the withdrawer
> to be guaranteed that the bank had behaved correctly. If the ZK proof
> is used then the original Wagner blinding using one factor should be
> adequate.

For what it's worth, the withdrawer does not necessarily *need* to be the
one who performs the ZK proof with the bank. We could do the ZK proof at
deposit -- the bank must prove to the depositor that the coin is valid
before accepting it. This still allows the bank to mark cash as defective,
but now it cannot do so silently. Such a proof could be made non-interactive
and then used to allow everyone to track the number of bad coins passing
through.

Or we could have anyone come challenge the bank to show a coin is
valid, without actually depositing it. (There are issues here with
possibly running many proofs on the same coin in parallel?)
So a party could efficiently withdraw many coins, and then defer
validating them with the bank until a later date.

Let's call someone who challenges the bank to verify a coin a "validator."

The bank can still match an invalid coin to a validator, but if the
coin is valid, now the coin can circulate without fear of being marked.
It seems that we'd need to use another round of blinding for this
validation protocol, though, because otherwise the bank records
all the coins submitted for validation.

Best would be a proof protocol in which the bank proves correctness
or incorrectness of the coin, but never learns which applies to the coin.
Then even if the coin is "marked" by being incorrect, the bank could not
link that to the validator. I think Jakobsson and Yung have a paper on
"Agnostic and Blindfolded Provers" which may be useful for this...

Ah, "Proving without Knowing" from CRYPTO '96, also at
http://www.bell-labs.com/user/markusj/

It's been a while since skimming it, but I'll start looking at it...

My point is that we may be able to manage the computations required for
verifying coins, in the sense that we may be able to defer or delegate them
w/o endangering the withdrawer. This could make the system more
efficient, particularly if the verification can be done in scheduled
batches. Time to look for efficient batch exponentiation schemes...

Thanks,
-David Molnar
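Added example (not from this thread, nor from the Wagner or Jakobsson-Yung papers it mentions): a toy sketch of the deferred, delegated validation described above, assuming a simplified discrete-log coin y = x^k with one blinding factor, a Chaum-Pedersen equality-of-logs proof made non-interactive with Fiat-Shamir, and a second blinding round by the validator so the bank proves a coin it never sees in the clear. Group parameters, key values and function names are constructed; the bank still learns whether the blinded coin it was challenged on was bad, which is exactly the residual linkage the message worries about.

```python
import hashlib
import secrets
# Toy group (constructed for this example): safe prime P = 2Q + 1, G of prime order Q.
P, Q, G = 2039, 1019, 4

def challenge(*transcript):
    """Fiat-Shamir challenge in [1, Q-1] (never 0, so a wrong key always fails)."""
    digest = hashlib.sha256(",".join(map(str, transcript)).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def withdraw(bank_key):
    """One-factor blind withdrawal: user blinds x as x^b, bank returns (x^b)^k,
    user unblinds with b^-1 mod Q.  Coin is (x, y); an honest bank gives y = x^k."""
    x = pow(G, secrets.randbelow(Q - 1) + 1, P)
    b = secrets.randbelow(Q - 1) + 1
    signed_blind = pow(pow(x, b, P), bank_key, P)   # all the bank ever sees
    return x, pow(signed_blind, pow(b, -1, Q), P)

def blind_for_validation(coin):
    """Validator's extra blinding: (x, y) -> (x^t, y^t) preserves log_x(y), so the
    bank can prove the coin without learning which coin it is."""
    x, y = coin
    t = secrets.randbelow(Q - 1) + 1
    return pow(x, t, P), pow(y, t, P)

def prove_same_key(coin, bank_key):
    """Bank's Chaum-Pedersen NIZK that log_G(K) == log_x(y) for K = G^bank_key.
    Transferable: anyone holding (coin, K, proof) can re-check it later."""
    x, y = coin
    K = pow(G, bank_key, P)
    w = secrets.randbelow(Q - 1) + 1
    a, b = pow(G, w, P), pow(x, w, P)
    c = challenge(G, K, x, y, a, b)
    return a, b, (w + c * bank_key) % Q

def verify_same_key(coin, K, proof):
    """Check the proof against the bank's published key K; no secret needed."""
    x, y = coin
    a, b, s = proof
    c = challenge(G, K, x, y, a, b)
    return (pow(G, s, P) == a * pow(K, c, P) % P
            and pow(x, s, P) == b * pow(y, c, P) % P)

def demo():
    k = 777                        # bank's real signing key (constructed)
    K = pow(G, k, P)               # the published key everyone verifies against
    honest = blind_for_validation(withdraw(k))
    marked = blind_for_validation(withdraw(k + 1))   # bank used another key for one user
    return (verify_same_key(honest, K, prove_same_key(honest, k)),       # True
            verify_same_key(marked, K, prove_same_key(marked, k)),       # False: y != x^k
            verify_same_key(marked, K, prove_same_key(marked, k + 1)))   # False: key != K
```

The marked coin fails validation whichever key the bank proves with, and because the proof is non-interactive the validator can hand it to anyone who wants to count bad coins.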



This archive was generated by hypermail 2b27 : Mon Dec 13 1999 - 22:38:54 CST