Re: Double-blinding
Subject: Re: Double-blinding
From: lcs Mixmaster Remailer (mix@anon.lcs.mit.edu)
Date: Wed Dec 15 1999 - 19:20:04 CST
David Molnar writes:
> Two things I'm not clear on:
>
> 1) The concern is that the bank will "mark" coins by purposely
> invalidating them at withdrawal time. To conceal such marking, the
> bank may even treat them as "valid" at deposit time, but note
> the identity of the depositor.
>
> So unless the bank does a ZKP to show the new coin is correctly
> formed, the bank can exchange a bad coin for a bad coin. Then exchange
> doesn't seem to protect against marking. So the bank *must* do a ZKP
> at exchange time?
Yes, that seems correct, assuming that other proposed countermeasures
are not practical (like the frequent attempts at anonymous exchanges of
bogus coins).
> 2) If the bank issues a new coin iff the old coin is valid, does this
> count as "verifying" the old coin? Since a third party
> could be the exchanger, does this bring the protocol closer to
> Chaum's patent? Or would the bank have to explicitly give a ZKP
> that the _old_ coin is correctly formed in order for this to count
> as "signature verification" ?
It's not clear that even the latter would necessarily infringe either
of the relevant patents. It is probably closest to the blind version
of the undeniable signature patent, but technically infringing would
require that the bank be prepared to prove either of two things: that
the coin is good, or that the coin is bad.
We have been talking about the bank proving that a coin is good, but
not that the coin is bad. It is probably adequate to simply take the
bank's word for it on bad coins. Given the way the protocol is used,
and assuming clients are anonymous some of the time, then it would
seem that there is no need for the bad-coin ZK proof. In that case the
protocol arguably escapes the letter of the undeniable signature patent.
If you ever did need a bad-coin ZK proof, then you would have very
serious problems with this patent.
With the blind signature patent, the claim language requires that the
client end up with a "public key digital signature" which is "checkable
using a public key". Obviously this language could be interpreted
broadly or narrowly, and no doubt we can all guess which choice the
patent holder would prefer.
One distinction you could draw between successful deposit of a coin vs
some kind of ZK proof that it is good, is that the former does not require
a public key, while the latter undoubtedly does. The equivalent of the
public key in the Wagner blinding protocol is the public g^k value,
but this value is not used by the bank in verifying deposited coins.
However it would presumably have to be used in a ZK proof that a coin
is valid. Hence the latter is somewhat closer to making the coin
"checkable using a public key". But once you are splitting hairs this
fine, it could really go either way.
> In any case, I like the suggestion a good deal...especially if a way can
> be found to efficiently exchange and prove validity of many coins at once.
The ZK proofs are somewhat costly, roughly doubling the amount of work
which must be done if several coins are exchanged at once, compared to
not using a ZK proof.
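As an added example (not code from this thread or from any implementation it discusses), a toy version of the coin format under discussion: a coin is the pair (x, x^k) and the bank publishes g^k. It shows the distinction drawn above: the bank's deposit check uses only its secret k, while a proof that the coin is well formed needs the public g^k, and a coin the bank has "marked" passes the bank's own deposit check but cannot be given a valid proof. The toy group parameters, the multiplicative blinding (client sends x*g^b and divides out (g^k)^b), the Chaum-Pedersen style equality-of-logs proof, and the marker modelling a marked coin are all assumptions of this example.

```python
import hashlib, secrets
# Toy group, constructed for illustration only: safe prime p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def coin_base(serial):
    # Hash the client's serial into the order-q subgroup (squares mod p).
    return pow(H("coin", serial) % P, 2, P)

def bank_keygen():
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)                 # secret k and the public g^k

def blind(x):
    b = secrets.randbelow(Q - 1) + 1
    return b, (x * pow(G, b, P)) % P       # client sends x * g^b

def bank_sign(blinded, k, marker=1):
    # marker != 1 models a bank that deliberately "marks" one client's coin.
    return (pow(blinded, k, P) * marker) % P

def unblind(signed, b, y_pub):
    # Divide out (g^k)^b with the public g^k; an honest bank leaves z = x^k.
    return (signed * pow(pow(y_pub, b, P), -1, P)) % P

def deposit_check(x, z, k):
    # Bank-side check at deposit: uses only the secret k, never g^k.
    return pow(x, k, P) == z

def prove_valid(x, z, k, y_pub):
    # Chaum-Pedersen style proof (Fiat-Shamir) that log_g(y_pub) == log_x(z).
    r = secrets.randbelow(Q)
    a, c_x = pow(G, r, P), pow(x, r, P)
    c = H(G, y_pub, x, z, a, c_x) % Q
    return a, c_x, (r - c * k) % Q

def verify_valid(x, z, y_pub, proof):
    # Client-side check: needs the public g^k, which deposit_check does not.
    a, c_x, s = proof
    c = H(G, y_pub, x, z, a, c_x) % Q
    return (pow(G, s, P) * pow(y_pub, c, P)) % P == a and (pow(x, s, P) * pow(z, c, P)) % P == c_x

def withdraw(serial, k, y_pub, marker=1):
    x = coin_base(serial)
    b, blinded = blind(x)
    return x, unblind(bank_sign(blinded, k, marker), b, y_pub)
```

A marked coin still satisfies the marking bank's private check (x^k times its marker), which is exactly why the client gains nothing from a successful deposit alone and needs the proof against g^k.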
This archive was generated by hypermail 2b27 : Wed Dec 15 1999 - 21:38:09 CST