[17238] in cryptography@c2.net mail archive
Re: [Lucrative-L] double spends, identity agnosticism, and Lucrative
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri May 20 22:43:44 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Fri, 20 May 2005 22:59:22 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com, cypherpunks@lne.com
In-Reply-To: <42732C3B.16317.3BBC5C3@localhost>
James A. Donald wrote:
>>From: "Patrick" <patrick@lfcgate.com>
>>To: <lucrative-l@lucrative.thirdhost.com>
>>Subject: [Lucrative-L] double spends, identity agnosticism, and
>>Lucrative Date: Tue, 29 Apr 2003 14:46:48 -0600 Importance: Normal
>>Sender: owner-lucrative-l@lucrative.thirdhost.com
>>
>>
>> A quick experiment has confirmed the obvious: when a client
>>reissues a coin at the mint, both the blinded and its unblinded cousin
>>are valid instruments to the Lucrative mint.
>>
>> Example: Alice uses the Mint's API to reissue a one-dollar note,
>>blinding the coin before getting a signature, and unblinding the
>>signature afterwards. She's left with both a blinded and a non-blinded
>>version of the coin. The mint believes they are both valid. Instant,
>>unlimited inflation.
>>
>> I believe the solution to this is to have the mint track both
>>spent coins and issued coins (that is, it automatically cancels coins
>>it issues, before the client receives them). The client is left with
>>no choice but to go through a blinding and unblinding process in order
>>to have a usable coin.
>>
>> This seems to make identity-agnostic cash difficult or
>>impossible, at least with Lucrative:
>>http://www.io.com/~cman/agnostic.html,
>>http://cypherpunks.venona.com/date/1995/09/msg00197.html .
Would do if it were true - this is exactly why unblinded lucre coins
have structure - that is, you can check that they are well-formed by
doing hash operations on them. Blinded coins will fail these checks.
I forget the exact form of lucre coins (read the paper), but consider
the construction x || H(x) - clearly only the unblinded version of this
will have the right form.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
