[5698] in cryptography@c2.net mail archive
Re: Ecash without a mint
daemon@ATHENA.MIT.EDU (Wei Dai)
Mon Sep 20 18:55:41 1999
Date: Mon, 20 Sep 1999 11:56:23 -0700
From: Wei Dai <weidai@eskimo.com>
To: Adam Back <adam@cypherspace.org>
Cc: cypherpunks@cyberpass.net, cryptography@c2.net, dbs@philodox.com
Message-ID: <19990920115623.A762@eskimo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <199909201446.PAA15824@server.cypherspace.org>; from Adam Back on Mon, Sep 20, 1999 at 03:46:39PM +0100
On Mon, Sep 20, 1999 at 03:46:39PM +0100, Adam Back wrote:
> How communication and computationally intensive is the ZK proof as a
> function of the coin list length? Could the proof be used in a
> practical system?
The complexity is polylog in the number of coins, but unfortunately it is
not practical yet because the (noninteractive) ZK proofs use generic ZK
constructions rather than known efficient ZK proof systems (though the
authors say they are working on a practical version).
> Couldn't one have a mintless method of injecting new coins into the
> system by using hashcash in a similar way to that proposed by Wei Dei
> in b-money [1]?
I propose as an alternative to the above that (when it becomes practical)
we use Sander and Ta-Shma's protocol as a subprotocol in b-money to obtain
payer-payee unlinkability. (Payers and payees in b-money are pseudonyms,
but in the basic protocol the pseudonyms can be linked by payer-payee
relationships.) Each round the Sander-Ta-Shma protocol is run, and whoever
wants to pay converts b-money into coins and send them to payees. Payees
must convert coins back into b-money during the same round (the coin
database is wiped between rounds). This way the size of the distributed
database is minimized.
BTW Sander and Ta-Shma's paper is available at
http://www.icsi.berkeley.edu/~sander/publications/audit.ps.
