

How To Make A Mint: The Cryptography Of Anonymous Electronic Cash (1996) - ferdo
http://cryptome.org/jya/nsamint.htm

======
IvyMike
In 1995(?) I went to a talk by Chaum, and was convinced that e-cash was the
way of the future. It was awesome.

Then, in 1996(ish) I went to a talk by Simson Garfinkel, and asked him about
e-cash. This dashed my hopes for e-cash. He specifically raised an important
objection to all the e-cash schemes of the time: the "risk" of the system was
essentially infinite. An e-cash mint could, if subverted by hook or crook,
print an infinite amount of e-cash, thus disrupting the entire system.
(Imagine terrorists with guns going into an e-cash mint and saying "Print us
one quadrillion dollars of money". In the e-cash systems of the time, a few
minutes later, they would say "here ya go, one quadrillion dollars of
untraceable unrevokable money".)

I think the genius of the bitcoin system is that there is no central mint, and
the "proof-of-work" system eliminates the possibility of someone minting an
infinite amount of cash.

P.S. It's Saturday night and I'm not entirely sober. If you want to call me an
idiot based on the above, well, that seems fair. On the other hand, if you
want to argue with either Chaum or Garfinkel, please research and read what
they actually wrote rather than rely on my drunken recollection.

------
A1kmm
But I don't think the blinding scheme presented in section 3.2 can be trusted
if the bank logs all coins it signs and all coins it verifies.

When signing a coin to make a withdrawal, the bank is given

    r^v · M (mod N)

where N and v are publicly known, and M and r are only known to Alice.

The bank computes r · M^s (mod N) (using s, which only the bank knows).

Later, Bob supplies the bank with M', a message, and (r · M^s (mod N)) / r,
and the bank is not supposed to be able to link M' back to M.

But the bank can enumerate all (r_i^v · M_i (mod N)) that it signed, and
divide by M'; if M=M', the result is of the form r_i^v (mod N). The bank knows
the prime factorisation N = pq, so they can test r_i^v (mod p) and r_i^v (mod
q); for a prime modulus, computing a power residue is efficient, and for a
large enough p and q (as you want in cryptography) and a moderately high v,
this gives a high level of confidence that M=M'.
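
The scheme as this comment describes it, run end to end as an added example (this is not code from the linked paper or from the commenter): toy RSA parameters N = pq, public v, the bank's secret s, Alice's M and r, then the bank's divide-by-M' step over its withdrawal log and a v-th power residue test mod p and mod q. All parameter values are constructed for illustration and are far too small to be secure. The function and variable names are the example's own. One thing the run makes visible: the quotient for the matching log entry does come out as r_i^v, but the residue test uses the standard criterion x^((p-1)/gcd(v,p-1)) ≡ 1 (mod p), and with v coprime to p-1 and q-1 (as an RSA exponent must be) that criterion holds for every nonzero x, so the test reports "residue" for every logged coin, not only the matching one.

```python
"""
RSA blind signature (Chaum) in the notation of the comment above.
Toy parameters constructed for the example; not secure, not production code.
"""
from math import gcd

# Constructed toy RSA parameters (far too small for real use).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
V = 17                      # public verification exponent v
S = pow(V, -1, PHI)         # bank's secret signing exponent s = v^-1 mod phi(N)


def blind(m: int, r: int) -> int:
    """Alice blinds M with r and sends r^v * M (mod N) to the bank."""
    assert gcd(r, N) == 1, "r must be invertible mod N"
    return (pow(r, V, N) * m) % N


def bank_sign(blinded: int) -> int:
    """Bank signs what it receives: (r^v * M)^s = r * M^s (mod N), since r^(vs) = r."""
    return pow(blinded, S, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Alice divides by r to obtain the plain signature M^s (mod N)."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Anyone (Bob, the bank) checks sig^v == M (mod N)."""
    return pow(sig, V, N) == m % N


def bank_quotient(logged_blinded_value: int, m_prime: int) -> int:
    """Bank divides a logged r_i^v * M_i by the deposited M'."""
    return (logged_blinded_value * pow(m_prime, -1, N)) % N


def is_vth_power_residue(x: int, p: int) -> bool:
    """x is a v-th power residue mod prime p iff x^((p-1)/gcd(v, p-1)) == 1 (mod p).
    With gcd(v, p-1) == 1, as RSA requires, this is x^(p-1), which is 1 for all x != 0."""
    x %= p
    if x == 0:
        return True
    return pow(x, (p - 1) // gcd(V, p - 1), p) == 1


def demo() -> dict:
    # Two withdrawals logged by the bank: constructed (M_i, r_i) pairs.
    coins = [(123456, 777), (654321, 999)]
    log = [blind(m, r) for m, r in coins]
    sigs = [unblind(bank_sign(b), r) for b, (_, r) in zip(log, coins)]

    # Bob deposits coin 0 as (M', M'^s); the bank tries to link it to the log.
    m_prime, sig_prime = coins[0][0], sigs[0]
    quotients = [bank_quotient(b, m_prime) for b in log]
    return {
        "all_coins_verify": all(verify(m, sg) for (m, _), sg in zip(coins, sigs)),
        "deposit_ok": verify(m_prime, sig_prime),
        "quotient_matches_r0_v": quotients[0] == pow(coins[0][1], V, N),
        # (mod p, mod q) residue test for the matching and the non-matching entry
        "residue_tests": [(is_vth_power_residue(q, P), is_vth_power_residue(q, Q))
                          for q in quotients],
    }


if __name__ == "__main__":
    print(demo())
```

The residue test is written generically (it divides the exponent by gcd(v, p-1)), so it would behave differently for an exponent sharing a factor with p-1; for an RSA v it degenerates to Fermat's test and every quotient passes, which is what `residue_tests` shows for both the matching and the non-matching log entry.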

~~~
betterunix
Indeed; this is why provable security is so important:

[http://www1.icsi.berkeley.edu/~luby/PAPERS/blind.ps](http://www1.icsi.berkeley.edu/~luby/PAPERS/blind.ps)

[http://eprint.iacr.org/2011/316.pdf](http://eprint.iacr.org/2011/316.pdf)

[http://www.cs.umd.edu/~jkatz/papers/blind_sigs-proc.pdf](http://www.cs.umd.edu/~jkatz/papers/blind_sigs-proc.pdf)

------
dcc1
tl;dr NSA invented Bitcoin?

~~~
Scaevolus
Their proposal requires a central bank. They discuss how to do "offline"
transactions without contacting this central authority, but double-spending
would only be detected when money is "deposited" back into the central bank.

~~~
betterunix
It is worth pointing out that the double spending is not merely detected in
these systems; the bank is able to compute a proof, that anyone can verify, of
a particular party's guilt. This allows the bank to create a blacklist, or to
use a legal system, etc.
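
A toy of the mechanism these two comments describe, added here as an illustration (it is not the paper's construction and not code from either commenter): an offline coin carries commitments to shares of the spender's identity; each spend opens one half of every pair according to the merchant's challenge; a single deposit reveals nothing, while two deposits of the same coin under different challenges let the bank XOR two halves of one pair together, recovering the identity along with openings that anyone can check against the coin's commitments. The edge case is included: a replay with an identical challenge is still detected as a double spend but yields no identity. Names, the share count K, the fixed RNG seed and the identity value are all the example's own; the hash-based commitment and 64-bit shares are simplifications, and the coin carries no bank signature here.

```python
"""
Toy offline coin with identity splitting (Chaum-Fiat-Naor style).
Constructed illustration: toy commitments, fixed-seed RNG, no blind signature
on the coin, so not secure and not the linked paper's exact scheme.
"""
import hashlib
import random

K = 8  # number of identity-share pairs per coin (illustrative choice)


def h(x: int) -> str:
    """Toy commitment to an integer share."""
    return hashlib.sha256(str(x).encode()).hexdigest()


def mint_coin(identity: int, rng: random.Random) -> dict:
    """Alice splits her identity into K pairs (a_i, a_i XOR identity) and commits to each half."""
    shares = [(a, a ^ identity) for a in (rng.getrandbits(64) for _ in range(K))]
    return {
        "commitments": [(h(a), h(b)) for a, b in shares],  # public part of the coin
        "shares": shares,                                   # Alice keeps these secret
    }


def spend(coin: dict, challenge: list) -> dict:
    """Merchant challenge bit c_i selects which half of pair i Alice opens."""
    opened = [coin["shares"][i][c] for i, c in enumerate(challenge)]
    return {"commitments": coin["commitments"], "challenge": challenge, "opened": opened}


def verify_spend(spent: dict) -> bool:
    """Merchant or bank checks every opened half against the coin's commitments."""
    return all(h(x) == spent["commitments"][i][c]
               for i, (c, x) in enumerate(zip(spent["challenge"], spent["opened"])))


def deposit(ledger: dict, spent: dict):
    """Bank accepts a first deposit; on a repeat it tries to extract the identity.
    Returns (accepted, proof); proof is None unless guilt could be established."""
    if not verify_spend(spent):
        return False, None
    key = tuple(spent["commitments"])
    if key not in ledger:
        ledger[key] = spent
        return True, None
    first = ledger[key]
    for i, (c1, c2) in enumerate(zip(first["challenge"], spent["challenge"])):
        if c1 != c2:
            halves = (first["opened"][i], spent["opened"][i])  # a_i and a_i ^ identity
            proof = {"index": i, "halves": halves, "identity": halves[0] ^ halves[1]}
            return False, proof
    return False, None  # same challenge twice: double spend detected, identity unrecoverable


def proof_checks_out(proof: dict, coin_commitments: list) -> bool:
    """What 'anyone can verify': both halves open the commitment pair at proof['index']."""
    return {h(x) for x in proof["halves"]} == set(coin_commitments[proof["index"]])


def demo() -> dict:
    rng = random.Random(1234)  # fixed seed for reproducibility; use secrets in practice
    alice = 0xA11CE            # constructed identity value
    coin = mint_coin(alice, rng)
    ledger = {}
    c1 = [rng.getrandbits(1) for _ in range(K)]
    c2 = [b ^ 1 for b in c1]   # a second merchant's challenge, differing in every bit
    ok1, _ = deposit(ledger, spend(coin, c1))
    ok2, proof = deposit(ledger, spend(coin, c2))
    ok3, proof3 = deposit(ledger, spend(coin, c1))  # replay with the identical challenge
    return {
        "first_accepted": ok1,
        "second_accepted": ok2,
        "identity": proof["identity"] if proof else None,
        "proof_verifies": proof is not None and proof_checks_out(proof, coin["commitments"]),
        "replay_accepted": ok3,
        "replay_identified": proof3 is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last two fields is the caveat a bank operator would care about: detection happens at deposit either way, but identification needs challenges that differ in at least one position, which is why real schemes have the merchant derive the challenge from its own identity and a fresh nonce.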

