>From Eurocrypt:
Abstract. We consider the question of protecting the privacy of
customers buying digital goods. More specifically, our goal is
to allow a buyer to purchase digital goods from a vendor without
letting the vendor learn what, and to the extent possible also when
and how much, it is buying. We propose solutions which allow the
buyer, after making an initial deposit, to engage in an unlimited
number of priced oblivious-transfer protocols, satisfying the
following requirements: As long as the buyer's balance contains
sufficient funds, it will successfully retrieve the selected item
and its balance will be debited by the item's price. However, the
buyer should be unable to retrieve an item whose cost exceeds its
remaining balance. The vendor should learn nothing except what must
inevitably be learned, namely, the amount of interaction and the
initial deposit amount (which imply upper bounds on the quantity
and total price of all information obtained by the buyer). In
particular, the vendor should be unable to learn what the buyer's
current balance is or when it actually runs out of its funds.
