On Tue, Apr 09, 2002 at 06:45:43AM -0700, Mike Rosing wrote: > On Tue, 9 Apr 2002, Adam Back wrote: > > If you use the normal approach of putting the identity in the coin, > > you can't double-spend anonymously. > > But it's not until the coin goes back online, you need the minter's secret > key to decode the chain (maybe I have that wrong?).
You don't need the minter's secret key to identify the double-spender. Anyone who happens to see two coin transcripts answering different challenges with the same coin private key can recover all the attributes of the coin, including the identity attribute. This is described on p23 of [1]. Adam [1] "A Technical Overview of Digital Credentials", Stefan Brands, to appear International Journal on Information Security http://www.xs4all.nl/~brands/overview.pdf
