On Thu, Apr 11, 2002 at 08:30:07AM +0200, Anonymous wrote:
> > > Are you saying that if Alice pays Bob, he can anonymously exchange the
> > > coins and end up with new fresh coins with ALICE's identity in them?
> > > That's great, he can double spend all he wants and she ends up going
> > > to the pokey. No thanks.
> >
> > No that is prevented.
> > [Description of how the final payee refreshes his 0-value coin up to
> > the value of the transaction, without identifying himself]
>
> Okay, that sounds pretty good. But it's specific to Brands cash, right?
> The generic transferable off-line cash you described earlier can't
> do that.

I think the only extra requirement is: you need the owner of a coin to be able to prove that it's his coin. With normal Ferguson extension "single term off-line" to Chaum's coins you can't as there is no coin private key as with Brands. However I don't think it would be hard to add one.

I may have said this in an earlier message: I think you would just for example replace what is currently a random value by the hash of a per coin public key. Then a signature from the corresponding private key on the challenge (which is the hash of the 0-valued coin) would have the same effect.

Also Okamoto et al's scheme uses the same generic transferable technique, but their scheme is in addition divisible, though has the limitation that you can recognize the divided coins as coming from the same original coin.

So it is somewhat generic for off-line ecash systems if they either already have a coin private key allowing proof of ownership and binding one coin to the next 0-value coin, or if you can introduce a private key for that purpose. So that would be at least Okamoto et al, I think Ferguson's off-line-variant of Chaum's plus of course Brands'.

Adam
--
http://www.cypherspace.org/adam/
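
The binding described in the message above, as an added sketch that is not part of the original post or of any of the schemes it cites: the coin carries the hash of a per-coin public key in place of a random value, and the owner signs the hash of the 0-valued coin. A Lamport one-time signature stands in for the signature scheme, which the post does not name; the bank's blind signature over the coin is omitted, and all function and field names are hypothetical.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key pair (assumed scheme; the post names none).
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one preimage per message bit; the key must never sign twice.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

def make_coin(pk) -> dict:
    # The field that used to hold a random value now holds H(per-coin public key).
    # The bank's (blind) signature over the coin is omitted in this sketch.
    return {"key_hash": H(pk_bytes(pk))}

def prove_ownership(sk, pk, zero_coin: bytes) -> dict:
    # Challenge = hash of the 0-valued coin, binding this coin to the next one.
    return {"pk": pk, "sig": sign(sk, H(zero_coin))}

def check_ownership(coin: dict, zero_coin: bytes, proof: dict) -> bool:
    if H(pk_bytes(proof["pk"])) != coin["key_hash"]:
        return False  # revealed key is not the one committed to in the coin
    return verify(proof["pk"], H(zero_coin), proof["sig"])

# Constructed sample data.
owner_sk, owner_pk = keygen()
coin = make_coin(owner_pk)
zero_coin = b"constructed 0-value coin for payee"
proof = prove_ownership(owner_sk, owner_pk, zero_coin)
```

A proof is tied both to the coin (through the key hash) and to one specific 0-valued coin (through the challenge), so it cannot be replayed against a different 0-valued coin or produced by someone holding a different key.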