Digital Cash
============

These protocols are described in "Applied Cryptography" by Bruce Schneier.

Principals:

+ The spender (A, Alice)
+ The merchant (B, Bob)
+ The financial institution (F, Frank)

Properties:

+ Alice can spend cash anonymously; neither Bob nor Frank can identify Alice.
+ Neither Alice nor Bob can copy the cash and spend/deposit it twice.
    - Note that if Bob tries to deposit the cash twice, Alice remains anonymous.
+ No additional authority besides Frank is needed to validate transactions (compare with Bitcoin).

Protocol #1
-----------

1. Alice prepares 100 anonymous money orders for \$1000 each.
2. Alice blinds each money order and sends them all to Frank.
3. Frank requests the blinding factors for 99 envelopes selected by him at random and confirms that each unblinded money order is properly formatted.
4. Frank blind signs the remaining money order and deducts \$1000 from Alice's account.
5. Alice unblinds the money order and spends the money with Bob.
6. Bob checks Frank's signature to convince himself the money is good.
7. Bob takes the money to Frank.
8. Frank checks the signature and adds \$1000 to Bob's account.

This does not solve the double spending problem.

Protocol #2
-----------

1. Alice prepares 100 anonymous money orders for \$1000 each. On each money order she writes a uniqueness string long enough to make the chance of it ever being reused negligible.
2. Alice blinds each money order and sends them all to Frank.
3. Frank requests the blinding factors for 99 envelopes selected by him at random and confirms that each unblinded money order is properly formatted.
4. Frank blind signs the remaining money order and deducts \$1000 from Alice's account.
5. Alice unblinds the money order and spends the money with Bob.
6. Bob checks Frank's signature to convince himself the money is good.
7. Bob takes the money to Frank.
8. Frank checks the signature and checks his database to ensure the uniqueness string has never been used before. Frank adds \$1000 to Bob's account and records the uniqueness string in the database.

Frank detects double spending, but can't tell who is trying to cheat, Alice or Bob.

Protocol #3
-----------

1. Alice prepares 100 anonymous money orders for \$1000 each. On each money order she writes a uniqueness string long enough to make the chance of it ever being reused negligible.
2. Alice blinds each money order and sends them all to Frank.
3. Frank requests the blinding factors for 99 envelopes selected by him at random and confirms that each unblinded money order is properly formatted.
4. Frank blind signs the remaining money order and deducts \$1000 from Alice's account.
5. Alice unblinds the money order and spends the money with Bob.
6. Bob checks Frank's signature to convince himself the money is good.
7. Bob asks Alice to write a random identity string on the money order. Alice complies.
8. Bob takes the money to Frank.
9. Frank checks the signature and checks his database to ensure the uniqueness string has never been used before. Frank adds \$1000 to Bob's account and records both the uniqueness string and the identity string in the database.

If Frank sees a repeated uniqueness string he knows the money order is a duplicate. If the identity string is repeated he knows Bob tried to make a copy; otherwise if the identity string is unique, Alice made the copy. This assumes Bob can't change the identity string once Alice writes it.

Alice can frame Bob by using the same identity string multiple times, making it appear as if Bob copied the money.

Bob needs to interact with Frank while Alice waits or else he runs the risk of being left with bad money after Alice walks away with the goods.

Protocol #4
-----------

...
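The money flow of Protocol #3 above, as an added Python example (not from the original page or from the book): Alice blinds an order, Frank signs it unseen, Bob verifies, and Frank's deposit check applies the uniqueness/identity string rule. Assumptions: the page names no signature scheme, so textbook RSA blind signing is used here; the toy key, the `amount=...;uniq=...` order format and all function names are constructed, and the cut-and-choose over 100 envelopes is left out.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for Frank (constructed here: two Mersenne primes, not secure).
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Frank's private exponent

def digest(order: bytes) -> int:
    # Hash the money order to an integer modulo N.
    return int.from_bytes(hashlib.sha256(order).digest(), "big") % N

def new_order(amount: int) -> bytes:
    # Alice: money order carrying a 128-bit random uniqueness string.
    return b"amount=%d;uniq=%s" % (amount, secrets.token_hex(16).encode())

def blind(order: bytes):
    # Alice: multiply the digest by r^E so Frank cannot read or link it.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(order) * pow(r, E, N) % N, r

def blind_sign(blinded: int) -> int:
    # Frank: sign the blinded value; he sees neither the digest nor r.
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    # Alice: divide out r, leaving Frank's ordinary signature on the order.
    return blind_sig * pow(r, -1, N) % N

def verify(order: bytes, sig: int) -> bool:
    # Bob or Frank: check Frank's signature against the order's digest.
    return pow(sig, E, N) == digest(order)

class Bank:
    # Frank's deposit check from Protocol #3.
    def __init__(self):
        self.seen = {}  # uniqueness string -> identity strings already deposited
    def deposit(self, order: bytes, sig: int, identity: str) -> str:
        if not verify(order, sig):
            return "bad signature"
        ids = self.seen.setdefault(order.rpartition(b"uniq=")[2], set())
        verdict = "credited"
        if ids:  # uniqueness string seen before: decide who made the copy
            verdict = "merchant copied" if identity in ids else "spender copied"
        ids.add(identity)
        return verdict
```

The identity string is passed outside the signed order, matching the page's caveat that the verdict assumes Bob cannot change it and that Alice reusing one string makes the copy look like Bob's.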