1.Blinded random large # (160 bits, so no collisions). Sig Alice (request for $100). 2.Sig bank_$100 (blinded(#)): signed by bank 3.Sig bank_$100 (#) 4.Sig bank_$100 (#) 5.OK from bank 6.OK from Bob AliceBob Bank 1 2 3 4 Anonymous online eCash 5 6 MINTING SPENDING SOURCE: GUY BLELLOCH
Chaum’s Double-Spending Protocol u = Alice’s account number (identifies her) r 0, r 1, …, r m-1 are m random numbers (ul i, ur i ) = a secret split of u over 2 pieces using r i so that both are required to recover u. E.g. (r i XOR u, r i ) ( XORing the pieces gives u) vl i = a bit commitment of ul i vr i = a bit commitment of ur i Coin contains: –Value –Unique ID (long random number) –(vl 0,vr 0 ), (vl 1,vr 1 ), …, (vl m-1,vr m-1 ) SOURCE: GUY BLELLOCH
1.2n blinded coins and Alice’s account # 2.A request to unblind and prove all bit commitments for n of the 2n coins (chosen at random) 3.The blinding factors and proofs of commitment for the n coins 4.Assuming step 3. passes, bank signs the other n coins AliceBank 1 2 Chaum’s Protocol: Minting 3 4 SOURCE: GUY BLELLOCH
1.A signed coin C (unblinded) 2.A random bit vector B of length m 3.For each i if bit B i = 0 return bit value for ul i else return bit value for ur i (not both) Include all “proofs” that the ul i or ur i match vl i or vr i Now the merchant checks that the coin is properly signed by the bank, and the ul or ur match the vl or vr AliceBob 1 2 Chaum’s Protocol: Spending 3 SOURCE: GUY BLELLOCH
1.The signed coin, bit vector B, values of ul i or ur i that Bob received from Alice. 2.An OK, or fail If fail, i.e., already returned: 1.If B matches previous order, the Merchant is guilty 2.Otherwise Alice is guilty and can be identified since for some i (where Bs don’t match) the bank will have (ul i, ur i ), which reveals her secret u (her identity). BobBank 1 2 Chaum’s Protocol: Depositing SOURCE: GUY BLELLOCH
Your consent to our cookies if you continue to use this website.