A stab at the sealer in E

hal@finney.org
Tue, 9 Nov 1999 14:59:21 -0800

Tyler Close wrote:
> Hal Finney wrote:
> > If you did blinded cash, you might want to think about the resulting
> > object as being something like a "sturdyref", where you can turn it
> > into a real capability.  At the time it was transformed in this way,
> > the object to which it was a capability would have to be created, unlike
> > with a regular sturdyref where the object already exists.  I don't know
> > how well this would work with the rest of the system, though.
> Close.
> Rather than created, an object would have to be removed from
> a pool in which another (or the same) object was placed when
> the blinded token was signed.

I would think you could do it either way.  Create the object at the time
the blind token is created, and put it in a pool, then return one of
the objects when the token is presented.  Or else, wait and create the
object at the time the token is presented.  With the latter approach,
you could increment a count of outstanding objects at issuance time,
if you wanted to check for the possibility of there being more tokens
presented than outstanding objects, which shouldn't happen.

Either way the tricky part is that you need to recognize when a presented
token matches one you've already seen, and return the same object you
gave out previously for that particular token.  Or perhaps in some cases
you would want to cause an exception if the same token is presented more
than once, but you still have to recognize that fact.

> Using the ERTP protocol, you could create a 'blinding agent'
> that would sign blinded tokens in return for Purses
> containing erights. Later, these signed tokens could be
> redeemed for another Purse containing the represented number
> of erights.

Yes, I see, that makes sense.

One minor point: signing is not the only way to implement blinding.
It's a delicate issue because the field has several patents, and
it becomes something of a gray area whether various algorithms are
covered by the patents.  David Wagner has an approach described in
http://www.deja.com/getdoc.xp?AN=145097228 which creates a blind token
that can be verified only by the issuer, and is arguably not a digital
signature.  It's really a blinded Diffie-Hellman key exchange rather
than a blind signature.

There is some work going on to use this as the basis for a patent-free
cash system (http://ecoin.net/mmdh/), although I suspect that the issue
will eventually have to be tested in court.
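
Added example, not part of the original message and not code from E or from the linked posting: a Python sketch of an issuer that counts tokens at issuance, creates the object at presentation time, and returns the same object when a token is presented again, using a blinded Diffie-Hellman style token that only the issuer can verify. The toy group, the hash-to-group step, and all names (`Issuer`, `sign_blinded`, `redeem`, `blind`, `unblind`) are assumptions made for illustration.

```python
import hashlib
import secrets

P, Q = 1019, 509  # toy safe prime P = 2Q + 1, constructed; far too small for real use

def hash_to_group(t: bytes) -> int:
    """Map a token id into the order-Q subgroup of squares mod P."""
    return pow(int.from_bytes(hashlib.sha256(t).digest(), "big") % P, 2, P)

def blind(t: bytes):
    """Holder side: hide H(t) behind a random exponent r before sending it."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(t), r, P)

def unblind(r: int, signed: int) -> int:
    """Holder side: strip r, leaving H(t)^k, which only the issuer can check."""
    return pow(signed, pow(r, -1, Q), P)

class Issuer:
    def __init__(self):
        self._k = secrets.randbelow(Q - 1) + 1  # issuer's secret exponent
        self.outstanding = 0                    # counted at issuance time
        self._redeemed = {}                     # token id -> object handed out
    def sign_blinded(self, blinded: int) -> int:
        self.outstanding += 1
        return pow(blinded, self._k, P)         # issuer never sees H(t) itself
    def redeem(self, t: bytes, value: int):
        if value != pow(hash_to_group(t), self._k, P):
            raise ValueError("token does not verify")
        if t in self._redeemed:                 # seen before: same object again
            return self._redeemed[t]
        if self.outstanding == 0:
            raise RuntimeError("more tokens presented than issued")
        self.outstanding -= 1
        obj = self._redeemed[t] = object()      # created at presentation time
        return obj

def demo():
    issuer = Issuer()
    t = secrets.token_bytes(16)                 # token id chosen by the holder
    r, blinded = blind(t)
    value = unblind(r, issuer.sign_blinded(blinded))
    first = issuer.redeem(t, value)
    again = issuer.redeem(t, value)             # re-presentation is recognized
    return issuer, t, value, first, again

if __name__ == "__main__":
    _, _, _, first, again = demo()
    print("same object on re-presentation:", first is again)
```

To raise an exception on a second presentation instead, replace the `return self._redeemed[t]` branch with a `raise`; the lookup that recognizes the repeat is needed either way.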