[E-Lang] Hash Chaining & Capabilities, Proposal #2d: Deputizing Remote Vats
Nikita Borisov
nikitab@cs.berkeley.edu
Mon, 20 Nov 2000 14:23:17 -0800
Ben Laurie writes:
>> Alice and Bob talk to the bank. The offline payment systems that I'm
>> familiar with rely on auditable double spending; i.e. the protocol is
>> payer anonymous if a coin has been spent only once, but the payer's
>> identity is revealed in the case of double spending.
>
>Interesting. How does that work?
The basic construction is that the payment protocol involves answering a
random challenge, which verifies the validity of the coin, in such a
manner that answering two different challenges with the same coin will
reveal the secret. Very roughly, in the original construction, due to
Chaum, Fiat, and Naor (Crypto '88), the bank signs a bunch of pairs
h(h(x1),h(x2)), where h() is a hash function, and x1 XOR x2 reveals your
identity. For each pair, the merchant chooses a one-bit challenge, and
the payer reveals x1,h(x2) or h(x1),x2 based on the value of the bit.
Brands has much more practical constructions; you can read about them in
his book ("Rethinking Public Key Infrastructures and Digital
Certificates: Building In Privacy"). I won't retell the details of
either scheme, as I would almost surely make a mistake, and they would
probably be off-topic to the list anyway. I hope the references will
provide sufficient information.
- Nikita
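As an added illustration of the mechanism Nikita sketches (this is not code from the message, nor from the Chaum-Fiat-Naor paper or Brands' book), here is a toy Python model of the hash-pair construction: each pair satisfies x1 XOR x2 = identity, the merchant's one-bit challenge reveals one half in the clear and the other only hashed, and the bank's audit recovers the identity as soon as two responses for the same coin answer challenges that differ in any bit. Assumptions: h() is instantiated as SHA-256, the identity is a fixed-length byte string, the bank's blind signature over the commitments is left out, and all function names are mine.

```python
import hashlib
import secrets

# Toy model of double-spending auditability in the Chaum-Fiat-Naor style.
# The bank's (blind) signature over the commitments is assumed to exist out
# of band and is not modelled here.

def h(data: bytes) -> bytes:
    """The hash function h() from the post, instantiated as SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_coin(identity: bytes, k: int):
    """Build k pairs (x1, x2) with x1 XOR x2 == identity, plus the commitments
    h(h(x1), h(x2)) that the bank would sign.  Returns (pairs, commitments)."""
    pairs = []
    for _ in range(k):
        x1 = secrets.token_bytes(len(identity))
        x2 = xor(x1, identity)          # so that x1 XOR x2 reveals the identity
        pairs.append((x1, x2))
    commitments = [h(h(x1) + h(x2)) for x1, x2 in pairs]
    return pairs, commitments

def random_challenge(k: int):
    """Merchant picks one challenge bit per pair."""
    return [secrets.randbits(1) for _ in range(k)]

def answer_challenge(pairs, bits):
    """Payer's response per pair: bit 0 -> (x1, h(x2)); bit 1 -> (h(x1), x2).
    One spend never exposes both halves of any pair."""
    response = []
    for (x1, x2), b in zip(pairs, bits):
        response.append((0, x1, h(x2)) if b == 0 else (1, h(x1), x2))
    return response

def verify_payment(commitments, response) -> bool:
    """Merchant's check: the revealed values must hash back to the signed
    commitments; any tampered half fails."""
    if len(commitments) != len(response):
        return False
    for c, (b, left, right) in zip(commitments, response):
        if b == 0:
            ok = h(h(left) + right) == c    # left = x1, right = h(x2)
        else:
            ok = h(left + h(right)) == c    # left = h(x1), right = x2
        if not ok:
            return False
    return True

def trace_double_spender(resp_a, resp_b):
    """Bank's audit when the same coin is deposited twice: the first pair whose
    challenge bits differ yields x1 from one response and x2 from the other,
    and their XOR is the payer's identity.  Returns None only if every bit
    matched (probability 2^-k for random challenges)."""
    for (ba, a_left, a_right), (bb, b_left, b_right) in zip(resp_a, resp_b):
        if ba == bb:
            continue
        x1, x2 = (a_left, b_right) if ba == 0 else (b_left, a_right)
        return xor(x1, x2)
    return None

if __name__ == "__main__":
    identity = b"payer-id-0001234"          # constructed sample identity
    pairs, commitments = make_coin(identity, 8)
    first = answer_challenge(pairs, random_challenge(8))
    second = answer_challenge(pairs, random_challenge(8))
    print("first spend valid:", verify_payment(commitments, first))
    print("traced identity:", trace_double_spender(first, second))
```

The merchant only checks the hashes and stores the response; the bank sees a payer's identity only when the same commitments arrive with two different transcripts, which is exactly the "anonymous if spent once" property described above.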