RE: A stab at the sealer in E hal@finney.org
Tue, 9 Nov 1999 14:59:21 -0800

Tyler Close wrote:
> Hal Finney wrote:
> > If you did blinded cash, you might want to think about the resulting
> > object as being something like a "sturdyref", where you can turn it
> > into a real capability. At the time it was transformed in this way,
> > the object to which it was a capability would have to be created, unlike
> > with a regular sturdyref where the object already exists. I don't know
> > how well this would work with the rest of the system, though.
>
> Close.
>
> Rather than created, an object would have to be removed from
> a pool in which another (or the same) object was placed when
> the blinded token was signed.

I would think you could do it either way. Create the object at the time the blind token is created, and put it in a pool, then return one of the objects when the token is presented. Or else, wait and create the object at the time the token is presented. With the latter approach, you could increment a count of outstanding objects at issuance time, if you wanted to check for the possibility of there being more tokens presented than outstanding objects, which shouldn't happen.

Either way the tricky part is that you need to recognize when a presented token matches one you've already seen, and return the same object you gave out previously for that particular token. Or perhaps in some cases you would want to cause an exception if the same token is presented more than once, but you still have to recognize that fact.

> Using the ERTP protocol, you could create a 'blinding agent'
> that would sign blinded tokens in return for Purses
> containing erights. Later, these signed tokens could be
> redeemed for another Purse containing the represented number
> of erights.

Yes, I see, that makes sense.

One minor point: signing is not the only way to implement blinding. It's a delicate issue because the field has several patents, and it becomes something of a gray area whether various algorithms are covered by the patents. David Wagner has an approach described in http://www.deja.com/getdoc.xp?AN=145097228 which creates a blind token that can be verified only by the issuer, and is arguably not a digital signature. It's really a blinded Diffie-Hellman key exchange rather than a blind signature.

There is some work going on to use this as the basis for a patent-free cash system (http://ecoin.net/mmdh/), although I suspect that the issue will eventually have to be tested in court.

Hal
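
A toy sketch of the redemption logic discussed in the message above: the issuer counts outstanding tokens at issuance, creates the object when a token is first presented, and hands back the same object if that token is presented again, all on top of an issuer-verifiable blinded Diffie-Hellman style token. This is an added example, not code from this thread, from Wagner's post or from E/ERTP; the names `Issuer`, `withdraw` and `h2g`, the modulus and the base are assumptions made for illustration, and the parameters are not a vetted group.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime), constructed for this example
G = 3            # fixed public base (assumption)

def h2g(serial: bytes) -> int:
    """Hash a serial number to a nonzero element mod P."""
    return 1 + int.from_bytes(hashlib.sha256(serial).digest(), "big") % (P - 1)

class Issuer:
    def __init__(self):
        self._k = secrets.randbelow(P - 3) + 2   # secret exponent
        self.public = pow(G, self._k, P)         # Y = G^k, known to holders
        self.outstanding = 0                     # issued but not yet redeemed
        self._redeemed = {}                      # serial -> object handed out

    def issue(self, blinded: int) -> int:
        """Exponentiate a blinded element; the issuer never sees the serial."""
        self.outstanding += 1
        return pow(blinded, self._k, P)

    def redeem(self, serial: bytes, token: int):
        """Return the object for this token, the same one on every presentation."""
        # Only the holder of k can recompute H(serial)^k, so only the issuer verifies.
        if token != pow(h2g(serial), self._k, P):
            raise ValueError("token was not issued by this issuer")
        if serial in self._redeemed:             # seen before: same object again
            return self._redeemed[serial]
        if self.outstanding == 0:                # should never happen
            raise RuntimeError("more tokens presented than issued")
        self.outstanding -= 1
        obj = self._redeemed[serial] = object()  # stand-in for a Purse
        return obj

def withdraw(issuer: Issuer, serial: bytes) -> int:
    """Holder side: blind H(serial), have it exponentiated, then unblind."""
    b = secrets.randbelow(P - 3) + 2             # one-time blinding exponent
    blinded = h2g(serial) * pow(G, b, P) % P
    signed = issuer.issue(blinded)               # (H * G^b)^k = H^k * Y^b
    return signed * pow(pow(issuer.public, b, P), -1, P) % P
```

To raise an exception on a second presentation instead, replace the `return self._redeemed[serial]` branch with a `raise`; the lookup that recognizes the repeat is needed either way.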