Cryptography Reference
In-Depth Information
case. The bank learns from Bob only a subset of the secret, so it's not much
good for them. The check number won't help them either, because they hadn't
seen it when signing in Step 4 (which was the reason why Alice had to create
R
herself in Step 1). Finally, the hash sum was covered by the blinding factor
upon signing.
However, if Alice cheats, i.e., uses the same check twice for different mer-
chants, then her identity will be disclosed to the bank. This is the trick with
this protocol, and the most important step is the seventh. The bank verifies each
check submitted to see whether or not its number was already stored. If so, then
numbers
Z
in Step 7 are identical with a probability of 2
−
40
, i.e., roughly one
trillionth. This is seldom enough so that, at least in practice, there is at least one
i
in which bits
z
i
differ on the checks given to the two merchants. The bank
recovers Alice's identity number
I
by simple XOR from
a
i
and
a
i
⊕
I
. Should
check numbers
R
for different persons happen to be identical, then different
i
would most likely produce different
I
,or
I
would be nonsensical.
On the other hand, if Bob submits one check twice, he gives himself away
immediately. Identical checks (with the same data sequences from Step 7) are
even rarer than one in a billion checks.
Finally, Bob cannot 'invent' checks himself since the bank can verify their own
signature on the check.
'Remainder Problems'
We saw that the Chaum - Fiat - Naor protocol is cryptologically secure, and it
is anonymous as long as Alice, the bank, and Bob are the only participants.
However, if Mallory manages to wiretap the line, he can do things worse than
theft: he can intercept Alice's check and issue it instantly, making Alice an
impostor. He can listen in on the communication between Alice and Bob and
submit the check faster than Bob, making Bob an impostor. Either way, there
would be lack of evidence. For this reason, all data communications have to be
cryptologically secure, and additional measures have to be taken in the event
Mallory breaks into Alice's or Bob's computer.
In the procedure above, Alice remains anonymous, but some income is recorded
at Bob's end. This is actually nothing exciting. Every merchant accepting
checks discloses their income to their bank.
Alice incurs interest lost during the time from when the check is signed to
when it is submitted to the bank. This shouldn't be a major problem since such
