Withdrawal and Exchange

 

The consumer generates a public key pair to use with each withdrawal. The public half of the pair is used to form . The steps of the this protocol are given in Figure1.

 

   

Figure 1: Token withdrawal protocol.

At the end of the protocol, the consumer can form the token by unblinding . The contents of specify the public key Q (including modulus), whose private half is known only to C.

A token may be anonymously exchanged for a new token in a similar fashion by replacing the consumer's public key with the token's single-use key. The token exchange steps are given in Figure 2.

 

 

Figure 2: Token exchange protocol.

The following is an example protocol using a specific blinding technique. The bank has an RSA public key pair with modulus , public exponent 3, and private exponent . The bank has also made public a cryptographic hash function h.

1. C generates a desired public key pair Q,q with modulus
2. C selects a random number
3. 1.
4. B computes
5. 2.
6. C computes and then
7. C has

The bank may use multiple signature keys for its blind signature, corresponding to different brands of tokens. The brand of a token determines its denomination and its withdrawal date. Having token brands is important for limiting the data logging requirements for the bank: until a brand of blinded token is withdrawn from use, the bank must maintain a database containing auditing information proving that expended tokens have been spent in order to prevent double spending (see Section 5). By a priori declaring that tokens will be worthless after the brand withdrawal date, the bank limits its data logging obligations; furthermore, brand withdrawal will also limit risk, since it limits the amount of time attackers will have to attack the key. Next, we discuss how the blind-signed token obtained above is used in the purchase protocol.