From: Sergio Lerner
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: Question regarding common modulus on elliptic curve cryptosystems AND E-CASH
Date: Fri, 06 Jul 2018 02:40:03 +0000
Message-ID: <172289061150.3849117.6541429380660121437.generated@mail.pglaf.org>

I've read some papers, not that much. But I don't mind reinventing the wheel, as long as the new protocol is simpler to explain.

Reading the literature, I couldn't find an e-cash protocol which:

- Hides the destination / source of payments.
- Hides the amount of money transferred.
- Hides the account balance of each person from the bank.
- Allows off-line payments.
- Avoids giving the same "bill" to two different people by design. This means that the protocol does not need to detect the use of cloned "bills".
- Gives each person a cryptographic proof of owning the money they have in case of dispute.

If someone points me to a protocol that manages to fulfill these requirements, I'd be delighted.

I think I can do it with a commutative signing primitive, and a special zero-proof of knowledge.

Regards,
Sergio Lerner.

On 22/03/2010 10:25 a.m., Jonathan Katz wrote:
>That paper was from 1980. A few things have changed since then. =)
>
>In any case, my point still stands: what you actually want is some
>e-cash system with some special properties. Commutative encryption is
>neither necessary nor (probably) sufficient for what you want. Have
>you at least looked at the literature (which must be well over 100
>papers) on e-cash?
>
>On Mon, 22 Mar 2010, Sergio Lerner wrote:
>
>>Commutativity is a beautiful and powerful property. See "On the power
>>of Commutativity in Cryptography" by Adi Shamir.
>>Semantic security is great and has given a new provable sense of
>>security, but commutative building blocks can be combined to build
>>the strangest protocols without going into deep mathematics, are
>>better suited for teaching crypto and for high-level protocol design.
>>They are like the "Lego" blocks of cryptography!
>>
>>Now I'm working on a new untraceable e-cash protocol which has some
>>additional properties. And I'm searching for a secure commutable
>>signing primitive.
>>
>>Best regards,
>>Sergio Lerner.
>>
>>
>>On 22/03/2010 09:56 a.m., Jonathan Katz wrote:
>>>Sounds like a bad idea -- at a minimum, your encryption will be
>>>deterministic.
>>>
>>>What are you actually trying to achieve? Usually once you understand
>>>that, you can find a protocol solving your problem already in the
>>>crypto literature.
>>>
>>>On Sun, 21 Mar 2010, Sergio Lerner wrote:
>>>
>>>>
>>>>I am looking for a public-key cryptosystem that allows commutation of
>>>>the operations of encryption/decryption for different users' keys
>>>>( Ek(Es(m)) = Es(Ek(m)) ).
>>>>I haven't found a simple cryptosystem in Zp or Z/nZ.
>>>>
>>>>I think the solution may be something like the RSA analogs in
>>>>elliptic curves. Maybe a scheme that allows the use of a common
>>>>modulus for all users (RSA does not).
>>>>I've read on some factoring-based cryptosystems (like Meyer-Muller
>>>>or Koyama-Maurer-Okamoto-Vanstone) but the cryptosystem authors say
>>>>nothing about the possibility of using a common modulus, neither
>>>>for good nor for bad.
>>>>
>>>>Does anyone have deeper knowledge of this crypto to help me?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo(a)metzdowd.com

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
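An added example, not written by anyone in the thread: the commutation property Ek(Es(m)) = Es(Ek(m)) from the original question and the determinism raised in the reply, shown with the Pohlig-Hellman / SRA exponentiation cipher over a shared prime modulus. That cipher uses secret exponents, so it is not the public-key scheme the question asks for; the names `P`, `keygen`, `enc`, `dec`, `demo`, the choice of prime and the sample message are assumptions made for the illustration.

```python
import math
import secrets

# Shared modulus for all users: the Mersenne prime 2^127 - 1.
# Toy size chosen for the illustration, not a parameter recommendation.
P = 2**127 - 1

def keygen():
    """Return (e, d): a secret exponent coprime to P-1 and its inverse mod P-1."""
    while True:
        e = secrets.randbelow(P - 3) + 2          # 2 <= e <= P-2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def enc(e, m):
    """E_e(m) = m^e mod P for 1 <= m < P."""
    if not 1 <= m < P:
        raise ValueError("message must be in [1, P-1]")
    return pow(m, e, P)

def dec(d, c):
    """D_d(c) = c^d mod P, undoing enc() for the matching exponent."""
    return pow(c, d, P)

def demo():
    ek, dk = keygen()                              # user k
    es, ds = keygen()                              # user s
    m = int.from_bytes(b"bill #42", "big")         # constructed sample message
    m2 = 12345                                     # second constructed message

    c_ks = enc(ek, enc(es, m))
    c_sk = enc(es, enc(ek, m))
    commutes = c_ks == c_sk                        # (m^es)^ek == (m^ek)^es

    # The two layers can be stripped in either order.
    roundtrip = dec(ds, dec(dk, c_ks)) == m and dec(dk, dec(ds, c_ks)) == m

    # No randomness enters enc(): equal plaintexts always give equal
    # ciphertexts, so an observer learns when a message repeats.
    deterministic = enc(ek, m) == enc(ek, m)

    # Plain exponentiation is also multiplicative:
    # E(m * m2) == E(m) * E(m2) mod P.
    multiplicative = enc(ek, m * m2 % P) == enc(ek, m) * enc(ek, m2) % P
    return commutes, roundtrip, deterministic, multiplicative

if __name__ == "__main__":
    print(demo())
```
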