Anonymous wrote:
In order to avoid this, the bank can prove that it operated correctly (that is, it raised its input to the same k power that g is raised to in the public g^k value) using a zero-knowledge proof. I believe the latest version of the Lucre software does this.

Actually, Lucre uses the double-blinding method to avoid this. The paper discusses the ZK proof as an alternate way of doing it, but I chose not to use it because of its potential interpretation as a blind signature. There is an implementation of the ZK proof included in Lucre just for fun, though.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
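
The proof discussed in this thread (that the bank raised its input to the same k that g is raised to in the public g^k) is a proof of discrete-log equality. The following is an added example, not code from Lucre or from either poster: a Chaum-Pedersen style proof made non-interactive with a hash. The toy group parameters, the function names and the sample values are assumptions constructed for illustration.

```python
import hashlib
import secrets

# Toy group constructed for this example only: P = 2*Q + 1 with P and Q prime,
# and G generating the order-Q subgroup. A real system needs a far larger group.
P, Q, G = 2039, 1019, 4

def challenge(*elems):
    """Hash every public value into a challenge in 1..Q-1 (never zero)."""
    data = b"|".join(str(e).encode() for e in elems)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def bank_sign(k, x):
    """Bank side: return y = x^k and a proof that log_x(y) == log_G(G^k)."""
    y = pow(x, k, P)
    r = secrets.randbelow(Q - 1) + 1       # fresh secret nonce for every proof
    a, b = pow(G, r, P), pow(x, r, P)      # commitments in both bases
    c = challenge(G, pow(G, k, P), x, y, a, b)
    s = (r + c * k) % Q                    # response; r hides k
    return y, (a, b, s)

def verify(pub, x, y, proof):
    """Client side: accept only if y was made with the exponent behind pub."""
    a, b, s = proof
    # Reject inputs outside the order-Q subgroup, and the identity element.
    if any(v % P in (0, 1) or pow(v, Q, P) != 1 for v in (x, y)):
        return False
    c = challenge(G, pub, x, y, a, b)
    return (pow(G, s, P) == a * pow(pub, c, P) % P and
            pow(x, s, P) == b * pow(y, c, P) % P)
```

A bank that used a different exponent on one client's input, which is the behaviour the proof is meant to rule out, cannot produce a proof that verifies against its published g^k.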