In his paper on Lucre ("2nd defence" against marking):

http://anoncvs.aldigital.co.uk/lucre/

Ben Laurie gives this as a (possibly patent-free) blinding technique, where h is the message, and g is the public generator:

    r = blind(h) = h^y * g^b (mod p)

To "sign",

    s = sign(r) = m^h

To unblind,

    (s/g^k^b)^(1/y) (mod p)

(where k is the signer's secret exponent. Of course, nobody but the signer can verify the signature).

Unfortunately, this doesn't work with cut and choose where the signer signs the product of unrevealed documents, since the 1/y exponent above would distribute to all the internal terms:

    ((r_1 * r_2 * r_3 ...)^k)^(1/y_1)
    ---------------------------------  !=  (h_1 * r_2 * r_3 ...)^k  (mod p)
               (g^k)^b_1

Can anyone see how to get this to work? It doesn't matter for Ben's money system since he doesn't need cut and choose, but I'm working on a patent-free credential system where the issuer needs to cut and choose to keep the user from cheating.

Alternatively, is there another way to get some sort of blind mark (that foils the issuer from adding subliminal information that would compromise the blinding) without stepping on Chaum's patent? I hear Chaum mentioned one himself at PET 2002, but I can't find anything about it online.

-J
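
The failure described in the post above, worked through numerically as an added example (not part of the original message and not Lucre's code). It assumes the signer computes s = r^k (mod p) and uses a constructed toy group p = 2039, q = 1019, g = 4; all function names and sample values are hypothetical.

```python
# Added illustration; toy parameters are constructed, not taken from Lucre.
P, Q, G = 2039, 1019, 4      # p = 2q + 1; g generates the order-q subgroup

def blind(h, y, b):
    """r = h^y * g^b (mod p), as in the post."""
    return pow(h, y, P) * pow(G, b, P) % P

def sign(r, k):
    """Assumption: the signer returns r^k (mod p) for secret exponent k."""
    return pow(r, k, P)

def unblind(s, y, b, gk):
    """(s / (g^k)^b)^(1/y) (mod p); 1/y is taken mod q, the subgroup order."""
    stripped = s * pow(pow(gk, b, P), -1, P) % P
    return pow(stripped, pow(y, -1, Q), P)

def single_roundtrip(h, y, b, k):
    """One document, no cut and choose: unblinding yields h^k."""
    return unblind(sign(blind(h, y, b), k), y, b, pow(G, k, P))

def product_case(hs, ys, bs, k):
    """Signer signs r_1*r_2*r_3; the user unblinds with (y_1, b_1) only."""
    rs = [blind(h, y, b) for h, y, b in zip(hs, ys, bs)]
    prod = 1
    for r in rs:
        prod = prod * r % P
    got = unblind(sign(prod, k), ys[0], bs[0], pow(G, k, P))
    rest = prod * pow(rs[0], -1, P) % P               # r_2 * r_3
    wanted = pow(hs[0], k, P) * pow(rest, k, P) % P   # (h_1 * r_2 * r_3)^k
    # What actually comes out: the 1/y_1 exponent also lands on r_2 * r_3.
    leaked_exp = k * pow(ys[0], -1, Q) % Q
    predicted = pow(hs[0], k, P) * pow(rest, leaked_exp, P) % P
    return got, wanted, predicted

if __name__ == "__main__":
    K = 123                                           # constructed signer secret
    HS, YS, BS = [49, 9, 25], [7, 2, 2], [5, 1, 2]    # h_i are squares mod p
    print("single ok:", single_roundtrip(49, 7, 5, K) == pow(49, K, P))
    got, wanted, predicted = product_case(HS, YS, BS, K)
    print("product matches wanted:", got == wanted)
    print("product matches h_1^k * (r_2*r_3)^(k/y_1):", got == predicted)
```
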