On Thu, Oct 30, 2003 at 09:06:10AM -0800, James A. Donald wrote:
On 28 Oct 2003 at 13:49, Adam Back wrote:
So for that reason I think Chaum's scheme practically would not be viable over EC. (Or you could do it but you'd be better off performance, security and key/messag size doing Chaum over normal RSA).
Simple Chaumian blinding works fine on EC.
So Chaumian blinding with public exponent e, private exponent d, and modulus n is this and blinding factor b chosen by the client: blind: b^e.m mod n -> sign: <- (b^e.m)^d mod n = b.m^d mod n (simplifying) and divide by b to unblind: m^d mod n how are you going to do this over EC? You need an RSA like e and d to cancel.
Some more complex schemes, such as some of Brand's, do not.
Brands DH based blinding scheme works in EC. ECDH is directly analogous, the usual conversion from discrete log (g^x mod p) to the EC analog (x.G over curve E) works. Adam