At 01:27 PM 12/12/95 -0800, you wrote:
From: ljo@ausys.se (Johansson Lars)
Does anyone know whether David Chaum's patent on blind digital signatures extends to this application?
I don't think it would. Chaum's blinding protocol has one major difference: the blinding factor is applied by a different person than the one doing the signing. The purpose of the blinding is different, too; in Chaum's case the idea is to end up with a signature which is unknown to the signer, while with Kocher's "defensive blinding" the signature (or decryption) is an ordinary RSA one, and the blinding is just done internally by the signer to randomize the timing.
One thing I haven't heard mentioned would be the possibility of using TWO blinding factors, by two different people, to blind the unsigned cash. As you may know, I'm interested in payee-anonymous systems as well as payer-anonymous ones, and such a feature might assist in this.