-- James A. Donald:
Simple Chaumian blinding works fine on EC.
On 31 Oct 2003 at 15:26, Adam Back wrote:
So Chaumian blinding with public exponent e, private exponent d, and modulus n is this and blinding factor b chosen by the client:
blind: b^e.m mod n -> sign: <- (b^e.m)^d mod n = b.m^d mod n (simplifying)
and divide by b to unblind: m^d mod n
how are you going to do this over EC? You need an RSA like e and d to cancel.
See:"Anonymous Electronic Cash" http://www.echeque.com/Kong/anon_transfer.htm Lower case letters represent integers, capital letters elliptic curve points. Let k be the banks secret key. The bank promises to pay a specific sum of money for any secret of the form ( x, P), such that P = k * H(x) where H is a hash function mapping random integers onto points on an elliptic curve and k is a secret known only to the token issuer Bob has an existing old used token of this form, and therefore knows that V= k * U even though he does not know k. Bob invents the random numbers t and q, constructs an elliptic point R = t *U + Hash( q ) and pays the bank to construct T= k * R He then calculates Q = T- t * V He now has a new token ( q , Q) of the required form, even though the Bank did not generate Q, has never seen it before, and when it sees it will not recognize it as having any relationship to T or R. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S 4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR