But actually another solution is much simpler, which is to do blinding as just h * g^b, without a y factor. That works fine as long as the bank is known not to be misbehaving. Ben's paper shows how the bank can use a ZK proof to show that it is raising to the same power k every time, basically again that same ZK proof regarding discrete logarithms. If the bank uses such a proof then you can use simpler blinding without a y factor, and you can recover the signature on the product of your h values by dividing by g^k^(sum of b's).
Somewhere I got the idea that that was patented, but looking at undeniable signatures, they're actually much closer to (h^y)(g^b), so your suggestion should work great. Thanks! Anybody know of other patents which might get in the way? I'm worried about Chaum's blind signature and undeniable signature patents, and want to present as patent-free a system as possible.

One more thing. If the issuer returns the signature:

(h1*g^b1 *h2*g^b2 *h3*g^b3...)^k

Can I separate out any of the h^k values? My system relies on that being hard. If I replace h1 with (g^b0) and get the issuer to sign:

((g^b0)*g^b1 *h2*g^b2 *h3*g^b3...)^k

I should be able to divide the two results and get h1^k. But part of the cut-and-choose protocol will be to require that the n/2 checked documents are all valid and different from any previous instances of the protocol. So it should be extremely hard for the user to sneak lots of previously used values and fake h's (which are really blinding factors) into the unrevealed documents. But are there other ways to separate out signatures on individual h's?

-J
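A worked example, added here and not code from either of the two messages above, of both constructions they discuss: the y-free blinding h * g^b in which the user unblinds by dividing out (g^k)^(sum of b's), the issuer's zero-knowledge proof that it raised to the same k as in its public key, and the "replace h1 with g^b0 and divide" trick for pulling h1^k out of a signed product. Assumptions made for the demo: the group is the 1024-bit MODP safe prime from RFC 2409 with g = 2, the ZK proof is a Fiat-Shamir (non-interactive) Chaum-Pedersen equal-discrete-log proof standing in for the one in Ben's paper, documents are hashed into the order-q subgroup with SHA-256, and the function names, the sample documents and the random blinding factors are all constructed for this example.

```python
# Added example (not from the thread): y-free blinding h * g^b, the issuer's
# proof that it raised to its fixed secret k, and the overlapping-product
# trick from the follow-up question.  Group choice, helper names and the
# document-to-group hashing are assumptions made for this demo.
import hashlib
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit safe prime p = 2q + 1, g = 2 of order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2


def keygen():
    """Issuer's secret exponent k and public key y = g^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def hash_to_group(doc: bytes) -> int:
    """Map a document to h in the order-q subgroup (squaring forces a quadratic residue)."""
    e = int.from_bytes(hashlib.sha256(doc).digest(), "big") % P
    return pow(e, 2, P)


def blind_product(hs, bs):
    """User side: prod(h_i * g^b_i) mod p, the single value submitted for signing."""
    m = 1
    for h, b in zip(hs, bs):
        m = m * h * pow(G, b, P) % P
    return m


def _challenge(*elems):
    """Fiat-Shamir challenge over the proof transcript (all elements are < 2^1024)."""
    h = hashlib.sha256()
    for e in elems:
        h.update(e.to_bytes(128, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def issue(k, m):
    """Issuer side: s = m^k plus a Chaum-Pedersen proof that log_g(y) = log_m(s),
    i.e. that the exponent used is the same k as in the public key."""
    s = pow(m, k, P)
    y = pow(G, k, P)
    r = secrets.randbelow(Q)
    a1, a2 = pow(G, r, P), pow(m, r, P)
    c = _challenge(G, y, m, s, a1, a2)
    z = (r + c * k) % Q
    return s, (a1, a2, z)


def verify(y, m, s, proof):
    """User side: check g^z = a1 * y^c and m^z = a2 * s^c for the recomputed c."""
    a1, a2, z = proof
    c = _challenge(G, y, m, s, a1, a2)
    return (pow(G, z, P) == a1 * pow(y, c, P) % P
            and pow(m, z, P) == a2 * pow(s, c, P) % P)


def unblind(s, y, bs):
    """Divide out y^(sum b) = (g^k)^(sum b), leaving prod(h_i)^k."""
    return s * pow(pow(y, sum(bs) % Q, P), -1, P) % P


def recover_h1_power(k, y, hs, bs, b0):
    """The follow-up question's trick: have the same product signed with h1 swapped
    for g^b0, then divide.  s1/s2 = (h1 / g^b0)^k, so h1^k = (s1/s2) * y^b0."""
    s1, _ = issue(k, blind_product(hs, bs))
    s2, _ = issue(k, blind_product([pow(G, b0, P)] + hs[1:], bs))
    return s1 * pow(s2, -1, P) * pow(y, b0, P) % P


def demo():
    k, y = keygen()
    hs = [hash_to_group(d) for d in (b"doc-1", b"doc-2", b"doc-3")]  # constructed sample docs
    bs = [secrets.randbelow(Q) for _ in hs]
    m = blind_product(hs, bs)
    s, proof = issue(k, m)
    expected = 1
    for h in hs:
        expected = expected * pow(h, k, P) % P
    b0 = secrets.randbelow(Q)
    # An issuer that signs with some k' != k but claims the public key g^k fails the proof.
    s_bad, proof_bad = issue((k + 1) % Q, m)
    return {
        "proof_ok": verify(y, m, s, proof),
        "unblind_ok": unblind(s, y, bs) == expected,
        "h1_separated": recover_h1_power(k, y, hs, bs, b0) == pow(hs[0], k, P),
        "wrong_k_rejected": not verify(y, m, s_bad, proof_bad),
    }


if __name__ == "__main__":
    print(demo())
```

The proof is what makes the y-free blinding safe to use: without it a misbehaving issuer could vary the exponent per request and tag each signature, and the user's division by y^(sum b) would silently produce garbage. The `recover_h1_power` function shows that the issuer's proof does nothing to stop the separation trick itself; only the cut-and-choose rule that checked documents be fresh and well-formed addresses that.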
Maybe you could say more about the details of your credential system. Such a system built on Wagner blinding might be very interesting.
I've been thinking it would be nice to post my entire paper here (and maybe on sci.crypt.research) before sending it off to the journals. What are the issues surrounding that, though? The academic folks here seem uncomfortable when I talk about it, like I'd be leaking something secret. AFAICT, nobody else would be able to apply for a patent on the idea without telling a lot of lies in the process. So that leaves the possibility that somebody whips out another paper on the topic before mine's all the way done. Are the journals going to be snippy about copyright issues? Why haven't I seen other papers published on usenet and such before going to press?
> If I replace h1 with (g^b0) and get the issuer to sign:
> ((g^b0)*g^b1 *h2*g^b2 *h3*g^b3...)^k
> I should be able to divide the two results and get h1^k. But part of the cut-and-choose protocol will be to require that the n/2 checked documents are all valid and different from any previous instances of the protocol. So it should be extremely hard for the user to sneak lots of previously used values and fake h's (which are really blinding factors) into the unrevealed documents. But are there other ways to separate out signatures on individual h's?
You're really going to remember all the discarded h values from all the previous instances of credential issuing? Seems like it might be a lot of data. How many h values do you typically expect?
I get around that by having the issuer issue a new random value for each issuing session which gets hashed several times along with some other data before going into the blinded messages. You have to prove that the value properly descends from the issuer's random value, which makes it tough to reuse values from a previous session.

-J
On Tue, 11 Jun 2002, Jason Holt wrote:
> copyright issues? Why haven't I seen other papers published on usenet and such before going to press?

???? This is a joke, right? Copyright: they want it as the exclusive distributor, which they can't do if it's been published somewhere else.

--
When I die, I would like to be born again as me. Hugh Hefner

ravage@ssz.com www.ssz.com
jchoate@open-forge.org www.open-forge.org
Jason Holt wrote:
> Are the journals going to be snippy about copyright issues?

Most journals don't like papers to have been published elsewhere first. Screw 'em, I say.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
participants (3): Ben Laurie, Jason Holt, Jim Choate