Will ECC work with blinding (Chaum, Brands, etc.) techniques? Just curious.
--
Neil Johnson
http://www.njohnsn.com
PGP key available on request.
At 5:41 PM -0600 10/27/03, Neil Johnson wrote:
Will ECC work with blinding (Chaum, Brands, etc.) techniques?
I've heard serious people discuss it with a straight face, at least. Chaumian blinding is simply big number multiplication, right? And Chaum's double-spending detection is an M-of-N hash where M=N=2. So doing that to an ECC message/public-key shouldn't be hard...
Cheers,
RAH
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
There are two variants of Brands schemes: over RSA or DH. The DH variant can be used with the EC. People don't do RSA over EC because the security argument doesn't work (i.e. I believe you can do it technically, but the performance / key size / security arguments no longer work).
So for that reason I think Chaum's scheme practically would not be viable over EC. (Or you could do it but you'd be better off performance, security and key/message size doing Chaum over normal RSA).
There are other blinding schemes also such as David Wagner's blind MAC approach, and that should work over EC as it is DH based.
Adam
On Mon, Oct 27, 2003 at 05:41:11PM -0600, Neil Johnson wrote:
Will ECC work with blinding (Chaum, Brands, etc.) techniques?
Just curious.
On 28 Oct 2003 at 13:49, Adam Back wrote:
So for that reason I think Chaum's scheme practically would not be viable over EC. (Or you could do it but you'd be better off performance, security and key/message size doing Chaum over normal RSA).
Simple Chaumian blinding works fine on EC. Some more complex schemes, such as some of Brands', do not. But I do not see any demand for the more complex schemes. The simplest scheme is already complicated enough that some of the complexities afflict the end user.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
aKHDMdj+9gnBr65YtX0qhoydEhjayKgfhkQHEAzr
4mclgavEBK5DyZ0aLB/l/EnYG2RizakxZ8mZUlz+E
On Thu, Oct 30, 2003 at 09:06:10AM -0800, James A. Donald wrote:
On 28 Oct 2003 at 13:49, Adam Back wrote:
So for that reason I think Chaum's scheme practically would not be viable over EC. (Or you could do it but you'd be better off performance, security and key/message size doing Chaum over normal RSA).
Simple Chaumian blinding works fine on EC.
So Chaumian blinding with public exponent e, private exponent d, and modulus n is this and blinding factor b chosen by the client:
    blind: b^e.m mod n ->
    sign: <- (b^e.m)^d mod n = b.m^d mod n (simplifying)
    and divide by b to unblind: m^d mod n
How are you going to do this over EC? You need an RSA like e and d to cancel.
Some more complex schemes, such as some of Brands', do not.
Brands DH based blinding scheme works in EC. ECDH is directly analogous, the usual conversion from discrete log (g^x mod p) to the EC analog (x.G over curve E) works. Adam
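The two kinds of blinding contrasted in this thread, as an added example that is not part of any poster's message: the RSA exchange written out above, where e and d cancel on the blinding factor, next to a generic DH-style blinded exponentiation, where the blinding exponent is removed by its inverse modulo the group order. The second half is a plain illustration of the DH setting, not Brands' or Wagner's actual scheme; on a curve each `pow(x, k, p)` becomes the scalar multiplication k.X. All parameters are constructed toy values and the function names are hypothetical.

```python
# Added illustration; every parameter below is a constructed toy value, not secure.
import hashlib, secrets
from math import gcd

def h_int(msg: bytes, mod: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % mod

# RSA (Chaum) blinding: needs paired exponents e and d that cancel on b.
P, Q = 2**31 - 1, 2**61 - 1            # toy Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent

def rsa_blind(m, b):   return (pow(b, E, N) * m) % N     # b^e.m mod n
def rsa_sign(x):       return pow(x, D, N)               # signer never sees m
def rsa_unblind(s, b): return (s * pow(b, -1, N)) % N    # divide by b -> m^d

# DH-style blinding: one secret exponent k, blinding done in the exponent.
DH_P, DH_Q = 2039, 1019                # toy safe prime, p = 2q + 1
K = 777                                # signer's secret exponent (constructed)

def hash_to_group(msg: bytes) -> int:
    # Squaring maps the hash into the subgroup of order q.
    return pow(h_int(msg, DH_P - 1) + 1, 2, DH_P)

def dh_blind(h, b):    return pow(h, b, DH_P)                  # h^b
def dh_sign(x):        return pow(x, K, DH_P)                  # (h^b)^k
def dh_unblind(s, b):  return pow(s, pow(b, -1, DH_Q), DH_P)   # -> h^k

def random_unit(mod: int) -> int:
    # Blinding factor must be invertible modulo `mod`.
    while True:
        b = secrets.randbelow(mod - 2) + 2
        if gcd(b, mod) == 1:
            return b

if __name__ == "__main__":
    msg = b"coin #1 (constructed)"
    m, b = h_int(msg, N), random_unit(N)
    sig = rsa_unblind(rsa_sign(rsa_blind(m, b)), b)
    print("RSA signature verifies:", pow(sig, E, N) == m)
    h, c = hash_to_group(msg), random_unit(DH_Q)
    tag = dh_unblind(dh_sign(dh_blind(h, c)), c)
    print("DH tag equals h^k:", tag == pow(h, K, DH_P))
```

The DH-style result can only be checked by the holder of k, which is why it behaves like a MAC rather than a publicly verifiable signature.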
participants (4)
- Adam Back
- James A. Donald
- Neil Johnson
- R. A. Hettinga