Re: ECC and blinding.
-- James A. Donald:
Simple Chaumian blinding works fine on EC.
On 31 Oct 2003 at 15:26, Adam Back wrote:
So Chaumian blinding with public exponent e, private exponent d, and modulus n is this and blinding factor b chosen by the client:
blind: b^e.m mod n -> sign: <- (b^e.m)^d mod n = b.m^d mod n (simplifying)
and divide by b to unblind: m^d mod n
how are you going to do this over EC? You need an RSA like e and d to cancel.
See:"Anonymous Electronic Cash" http://www.echeque.com/Kong/anon_transfer.htm Lower case letters represent integers, capital letters elliptic curve points. Let k be the banks secret key. The bank promises to pay a specific sum of money for any secret of the form ( x, P), such that P = k * H(x) where H is a hash function mapping random integers onto points on an elliptic curve and k is a secret known only to the token issuer Bob has an existing old used token of this form, and therefore knows that V= k * U even though he does not know k. Bob invents the random numbers t and q, constructs an elliptic point R = t *U + Hash( q ) and pays the bank to construct T= k * R He then calculates Q = T- t * V He now has a new token ( q , Q) of the required form, even though the Bank did not generate Q, has never seen it before, and when it sees it will not recognize it as having any relationship to T or R. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S 4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR
Fair enough. But this is not Chaum's scheme, it is Wagners and it is DH based (or ECDH based in your writeup). You said earlier:
Simple Chaumian blinding works fine on EC.
and the above scheme is not Chaumian blinding. Chaum never invented DH blinding, if you read Brands thesis even you'll see that Chaum (who was Brands PhD supervisor for some of the time) told Brands to forget about trying to do DH based blinding because it's not possible. Brands credits Chaum for setting the challenge :-) which led him to find ways to do DH based blinding. (And the private key certificate which is a generalisation of DH blinding to multiple attributes and selective disclosure of those attributes). Adam On Sun, Nov 02, 2003 at 08:16:45AM -0800, James A. Donald wrote:
See:"Anonymous Electronic Cash" http://www.echeque.com/Kong/anon_transfer.htm
Lower case letters represent integers, capital letters elliptic curve points.
Let k be the banks secret key.
The bank promises to pay a specific sum of money for any secret of the form ( x, P), such that P = k * H(x) where H is a hash function mapping random integers onto points on an elliptic curve and k is a secret known only to the token issuer
Bob has an existing old used token of this form, and therefore knows that V= k * U even though he does not know k.
Bob invents the random numbers t and q, constructs an elliptic point R = t *U + Hash( q ) and pays the bank to construct T= k * R
He then calculates Q = T- t * V
He now has a new token ( q , Q) of the required form, even though the Bank did not generate Q, has never seen it before, and when it sees it will not recognize it as having any relationship to T or R.
--digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S 4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR
participants (2)
-
Adam Back
-
James A. Donald