Chaum's unpatented ecash scheme

Nomen Nescio nobody at dizum.com
Tue Aug 20 16:00:06 PDT 2002 

David Chaum gave a talk at the Crypto 2002 conference recently in which
he briefly presented a number of interesting ideas, including an approach
to digital cash which he himself said would "avoid the ecash patents".

The diagram he showed was as follows:


        Optimistic Authenticator

                                     z = x^s

Payer         f(m)^a z^b             Bank
      ----------------------------->

            [f(m)^a z^b]^s
      <-----------------------------

               m, f(m)^s
      ----------------------------->


It's hard to figure out what this means, but it bears resemblance to a
scheme discussed on the Coderpunks list in 1999, a variant on a blinding
method developed by David Wagner.  See
http://www.mail-archive.com/coderpunks@toad.com/msg02323.html for a
description, with a sketch of a proof of blindness at
http://www.mail-archive.com/coderpunks@toad.com/msg02387.html and
http://www.mail-archive.com/coderpunks@toad.com/msg02388.html.

In Chaum's diagram it is not clear which parts of the key are private and
which public, although z is presumably public.  Since the bank's action
is apparently to raise to the s power, s must be secret.  That suggests
that x is public.  However Chaum's system seems to require dividing by
(z^b)^s in order to unblind the value, and if s is secret, that doesn't
seem possible.

In Wagner's scheme everything was like this except that the bank's key
would be expressed as x = z^s, again with x and z public and s secret.
f(m) would be a one-way function, which gets doubly-blinded by being
raised to the a power and multiplied by z^b, where a and b are randomly
chosen blinding factors.  The bank raises this to its secret power s,
and the user unblinds to form f(m)^s.  To later deposit the coin he does
as in the third step, sending m and f(m)^s to the bank.

For the unblinding, the user can divide by (z^b)^s, which equals z^(b*s),
which equals (z^s)^b, which equals x^b.  Since x is public and the user
chose b, he can unblind the value.  Maybe the transcription above of the
Chaum scheme had a typo and it was actually similar to the Wagner method.

Chaum commented that the payer does not receive a signature in this
system, and that he doesn't need one because he is protected against
misbehavior by the bank.  This is apparently where the scheme gets
its name.

More information about the cypherpunks-legacy mailing list