Laurie's blinding w/cut and choose?

Jason Holt jason at lunkwill.org
Wed Jun 5 12:37:34 PDT 2002


	In his paper on Lucre ("2nd defence" against marking):

http://anoncvs.aldigital.co.uk/lucre/

	Ben Laurie gives this as a (possibly patent-free) blinding technique,
where h is the message, and g is the public generator:

r = blind(h) = h^y * g^b (mod p)

	To "sign",

s = sign(r) = m^h

	To unblind,

(s/g^k^b)^(1/y) (mod p)

	(where k is the signer's secret exponent. Of course, nobody but the
signer can verify the signature).  Unfortunately, this doesn't work with cut
and choose where the signer signs the product of unrevealed documents, since 
the 1/y exponent above would distribute to all the internal terms:

    ((r_1 * r_2 * r_3 ...)^k)^(1/y_1) / (g^k)^(b_1)   !=   (h_1 * r_2 * r_3 ...)^k   (mod p)

	Can anyone see how to get this to work?  It doesn't matter for Ben's
money system since he doesn't need cut and choose, but I'm working on a
patent-free credential system where the issuer needs to cut and choose to keep
the user from cheating.

	Alternatively, is there another way to get some sort of blind mark
(that foils the issuer from adding subliminal information that would
compromise the blinding) without stepping on Chaum's patent?  I hear Chaum
mentioned one himself at PET 2002, but I can't find anything about it online.

						-J	
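
The arithmetic discussed in the message above, as an added example (not part of the original post and not Lucre's code). It assumes the signer computes r^k, as the unblinding step and the cut-and-choose expression imply, and it uses constructed toy parameters (p = 1019, q = 509, g = 4) and constructed message values.

```python
# Added illustration. Toy group sizes, constructed values, requires Python 3.8+.
P = 1019   # safe prime, P = 2*Q + 1 (constructed toy parameter)
Q = 509    # prime order of the subgroup of squares mod P
G = 4      # generator of that order-Q subgroup

def blind(h, y, b):
    """r = h^y * g^b (mod p), with the user's secret blinding values y and b."""
    return pow(h, y, P) * pow(G, b, P) % P

def sign(r, k):
    """Assumption: the signer raises the blinded value to its secret exponent k."""
    return pow(r, k, P)

def unblind(s, y, b, gk):
    """(s / (g^k)^b)^(1/y) (mod p); 1/y is the inverse of y modulo Q."""
    t = s * pow(pow(gk, b, P), -1, P) % P
    return pow(t, pow(y, -1, Q), P)

def demo():
    k = 123                       # signer's secret exponent (constructed)
    gk = pow(G, k, P)             # signer's public value g^k
    hs = [pow(G, e, P) for e in (5, 7, 11)]   # constructed messages in the subgroup
    ys, bs = [17, 29, 41], [3, 8, 13]         # constructed blinding values
    rs = [blind(h, y, b) for h, y, b in zip(hs, ys, bs)]

    # Single document: unblinding recovers h_1^k exactly.
    single_ok = unblind(sign(rs[0], k), ys[0], bs[0], gk) == pow(hs[0], k, P)

    # Cut and choose: the signer signs the product of the unrevealed r_i.
    s = sign(rs[0] * rs[1] * rs[2] % P, k)
    got = unblind(s, ys[0], bs[0], gk)
    want = pow(hs[0] * rs[1] * rs[2] % P, k, P)

    # The 1/y_1 exponent also lands on r_2 and r_3:
    # got = h_1^k * (r_2 * r_3)^(k / y_1)
    stray = pow(rs[1] * rs[2] % P, k * pow(ys[0], -1, Q) % Q, P)
    explained = got == pow(hs[0], k, P) * stray % P
    return single_ok, got == want, explained

if __name__ == "__main__":
    print(demo())
```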




