Crypto-making vs Crypto-breaking
Ben Laurie
ben at algroup.co.uk
Tue May 6 02:43:42 PDT 2003
Anonymous wrote:
> In order to avoid this, the bank can prove that it operated correctly
> (that is, it raised its input to the same k power that g is raised to
> in the public g^k value) using a zero-knowledge proof. I believe the
> latest version of the Lucre software does this.
Actually, Lucre uses the double-blinding method to avoid this. The paper
discusses the ZK proof as an alternate way of doing it, but I chose not
to use it because of its potential interpretation as a blind signature.
There is an implementation of the ZK proof included in Lucre just for
fun, though.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
More information about the cypherpunks-legacy
mailing list