ECC and blinding.
James A. Donald
jamesd at echeque.com
Sun Nov 2 08:16:45 PST 2003
--
James A. Donald:
> > Simple Chaumian blinding works fine on EC.
On 31 Oct 2003 at 15:26, Adam Back wrote:
> So Chaumian blinding with public exponent e, private exponent d, and
> modulus n is this and blinding factor b chosen by the client:
>
> blind:
> b^e.m mod n ->
> sign:
> <- (b^e.m)^d mod n
> = b.m^d mod n (simplifying)
>
> and divide by b to unblind:
> m^d mod n
>
> how are you going to do this over EC? You need an RSA like e and d to
> cancel.
See: "Anonymous Electronic Cash"
http://www.echeque.com/Kong/anon_transfer.htm

Lower case letters represent integers, capital letters elliptic
curve points.

Let k be the bank's secret key.

The bank promises to pay a specific sum of money for any secret
of the form (x, P), such that P = k * H(x) where H is a hash
function mapping random integers onto points on an elliptic
curve and k is a secret known only to the token issuer.

Bob has an existing old used token of this form, and therefore
knows that V = k * U even though he does not know k.

Bob invents the random numbers t and q, constructs an elliptic
point R = t * U + Hash(q) and pays the bank to construct
T = k * R.

He then calculates Q = T - t * V.

He now has a new token (q, Q) of the required form, even
though the Bank did not generate Q, has never seen it before,
and when it sees it will not recognize it as having any
relationship to T or R.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S
4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR
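
The token exchange described in the message above, worked through in Python as an added example (not part of the original post and not code from the Kong software). It assumes secp256k1 as the curve and a try-and-increment SHA-256 construction for H, neither of which the post specifies; all function names are illustrative.

```python
import hashlib, secrets

# Assumed curve: secp256k1, y^2 = x^3 + 7 over GF(p), prime group order n.
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(s, A):  # double-and-add scalar multiplication (not constant time)
    R = None
    while s:
        if s & 1: R = add(R, A)
        A, s = add(A, A), s >> 1
    return R

def H(x):  # assumed hash-to-point: try-and-increment over SHA-256
    ctr = 0
    while True:
        h = hashlib.sha256(b"%d|%d" % (x, ctr)).digest()
        cx = int.from_bytes(h, "big") % p
        rhs = (pow(cx, 3, p) + 7) % p
        cy = pow(rhs, (p + 1) // 4, p)      # square root, valid since p % 4 == 3
        if cy * cy % p == rhs: return (cx, cy)
        ctr += 1

def blind(U, q):  # Bob: R = t*U + H(q) with a fresh random t
    t = secrets.randbelow(n - 1) + 1
    return t, add(mul(t, U), H(q))

def unblind(T, t, V):  # Bob: Q = T - t*V, using -t = n - t (mod n)
    return add(T, mul(n - t, V))

def bank_sign(k, R): return mul(k, R)               # bank sees only R
def bank_verify(k, x, Q): return Q == mul(k, H(x))  # redeem (x, Q)

def demo(k, u, q):  # one exchange: old token (u, V) -> fresh token (q, Q)
    U = H(u); V = mul(k, U)
    t, R = blind(U, q)
    Q = unblind(bank_sign(k, R), t, V)
    return bank_verify(k, u, V), bank_verify(k, q, Q)
```

The unblinding works because T - t*V = k*(t*U + H(q)) - t*k*U = k*H(q); the bank only ever handles R and T, while the redeemed pair is (q, Q).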