ECC and blinding.

Adam Back adam at cypherspace.org
Sun Nov 2 09:26:56 PST 2003


Fair enough.  But this is not Chaum's scheme, it is Wagner's and it is
DH based (or ECDH based in your writeup).

You said earlier:

> Simple Chaumian blinding works fine on EC.  

and the above scheme is not Chaumian blinding.  Chaum never invented
DH blinding, if you read Brands' thesis even you'll see that Chaum (who
was Brands' PhD supervisor for some of the time) told Brands to forget
about trying to do DH based blinding because it's not possible.
Brands credits Chaum for setting the challenge :-) which led him to
find ways to do DH based blinding.  (And the private key certificate
which is a generalisation of DH blinding to multiple attributes and
selective disclosure of those attributes).

Adam

On Sun, Nov 02, 2003 at 08:16:45AM -0800, James A. Donald wrote:
> See: "Anonymous Electronic Cash"
> http://www.echeque.com/Kong/anon_transfer.htm
> 
> Lower case letters represent integers, capital letters elliptic
> curve points.
> 
> Let k be the bank's secret key.
> 
> The bank promises to pay a specific sum of money for any secret
> of the form ( x, P), such that P = k * H(x) where H is a hash
> function mapping random integers onto points on an elliptic
> curve and k is a secret known only to the token issuer
> 
> Bob has an existing old used token of this form, and therefore
> knows that V= k * U even though he does not know k.
> 
> Bob invents the random numbers t and q, constructs an elliptic
> point R = t * U + Hash( q ) and pays the bank to construct
> T = k * R
> 
> He then calculates Q = T - t * V
> 
> He now has a new token ( q , Q) of the required form, even
> though the Bank did not generate Q, has never seen it before,
> and when it sees it will not recognize it as having any
> relationship to T or R. 
> 
>     --digsig
>          James A. Donald
>      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>      ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S
>      4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR
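
The blinding exchange in the quoted message, worked through as an added example that is not part of the original thread or of either poster's code. It assumes secp256k1 as the curve, a try-and-increment SHA-256 hash-to-point for H, and U = H(u) for the old token (u, V); the function names are hypothetical.

```python
import hashlib, itertools, secrets

# Assumed curve: secp256k1, y^2 = x^3 + 7 over F_P, prime order N, cofactor 1.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(A, B):
    """Add affine points; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A):
    """Double-and-add scalar multiple k*A (not constant time)."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(x):
    """Assumed hash-to-point: try-and-increment over SHA-256."""
    for ctr in itertools.count():
        d = hashlib.sha256(f"{x}:{ctr}".encode()).digest()
        px = int.from_bytes(d, "big") % P
        rhs = (px**3 + 7) % P
        py = pow(rhs, (P + 1) // 4, P)   # square root, valid since P % 4 == 3
        if py * py % P == rhs:
            return (px, py)

def blind(U, q):            # Bob: R = t*U + H(q), t random and secret
    t = secrets.randbelow(N - 1) + 1
    return t, add(mul(t, U), H(q))

def unblind(T, t, V):       # Bob: Q = T - t*V, using -(x, y) = (x, -y)
    x, y = mul(t, V)
    return add(T, (x, -y % P))

def redeemable(k, x, Pt):   # bank pays iff Pt = k*H(x)
    return Pt == mul(k, H(x))
```

The bank's only step is T = mul(k, R); it sees R and T, and Q = k*H(q) follows because T - t*V = k*(t*U + H(q)) - t*k*U.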




