Question regarding common modulus on elliptic curve cryptosystems AND E-CASH

Sergio Lerner sergiolerner at pentatek.com
Mon Mar 22 08:09:16 PDT 2010


I've read some papers, not that much. But I don't mind reinventing the 
wheel, as long as the new protocol is simpler to explain.
Reading the literature, I couldn't find an e-cash protocol which:

- Hides the destination / source of payments.
- Hides the amount of money transferred.
- Hides the account balance of each person from the bank.
- Allows off-line payments.
- Avoids giving the same "bill" to two different people by design. This 
means that the protocol does not need to detect the use of cloned "bills".
- Gives each person a cryptographic proof of owning the money they have 
in case of dispute.

If someone points me to a protocol that manages to fulfill these 
requirements, I'd be delighted.
I think I can do it with a commutative signing primitive, and a special 
zero-proof of knowledge.

Regards,
 Sergio Lerner.


On 22/03/2010 10:25 a.m., Jonathan Katz wrote:
>That paper was from 1980. A few things have changed since then. =)
>
>In any case, my point still stands: what you actually want is some 
>e-cash system with some special properties. Commutative encryption is 
>neither necessary nor (probably) sufficient for what you want. Have 
>you at least looked at the literature (which must be well over 100 
>papers) on e-cash?
>
>On Mon, 22 Mar 2010, Sergio Lerner wrote:
>
>>Commutativity is a beautiful and powerful property. See "On the power 
>>of Commutativity in Cryptography" by Adi Shamir.
>>Semantic security is great and has given a new provable sense of 
>>security, but commutative building blocks can be combined to build 
>>the strangest protocols without going into deep mathematics, are 
>>better suited for teaching crypto and for high-level protocol design. 
>>They are like the "Lego" blocks of cryptography!
>>
>>Now I'm working on a new untraceable e-cash protocol which has some 
>>additional properties. And I'm searching for a secure commutable 
>>signing primitive.
>>
>>Best regards,
>>Sergio Lerner.
>>
>>
>>On 22/03/2010 09:56 a.m., Jonathan Katz wrote:
>>>Sounds like a bad idea -- at a minimum, your encryption will be 
>>>deterministic.
>>>
>>>What are you actually trying to achieve? Usually once you understand 
>>>that, you can find a protocol solving your problem already in the 
>>>crypto literature.
>>>
>>>On Sun, 21 Mar 2010, Sergio Lerner wrote:
>>>
>>>>
>>>>I'm looking for a public-key cryptosystem that allows commutation of 
>>>>the operations of encryption/decryption for different users' keys
>>>>( Ek(Es(m)) = Es(Ek(m)) ).
>>>>I haven't found a simple cryptosystem in Zp or Z/nZ.
>>>>
>>>>I think the solution may be something like the RSA analogs in 
>>>>elliptic curves. Maybe a scheme that allows the use of a common 
>>>>modulus for all users (RSA does not).
>>>>I've read about some factoring-based cryptosystems (like Meyer-Muller 
>>>>or Koyama-Maurer-Okamoto-Vanstone) but the cryptosystem authors say 
>>>>nothing about the possibility of using a common modulus, neither 
>>>>for good nor for bad.
>>>>
>>>>Does anyone have deeper knowledge of this crypto to help me?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
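
Added example, not part of the thread or written by any of its participants: a sketch of the commutation property Ek(Es(m)) = Es(Ek(m)) and of the determinism objection raised in the reply, using an exponentiation cipher modulo a shared prime (Pohlig-Hellman / SRA style). This is a secret-key scheme, not the public-key system the original question asks for; the modulus, function names and sample messages are constructed for illustration.

```python
import math
import secrets

# Constructed parameter: the Mersenne prime 2**127 - 1 as the modulus shared
# by every user. Illustration only, not a recommended parameter choice.
P = 2**127 - 1


def keygen(p=P):
    """Return (e, d) with e*d = 1 mod (p-1). Both exponents must stay secret."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # e in [2, p-2]
        if math.gcd(e, p - 1) == 1:               # invertible exponent
            return e, pow(e, -1, p - 1)


def apply_key(key, x, p=P):
    """E_key(x) = x**key mod p. Decryption is the same call with d."""
    if not 0 < x < p:
        raise ValueError("message must be in [1, p-1]")
    return pow(x, key, p)


def commutes(m, key_k, key_s):
    """Check Ek(Es(m)) == Es(Ek(m)) for two independent users' keys."""
    return apply_key(key_k, apply_key(key_s, m)) == \
           apply_key(key_s, apply_key(key_k, m))


def repeat_pattern(values):
    """For each item, the index of its first occurrence in the list.

    Applied to ciphertexts, this is what an eavesdropper learns without
    any key: which positions carry the same plaintext.
    """
    first = {}
    return [first.setdefault(v, i) for i, v in enumerate(values)]


if __name__ == "__main__":
    (ek, dk), (es, ds) = keygen(), keygen()
    m = int.from_bytes(b"bill-42", "big")          # constructed message
    print("commutes:", commutes(m, ek, es))
    double = apply_key(ek, apply_key(es, m))
    # Layers can be stripped in either order.
    print("recovered:", apply_key(ds, apply_key(dk, double)) == m)
    # Determinism: no randomness enters encryption, so repeats are visible.
    msgs = [10, 20, 10, 30, 20]                    # constructed plaintexts
    print("leak:", repeat_pattern([apply_key(ek, x) for x in msgs]))
```

Because nothing random enters apply_key, equal plaintexts under one key always give equal ciphertexts, which is the property the reply flags as incompatible with semantic security.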