Question regarding common modulus on elliptic curve cryptosystems AND E-CASH
Sergio Lerner
sergiolerner at pentatek.com
Mon Mar 22 08:09:16 PDT 2010
I've read some papers, not that much. But I don't mind reinventing the
wheel, as long as the new protocol is simpler to explain.
Reading the literature, I couldn't find an e-cash protocol which:
- Hides the destination / source of payments.
- Hides the amount of money transferred.
- Hides the account balance of each person from the bank.
- Allows off-line payments.
- Avoids giving the same "bill" to two different people by design. This
means that the protocol does not need to detect the use of cloned "bills".
- Gives each person a cryptographic proof of owning the money they have
in case of dispute.
If someone points me to a protocol that manages to fulfill these
requirements, I'd be delighted.
I think I can do it with a commutative signing primitive, and a special
zero-proof of knowledge.
Regards,
Sergio Lerner.
On 22/03/2010 10:25 a.m., Jonathan Katz wrote:
>That paper was from 1980. A few things have changed since then. =)
>
>In any case, my point still stands: what you actually want is some
>e-cash system with some special properties. Commutative encryption is
>neither necessary nor (probably) sufficient for what you want. Have
>you at least looked at the literature (which must be well over 100
>papers) on e-cash?
>
>On Mon, 22 Mar 2010, Sergio Lerner wrote:
>
>>Commutativity is a beautiful and powerful property. See "On the power
>>of Commutativity in Cryptography" by Adi Shamir.
>>Semantic security is great and has given a new provable sense of
>>security, but commutative building blocks can be combined to build
>>the strangest protocols without going into deep mathematics, are
>>better suited for teaching crypto and for high-level protocol design.
>>They are like the "Lego" blocks of cryptography!
>>
>>Now I'm working on a new untraceable e-cash protocol which has some
>>additional properties. And I'm searching for a secure commutable
>>signing primitive.
>>
>>Best regards,
>>Sergio Lerner.
>>
>>
>>On 22/03/2010 09:56 a.m., Jonathan Katz wrote:
>>>Sounds like a bad idea -- at a minimum, your encryption will be
>>>deterministic.
>>>
>>>What are you actually trying to achieve? Usually once you understand
>>>that, you can find a protocol solving your problem already in the
>>>crypto literature.
>>>
>>>On Sun, 21 Mar 2010, Sergio Lerner wrote:
>>>
>>>>
>>>>I'm looking for a public-key cryptosystem that allows commutation of
>>>>the operations of encryption/decryption for different users' keys
>>>>( Ek(Es(m)) = Es(Ek(m)) ).
>>>>I haven't found a simple cryptosystem in Zp or Z/nZ.
>>>>
>>>>I think the solution may be something like the RSA analogs in
>>>>elliptic curves. Maybe a scheme that allows the use of a common
>>>>modulus for all users (RSA does not).
>>>>I've read on some factoring-based cryptosystems (like Meyer-Muller
>>>>or Koyama-Maurer-Okamoto-Vanstone) but the cryptosystem authors say
>>>>nothing about the possibility of using a common modulus, neither
>>>>for good nor for bad.
>>>>
>>>>Does anyone have deeper knowledge of this crypto to help me?
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
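
An added example, not part of the thread: the commutation property Ek(Es(m)) = Es(Ek(m)) asked about above, shown with the Pohlig-Hellman / SRA exponentiation cipher over a shared prime modulus, together with the determinism Jonathan Katz points out. This is a secret-key scheme, not the public-key system the question asks for; the modulus and message are constructed toy values.

```python
import math
import secrets

# Constructed toy parameter: the Mersenne prime 2**127 - 1 as the shared modulus.
P = 2**127 - 1

def keygen(p=P):
    """Return (e, d): a secret exponent coprime to p-1 and its inverse mod p-1."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def enc(key, m, p=P):
    """E_k(m) = m^e mod p. No randomness is involved."""
    return pow(m, key[0], p)

def dec(key, c, p=P):
    """D_k(c) = c^d mod p."""
    return pow(c, key[1], p)

def legendre(a, p=P):
    """Euler's criterion: 1 if a is a quadratic residue mod p, p-1 otherwise."""
    return pow(a, (p - 1) // 2, p)

def demo():
    k, s = keygen(), keygen()
    m = int.from_bytes(b"constructed msg", "big")  # 120 bits, below P
    both = enc(k, enc(s, m))
    return {
        # Layers commute because (m^a)^b = (m^b)^a mod p.
        "commutes": both == enc(s, enc(k, m)),
        # Either party can strip its layer first.
        "any_order": dec(s, dec(k, both)) == m and dec(k, dec(s, both)) == m,
        # Same key and message always give the same ciphertext.
        "deterministic": enc(k, m) == enc(k, m),
        # e is odd (coprime to the even p-1), so quadratic residuosity
        # of the plaintext survives encryption: one bit always leaks.
        "leaks_residuosity": legendre(enc(k, m)) == legendre(m),
    }

if __name__ == "__main__":
    print(demo())
```
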