Re: Anonymous cash via blinded authentication

Anonymous (nobody@replay.com)
Sat, 6 Mar 1999 17:40:21 -0500

• Next message: Wei Dai: "Re: Anonymous cash via blinded authentication"
• Previous message: Lewis McCarthy: "Re: blind cash, baby"
• In reply to: Anonymous: "blind cash, baby"
• Next in thread: Anonymous: "Re: Anonymous cash via blinded authentication"

> Never mind, I figured it out. x'=x^(e'/e)*a^(y'-y*e'/e) holds for any
> r,x,e,y such that x=a^r and y=r+se, so Peggy is not able to use it to link
> x',e',y' to any particular x,e,y she saw earlier.

I developed that blinding scheme independently (it's in the literature)
but later saw the same potential flaw, that linkage would appear to be
possible. Luckily someone else pointed out my mistake and I realized
that it was actually OK.

An easy way to see this is to note that the transcript can also be
stored as (e, y) rather than (x, y) where e = Hash(x). The verification
is then to calculate x as a^y*v^e mod p and verify that e = Hash(x).

For the blinded form, we have e' = e*z and y' = y*z + w. You can
construct any nonzero (e', y') from a given (e, y) by exactly one choice
of z and w. Hence no linkage can be possible.

Another blinding method is to for Victor to receive x from Peggy, and
define x' = x * a^z * v^w. e' = Hash(x'). e = e' - w is what he sends
to Peggy as the challenge. Peggy returns y = r + s*e, and Victor
calculates y' = y + z. The transcript is then (x', y') or (e', y').

• Next message: Wei Dai: "Re: Anonymous cash via blinded authentication"
• Previous message: Lewis McCarthy: "Re: blind cash, baby"
• In reply to: Anonymous: "blind cash, baby"
• Next in thread: Anonymous: "Re: Anonymous cash via blinded authentication"