RE: Anonymous cash via blinded authentication

Anonymous (nobody@replay.com)
Wed, 10 Mar 1999 20:24:32 +0100 (CET)

• Next message: Anonymous: "RE: Anonymous cash via blinded authentication"
• Previous message: Dave Del Torto: "[ANNOUNCE] 990313 March Cypherpunks Physical Meeting (SF Bay)"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: Anonymous: "RE: Anonymous cash via blinded authentication"
• Reply: Anonymous: "RE: Anonymous cash via blinded authentication"
• Reply: James A. Donald: "RE: Anonymous cash via blinded authentication"

James A. Donald wrote:

> David Wagner's tokens can only be checked with the private key. There is
> no relevant public key that plays any role in the protocol, thus Chaum's
> patent on undeniable signatures appears irrelevant.

This is not quite true. If the secret key is k and the public key is
g^k, David Wagner shows how to get a signature on a value y which is of
the form y^k. This is exactly the same as Chaum's undeniable signature.

To prove that the signature is valid, the signer runs a protocol to show
that the exponent in the supposedly signed value y^k is the same as
the exponent in his public key, g^k. This is the (now) standard zero
knowledge protocol for showing possession of a discrete log, used for
both sets of values. The fact that the verification works for both sets
of values proves that the discrete log is the same in each case, namely k.

Even though verifying these signatures is possible with the aid of the
signer, it is questionable whether the original blind signature patent
would apply. As James points out, the language there refers to digital
signatures "checkable using a public key". In this case the digital
signatures are only checkable with the assistance of the signer, but
the checking process does use the public key.

As was pointed out earlier, it is possible for the signer to avoid
having a public key g^k. It only needs to choose a secret value k.
There is no g value at all. There is just a public prime modulus p,
and the secret value k.

Undeniable signature verification is impossible without a public key.
This modification would make the protocol even more dissimilar from
Chaum's blinded and undeniable signature patents.

P.S.

Here is the signature verification protocol. We want to prove that the
exponent k on the public key g^k and the signed value y^k is the same.
The signer chooses a random value r, and sends over commitments u = g^r
and v = y^r. The verifier responds with a challenge c. The signer
answers the challenge with w = c*k + r. The verification is that
g^w = (g^k)^c * u, and that y^w = (y^k)^c * v.

• Next message: Anonymous: "RE: Anonymous cash via blinded authentication"
• Previous message: Dave Del Torto: "[ANNOUNCE] 990313 March Cypherpunks Physical Meeting (SF Bay)"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: Anonymous: "RE: Anonymous cash via blinded authentication"
• Reply: Anonymous: "RE: Anonymous cash via blinded authentication"
• Reply: James A. Donald: "RE: Anonymous cash via blinded authentication"