RE: Anonymous cash via blinded authentication


Anonymous (nobody@replay.com)
Wed, 10 Mar 1999 22:40:25 +0100 (CET)


> As was pointed out earlier, it is possible for the signer to avoid
> having a public key g^k. It only needs to choose a secret value k.
> There is no g value at all. There is just a public prime modulus p,
> and the secret value k.

This approach, which relies on Chaum's undeniable signature blinding
(raise to the r power, then unblind by raising to the 1/r power), has
a problem. It allows the bank to "mark" the cash.

The bank can use a different exponent k' instead of the exponent k it
is supposed to be using, on certain withdrawals. On every deposit, it
checks the incoming coin using both k and k', and is able to quietly
identify the marked withdrawals.

To solve this the bank needs to prove that it has properly exponentiated
the withdrawn coin using k and no other value. This is exactly what
Chaum's undeniable signature verification protocol is for. Unfortunately
this brings the whole ecash protocol under coverage by the undeniable
signature patent.

David Wagner's blinding method (http://x9.dejanews.com/getdoc.xp?AN=145097228)
appears to be immune to this problem. If the bank uses k', the
withdrawer gets (y g^b)^k' from the bank, and unblinds using
(y g^b)^k' (g^k)^{-b}, which equals y^k' (g^b)^(k'-k). At deposit
time the bank knows y, g, k and k', but without knowing b it can't
recognize invalid coins.

David's method does require that the bank choose a generator g and
publish g^k, so we are back to having a public key in the system.
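The two withdrawal schemes discussed above, side by side, as an added worked example that is not part of the original post or of any cited paper. It uses constructed demo parameters (a Mersenne prime modulus `P`, an assumed generator `G = 3`, and made-up exponents `k` and `k'`) and hypothetical function names. `deposit_check` plays the bank at deposit time, testing the incoming coin against both `k` and `k'`: under plain exponent blinding the marked coin verifies under `k'`, so the bank can pick it out, whereas under the g^b blinding the marked coin comes back as y^k' (g^b)^(k'-k), which matches neither exponent and gives the bank no handle without b.

```python
import math
import secrets

# Constructed demo parameters (assumptions, not values from the post):
# a Mersenne prime modulus and an assumed generator.  Exponents live mod P-1.
P = (1 << 127) - 1      # 2^127 - 1, prime
G = 3                   # assumed generator for the demo
ORDER = P - 1


def random_unit_exponent(order: int = ORDER) -> int:
    """Pick r with gcd(r, P-1) == 1 so that 1/r mod (P-1) exists for unblinding."""
    while True:
        r = secrets.randbelow(order - 2) + 2
        if math.gcd(r, order) == 1:
            return r


def bank_sign(blinded: int, k_used: int) -> int:
    """The bank raises whatever it receives to its exponent.  An honest bank
    uses k; a marking bank substitutes k' on selected withdrawals."""
    return pow(blinded, k_used, P)


# --- Scheme 1: plain exponent blinding (raise to r, unblind with 1/r) --------

def withdraw_plain(m: int, k_used: int) -> int:
    """Withdraw a coin on message m.  Returns the unblinded signature m^k_used."""
    r = random_unit_exponent()
    blinded = pow(m, r, P)                      # m^r
    signed = bank_sign(blinded, k_used)         # m^(r k)
    r_inv = pow(r, -1, ORDER)                   # 1/r mod (P-1)
    return pow(signed, r_inv, P)                # m^k_used  (the mark survives)


# --- Scheme 2: Wagner-style blinding (multiply by g^b, unblind by (g^k)^-b) --

def withdraw_wagner(y: int, g_k: int, k_used: int) -> int:
    """Withdraw a coin on y, given the bank's published g^k.  Honest bank: y^k.
    Marking bank (k'): y^k' * g^(b (k'-k)), which depends on the secret b."""
    b = secrets.randbelow(ORDER - 1) + 1
    blinded = (y * pow(G, b, P)) % P            # y g^b
    signed = bank_sign(blinded, k_used)         # (y g^b)^k_used
    return (signed * pow(g_k, -b, P)) % P       # multiply by (g^k)^-b


# --- Bank at deposit time -----------------------------------------------------

def deposit_check(coin: int, sig: int, k: int, k_prime: int):
    """Return which exponent the deposited coin verifies under, or None."""
    if sig == pow(coin, k, P):
        return "k"
    if sig == pow(coin, k_prime, P):
        return "k_prime"
    return None


def demo():
    k = 12345678901234567          # constructed secret exponent
    k_prime = k + 1                # constructed marking exponent
    g_k = pow(G, k, P)             # the public key Wagner's method requires
    m, y = 987654321, 555          # constructed coin values

    return {
        "plain_honest": deposit_check(m, withdraw_plain(m, k), k, k_prime),
        "plain_marked": deposit_check(m, withdraw_plain(m, k_prime), k, k_prime),
        "wagner_honest": deposit_check(y, withdraw_wagner(y, g_k, k), k, k_prime),
        "wagner_marked": deposit_check(y, withdraw_wagner(y, g_k, k_prime), k, k_prime),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: verifies under {result}")
```

Running `demo()` gives `plain_marked == "k_prime"` (the bank links the deposit to the marked withdrawal) and `wagner_marked is None` (the mark turns into a coin the bank cannot match against either exponent). The honest cases verify under `k` in both schemes. Note that `pow(x, -e, P)` relies on Python 3.8+ modular inverses.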



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:50