Re: Chaumian blinding in ECC and ElGamal?

Anonymous (nobody@replay.com)
Mon, 8 Feb 1999 17:22:26 +0100

• Next message: Michael Motyka: "Re: quantum cryptanalysis"
• Previous message: James A. Donald: "Re: Chaumian blinding in ECC and ElGamal?"
• In reply to: Lucky Green: "Chaumian blinding in ECC and ElGamal?"
• Next in thread: Paulo Barreto: "Re: Chaumian blinding in ECC and ElGamal?"

> I am told that one can do Chaumian blinding of electronic cash coins not
> only using RSA, but also using ECC or DH/ElGamal. Would somebody here be so
> kind and show me exactly how this would be done?

Here is a description that was posted a while back for the discrete-log
based Schnorr signature. Possibly the technique could be adapted to
other discrete log sigs.

Schnorr signature:

Keying:

Signer has public parameters prime p, with generator "a" of subgroup
of order q (where q divides p-1). Secret key is exponent s, public
key is v = a^(-s) mod p.

Signing message m:

1. Signer chooses random r < q, computes x = a^r mod p.

2. Signer computes e = hash(m, x)

3. Signer computes y = r + s*e mod q. Signature is (e, y).

4. Verifier computes x' = a^y * v^e. (x' should be equal to x above).
        Confirms that e = hash(m, x').

Schnorr cooperative signature:

In this algorithm, Signer never sees message m. He cooperates with the
Verifier to produce a valid signature on m. However it is still not a
fully blind signature.

1. Signer chooses random r < q, computes x = a^r mod p, sends x to Verifier.

2. Verifier computes e = hash(m, x), sends to Signer.

3. Signer computes y = r + s*e mod q, sends signature (e, y) to Verifier.

4. Verifier confirms that x = a^y * v^e. If so (e, y) is a good Schnorr
signature.

This is not fully blinded because Signer sees e and y although he did not see
m.

Schnorr blind signature (the primed variables are only seen by Verifier):

1. Signer chooses random r < q, computes x = a^r mod p, sends x to Verifier.

2. Verifier chooses two random blinding factors i and j, computes
        x' = x^i * a^j.

3. Verifier computes e' = hash(m', x') and e = e'/i mod q, sends e to Signer.

4. Signer computes y = r + s*e mod q, sends (e, y) to Verifier.

5. Verifier confirms that x = a^y * v^e, so Signer did his part right.

6. Verifier computes y' = i*y + j mod q. Now

7. Now (e', y') is a Schnorr signature on m', as can be verified by:

        x'' = a^y' * v^e'
            = a^(i*y + j) * v^(e*i)
            = (a^y)^i * a^v * (v^e)^i
            = (a^y * v^e)^i * a^v
            = x^i * a^v
            = x'

        and therefore e' = hash(m', x') = hash (m', x'')

        and the signature is confirmed.

This is a fully blind signature; e', y' and m' are unlinkable by the
signer to the values he saw, e and y.

• Next message: Michael Motyka: "Re: quantum cryptanalysis"
• Previous message: James A. Donald: "Re: Chaumian blinding in ECC and ElGamal?"
• In reply to: Lucky Green: "Chaumian blinding in ECC and ElGamal?"
• Next in thread: Paulo Barreto: "Re: Chaumian blinding in ECC and ElGamal?"