Anonymous cash via blinded authentication


Anonymous (nobody@replay.com)
Fri, 5 Mar 1999 23:40:06 +0100


Here's another online digital cash idea, a variant on Chaum's blind
signatures.

The Schnorr authentication protocol uses a discrete log public key
system with prime p, generator "a" of prime order q, where q divides
p-1. The secret key is s, and the public key is v = a^-s mod p.

Based on Schneier's description, to authenticate herself as the holder
of a specific public key y, Peggy picks a random r < q and computes
x = a^r mod p, and sends it to Victor. Victor sends Peggy a random
value e. Peggy returns the value y = (r + se) mod q. Victor verifies
that x = a^y*v^e mod p.

As is typical in such challenge-based proofs, it can be made non-interactive
by replacing the challenge with a hash. Instead of Victor sending Peggy
the random value e, e can be defined as Hash(x), where the hash might be
SHA-1. Now Peggy can execute the entire protocol herself, and output
the values (x, y) as a transcript of the protocol.

This (x, y) transcript is a somewhat peculiar object. It could only have
been done by Peggy; only someone who knew the secret key could create
it. But it doesn't assert anything, or sign anything. It just sits
there, a record that Peggy once ran the computation.

For digital cash purposes, we want to blind the protocol. For this we
go back to the interactive version. We will run the interactive version
of the authentication protocol, and Victor will massage the values to
produce a transcript (x', y') which satisfies the verification formula,
but which Peggy will not recognize.

Victor creates two random blinding values, z and w. He participates in
the interactive protocol. He gets x from Peggy, and defines x'=x^z * a^w.
He then sets his challenge value as e = Hash(x') / z, and sends this
to Peggy. Peggy returns y, and Victor sets y' = y*z + w. Now (x', y')
is the blinded transcript that we want. It satisfies the verification
formula: x' = a^y'*v^e' (where e' = Hash(x')), but it is not linkable
to the values which Peggy saw.

Given the ability to blind the authentication protocol, we can use these
blinded transcripts (x', y') as digital coins. Peggy is the bank, and
Victor is the customer. Withdrawing a coin is a matter of running the
blinded authentication protocol. When the coin is later deposited,
the bank checks the verification relation, and puts it on a list of
spent coins to prevent double-spending.

The difference from Chaum's digital cash is that there is no digital
signature involved. The bank only executes an authentication protocol.
Chaum's protocol signs the hash of a value; this protocol does not do
any signatures.

This particular method is not suitable for commercial use, as the Schnorr
authentication protocol is patented (US4995082). Schnorr is relatively
aggressive with his patents and in fact has engaged in a campaign to show
that the DSA infringes on this patent. However if another authentication
algorithm could be shown to be blindable, it would offer a possible way
to implement anonymous digital cash without infringing on patents.
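A worked run of the protocol described in the post, as an added example that is not part of the original message: the interactive Schnorr authentication, the hashed non-interactive transcript, Victor's blinding of a bank run into a coin, and the spent-coin check at deposit. The parameters p, q, a are constructed toy values far too small for real use, and reducing the SHA-1 output mod q to obtain the challenge is an assumption.

```python
import hashlib
import secrets

# Constructed toy parameters (insecure): p = 2q + 1 with p, q prime,
# and a = 4 = 2^2 generates the subgroup of prime order q mod p.
P, Q, A = 1019, 509, 4

def hash_to_challenge(x: int) -> int:
    """e = Hash(x); SHA-1 as in the post, reduced mod q (assumption)."""
    return int.from_bytes(hashlib.sha1(str(x).encode()).digest(), "big") % Q

def keygen():
    s = secrets.randbelow(Q - 1) + 1          # secret key s in [1, q-1]
    return s, pow(A, -s, P)                    # public key v = a^-s mod p

def prover_commit():
    r = secrets.randbelow(Q - 1) + 1           # Peggy's random r < q
    return r, pow(A, r, P)                     # x = a^r mod p

def prover_respond(s, r, e):
    return (r + s * e) % Q                     # y = r + s*e mod q

def verify(v, x, y, e):
    return x == (pow(A, y, P) * pow(v, e, P)) % P   # x == a^y * v^e mod p

def noninteractive_transcript(s):
    """Peggy runs the whole protocol herself with e = Hash(x)."""
    r, x = prover_commit()
    return x, prover_respond(s, r, hash_to_challenge(x))

def blinded_withdrawal(s):
    """Victor (customer) turns a bank run into a coin (x', y') the bank cannot link."""
    r, x = prover_commit()                     # bank sends x
    z = secrets.randbelow(Q - 1) + 1           # blinding z, invertible mod q
    w = secrets.randbelow(Q)                   # blinding w
    x_blind = (pow(x, z, P) * pow(A, w, P)) % P             # x' = x^z * a^w
    e = (hash_to_challenge(x_blind) * pow(z, -1, Q)) % Q    # e = Hash(x') / z
    y = prover_respond(s, r, e)                # bank answers the skewed challenge
    y_blind = (y * z + w) % Q                  # y' = y*z + w
    return (x_blind, y_blind), (x, e, y)       # coin, and what the bank saw

def verify_coin(v, coin):
    x_blind, y_blind = coin
    return verify(v, x_blind, y_blind, hash_to_challenge(x_blind))

def deposit(v, coin, spent):
    """Bank accepts a coin once: checks the relation, then records it as spent."""
    if not verify_coin(v, coin) or coin in spent:
        return False
    spent.add(coin)
    return True
```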




The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:49