Re: Anonymous cash via blinded authentication

Robert Hettinga (rah@shipwright.com)
Sun, 7 Mar 1999 07:36:37 -0500

• Next message: Anonymous: "blind cash, baby"
• Previous message: Anonymous: "Anonymous cash via blinded authentication"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: Anonymous: "Re: Anonymous cash via blinded authentication"

--- begin forwarded text

From: brands@xs4all.nl
Date: Sun, 07 Mar 1999 12:58:17 +0100
To: Digital Bearer Settlement List <dbs@philodox.com>
Subject: Re: Anonymous cash via blinded authentication
Sender: <dbs@philodox.com>
List-Subscribe: <mailto:requests@philodox.com?subject=subscribe%20dbs>

>Date: Fri, 5 Mar 1999 23:40:06 +0100
>From: Anonymous <nobody@replay.com>
>Subject: Anonymous cash via blinded authentication
>To: CodherPlunks@toad.com
>Sender: owner-CodherPlunks@toad.com
>
>Here's another online digital cash idea, a variant on Chaum's blind
>signatures.
>
>The Schnorr authentication protocol uses a discrete log public key
>system with prime p, generator "a" of prime order q, where q divides
>p-1. The secret key is s, and the public key is v = a^-s mod p.
>
> ...
>
>For digital cash purposes, we want to blind the protocol. For this we
>go back to interactive version. We will run the interactive version
>of the authentication protocol, and Victor will massage the values to
>produce a transcript (x', y') which satisfies the verification formula,
>but which Peggy will not recognize.

This is not a new protocol. It is known as the blind Schnorr signature scheme,
due to Okamoto; see "Provably Secure and Practical Identification Schemes and
Corresponding Signature Schemes," Crypto 92, LNCS vol. 740, pages = 31--53.
See also Okamoto and Ohta, "Divertible Zero Knowledge Interactive Proofs and
Commutative Random Self-Reducibility," Eurocrypt 89, LNCS vol. 434, pages =
134--149.

> ...
>The difference from Chaum's digital cash is that there is no digital
>signature involved. The bank only executes an authentication protocol.
>Chaum's protocol signs the hash of a value; this protocol does not do
>any signatures.

The user nevertheless obtains a digital signature, (x', y'), and so this
is a blind signature protocol a la Chaum. Note that in Chaum's RSA-based
blind signature protocol the action of the signer is not that of signing
either; computing the $e$-th root of an arbitrary message does not result
in an digital signature.

Stefan

--- end forwarded text

-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

• Next message: Anonymous: "blind cash, baby"
• Previous message: Anonymous: "Anonymous cash via blinded authentication"
• In reply to: Mail System Internal Data: "DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA"
• Next in thread: Anonymous: "Re: Anonymous cash via blinded authentication"