Anonymous (nobody@replay.com)
Sun, 7 Mar 1999 21:00:51 -0500
Stefan Brands writes:
> This is not a new protocol. It is known as the blind Schnorr signature scheme,
> due to Okamoto; see "Provably Secure and Practical Identification Schemes and
> Corresponding Signature Schemes," Crypto 92, LNCS vol. 740, pages = 31--53.
> See also Okamoto and Ohta, "Divertible Zero Knowledge Interactive Proofs and
> Commutative Random Self-Reducibility," Eurocrypt 89, LNCS vol. 434, pages =
> 134--149.
Yes, in a later message I mentioned that this was from the literature.
I'm not really trying to steal credit here; after all, I am Anonymous.
Actually I did develop my version independently, using multiplication
and division on the e' and y' values, while Okamoto uses addition and
subtraction. My version is somewhat slower, but they both end up doing
roughly the same blinding.
> >The difference from Chaum's digital cash is that there is no digital
> >signature involved. The bank only executes an authentication protocol.
> >Chaum's protocol signs the hash of a value; this protocol does not do
> >any signatures.
>
> The user nevertheless obtains a digital signature, (x', y'), and so this
> is a blind signature protocol a la Chaum.
This comes down to a matter of semantics and how we choose to define
signatures, a dispute perhaps better suited to lawyers than cryptographers.
To turn the Scnorr identification protocol into a signature, we typically
do two things. We replace the random challenge with a hash, and we
include the message in the hash calculation. In this case, we do the
first step but not the second. The question is whether you are left with
either a non interactive zero knowledge authentication, or a signature.
I argued that it is not a signature, because there is no message that
is signed. However you could also argue that it is a signature, just
on an empty message. Does a signature on an empty message make sense?
It's a matter of semantics. However there are a number of issues
regarding the interpretations of digital signatures, non-repudiation vs
acknowledgement vs authorship, etc., which would not seem to apply if
there is no signed message.
> Note that in Chaum's RSA-based
> blind signature protocol the action of the signer is not that of signing
> either; computing the $e$-th root of an arbitrary message does not result
> in an digital signature.
That's an interesting way to look at it. In that case Chaum's ecash is
not covered by his blind signature patent (US 4759063), since that has
as one of its steps,
signing each of said first messages by a signing party applying a public
key digital signature thereto to produce a corresponding plurality of
digital second messages;
So if the bank's not signing messages when it takes those e-th roots,
it doesn't infringe the patents.
More work for the lawyers; I'm sure Stefan has his own stories to tell
about experiences in the legal arena.
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:49