Wei Dai (weidai@eskimo.com)
Sun, 7 Mar 1999 19:58:16 -0500
On Sun, Mar 07, 1999 at 12:58:17PM +0100, brands@xs4all.nl wrote:
> This is not a new protocol. It is known as the blind Schnorr signature scheme,
> due to Okamoto; see "Provably Secure and Practical Identification Schemes and
> Corresponding Signature Schemes," Crypto 92, LNCS vol. 740, pages = 31--53.
> See also Okamoto and Ohta, "Divertible Zero Knowledge Interactive Proofs and
> Commutative Random Self-Reducibility," Eurocrypt 89, LNCS vol. 434, pages =
> 134--149.
Thanks for the references. Anonymous did later say that the scheme was
already published, but didn't give a reference.
> The user nevertheless obtains a digital signature, (x', y'), and so this
> is a blind signature protocol a la Chaum. Note that in Chaum's RSA-based
> blind signature protocol the action of the signer is not that of signing
> either; computing the $e$-th root of an arbitrary message does not result
> in an digital signature.
In online ecash systems based on blind signature schemes, the mint's
public key doesn't really need to be used by anyone except the mint
itself. So maybe it would be possible to create a blind ecash system based
on symmetric cryptography, for example with a blind MAC analogous to blind
signature. I don't know if such a thing (blind MAC) exists, but if it does
perhaps it might not be covered by the blind signature patents.
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:49