Anonymous (nobody@replay.com)
Mon, 8 Mar 1999 19:20:52 +0100 (CET)
Wei Dai wrote:
> I'll try to stop answering my own posts, but apparently David Wagner did
> propose a blind MAC scheme (see
> http://x9.dejanews.com/getdoc.xp?AN=145097228) based on Diffie-Hellman.
> This also answers the original Anonymous request for a blind variant of
> something not covered by patents. The Diffie-Hellman patent has expired,
> but I don't know if blind DH is covered by a patent or not.
Very interesting. This can be thought of as a blinded version of Chaum's
undeniable signature. The resulting "signature" cannot be verified by
third parties. The signer can verify it, which makes it suitable for use
as a coin. The undeniable signature protocol shows how the signer can
prove to a third party that the signature is valid or invalid.
Chaum has a patent issued in 1990 on undeniable signatures, which mentions
the possibility of a blinded undeniable signature. This is shown at
http://www.patents.ibm.com/details?pn=US04947430; click to see the images,
and look at page 5. Chaum uses a simpler blinding method, where the value
to be blinded is raised to a random power r. The signer raises it to its
secret exponent, and then the client unblinds by raising to the 1/r power.
However, the full undeniable signature protocol described in the
patent includes the proof by the signer as to whether the message is
properly signed. Since no such step would be included in the digital
cash application, this protocol would arguably escape coverage by the
undeniable signature patent.
Whether it would be covered by the blind signature patent might depend on
whether the bank's actions could be characterized as signing, and whether
the resulting value should be thought of as a signature. It's not
a normal signature, because it can't be verified by third parties.
Unfortunately the terminology is such that it can be considered an
undeniable signature, which semantically might seem to imply that it is
a signature by definition. I don't know how this would work out in court.
You could distance yourself a little more from the undeniable signature
by noting that with Chaum's blinding, there is no need for the client to
know the public key of the bank. He just needs to know the prime modulus.
Hence the setup for the bank is different; it chooses a secret exponent
x but never publishes g^x. This changes the informational structure of
the protocol and makes it harder to argue that the coin is a signature
of any sort.
One problem with this is that there is no way to be sure that the bank
didn't cheat when it issued the coin. The bank would have to sign a
transcript of the protocol and then be confronted with it later if the
coin wasn't accepted.
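The blind DH coin sketched in the thread (Chaum-style blinding by a random exponent r, the bank raising to its secret exponent, the client unblinding with 1/r), as an added worked example; this is not code from the post, from Wagner's proposal or from Chaum's patent. It assumes a 128-bit safe prime p = 2q+1 generated from a fixed seed so it runs offline, maps messages into the order-q subgroup by hashing and squaring, and uses its own function names. It also exercises the two points made above: only the holder of x can check a coin (no g^x is ever published), and a bank that cheats at issuance is noticed only when the coin is presented.

```python
"""
Blind Diffie-Hellman coin: a blinded, undeniable-signature-style MAC.
Added example; not the post's, Wagner's or Chaum's code.  Assumed here:
  * p = 2q + 1 is a 128-bit safe prime from a fixed seed (a deployment
    would use a standard, much larger group, e.g. RFC 3526/7919);
  * messages are mapped into the order-q subgroup by SHA-256 + squaring;
  * the function names are this example's own.
Needs Python 3.8+ for pow(r, -1, q).
"""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=32):
    """Trial division, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, seed=1999):
    """Return (p, q) with p = 2q + 1, both prime; fixed seed => reproducible."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


P, Q = safe_prime(128)


def hash_to_group(message):
    """Map bytes to a non-trivial element of the order-q subgroup of Z_p^*."""
    counter = 0
    while True:
        digest = hashlib.sha256(message + counter.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big"), 2, P)  # every square has order q or 1
        if h not in (0, 1):
            return h
        counter += 1


# Bank side: a secret exponent x and nothing published (no g, no g^x).
def bank_keygen(rng):
    return rng.randrange(1, Q)


def sign_blinded(blinded, x):
    """The bank raises whatever it is handed to its secret exponent."""
    return pow(blinded, x, P)


def bank_verify(message, coin, x):
    """Only the holder of x can run this check; there is no public key."""
    return coin == pow(hash_to_group(message), x, P)


# Client side: Chaum-style blinding by a random exponent r.
def blind(message, rng):
    r = rng.randrange(1, Q)  # invertible mod q because q is prime
    return pow(hash_to_group(message), r, P), r


def unblind(blinded_sig, r):
    """(h^(r*x))^(1/r) = h^x: h has order q and 1/r is taken mod q."""
    return pow(blinded_sig, pow(r, -1, Q), P)


def withdraw_and_deposit(message, x, rng, bank_exponent=None):
    """One full exchange.  `bank_exponent` simulates a bank that cheats at
    issuance: the client has no way to notice until the coin is presented."""
    blinded, r = blind(message, rng)
    sig = sign_blinded(blinded, x if bank_exponent is None else bank_exponent)
    coin = unblind(sig, r)
    return coin, bank_verify(message, coin, x)


if __name__ == "__main__":
    rng = random.Random(7)
    x = bank_keygen(rng)
    coin, ok = withdraw_and_deposit(b"coin #1", x, rng)
    print("honest coin accepted at deposit:", ok)
    print("check with any other exponent:", bank_verify(b"coin #1", coin, (x + 1) % Q))
    _, ok2 = withdraw_and_deposit(b"coin #2", x, rng, bank_exponent=(3 * x) % Q)
    print("cheating bank caught only at deposit:", not ok2)
```

Two things the code makes concrete: the client never calls anything resembling a verify routine, because without x there is nothing it can check, which is exactly the "no way to be sure the bank didn't cheat" problem raised in the last paragraph; and the bank's view of a withdrawal is h^r for a random r, a uniformly random subgroup element, which is what keeps the later coin h^x unlinkable to the withdrawal.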