James A. Donald (jamesd@echeque.com)
Tue, 09 Mar 1999 17:50:55 -0800
Wei Dai wrote:
>> http://x9.dejanews.com/getdoc.xp?AN=145097228) based on Diffie-Hellman.
At 07:20 PM 3/8/99 +0100, Anonymous wrote:
> This can be thought of as a blinded version of Chaum's
> undeniable signature.
No it is not, for the bank cannot prove to any third party that it signed
the token.
Wagner appears to think that his protocol is covered by Chaum's patents,
but this is not apparent to me.
> The resulting "signature" cannot be verified by
> third parties. The signer can verify it, [...]
The signer (token issuer) can prove it to himself, but not to third parties.
If the token issuer issued a signed document proclaiming the blinded token
to be valid, the token purchaser can prove that the unblinded token
corresponds to the blinded token, but no one, including the token issuer,
can prove that blinded token was in fact correctly formed, he cannot prove
that the blinded token was issued according to the protocol and is not just
a random number. Thus it is not any kind of signature, by any stretch of
the word signature.
> You could distance yourself a little more from the undeniable signature
> by noting that with Chaum's blinding, there is no need for the client to
> know the public key of the bank. He just needs to know the prime modulus.
> Hence the setup for the bank is different; it chooses a secret exponent
> x but never publishes g^x. This changes the informational structure of
> the protocol and makes it harder to argue that the coin is a signature
> of any sort.
>
> One problem with this is that there is no way to be sure that the bank
> didn't cheat when it issued the coin. The bank would have to sign a
> transcript of the protocol
The bank would have to "clear sign" the transcript. Let us use the word
"clear sign" so that people will not get confused between Chaum's blinded
signatures, and the ordinary clear signatures which are necessary for other
parts of the protocol.
-----------------------------------------------------
We have the right to defend ourselves and our property, because
of the kind of animals that we are. True law derives from this
right, not from the arbitrary power of the omnipotent state.
http://www.jim.com/jamesd/ James A. Donald
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:50