RE: Anonymous cash via blinded authentication

New Message Reply About this list Date view Thread view Subject view Author view

Anonymous (nobody@replay.com)
Wed, 10 Mar 1999 20:24:32 +0100 (CET)


James A. Donald wrote:

> David Wagner's tokens can only be checked with the private key. There is
> no relevant public key that plays any role in the protocol, thus Chaum's
> patent on undeniable signatures appears irrelevant.

This is not quite true. If the secret key is k and the public key is
g^k, David Wagner shows how to get a signature on a value y which is of
the form y^k. This is exactly the same as Chaum's undeniable signature.

To prove that the signature is valid, the signer runs a protocol to show
that the exponent in the supposedly signed value y^k is the same as
the exponent in his public key, g^k. This is the (now) standard zero
knowledge protocol for showing possession of a discrete log, used for
both sets of values. The fact that the verification works for both sets
of values proves that the discrete log is the same in each case, namely k.

Even though verifying these signatures is possible with the aid of the
signer, it is questionable whether the original blind signature patent
would apply. As James points out, the language there refers to digital
signatures "checkable using a public key". In this case the digital
signatures are only checkable with the assistance of the signer, but
the checking process does use the public key.

As was pointed out earlier, it is possible for the signer to avoid
having a public key g^k. It only needs to choose a secret value k.
There is no g value at all. There is just a public prime modulus p,
and the secret value k.

Undeniable signature verification is impossible without a public key.
This modification would make the protocol even more dissimilar from
Chaum's blinded and undeniable signature patents.

P.S.

Here is the signature verification protocol. We want to prove that the
exponent k on the public key g^k and the signed value y^k is the same.
The signer chooses a random value r, and sends over commitments u = g^r
and v = y^r. The verifier responds with a challenge c. The signer
answers the challenge with w = c*k + r. The verification is that
g^w = (g^k)^c * u, and that y^w = (y^k)^c * v.


New Message Reply About this list Date view Thread view Subject view Author view

 
All trademarks and copyrights are the property of their respective owners.

Other Directory Sites: SeekWonder | Directory Owners Forum

The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:50