Wagner-style blinding without a ZK proof
R. A. Hettinga
rah at shipwright.com
Mon May 28 19:00:14 EDT 2001
--- begin forwarded text
To: coderpunks at toad.com
Path: not-for-mail
From: iang at paip.net (Ian Goldberg)
Newsgroups: isaac.lists.coderpunks
Subject: Wagner-style blinding without a ZK proof
Date: 28 May 2001 14:56:05 GMT
Organization: ISAAC Group, UC Berkeley
Lines: 25
Distribution: isaac
NNTP-Posting-Host: abraham.cs.berkeley.edu
NNTP-Posting-Date: 28 May 2001 14:56:05 GMT
Originator: iang at abraham.cs.berkeley.edu (Ian Goldberg)
Sender: owner-coderpunks at toad.com
In Wagner-style blinding, we normally need to use a ZK proof in order
for the user to be convinced that the coin he got is valid (and
"unmarked"). But we don't really need to do that, if we work in a group
in which the Decisional Diffie Hellman problem is easy (though the
Computational Diffie Hellman problem is (presumed) hard).

[Examples of such groups have been found by Joux and Nguyen:
"Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic
groups". <http://eprint.iacr.org/2001/003/>. Also see Boneh &
Franklin, "Identity-Based Encryption from the Weil Pairing",
<http://crypto.stanford.edu/~dabo/abstracts/ibe.html>, to appear in
Crypto 2001.]

The user can simply verify for himself in such a group whether
DL(a,a^x) == DL(g,g^x), even though he doesn't know x, and can't
calculate a^x by himself.

Unfortunately, this likely can't be used in Lucre, since one could
argue (as in section 18 of Stefan Brands' tech report at
<http://www.cwi.nl/ftp/brands/CS-R9323.ps>) that in a group where
DDH is easy but DH is hard, the above construction really *is*
a digital signature, and so Chaum's blinding patent would seem
to apply.

- Ian
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
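The check described in the forwarded message, as an added example (not code from the original post or from Lucre): the user decides DL(a,a^x) == DL(g,g^x) with a pairing, here a reduced Tate pairing on a supersingular curve, written additively so a^x becomes x*a. The curve parameters, all function names and the blinding step (user sends b*a, bank returns x*(b*a), user divides out b) are assumptions of this sketch, and the group is far too small to be secure.

```python
import hashlib, secrets
P, R, COF = 2423, 101, 24  # constructed toy curve y^2 = x^3 + x over F_P, #E(F_P) = P + 1 = COF * R
def step(A, B, Q=(0, 0)):  # returns (A + B, line through A and B evaluated at phi(Q))
    if A is None or B is None:
        return A or B, (1, 0)
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None, (1, 0)  # vertical line: value lies in F_P, final exponent maps it to 1
    num, den = (3 * x1 * x1 + 1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P), ((-y1 - lam * (-Q[0] - x1)) % P, Q[1])

def mul(k, A):  # double-and-add scalar multiplication
    T = None
    for bit in bin(k)[2:]:
        T = step(step(T, T)[0], A if bit == "1" else None)[0]
    return T

def fmul(u, v):  # multiplication in F_{P^2} = F_P[i] / (i^2 + 1)
    return ((u[0] * v[0] - u[1] * v[1]) % P, (u[0] * v[1] + u[1] * v[0]) % P)

def pair(A, Q):  # reduced Tate pairing e(A, phi(Q)), phi(x, y) = (-x, i*y), via Miller's loop
    f, T = (1, 0), A
    for bit in bin(R)[3:]:
        T, l = step(T, T, Q)
        f = fmul(fmul(f, f), l)
        if bit == "1":
            T, l = step(T, A, Q)
            f = fmul(f, l)
    out, e = (1, 0), (P * P - 1) // R
    while e:
        out, f, e = (fmul(out, f) if e & 1 else out), fmul(f, f), e >> 1
    return out

def hash_to_point(msg):  # try-and-increment, then multiply by COF to land in the order-R group
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), "big") % P
        y = pow(x**3 + x, (P + 1) // 4, P)
        A = mul(COF, (x, y)) if y and (y * y - x**3 - x) % P == 0 else None
        if A:
            return A
G = hash_to_point(b"generator")

def withdraw(coin_id, bank_sign, bank_pub):  # bank_sign maps a point m to x*m
    a = hash_to_point(coin_id)
    b = secrets.randbelow(R - 1) + 1              # blinding factor (assumed blinding step)
    s = mul(pow(b, -1, R), bank_sign(mul(b, a)))  # unblind: s should equal x*a
    return a, s, pair(a, bank_pub) == pair(s, G)  # DDH test in place of the ZK proof
```

The third return value is the user's verdict: it is true only when the bank exponentiated with the same x that sits behind its public key, which is what the ZK proof would otherwise establish.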