Wagner-style blinding without a ZK proof

R. A. Hettinga rah at shipwright.com
Mon May 28 19:00:14 EDT 2001

--- begin forwarded text

To: coderpunks at toad.com
Path: not-for-mail
From: iang at paip.net (Ian Goldberg)
Newsgroups: isaac.lists.coderpunks
Subject: Wagner-style blinding without a ZK proof
Date: 28 May 2001 14:56:05 GMT
Organization: ISAAC Group, UC Berkeley
Lines: 25
Distribution: isaac
NNTP-Posting-Host: abraham.cs.berkeley.edu
NNTP-Posting-Date: 28 May 2001 14:56:05 GMT
Originator: iang at abraham.cs.berkeley.edu (Ian Goldberg)
Sender: owner-coderpunks at toad.com

In Wagner-style blinding, we normally need to use a ZK proof in order
for the user to be convinced that the coin he got is valid (and
"unmarked").  But we don't really need to do that, if we work in a group
in which the Decisional Diffie Hellman problem is easy (though the
Computational Diffie Hellman problem is (presumed) hard).

[Examples of such groups have been found by Joux and Nguyen:
"Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic
groups".  <http://eprint.iacr.org/2001/003/>.  Also see Boneh &
Franklin, "Identity-Based Encryption from the Weil Pairing",
<http://crypto.stanford.edu/~dabo/abstracts/ibe.html>, to appear in
Crypto 2001.]

The user can simply verify for himself in such a group whether
DL(a,a^x) == DL(g,g^x), even though he doesn't know x, and can't
calculate a^x by himself.

Unfortunately, this likely can't be used in Lucre, since one could
argue (as in section 18 of Stefan Brands' tech report at
<http://www.cwi.nl/ftp/brands/CS-R9323.ps>) that in a group where
DDH is easy but DH is hard, the above construction really *is*
a digital signature, and so Chaum's blinding patent would seem
to apply.

   - Ian

--- end forwarded text

R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
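
The check described in the forwarded post, as an added example (not code from the post or from Lucre): with a symmetric pairing e, DL(a, a^x) == DL(g, g^x) holds exactly when e(a^x, g) == e(a, g^x), so the user needs neither x nor a proof from the bank. The toy curve (y^2 = x^3 + x over F_59, order-5 subgroup), the generator G and every function name are assumptions chosen so the code runs stand-alone; the group is written additively (x*a instead of a^x), and at this size it only illustrates the algebra.

```python
# Toy parameters (constructed): E: y^2 = x^3 + x over F_59, #E = 60 = 12 * 5.
p, r = 59, 5
G = (25, 30)                      # generator of the order-5 subgroup

def add(T, P):
    """Return (T + P, slope of the line through T and P); slope is None if vertical."""
    if T is None or P is None:
        return (P if T is None else T), None
    (x1, y1), (x2, y2) = T, P
    if x1 == x2 and (y1 + y2) % p == 0:
        return None, None         # T + P is the point at infinity
    if T == P:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p), lam

def mul(k, P):
    R = None
    for bit in bin(k)[2:]:        # left-to-right double-and-add
        R = add(R, R)[0]
        if bit == "1":
            R = add(R, P)[0]
    return R

def fmul(a, b):                   # multiplication in F_p^2 = F_p[i], i^2 = -1
    return ((a[0] * b[0] - a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p)

def pairing(P, Q):
    """Modified Tate pairing e(P, phi(Q)), phi(x, y) = (-x, i*y); inputs in <G>."""
    xq, yq, f, T = -Q[0] % p, Q[1], (1, 0), P
    for bit in bin(r)[3:]:        # Miller loop over the bits of r
        f = fmul(f, f)
        for other_is_P in [False] + [True] * (bit == "1"):
            nxt, lam = add(T, P if other_is_P else T)
            if lam is not None:   # vertical lines lie in F_p; the final power kills them
                f = fmul(f, ((-T[1] - lam * (xq - T[0])) % p, yq))
            T = nxt
    out, e = (1, 0), (p * p - 1) // r
    for bit in bin(e)[2:]:        # final exponentiation f^((p^2 - 1) / r)
        out = fmul(out, out)
        if bit == "1":
            out = fmul(out, f)
    return out

def coin_is_valid(a, s, Y):
    """Accept coin (a, s) iff DL(a, s) == DL(G, Y), i.e. e(s, G) == e(a, Y)."""
    return pairing(s, G) == pairing(a, Y)
```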

The Cryptography Mailing List