Chaum's unpatented ecash scheme

Nomen Nescio nobody at dizum.com
Tue Aug 20 19:00:06 EDT 2002


David Chaum gave a talk at the Crypto 2002 conference recently in which
he briefly presented a number of interesting ideas, including an approach
to digital cash which he himself said would "avoid the ecash patents".

The diagram he showed was as follows:


        Optimistic Authenticator

                                     z = x^s

Payer         f(m)^a z^b             Bank
      ----------------------------->

            [f(m)^a z^b]^s
      <-----------------------------

               m, f(m)^s
      ----------------------------->


It's hard to figure out what this means, but it bears resemblance to a
scheme discussed on the Coderpunks list in 1999, a variant on a blinding
method developed by David Wagner.  See
http://www.mail-archive.com/coderpunks@toad.com/msg02323.html for a
description, with a sketch of a proof of blindness at
http://www.mail-archive.com/coderpunks@toad.com/msg02387.html and
http://www.mail-archive.com/coderpunks@toad.com/msg02388.html.

In Chaum's diagram it is not clear which parts of the key are private and
which public, although z is presumably public.  Since the bank's action
is apparently to raise to the s power, s must be secret.  That suggests
that x is public.  However Chaum's system seems to require dividing by
(z^b)^s in order to unblind the value, and if s is secret, that doesn't
seem possible.

In Wagner's scheme everything was like this except that the bank's key
would be expressed as x = z^s, again with x and z public and s secret.
f(m) would be a one-way function, which gets doubly-blinded by being
raised to the a power and multiplied by z^b, where a and b are randomly
chosen blinding factors.  The bank raises this to its secret power s,
and the user unblinds to form f(m)^s.  To later deposit the coin he does
as in the third step, sending m and f(m)^s to the bank.

For the unblinding, the user can divide by (z^b)^s, which equals z^(b*s),
which equals (z^s)^b, which equals x^b.  Since x is public and the user
chose b, he can unblind the value.  Maybe the transcription above of the
Chaum scheme had a typo and it was actually similar to the Wagner method.

Chaum commented that the payer does not receive a signature in this
system, and that he doesn't need one because he is protected against
misbehavior by the bank.  This is apparently where the scheme gets
its name.
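Added example (not part of this post, and not code from Chaum's talk or the Coderpunks threads): a toy implementation of the Wagner layout described above, where the bank publishes z and x = z^s and keeps s secret, the payer sends f(m)^a z^b, and unblinds by dividing by x^b and taking the a-th root. The same code is then run on the diagram as transcribed (z = x^s) to confirm the objection in the post: with s secret the payer has no way to compute (z^b)^s, and dividing by either x^b or z^b leaves a stray factor. The group parameters (a 12-bit safe prime), the choice of f(m) as a hash reduced and squared into the subgroup, and all function names are assumptions of this example, not anything the post specifies.

```python
"""Wagner-style blind signature over a prime-order subgroup.

Constructed toy parameters: P = 2Q + 1 is a safe prime, so the quadratic
residues mod P form a subgroup of prime order Q where every exponent lives.
A real instance needs a 2048-bit-plus MODP group or an elliptic curve.
"""
import hashlib
import secrets

P = 2039  # safe prime (assumed toy value)
Q = 1019  # (P - 1) / 2, prime order of the QR subgroup
G = 4     # 2^2, a generator of the order-Q subgroup


def f(msg: bytes) -> int:
    """One-way map into the order-Q subgroup: hash, reduce mod P, square.

    Squaring lands in the subgroup without handing out a discrete log to any
    public base; f(m) = g^H(m) would let anyone forge f(m)^s as x^H(m).
    """
    ctr = 0
    while True:
        digest = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        h = int.from_bytes(digest, "big") % P
        if h:  # h == 0 would map to the identity; retry with a fresh counter
            return pow(h, 2, P)
        ctr += 1


def keygen(wagner_layout: bool):
    """Bank key.  Wagner: x = z^s.  As transcribed: z = x^s.  s stays secret."""
    s = secrets.randbelow(Q - 3) + 2          # 2 .. Q-2, so s != +-1 mod Q
    base = pow(G, secrets.randbelow(Q - 1) + 1, P)
    if wagner_layout:
        z, x = base, pow(base, s, P)
    else:
        x, z = base, pow(base, s, P)
    return s, z, x


def payer_blind(msg: bytes, z: int):
    """Step 1: f(m)^a * z^b with fresh random a, b in 1 .. Q-1."""
    a = secrets.randbelow(Q - 1) + 1
    b = secrets.randbelow(Q - 1) + 1
    return pow(f(msg), a, P) * pow(z, b, P) % P, (a, b)


def bank_sign(blinded: int, s: int) -> int:
    """Step 2: the bank raises whatever it receives to its secret power."""
    return pow(blinded, s, P)


def payer_unblind(signed: int, a: int, b: int, unblind_base: int) -> int:
    """Divide by unblind_base^b, then take the a-th root (exponent a^-1 mod Q)."""
    t = signed * pow(unblind_base, -b, P) % P
    return pow(t, pow(a, -1, Q), P)


def bank_verify(msg: bytes, coin: int, s: int) -> bool:
    """Step 3 (deposit): the bank recomputes f(m)^s and compares."""
    return coin == pow(f(msg), s, P)


def run(msg: bytes, wagner_layout: bool, unblind_with: str) -> bool:
    """Full withdraw/deposit round; unblind_with is 'x' or 'z', the only
    bases the payer can raise to a chosen power without knowing s."""
    s, z, x = keygen(wagner_layout)
    blinded, (a, b) = payer_blind(msg, z)
    signed = bank_sign(blinded, s)
    coin = payer_unblind(signed, a, b, {"x": x, "z": z}[unblind_with])
    return bank_verify(msg, coin, s)


def blinding_cancels(msg: bytes, trials: int = 3) -> bool:
    """Withdrawing the same m several times must give the same coin f(m)^s:
    the random a and b leave no trace in the unblinded token."""
    s, z, x = keygen(True)
    coins = set()
    for _ in range(trials):
        blinded, (a, b) = payer_blind(msg, z)
        coins.add(payer_unblind(bank_sign(blinded, s), a, b, x))
    return len(coins) == 1 and coins.pop() == pow(f(msg), s, P)


if __name__ == "__main__":
    print("Wagner layout, unblind with x^b:   ", run(b"coin", True, "x"))
    print("as transcribed, unblind with x^b:  ", run(b"coin", False, "x"))
    print("as transcribed, unblind with z^b:  ", run(b"coin", False, "z"))
    print("blinding factors cancel:           ", blinding_cancels(b"coin"))
```

In the Wagner layout the bank returns f(m)^(as) z^(bs) = f(m)^(as) x^b, so x^b is exactly the factor the payer can strip with public data. In the transcribed layout the bank returns f(m)^(as) x^(b s^2); dividing by x^b leaves x^(b(s^2-1)) and dividing by z^b leaves x^(bs(s-1)), both non-trivial whenever s is not 0 or +-1 mod Q, which is why the deposit check fails. Note that the bank verifies a deposit by recomputing f(m)^s with its secret rather than by checking a public-key signature, matching Chaum's remark that the payer never receives a signature.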
