Chaum's unpatented ecash scheme
Nomen Nescio
nobody at dizum.com
Tue Aug 20 19:00:06 EDT 2002
David Chaum gave a talk at the Crypto 2002 conference recently in which
he briefly presented a number of interesting ideas, including an approach
to digital cash which he himself said would "avoid the ecash patents".
The diagram he showed was as follows:
                     Optimistic Authenticator
                            z = x^s

   Payer              f(m)^a z^b                        Bank
           ----------------------------->
                    [f(m)^a z^b]^s
           <-----------------------------
                      m, f(m)^s
           ----------------------------->
It's hard to figure out what this means, but it bears resemblance to a
scheme discussed on the Coderpunks list in 1999, a variant on a blinding
method developed by David Wagner. See
http://www.mail-archive.com/coderpunks@toad.com/msg02323.html for a
description, with a sketch of a proof of blindness at
http://www.mail-archive.com/coderpunks@toad.com/msg02387.html and
http://www.mail-archive.com/coderpunks@toad.com/msg02388.html.
In Chaum's diagram it is not clear which parts of the key are private and
which public, although z is presumably public. Since the bank's action
is apparently to raise to the s power, s must be secret. That suggests
that x is public. However Chaum's system seems to require dividing by
(z^b)^s in order to unblind the value, and if s is secret, that doesn't
seem possible.
In Wagner's scheme everything was like this except that the bank's key
would be expressed as x = z^s, again with x and z public and s secret.
f(m) would be a one-way function, which gets doubly-blinded by being
raised to the a power and multiplied by z^b, where a and b are randomly
chosen blinding factors. The bank raises this to its secret power s,
and the user unblinds to form f(m)^s. To later deposit the coin he does
as in the third step, sending m and f(m)^s to the bank.
For the unblinding, the user can divide by (z^b)^s, which equals z^(b*s),
which equals (z^s)^b, which equals x^b. Since x is public and the user
chose b, he can unblind the value. Maybe the transcription above of the
Chaum scheme had a typo and it was actually similar to the Wagner method.
Chaum commented that the payer does not receive a signature in this
system, and that he doesn't need one because he is protected against
misbehavior by the bank. This is apparently where the scheme gets
its name.
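The Wagner-style withdrawal and unblinding described above, as an added worked example in Python (not code from the post or from Chaum/Wagner). It assumes the signing is done in a subgroup of known prime order Q (a toy safe prime p = 2Q+1 is constructed inline), so the payer can also strip the exponent a by raising to a^-1 mod Q, a step the post's description leaves implicit; z is fixed to 4 as a constructed public subgroup element.

```python
import hashlib
import secrets

# Constructed toy parameters: P = 2*Q + 1 with Q prime, so the quadratic
# residues mod P form a subgroup of prime order Q. Real deployments would
# use a large safe prime; these are tiny only so the example runs instantly.
Q = 1019
P = 2 * Q + 1  # 2039, prime
Z = 4          # assumption: public subgroup element z (2^2, a residue, not 1)


def f(m: bytes) -> int:
    """One-way map from a message into the order-Q subgroup (hash, then
    square a nonzero residue so the result is a quadratic residue mod P)."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1) + 1
    return pow(h, 2, P)


class Bank:
    """Holds the secret exponent s; publishes z and x = z^s as in the post."""

    def __init__(self) -> None:
        self.s = secrets.randbelow(Q - 2) + 2   # secret, 2 <= s < Q
        self.z = Z                              # public
        self.x = pow(self.z, self.s, P)         # public, x = z^s

    def sign_blinded(self, blinded: int) -> int:
        # The bank only ever sees f(m)^a * z^b, never m or f(m).
        return pow(blinded, self.s, P)

    def accept_deposit(self, m: bytes, sig: int) -> bool:
        # Deposit check: the coin must equal f(m)^s for the revealed m.
        return sig == pow(f(m), self.s, P)


def withdraw(bank: Bank, m: bytes) -> tuple:
    """Payer side: double-blind f(m), get it signed, unblind to f(m)^s."""
    a = secrets.randbelow(Q - 1) + 1            # random blinding exponent
    b = secrets.randbelow(Q - 1) + 1            # random blinding exponent
    blinded = pow(f(m), a, P) * pow(bank.z, b, P) % P
    resp = bank.sign_blinded(blinded)           # = f(m)^(a*s) * z^(b*s)
    # z^(b*s) = (z^s)^b = x^b, and x is public, so the payer can divide it out.
    partial = resp * pow(pow(bank.x, b, P), -1, P) % P   # = f(m)^(a*s)
    sig = pow(partial, pow(a, -1, Q), P)        # raise to a^-1 mod Q -> f(m)^s
    return blinded, sig
```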
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com