Question regarding common modulus on elliptic curve cryptosystems AND E-CASH
Sergio Lerner
sergiolerner at pentatek.com
Mon Mar 22 11:09:16 EDT 2010
I've read some papers, not that much. But I don't mind reinventing the
wheel, as long as the new protocol is simpler to explain.
Reading the literature, I couldn't find an e-cash protocol which:
- Hides the destination / source of payments.
- Hides the amount of money transferred.
- Hides the account balance of each person from the bank.
- Allows off-line payments.
- Avoids giving the same "bill" to two different people by design. This
means that the protocol does not need to detect the use of cloned "bills".
- Gives each person a cryptographic proof of owning the money they have
in case of dispute.
If someone points me to a protocol that manages to fulfill these
requirements, I'd be delighted.
I think I can do it with a commutative signing primitive, and a special
zero-proof of knowledge.
Regards,
Sergio Lerner.
On 22/03/2010 10:25 a.m., Jonathan Katz wrote:
> That paper was from 1980. A few things have changed since then. =)
>
> In any case, my point still stands: what you actually want is some
> e-cash system with some special properties. Commutative encryption is
> neither necessary nor (probably) sufficient for what you want. Have
> you at least looked at the literature (which must be well over 100
> papers) on e-cash?
>
> On Mon, 22 Mar 2010, Sergio Lerner wrote:
>
>> Commutativity is a beautiful and powerful property. See "On the power
>> of Commutativity in Cryptography" by Adi Shamir.
>> Semantic security is great and has given a new provable sense of
>> security, but commutative building blocks can be combined to build
>> the strangest protocols without going into deep mathematics, are
>> better suited for teaching crypto and for high-level protocol design.
>> They are like the "Lego" blocks of cryptography!
>>
>> Now I'm working on a new untraceable e-cash protocol which has some
>> additional properties. And I'm searching for a secure commutable
>> signing primitive.
>>
>> Best regards,
>> Sergio Lerner.
>>
>>
>> On 22/03/2010 09:56 a.m., Jonathan Katz wrote:
>>> Sounds like a bad idea -- at a minimum, your encryption will be
>>> deterministic.
>>>
>>> What are you actually trying to achieve? Usually once you understand
>>> that, you can find a protocol solving your problem already in the
>>> crypto literature.
>>>
>>> On Sun, 21 Mar 2010, Sergio Lerner wrote:
>>>
>>>>
>>>> I'm looking for a public-key cryptosystem that allows commutation of
>>>> the operations of encryption/decryption for different users' keys
>>>> ( Ek(Es(m)) = Es(Ek(m)) ).
>>>> I haven't found a simple cryptosystem in Zp or Z/nZ.
>>>>
>>>> I think the solution may be something like the RSA analogs in
>>>> elliptic curves. Maybe a scheme that allows the use of a common
>>>> modulus for all users (RSA does not).
>>>> I've read on some factoring-based cryptosystems (like Meyer-Muller
>>>> or Koyama-Maurer-Okamoto-Vanstone) but the cryptosystem authors say
>>>> nothing about the possibility of using a common modulus, neither
>>>> for good nor for bad.
>>>>
>>>> Does anyone have deeper knowledge of this crypto to help me?
---------------------------------------------------------------------
The Cryptography Mailing List
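Added example, not part of the original thread: the Pohlig-Hellman exponentiation cipher over a shared prime modulus, which satisfies the Ek(Es(m)) = Es(Ek(m)) property asked about and also exhibits the determinism objection raised in the reply. It is a secret-key scheme, not the public-key one requested; the prime `P`, the sample message and all function names are assumptions chosen for the demonstration, and the parameters are far too small for real use.

```python
# Added illustration: exponentiation cipher E_k(m) = m^k mod P with a
# modulus P common to all users. Constructed demo parameters only.
import math
import secrets

P = 2**127 - 1  # Mersenne prime shared by every user (common modulus)

def keygen():
    """Return (e, d): e coprime to P-1, d its inverse modulo P-1."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def enc(e, m):
    return pow(m, e, P)

def dec(d, c):
    return pow(c, d, P)

def legendre(a):
    """1 if a is a quadratic residue mod P, -1 otherwise (a != 0 mod P)."""
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1

def demo(m=0x1234567890ABCDEF):  # constructed sample message
    (ek, dk), (es, ds) = keygen(), keygen()
    c_ks = enc(ek, enc(es, m))
    c_sk = enc(es, enc(ek, m))
    return {
        # Order of the two users' encryptions does not matter.
        "commutes": c_ks == c_sk,
        # Layers can be removed in either order as well.
        "round_trip": dec(ds, dec(dk, c_ks)) == m and dec(dk, dec(ds, c_ks)) == m,
        # No randomness: equal plaintexts give equal ciphertexts,
        # so an observer can tell when a message repeats.
        "deterministic": enc(ek, m) == enc(ek, m) and enc(ek, m) != enc(ek, m + 1),
        # e is always odd, so the ciphertext keeps the plaintext's
        # quadratic residuosity: one bit about m leaks without any key.
        "leaks_residuosity": legendre(enc(ek, m)) == legendre(m),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `deterministic` and `leaks_residuosity` checks show why such a primitive cannot be semantically secure by itself.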