--- begin forwarded text

To: [EMAIL PROTECTED]
Path: not-for-mail
From: [EMAIL PROTECTED] (Ian Goldberg)
Newsgroups: isaac.lists.coderpunks
Subject: Wagner-style blinding without a ZK proof
Date: 28 May 2001 14:56:05 GMT
Organization: ISAAC Group, UC Berkeley
Lines: 25
Distribution: isaac
NNTP-Posting-Host: abraham.cs.berkeley.edu
NNTP-Posting-Date: 28 May 2001 14:56:05 GMT
Originator: [EMAIL PROTECTED] (Ian Goldberg)
Sender: [EMAIL PROTECTED]

In Wagner-style blinding, we normally need to use a ZK proof in order for
the user to be convinced that the coin he got is valid (and "unmarked").

But we don't really need to do that, if we work in a group in which the
Decisional Diffie Hellman problem is easy (though the Computational
Diffie Hellman problem is (presumed) hard).

[Examples of such groups have been found by Joux and Nguyen:
"Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic
groups". <http://eprint.iacr.org/2001/003/>. Also see Boneh & Franklin,
"Identity-Based Encryption from the Weil Pairing",
<http://crypto.stanford.edu/~dabo/abstracts/ibe.html>, to appear in
Crypto 2001.]

The user can simply verify for himself in such a group whether
DL(a,a^x) == DL(g,g^x), even though he doesn't know x, and can't
calculate a^x by himself.

Unfortunately, this likely can't be used in Lucre, since one could argue
(as in section 18 of Stefan Brands' tech report at
<http://www.cwi.nl/ftp/brands/CS-R9323.ps>) that in a group where DDH is
easy but DH is hard, the above construction really *is* a digital
signature, and so Chaum's blinding patent would seem to apply.

   - Ian

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
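
The check DL(a,a^x) == DL(g,g^x) described in the forwarded post, as an added example that is not part of the original message or of Lucre. It assumes a toy bilinear map over constructed parameters (discrete logs in this toy G are trivial, so it shows only the algebra of the check), exponent blinding b = a^r, and hypothetical function names.

```python
# Added illustration, not code from the post. TOY bilinear map: G is the
# additive group Z_Q, so "a^x" is a*x mod Q and discrete logs in G are trivial.
# A real deployment needs a pairing-friendly curve where CDH is hard.
import secrets

Q = 1019          # prime order of G and G_T (constructed toy parameter)
P = 2 * Q + 1     # 2039, prime, so Z_P^* has a subgroup of order Q
H = 4             # a square mod P, hence a generator of that order-Q subgroup
G = 1             # generator g of G = (Z_Q, +)


def exp(a, x):
    """'a^x' in G, written additively: x * a mod Q."""
    return (a * x) % Q


def pair(u, v):
    """Toy bilinear map e: G x G -> G_T, e(u, v) = H^(u*v) mod P."""
    return pow(H, (u * v) % Q, P)


def same_dlog(a, ax, g, gx):
    """Accept iff DL(a, ax) == DL(g, gx), using only public values.
    Bilinearity gives e(a, g^x) == e(a^x, g) exactly when the exponents match."""
    return pair(a, gx) == pair(ax, g)


def withdraw(a, bank_pub, sign):
    """User side of a withdrawal: blind, get the bank's response, check, unblind.
    `sign` stands in for the bank's exponentiation service (hypothetical)."""
    r = secrets.randbelow(Q - 1) + 1       # blinding factor in [1, Q-1]
    b = exp(a, r)                          # blinded coin b = a^r
    bx = sign(b)                           # bank should return b^x
    if not same_dlog(b, bx, G, bank_pub):
        return None                        # different exponent used: coin is marked
    return exp(bx, pow(r, -1, Q))          # unblind: (b^x)^(1/r) = a^x


if __name__ == "__main__":
    x = 123                                # bank secret (constructed)
    pub = exp(G, x)                        # published g^x
    print(withdraw(77, pub, lambda b: exp(b, x)))    # honest bank: returns a^x
    print(withdraw(77, pub, lambda b: exp(b, 456)))  # marking bank: None
```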