-- James A. Donald: > > Simple Chaumian blinding works fine on EC.
On 31 Oct 2003 at 15:26, Adam Back wrote: > So Chaumian blinding with public exponent e, private exponent d, and > modulus n is this and blinding factor b chosen by the client: > > blind: > b^e.m mod n -> > sign: > <- (b^e.m)^d mod n > = b.m^d mod n (simplifying) > > and divide by b to unblind: > m^d mod n > > how are you going to do this over EC? You need an RSA like e and d to > cancel. See:"Anonymous Electronic Cash" http://www.echeque.com/Kong/anon_transfer.htm Lower case letters represent integers, capital letters elliptic curve points. Let k be the banks secret key. The bank promises to pay a specific sum of money for any secret of the form ( x, P), such that P = k * H(x) where H is a hash function mapping random integers onto points on an elliptic curve and k is a secret known only to the token issuer Bob has an existing old used token of this form, and therefore knows that V= k * U even though he does not know k. Bob invents the random numbers t and q, constructs an elliptic point R = t *U + Hash( q ) and pays the bank to construct T= k * R He then calculates Q = T- t * V He now has a new token ( q , Q) of the required form, even though the Bank did not generate Q, has never seen it before, and when it sees it will not recognize it as having any relationship to T or R. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S 4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR
