Ben writes:
> > Imagine there is a blinding function b, and an unblinding function
> > b'. Alice sends Bob b(y). Bob produces z=f'(b(y)). Alice extracts x =
> > b'(z).
> >
> > Has this been done for RSA etc?
>
> Pass, but I can't see why anyone would, since f'() for RSA is thought to
> not exist.

f' exists for RSA -- it's called factoring. Sure it's expensive, but
that's why Julian wanted to use Bob's f' cracking service.

The interesting question is whether there is a b and b' that allows
Alice to use Bob's cracking service without Bob discovering x.

Clearly if Bob has y he can find x, because this has the same or lower
work effort than finding f'(b(y)). This implies that y must be kept
secret from Bob.

For DH you could do it as follows: public key y=g^x mod p, shared p
parameter, blind b(y) = g^B.g^x mod p. Give b(y) to Bob, he finds
f'(b(y)) = x+B, Alice unblinds by subtracting B.
Adam
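
The DH blinding described in the message above, worked through end to end as an added example (not part of the original message or anyone's real service). The toy parameters p=10007, q=5003, g=4 and all function names are constructed for illustration, and baby-step giant-step stands in for Bob's f'. It also shows two details the prose leaves implicit: the unblinding subtraction is modulo the order of g, and any guessed x is consistent with what Bob sees.

```python
import math
import secrets

# Constructed toy group (far too small for real use): P = 2*Q + 1, both prime,
# and G = 4 generates the subgroup of prime order Q.
P, Q, G = 10007, 5003, 4

def bob_dlog(h):
    """Bob's f': return e in [0, Q) with G^e == h (mod P).
    Baby-step giant-step stands in for his cracking service (an assumption)."""
    m = math.isqrt(Q) + 1
    baby = {pow(G, j, P): j for j in range(m)}
    step = pow(G, -m, P)              # G^(-m) mod P, needs Python 3.8+
    gamma = h
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % Q
        gamma = gamma * step % P
    raise ValueError("h is not in the subgroup generated by G")

def alice_blind(y):
    """b(y) = g^B * y mod p for a fresh secret B; returns (B, b(y))."""
    B = secrets.randbelow(Q)
    return B, y * pow(G, B, P) % P

def alice_unblind(z, B):
    """b'(z) = z - B, reduced modulo the order of g, not modulo p."""
    return (z - B) % Q

def recover_via_bob(y):
    """Full exchange: Bob only ever sees b(y) and returns z = x + B mod Q."""
    B, blinded = alice_blind(y)
    z = bob_dlog(blinded)
    return alice_unblind(z, B), blinded, z

def blind_explaining(z, x_guess):
    """The B that would make Bob's answer z consistent with a guessed x."""
    return (z - x_guess) % Q

if __name__ == "__main__":
    x = 1234                          # constructed secret exponent
    y = pow(G, x, P)                  # public key; never shown to Bob
    got, blinded, z = recover_via_bob(y)
    print("Bob saw", blinded, "answered", z, "Alice recovered", got)
```

Because B is uniform over the exponents, `blind_explaining` finds a valid B for every guessed x, so b(y) alone tells Bob nothing about x; that stops holding as soon as he also learns y.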