At 10:20 PM 11/21/1999 -0000, Some Ostensibly Anonymous Person remailed
an article to coderpunks, which Bob Hettinga reposted to cryptography
and probably also to cypherpunks. David Wagner's developed a blinding
method probably not covered by Chaum's existing patents, which
has been implemented in Lucre, http://anoncvs.aldigital.co.uk/lucre/.
>[..There's a Chaum blinded undeniable signatures algorithm which
>unfortunately fails for digicash use because the bank can mark coins.]
>It was suggested at the time that David Wagner's blinding was immune to
>this marking attack. However recently it has been learned that this
>is not true; the bank can mark cash using Wagner blinding as well.
>The current Lucre implementation would be vulnerable.
...
>It appears that there is a simple fix, but other people should look at it
...
>The proposed fix is to combine the two forms of blinding,
>Wagner's and Chaum's. Choose two random blinding factors, r and s, and blind
>by calculating y^s * g^r. [...Details omitted...]
>By having two blinding factors rather than one, there is one additional
>degree of freedom ....
There are two issues to deal with - whether the blinding works
technically, and whether it's possibly covered by Chaum's patents.
After all, the prime importance of Wagner's blinding work was that
it hopefully wasn't stuck in the Chaum patent mess.
Thanks!
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
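Worked example of the two blinding forms discussed in the message above. This is added illustration, not Bill's, the anonymous poster's, Wagner's or the Lucre project's own code. It assumes the Lucre-style setup in which the bank holds a secret exponent k, publishes Y = g^k in a prime-order-q subgroup mod a safe prime p, returns A^k for whatever blinded value A it is handed, and later checks a coin by recomputing y^k itself (the scheme is bank-verified, not publicly verifiable). The group generation, hash-to-group step and all function names are assumptions made for the example; in particular the unblinding step for the combined blinding y^s * g^r (divide out Y^r, then take the s-th root in the exponent) is my reading of the "details omitted" in the quoted text, not something the message states.

```python
"""Lucre/Wagner-style blind signing and the combined Wagner+Chaum blinding
(y^s * g^r) from the quoted message.  Added example; parameters, helper
names and the unblinding step for the combined form are assumptions."""
import hashlib
import secrets

# Deterministic Miller-Rabin: these bases are sufficient for n < 3.3e24,
# which covers the ~63-bit safe prime generated below.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(start: int = 1 << 62):
    """Return (p, q, g): safe prime p = 2q + 1 and g of prime order q.
    Searching upward from a fixed start keeps the group deterministic."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4  # 4 = 2^2 is a quadratic residue, so it has order q (p > 5)
    return p, q, g


P, Q, G = make_group()  # assumed demo group, far too small for real use


def hash_to_group(coin: bytes) -> int:
    """y = H(coin)^2 mod p: squaring puts the value in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(coin).digest(), "big") % P
    return pow(h, 2, P)


class Bank:
    """Holds the signing exponent k; y^k is the signature on coin value y."""

    def __init__(self):
        self.k = secrets.randbelow(Q - 2) + 2  # private exponent in [2, q-1]
        self.Y = pow(G, self.k, P)             # public key g^k

    def sign_blinded(self, A: int) -> int:
        # The bank signs whatever it is handed; it never sees y itself.
        return pow(A, self.k, P)

    def verify(self, y: int, sig: int) -> bool:
        # Only the bank can do this check, since it needs k.
        return sig == pow(y, self.k, P)


def wagner_blind(y: int):
    """Wagner blinding as used by Lucre: A = y * g^r for random r."""
    r = secrets.randbelow(Q - 1) + 1
    return y * pow(G, r, P) % P, r


def wagner_unblind(B: int, r: int, Y: int) -> int:
    # B = (y * g^r)^k = y^k * Y^r, so dividing out Y^r leaves y^k.
    return B * pow(pow(Y, r, P), -1, P) % P


def combined_blind(y: int):
    """Combined form from the quoted message: A = y^s * g^r, two factors."""
    r = secrets.randbelow(Q - 1) + 1
    s = secrets.randbelow(Q - 1) + 1
    return pow(y, s, P) * pow(G, r, P) % P, r, s


def combined_unblind(B: int, r: int, s: int, Y: int) -> int:
    # B = (y^s * g^r)^k = y^(sk) * Y^r.  Strip Y^r, then undo the Chaum-style
    # exponent blinding with s^-1 mod q, leaving y^k.  (Assumed unblinding.)
    t = B * pow(pow(Y, r, P), -1, P) % P
    return pow(t, pow(s, -1, Q), P)


def withdraw(bank: Bank, coin: bytes, combined: bool) -> bool:
    """Run one withdrawal; return whether the unblinded coin verifies."""
    y = hash_to_group(coin)
    if combined:
        A, r, s = combined_blind(y)
        sig = combined_unblind(bank.sign_blinded(A), r, s, bank.Y)
    else:
        A, r = wagner_blind(y)
        sig = wagner_unblind(bank.sign_blinded(A), r, bank.Y)
    return bank.verify(y, sig)


if __name__ == "__main__":
    bank = Bank()
    print("wagner  :", withdraw(bank, b"coin-0001", combined=False))
    print("combined:", withdraw(bank, b"coin-0001", combined=True))
```

The point of the second form is the extra degree of freedom the quoted message mentions: for a blinded value A = y^s * g^r, any candidate coin value y' is consistent with some pair (r', s'), so the bank's view of A fixes neither y nor the factors. The example only checks that both blinding forms unblind to the same bank-verifiable y^k; it does not reproduce the marking attack, whose details the message omits.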