On Thu, Oct 30, 2003 at 09:06:10AM -0800, James A. Donald wrote:
> On 28 Oct 2003 at 13:49, Adam Back wrote:
> > So for that reason I think Chaum's scheme practically would
> > not be viable over EC. (Or you could do it but you'd be
> > better off performance, security and key/message size doing
> > Chaum over normal RSA).
>
> Simple Chaumian blinding works fine on EC.

So Chaumian blinding with public exponent e, private exponent d, and
modulus n is this and blinding factor b chosen by the client:

    blind:    b^e.m mod n  ->
    sign:     <- (b^e.m)^d mod n = b.m^d mod n (simplifying)

and divide by b to unblind:

    m^d mod n

how are you going to do this over EC? You need an RSA like e and d to
cancel.

> Some more complex schemes, such as some of Brand's, do not.

Brands DH based blinding scheme works in EC. ECDH is directly
analogous, the usual conversion from discrete log (g^x mod p) to the EC
analog (x.G over curve E) works.

Adam
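
The RSA blinding exchange described in the message above, as an added example that is not part of the original email: it runs both sides and shows the cancellation b^(e.d) = b mod n that the unblinding step relies on. The toy key, message values and function names are assumptions made for illustration.

```python
from math import gcd
import secrets

# Constructed toy RSA key (textbook size, no hashing or padding;
# illustration only, never a real key).
P, Q = 61, 53
N = P * Q                            # modulus n
E = 17                               # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent d, e.d = 1 mod phi(n)

def pick_blinding_factor(n=N):
    """Client: random b in [2, n-1] that is invertible mod n."""
    while True:
        b = secrets.randbelow(n - 2) + 2
        if gcd(b, n) == 1:
            return b

def blind(m, b, e=E, n=N):
    """Client -> signer: b^e.m mod n (signer never sees m)."""
    return (pow(b, e, n) * m) % n

def sign(x, d=D, n=N):
    """Signer -> client: x^d mod n, for whatever x it was sent."""
    return pow(x, d, n)

def unblind(s_blind, b, n=N):
    """Client: divide by b, leaving m^d mod n."""
    return (s_blind * pow(b, -1, n)) % n

def verify(m, s, e=E, n=N):
    """Anyone: check s^e = m mod n with the public key."""
    return pow(s, e, n) == m % n

def run(m, b=None):
    """One full exchange; returns (blinded message, blind sig, final sig)."""
    b = pick_blinding_factor() if b is None else b
    x = blind(m, b)
    s_blind = sign(x)            # equals b.m^d mod n because b^(e.d) = b
    return x, s_blind, unblind(s_blind, b)

if __name__ == "__main__":
    m, b = 1234, 7               # constructed sample message and factor
    x, s_blind, s = run(m, b)
    print("signer saw:", x, "client holds:", s, "valid:", verify(m, s))
```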