Re: ECC and blinding.
On Thu, Oct 30, 2003 at 09:06:10AM -0800, James A. Donald wrote: On 28 Oct 2003 at 13:49, Adam Back wrote: So for that reason I think Chaum's scheme practically would not be viable over EC. (Or you could do it but you'd be better off performance, security and key/messag size doing Chaum over normal RSA). Simple Chaumian blinding works fine on EC. So Chaumian blinding with public exponent e, private exponent d, and modulus n is this and blinding factor b chosen by the client: blind: b^e.m mod n - sign: - (b^e.m)^d mod n = b.m^d mod n (simplifying) and divide by b to unblind: m^d mod n how are you going to do this over EC? You need an RSA like e and d to cancel. Some more complex schemes, such as some of Brand's, do not. Brands DH based blinding scheme works in EC. ECDH is directly analogous, the usual conversion from discrete log (g^x mod p) to the EC analog (x.G over curve E) works. Adam
Re: ECC and blinding.
Fair enough. But this is not Chaum's scheme, it is Wagners and it is DH based (or ECDH based in your writeup). You said earlier: Simple Chaumian blinding works fine on EC. and the above scheme is not Chaumian blinding. Chaum never invented DH blinding, if you read Brands thesis even you'll see that Chaum (who was Brands PhD supervisor for some of the time) told Brands to forget about trying to do DH based blinding because it's not possible. Brands credits Chaum for setting the challenge :-) which led him to find ways to do DH based blinding. (And the private key certificate which is a generalisation of DH blinding to multiple attributes and selective disclosure of those attributes). Adam On Sun, Nov 02, 2003 at 08:16:45AM -0800, James A. Donald wrote: See:Anonymous Electronic Cash http://www.echeque.com/Kong/anon_transfer.htm Lower case letters represent integers, capital letters elliptic curve points. Let k be the banks secret key. The bank promises to pay a specific sum of money for any secret of the form ( x, P), such that P = k * H(x) where H is a hash function mapping random integers onto points on an elliptic curve and k is a secret known only to the token issuer Bob has an existing old used token of this form, and therefore knows that V= k * U even though he does not know k. Bob invents the random numbers t and q, constructs an elliptic point R = t *U + Hash( q ) and pays the bank to construct T= k * R He then calculates Q = T- t * V He now has a new token ( q , Q) of the required form, even though the Bank did not generate Q, has never seen it before, and when it sees it will not recognize it as having any relationship to T or R. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S 4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR
Re: ECC and blinding.
-- James A. Donald: Simple Chaumian blinding works fine on EC. On 31 Oct 2003 at 15:26, Adam Back wrote: So Chaumian blinding with public exponent e, private exponent d, and modulus n is this and blinding factor b chosen by the client: blind: b^e.m mod n- sign: - (b^e.m)^d mod n = b.m^d mod n (simplifying) and divide by b to unblind: m^d mod n how are you going to do this over EC? You need an RSA like e and d to cancel. See:Anonymous Electronic Cash http://www.echeque.com/Kong/anon_transfer.htm Lower case letters represent integers, capital letters elliptic curve points. Let k be the banks secret key. The bank promises to pay a specific sum of money for any secret of the form ( x, P), such that P = k * H(x) where H is a hash function mapping random integers onto points on an elliptic curve and k is a secret known only to the token issuer Bob has an existing old used token of this form, and therefore knows that V= k * U even though he does not know k. Bob invents the random numbers t and q, constructs an elliptic point R = t *U + Hash( q ) and pays the bank to construct T= k * R He then calculates Q = T- t * V He now has a new token ( q , Q) of the required form, even though the Bank did not generate Q, has never seen it before, and when it sees it will not recognize it as having any relationship to T or R. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG ONKujWd8zHpibnZny18642N1+yn2u22b10pYMq9S 4JTKi/HgEDA3K9dghxgfMcU8LPnOgG8ibhebtAfJR
Re: ECC and blinding.
There are two variants of Brands schemes: over RSA or DH. The DH variant can be used with the EC. People don't do RSA over EC because the security argument doesn't work (ie I believe you can do it technically, but the performance / key size / security arguments no longer work). So for that reason I think Chaum's scheme practically would not be viable over EC. (Or you could do it but you'd be better off performance, security and key/messag size doing Chaum over normal RSA). There are other blinding schemes also such as David Wagner's blind MAC approach, and that should work over EC as it is DH based. Adam On Mon, Oct 27, 2003 at 05:41:11PM -0600, Neil Johnson wrote: Will ECC work with blinding (Chaum, Brands, etc.) techniques? Just curious.
Re: ECC and blinding.
-- On 28 Oct 2003 at 13:49, Adam Back wrote: So for that reason I think Chaum's scheme practically would not be viable over EC. (Or you could do it but you'd be better off performance, security and key/messag size doing Chaum over normal RSA). Simple Chaumian blinding works fine on EC. Some more complex schemes, such as some of Brand's, do not. But I do not see any demand for the more complex schemes. The simplest scheme is already complicated enough, that some of the complexities afflict the end user. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG aKHDMdj+9gnBr65YtX0qhoydEhjayKgfhkQHEAzr 4mclgavEBK5DyZ0aLB/l/EnYG2RizakxZ8mZUlz+E
Re: ECC and blinding.
At 5:41 PM -0600 10/27/03, Neil Johnson wrote: Will ECC work with blinding (Chaum, Brands, etc.) techniques? I've heard serious people discuss it with a straight face, at least. Chaumian blinding is simply big number multiplication, right? And Chaum's double-spending detection is an M-of-N hash where M=N=2. So doing that to an ECC message/public-key shouldn't be hard... Cheers, RAH -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'