Crypto Archives: Re: Marked cash in Lucre

Re: Marked cash in Lucre


Ben Laurie (ben@algroup.co.uk)
Mon, 29 Nov 1999 11:08:01 +0000


Anonymous wrote:
>
> > > : Here is the signature verification protocol. We want to prove that the
> > > : exponent k on the public key g^k and the signed value y^k is the same.
> > > : The signer chooses a random value r, and sends over commitments u = g^r
> > > : and v = y^r. The verifier responds with a challenge c. The signer
> > > : answers the challenge with w = c*k + r. The verification is that
> > > : g^w = (g^k)^c * u, and that y^w = (y^k)^c * v.
> > >
> > > To make it non-interactive, use the standard technique of choosing the
> > > challenge c as the hash of u and v. The signature can then be just
> > > (c, w). The verifier derives u and v from the last two equations, then
> > > checks that c == hash(u, v).
> >
> > After an extended bout of self-induced madness caused by a terminology
> > change (note to self: never be seduced by improved terminology), I've
> > suddenly realised that this simply doesn't work: the signer doesn't know
> > y, so they can't calculate v=y^r. That's the whole point!
>
> The terminology may be confusing you. y is the value given to the signer
> to sign (figuratively speaking - we all know it's not really signing,
> otherwise the patent police would step in). The client software may have
> blinded it first, but that is irrelevant to the signer. Any issues with
> regard to blinding are handled purely by the client. In your earlier
> description, y may have been the unblinded value. For this description,
> keep in mind that y is whatever value the client gave to the server to
> be signed.

Aha. Indeed, in my frame of reference y is the unblinded coin, y g^b
would be the blinded coin.

> The client gave a value, y, to the server. The server supposedly
> raised it to the exponent k. The client doesn't know k, but he knows
> the generator g and the value (dare we call it a key?) g^k which have
> been published by the server. What the client wants to know, in order to
> see that the bank isn't cheating, is whether the bank raised the y value
> it was given to the same exponent that it raised g to get the published
> g^k value. That is what the proof above guarantees.

Right.

My other concern was over the non-interactive variant - I'm not
convinced that a search wouldn't be possible to find a value of r that
appears to work even though the signature was made with k'.

As for whether we can call g^k a key, it seems to me we can, but perhaps
we need a new term for such objects (a semikey, maybe?).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi
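The protocol quoted at the top of this message, worked through as an added Python example (not code from Lucre, nor from either correspondent). It assumes a toy 128-bit safe-prime group generated at import time from a fixed seed (a real deployment would use a standard group of 2048 bits or more), SHA-256 as the hash, exponent arithmetic mod the subgroup order q, and Python 3.8 or later for pow() with a negative exponent. One deliberate addition: the challenge hashes the statement (g, y, g^k, y^k) as well as (u, v), which the quoted description does not mention. The block also runs the blinding Ben describes (y g^b, unblinded by dividing by (g^k)^b) and a bounded version of the random search he is worried about, using a signer that really did use a different exponent k'.

```python
import hashlib
import random

# Fixed seed: the toy group and the sample run are reproducible.
_rng = random.Random(19991129)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; enough to build the toy group."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits):
    """(p, q, g): p = 2q+1 a safe prime, g = 4 generates the order-q subgroup
    of squares mod p.  Assumption: toy size; real use needs >= 2048-bit p."""
    while True:
        q = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, pow(2, 2, 2 * q + 1)

P, Q, G = make_group(128)
_LEN = (P.bit_length() + 7) // 8

def in_group(x):
    """Exponents are reduced mod q, so every value must have order q; a y of
    another order would break the check (and invites small-subgroup games)."""
    return 1 < x < P and pow(x, Q, P) == 1

def challenge(*elems):
    """Fiat-Shamir challenge c.  The post hashes (u, v); hashing the statement
    (g, y, g^k, y^k) too is an added precaution that binds the proof to them."""
    h = hashlib.sha256()
    for e in elems:
        h.update(e.to_bytes(_LEN, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def sign(k, y):
    """Signer: y^k plus proof (c, w) with u = g^r, v = y^r, w = c*k + r mod q."""
    yk = pow(y, k, P)
    r = _rng.randrange(1, Q)
    u, v = pow(G, r, P), pow(y, r, P)
    c = challenge(G, y, pow(G, k, P), yk, u, v)
    return yk, (c, (c * k + r) % Q)

def verify(gk, y, yk, proof):
    """Verifier: recover u = g^w / (g^k)^c and v = y^w / (y^k)^c from the
    two verification equations, then check c == hash(...)."""
    c, w = proof
    if not (in_group(gk) and in_group(y) and in_group(yk)):
        return False
    u = pow(G, w, P) * pow(gk, -c, P) % P
    v = pow(y, w, P) * pow(yk, -c, P) % P
    return challenge(G, y, gk, yk, u, v) == c

def forge_attempts(gk, k_wrong, y, trials):
    """A signer who used k' != k tries random (c, w).  The verifier's derived
    u = g^(w-ck) and v = y^(w-ck') are then fixed, so a try passes only if the
    hash happens to equal c (about 1/q per try, random-oracle model).
    Returns how many of `trials` passed."""
    yk_wrong = pow(y, k_wrong, P)
    return sum(verify(gk, y, yk_wrong, (_rng.randrange(1, Q), _rng.randrange(1, Q)))
               for _ in range(trials))

def demo():
    """Client blinds y as y*g^b, bank signs the blinded value with a proof,
    client verifies and unblinds.  Returns (proof_ok, unblinding_ok)."""
    k = _rng.randrange(1, Q)                 # bank's secret exponent
    gk = pow(G, k, P)                        # published g^k (the "semikey")
    y = pow(G, _rng.randrange(1, Q), P)      # unblinded coin, in the subgroup
    b = _rng.randrange(1, Q)
    blinded = y * pow(G, b, P) % P
    signed, proof = sign(k, blinded)
    ok = verify(gk, blinded, signed, proof)
    # (y g^b)^k = y^k (g^k)^b, so dividing by (g^k)^b leaves y^k.
    unblinded = signed * pow(gk, -b, P) % P
    return ok, unblinded == pow(y, k, P)
```

Two things the quoted description leaves implicit and that the code makes explicit: the signer and verifier must both reduce exponents mod the subgroup order and reject any y (or y^k) that is not in that subgroup, and a proof that fails verification gives the client no information about which of k or k' was used, only that the two exponents differ. The `forge_attempts` function does not settle the search question in general; it shows that with the statement bound into the hash, each random (c, w) is a fresh coin toss against the hash rather than a step in a structured search.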



This archive was generated by hypermail 2.0b3 on Mon Nov 29 1999 - 08:17:45 CST