Crypto Archives: Re: Marked cash in Lucre


Helger Lipmaa (helgercyber.ee)
Mon, 29 Nov 1999 16:56:42 +0200 (EET)


On Sun, 28 Nov 1999, Ben Laurie wrote:

> > : Here is the signature verification protocol. We want to prove that the
> > : exponent k on the public key g^k and the signed value y^k is the same.
> > : The signer chooses a random value r, and sends over commitments u = g^r
> > : and v = y^r. The verifier responds with a challenge c. The signer
> > : answers the challenge with w = c*k + r. The verification is that
> > : g^w = (g^k)^c * u, and that y^w = (y^k)^c * v.
> >
> > To make it non-interactive, use the standard technique of choosing the
> > challenge c as the hash of u and v. The signature can then be just
> > (c, w). The verifier derives u and v from the last two equations, then
> > checks that c == hash(u, v).
>
> After an extended bout of self-induced madness caused by a terminology
> change (note to self: never be seduced by improved terminology), I've
> suddenly realised that this simply doesn't work: the signer doesn't know
> y, so they can't calculate v=y^r. That's the whole point!

Note that this protocol is by Chaum and Pedersen (Crypto '92). It is NOT
known to be zero-knowledge; however, it is 'special honest-verifier
zero-knowledge' (Cramer, Damgård, Schoenmakers, Crypto '94). It is
known that black-box ZK proofs require at least 4 moves, while this
protocol has three!

...Note also that technically, to have non-interactive ZK, it is necessary
for the parties to share a secret random string...

--- however the cited security requirement is sufficient in many
practical applications.

Help it hopes,
Helger Lipmaa
http://home.cyber.ee/helger
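
The non-interactive form of the proof quoted above (challenge taken as a hash, signature (c, w)), written out as an added Python example that is not part of the original mail. The toy group, SHA-256, the function names and the inclusion of the statement (g^k, y, y^k) in the hash are assumptions of this example.

```python
import hashlib
import secrets

# Toy group constructed for this example (far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def challenge(*elems):
    """c = H(pub, y, z, u, v), kept as the full digest (exponents reduce
    mod q on their own). The mail hashes only u and v; binding the
    statement (pub, y, z) as well is a choice made in this example."""
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def prove(k, y):
    """Signer: return z = y^k and a proof that z and pub = g^k share k."""
    pub, z = pow(G, k, P), pow(y, k, P)
    r = secrets.randbelow(Q - 1) + 1      # fresh secret nonce for every proof
    u, v = pow(G, r, P), pow(y, r, P)     # commitments u = g^r, v = y^r
    c = challenge(pub, y, z, u, v)        # hash replaces the verifier's challenge
    w = (c * k + r) % Q                   # response w = c*k + r (mod q)
    return z, (c, w)

def in_subgroup(x):
    """Reject the identity and anything outside the order-q subgroup."""
    return 1 < x < P and pow(x, Q, P) == 1

def verify(pub, y, z, proof):
    """Verifier: recompute u and v from (c, w), then check c == H(...)."""
    c, w = proof
    if not all(in_subgroup(x) for x in (pub, y, z)):
        return False
    if not (0 <= c < 2**256 and 0 <= w < Q):
        return False
    # From g^w = pub^c * u and y^w = z^c * v:
    u = pow(G, w, P) * pow(pub, -c, P) % P
    v = pow(y, w, P) * pow(z, -c, P) % P
    return c == challenge(pub, y, z, u, v)

if __name__ == "__main__":
    k = 123                                # signer's secret exponent (constructed)
    y = pow(G, 77, P)                      # value to be signed (constructed)
    z, proof = prove(k, y)
    print(verify(pow(G, k, P), y, z, proof))                 # honest proof
    print(verify(pow(G, k, P), y, pow(y, k + 1, P), proof))  # wrong exponent
```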


