From: jim bell <jimbell@pacifier.com>
Date: Thu, 14 Dec 1995 08:16:31 +0800
To: Hal <hfinney@shell.portal.com>
Subject: Re:  Blinding against Kocher's timing attacks
Message-ID: <m0tPynk-0008yYC@pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain


At 01:27 PM 12/12/95 -0800, you wrote:
>From: ljo@ausys.se (Johansson Lars)
>> Does anyone know whether David Chaum's patent on
>> blind digital signatures extends to this application?
>
>I don't think it would.  Chaum's blinding protocol has one major
>difference: the blinding factor is applied by a different person than
>the one doing the signing.  The purpose of the blinding is different,
>too; in Chaum's case the idea is to end up with a signature which is
>unknown to the signer, while with Kocher's "defensive blinding" the
>signature (or decryption) is an ordinary RSA one, and the blinding is
>just done internally by the signer to randomize the timing.

One thing I haven't heard mentioned would be the possibility of using TWO
blinding factors, by two different people, to blind the unsigned cash.    As
you may know, I'm interested in payee-anonymous systems as well as
payer-anonymous ones, and such a feature might assist in this.