From: “Michael Froomkin - U.Miami School of Law” <froomkin@law.miami.edu>
To: Hal Finney <hal@rain.org>
Message Hash: b608fe361bb4507c8e4d5c99328d3a6f0f1f1b1df5f3149a1cdc91a65c484dfa
Message ID: <Pine.SUN.3.95.961116201838.5107B-100000@viper.law.miami.edu>
Reply To: <199611161725.JAA01334@crypt.hfinney.com>
UTC Datetime: 1996-11-17 01:21:49 UTC
Raw Date: Sat, 16 Nov 1996 17:21:49 -0800 (PST)
From: "Michael Froomkin - U.Miami School of Law" <froomkin@law.miami.edu>
Date: Sat, 16 Nov 1996 17:21:49 -0800 (PST)
To: Hal Finney <hal@rain.org>
Subject: Re: Members of Parliament Problem
In-Reply-To: <199611161725.JAA01334@crypt.hfinney.com>
Message-ID: <Pine.SUN.3.95.961116201838.5107B-100000@viper.law.miami.edu>
MIME-Version: 1.0
Content-Type: text/plain
On Sat, 16 Nov 1996, Hal Finney wrote:
>
> I don't quite follow how this would work. If Trent issues a blind
> signature, then that means (doesn't it?) that he doesn't see what he
> is signing. So how can he confirm that the message is actually from
> a member of the group when he doesn't see it?
There are two ways to do this.
Method number one is to have the person present 100 messages for blind
signature. You unblind 99, check that the data is there; the odds are
good it's there in other one. If any of the 99 are duds, you kick the
cheater out of the system.
The disadvantage of course is that the blind signer gets to read the
message. (Actually the other 99 copies of it, but no secrecy for the
signer.) This wasn't a problem for digital cash where each "message" was
a unique digital coin, but is a problem here.
Brands has a better scheme that I don't understand exactly. He recently
attempted to explain it to me thusly:
==start quote
In fact, the original Chaum/Fiat/Naor protocol was cut-and-choose,
where you would basically do the work for 100 coins in order to
obtain a single one that contains your identity; in my protocol
the bank sends to the user a single number, the user responds with
a single challenge, and the bank then provides a single response--
from this the user can compute exactly one blinded coin, that
nevertheless contains an identifier no matter how the user performs
the blinding. As a result, the protocol, while complex as to why
it is secure and in particular why the identifier cannot be gotten
rid of, is highly efficient. (To withdraw a coin, both the bank and
the user need not do more real-time computations than the work
for a single modular *multi*plication (not exponentiation)).
Thanks again!
Stefan Brands,
------------------------------------------------------
CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands
E-mail: brands@cwi.nl, URL: http://www.cwi.nl/~brands/
===end quote
Can anyone tell me more?
A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law | froomkin@law.miami.edu
P.O. Box 248087 | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.
Return to November 1996
Return to ““Michael Froomkin - U.Miami School of Law” <froomkin@law.miami.edu>”