____________________________________________________________________
The solution lies in the heart of humankind.
Chris Lawson

The Armadillo Group        James Choate
Austin, Tx                 [EMAIL PROTECTED]
www.ssz.com                512-451-7087
--------------------------------------------------------------------
---------- Forwarded message ----------
Date: Sun, 29 Apr 2001 15:34:19 -0600
From: Anonymous <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Ecash via anonymous credentials without blinding

One of the papers at Eurocrypt 2001 will be a new credential system by
Jan Camenisch and Anna Lysyanskaya. It is available from Jan's page
at http://www.zurich.ibm.com/~jca/publications.html.

Each player creates a numerical pseudonym with organization O, of the
form P = a_O^xu * b_O^s, mod n_O. (n_O is an RSA modulus belonging to
the organization, a_O and b_O are group elements < n_O, xu is the user's
secret identity value, and s is a random blinding factor).

The idea is that the xu value is supposed to be the same for all the
user's pseudonyms. If so, then when the user gets a credential on one
of his pseudonyms, he can show it with regard to any of the others.

The credential is an RSA signature by O on P * d_O, where d_O is a
constant value chosen by O. The RSA signature uses a random exponent
e_O, different for each credential.

Using these values, a user with a credential on one of its pseudonyms
can show it on another by exhibiting a ZK proof. When he shows the
credential it is at another organization O' where he has a different
pseudonym P'. The user shows that he knows a value P such that both
P and P' are of the proper form above, and share the same xu value.
Furthermore, he knows an RSA signature on P' * d_O issued by O, with
some particular exponent e. All these proofs are zero knowledge and
the user does not actually reveal P or e or xu.

The net result is that he can convince O' that he has a credential issued
by O on another of his pseudonyms, while showing only his P' pseudonym
with O'.

The cool thing is that this can also be used as an ecash system, one that
doesn't use blind signatures. The pseudonym gets another term multiplied,
and information about that term is revealed openly during the credential
showing. This transforms the credential into a one-show credential,
in that any showing of the same credential must reveal that same value.
A one-show credential is essentially the same as an online ecash coin.
Issuing the credential is like issuing a coin, and showing the one-show
credential is like spending the coin. The revealed value during the
showing must be kept in a "spent coins" list as with other online ecash
systems.

Although it sounds complicated, the computation required is quite
practical. According to the authors, with an RSA modulus of 1024 bits,
a credential-pseudonym pair is about 4K bits, and showing possession of
a credential takes about 22 exponentiations total for both parties.

The paradigm of replacing blinding during withdrawal with ZK proof during
spending seems to be a promising alternative to the many blind signature
patents which cover electronic cash.
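The "show the one-show credential and log the revealed value" step from the post, as an added example (not code from the post or from the Camenisch-Lysyanskaya paper). It keeps the pseudonym shape a^x * b^s but adds a term g^w whose image T = g^w is revealed at show time; a toy prime-order group stands in for the RSA group, a Schnorr-style proof of knowledge stands in for the paper's proofs, and the RSA-signed credential and cross-organization proofs are omitted. All parameters and values are constructed for illustration.

```python
import hashlib
import secrets

# Toy safe prime p = 2q + 1 (constructed; far too small to be secure).
P_MOD, Q_ORD = 2039, 1019
A, B, G = 4, 9, 25          # quadratic residues mod p, so each has order q

def pseudonym(x, s, w):
    """Pseudonym a^x * b^s with the extra one-show term g^w (x = master secret)."""
    return (pow(A, x, P_MOD) * pow(B, s, P_MOD) * pow(G, w, P_MOD)) % P_MOD

def challenge(*vals):
    """Fiat-Shamir challenge in Z_q over the public transcript."""
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q_ORD

def show(x, s, w):
    """Prover side: reveal the tag T = g^w and prove knowledge of (x, s, w)
    opening the pseudonym with that same w, without revealing x or s."""
    P, T = pseudonym(x, s, w), pow(G, w, P_MOD)
    r = [secrets.randbelow(Q_ORD) for _ in range(3)]
    t1 = (pow(A, r[0], P_MOD) * pow(B, r[1], P_MOD) * pow(G, r[2], P_MOD)) % P_MOD
    t2 = pow(G, r[2], P_MOD)                   # same r[2] ties T to the w in P
    c = challenge(P, T, t1, t2)
    z = [(r[0] + c * x) % Q_ORD, (r[1] + c * s) % Q_ORD, (r[2] + c * w) % Q_ORD]
    return {"P": P, "T": T, "c": c, "z": z}

def verify(proof):
    """Verifier side: recompute both commitments and check the challenge."""
    P, T, c, z = proof["P"], proof["T"], proof["c"], proof["z"]
    inv_c = Q_ORD - c                          # P^(q-c) = P^(-c) in an order-q group
    t1 = (pow(A, z[0], P_MOD) * pow(B, z[1], P_MOD) * pow(G, z[2], P_MOD)
          * pow(P, inv_c, P_MOD)) % P_MOD
    t2 = (pow(G, z[2], P_MOD) * pow(T, inv_c, P_MOD)) % P_MOD
    return c == challenge(P, T, t1, t2)

class Organization:
    """Accepts each tag once: the online 'spent coins' list from the post."""
    def __init__(self):
        self.spent = set()

    def accept(self, proof):
        if not verify(proof) or proof["T"] in self.spent:
            return False                       # bad proof or double-show
        self.spent.add(proof["T"])
        return True
```

Showing the same (x, s, w) a second time produces a fresh proof but the same tag T, so `accept` rejects it even though the proof itself verifies.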