[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: [email protected]*Subject*: MATH: Brands' cash, Hal's post #2*From*: Karl Lui Barrus <[email protected]>*Date*: Thu, 22 Sep 94 19:54:12 CDT*Sender*: [email protected]

-----BEGIN PGP SIGNED MESSAGE----- This post gives numerical examples to go along with Hal Finney's excellent description of Brands' digital cash, posted earlier. If the math is too much, just remember the whole point: > Blind signatures are, IMO, the key to anonymous digital cash, and in fact > to many forms of anonymity. The ability to engage in mutual information > manipulation with another person, while guaranteeing that no linkage will > later be possible between the data exchanged and the results of that > calculation, is the foundation for interacting in a complex way without > losing any privacy... > Vicki wants to end up with a non-interactive signature on m', which is a > special transformation of m. To do this, she engages in an interactive > signature protocol with Paul, getting him to sign m... the result is > that she ends up with a non-interactive signature on m' because Paul was > willing to participate in an interactive signature session on m Continuing along: > Now for the mathematics. Recall the g is the "generator" of the group, > the base of all of the powers. x is Paul's secret key, and GX=g^x is his > public key. I will use g = 10, n = 17389 as in the previous example. Paul will choose x = 351 to be his secret key, so GX = 10^351 mod 17389 = 16987 is his public key. In addition, the message is m = 1994. > As the first step of the interactive protocol, Paul chooses a random w > and sends Vicki MX = m^x, GW = g^w, and MW = m^w. Paul chooses a random w = 666 MX = 1994^351 mod 17389 = 11740 GW = 10^666 mod 17389 = 7115 MW = 1994^666 mod 17389 = 13262 > The relationship between m', which is what Vicki will end up > with a signature on, and m, which is the number that Paul sees, is > m' = (m^s)*(g^t). Vicki chooses s = 3694, t = 1243 m' = (1994^3694)*(10^1243) mod 17389 = 10313 > the challenge c is calculated as the hash of (m,MX,GW,MW). Vicki > must transform these numbers so that Paul will not recognize them, but in > such a way that the mathematical relationships are maintained. > To do this, Vicki chooses two (more) random numbers, u and v (along with > s and t above). Vicki chooses u = 5192, v = 100 > MX' = m'^x = ((m^s)*(g^t))^x = (m^(s*x))*(g^(t*x)) = (MX^s)*(GX^t) > GW' = g^w' = g^(u*w+v) = (g^(u*w))*(g^v) = (GW^u)*(g^v) > MW' = m'^w' = ((m^s)*(g^t))^(u*w+v) = [...] = > (GW^(u*t))*(MW^(u*s))*(m'^v) MX' = (MX^s)*(GX^t) = (11740^3694)*(16987^1243) mod 17389 = 10710 GW' = (GW^u)*(g^v) = (7115^5192)*(10^100) mod 17389 = 12113 MW' = (7115^(5192 1243))*(11740^(5192 3694))*(10313^100) mod 17389 = 9314 > Using these, Vicki calculates her hash c'= Hash(m',MX',GW',MW'). c' = hash(10313,10710,12113,9314) = 7672 (some hash function I made up) > Now, the c she sends to Paul... > c = c'/u c = (7672/5192) mod 17389 = 323 [ 5192 c = 7672 mod 17389 --> 5192 c" = 1 mod 17389 --> c" = 3520 ==> c = c" 7672 mod 17389 = 323 check: (323 5192) mod 17389 = 7672 ] > Paul will ... calculate r = c*x+w. r = (323 351 + 666) mod 17388 = 9711 > [Vicki calculates] r' = u*r + v r' = (5192 9711 + 100) mod 17388 = 11800 > The resulting signature on m' is (MX',GW',MW',r') So the resulting signature is (10710,12113,9314,11800) Okay, that should be an actual example of the protocol, unless I messed up somewhere ;) I hope to finish going through Hal's third post soon. Karl Barrus [email protected] -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBLoImUMSF/V8IjI8hAQGRmAP/RojMlpm8rnnx4K6c3GEHsBoQL7hIhdBB bTiwBhkXbi8ZhHsZJtX9mFceIhTK7yIxVsq9y17d2m5NghGME1qtIN+MjbbvwHfp j9S9fWwF6/mIiRvV9IM1a23IGhyZi0ZQASLKRiPlStjbcwv6QoGxZQuTyGOD8pSn hpoKosUFbqY= =EIjf -----END PGP SIGNATURE-----

- Prev by Date:
**Re: Chomsky Arguments / Redefinitions** - Next by Date:
**Re: HIT MEN** - Prev by thread:
**RE: THE LAST WORD... (maybe)** - Next by thread:
**National Research Council** - Index(es):