
Re: Blinding against Kocher's timing attacks



At 01:27 PM 12/12/95 -0800, you wrote:
>From: [email protected] (Johansson Lars)
>> Does anyone know whether David Chaum's patent on
>> blind digital signatures extends to this application?
>
>I don't think it would.  Chaum's blinding protocol has one major
>difference: the blinding factor is applied by a different person than
>the one doing the signing.  The purpose of the blinding is different,
>too; in Chaum's case the idea is to end up with a signature which is
>unknown to the signer, while with Kocher's "defensive blinding" the
>signature (or decryption) is an ordinary RSA one, and the blinding is
>just done internally by the signer to randomize the timing.

One thing I haven't heard mentioned would be the possibility of using TWO
blinding factors, by two different people, to blind the unsigned cash. As
you may know, I'm interested in payee-anonymous systems as well as
payer-anonymous ones, and such a feature might assist in this.
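The distinction drawn in the quoted reply, and the two-factor idea raised at the end, can be shown in a few lines of textbook RSA. The following is an added illustration, not code from the thread or from either of its authors. It uses a deliberately tiny, constructed key (p = 61, q = 53) so the arithmetic is visible; `chaum_blind`/`chaum_unblind` model the requester-side blinding of a Chaum blind signature, `defensive_sign` models Kocher-style blinding done internally by the signer (the output is an ordinary RSA signature, identical to the unblinded one), and `double_blind`/`double_unblind` go one step past the post to show that two blinding factors applied by two different parties compose and unwind cleanly. Function and variable names are the example's own.

```python
# Added example, not from the mailing-list thread: textbook RSA with
# Chaum-style blinding (requester blinds), Kocher-style "defensive" blinding
# (signer blinds internally), and two stacked blinding factors.
# Toy parameters, constructed for illustration; a 12-bit modulus is not secure.

import secrets
from math import gcd

# Constructed toy key.  Requires Python 3.8+ for pow(x, -1, m).
P, Q = 61, 53
N = P * Q                   # 3233
PHI = (P - 1) * (Q - 1)     # 3120
E = 17
D = pow(E, -1, PHI)         # 2753, since 17 * 2753 = 1 mod 3120


def random_blinding_factor(n: int = N) -> int:
    """Random r in [2, n-1] with gcd(r, n) = 1, so r is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def raw_sign(m: int, d: int = D, n: int = N) -> int:
    """Plain RSA private operation m^d mod n.  Its running time depends on m,
    which is what a timing attack on an unblinded signer measures."""
    return pow(m, d, n)


def verify(m: int, s: int, e: int = E, n: int = N) -> bool:
    """Ordinary RSA verification: s^e == m (mod n)."""
    return pow(s, e, n) == m % n


# --- Chaum: the requester blinds, the signer signs whatever it is handed,
#     the requester unblinds.  The signer never learns m or the final s.
def chaum_blind(m: int, r: int, e: int = E, n: int = N) -> int:
    return (m * pow(r, e, n)) % n


def chaum_unblind(blinded_sig: int, r: int, n: int = N) -> int:
    return (blinded_sig * pow(r, -1, n)) % n


# --- Kocher: the signer picks r itself, exponentiates m * r^e (a value the
#     attacker cannot predict), then strips r.  The result is the normal
#     signature m^d mod n; only the timing of the private operation changes.
def defensive_sign(m: int, d: int = D, e: int = E, n: int = N) -> int:
    r = random_blinding_factor(n)
    blinded = (m * pow(r, e, n)) % n
    s_blinded = pow(blinded, d, n)
    return (s_blinded * pow(r, -1, n)) % n


# --- Two blinding factors from two parties compose multiplicatively:
#     (m * r1^e * r2^e)^d = m^d * r1 * r2 (mod n), so each party can remove
#     its own factor without knowing the other's.
def double_blind(m: int, r1: int, r2: int) -> int:
    return chaum_blind(chaum_blind(m, r1), r2)


def double_unblind(s: int, r1: int, r2: int) -> int:
    return chaum_unblind(chaum_unblind(s, r2), r1)


if __name__ == "__main__":
    m = 42                          # constructed message / "unsigned cash" value
    r1, r2 = 7, 11                  # constructed blinding factors (coprime to N)
    plain = raw_sign(m)
    print("ordinary signature      :", plain)
    print("defensively blinded sig :", defensive_sign(m), "(same value)")
    blinded = chaum_blind(m, r1)
    print("signer sees (Chaum)     :", blinded, "not", m)
    print("after unblinding        :", chaum_unblind(raw_sign(blinded), r1))
    print("two-party blinding      :",
          double_unblind(raw_sign(double_blind(m, r1, r2)), r1, r2))
```

The point the reply makes is visible in the two signing paths: `defensive_sign` returns exactly what `raw_sign` returns, so a verifier cannot tell blinded from unblinded signing, whereas under `chaum_blind` the signer operates on a value unrelated to the message and never sees the signature the requester ends up holding.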