[45343] in Cypherpunks
Re:  Blinding against Kocher's timing attacks
daemon@ATHENA.MIT.EDU (jim bell)
Wed Dec 13 17:57:09 1995
Date: Wed, 13 Dec 1995 13:32:50 -0800
To: Hal <hfinney@shell.portal.com>
From: jim bell <jimbell@pacifier.com>
Cc: cypherpunks@toad.com
At 01:27 PM 12/12/95 -0800, you wrote:
>From: ljo@ausys.se (Johansson Lars)
>> Does anyone know whether David Chaum's patent on
>> blind digital signatures extends to this application?
>
>I don't think it would.  Chaum's blinding protocol has one major
>difference: the blinding factor is applied by a different person than
>the one doing the signing.  The purpose of the blinding is different,
>too; in Chaum's case the idea is to end up with a signature which is
>unknown to the signer, while with Kocher's "defensive blinding" the
>signature (or decryption) is an ordinary RSA one, and the blinding is
>just done internally by the signer to randomize the timing.
One thing I haven't heard mentioned would be the possibility of using TWO
blinding factors, by two different people, to blind the unsigned cash.  As
you may know, I'm interested in payee-anonymous systems as well as
payer-anonymous ones, and such a feature might assist in this.
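The two protocols Hal contrasts above (Chaum's requester-side blinding versus Kocher's signer-internal "defensive" blinding), together with the two-factor variant raised in this message, as an added Python example that is not part of the original thread; the toy RSA parameters, function names and the single-key "signer" are constructed for illustration.

```python
import secrets
from math import gcd

# Constructed toy RSA key (textbook-sized, for illustration only).
P, Q = 61, 53
N = P * Q                           # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753, the private exponent

def rsa_sign(m: int) -> int:
    """Plain RSA private operation; its running time depends on m and D."""
    return pow(m, D, N)

def rsa_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N

def random_unit() -> int:
    """Random r in [2, N-1] that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def sign_defensively_blinded(m: int) -> int:
    """Kocher-style defensive blinding, done entirely inside the signer:
    the exponentiation runs on a randomised input, but the output is the
    ordinary RSA signature m^D mod N."""
    r = random_unit()
    blinded = (m * pow(r, E, N)) % N          # r^E * m
    s_blind = pow(blinded, D, N)              # (r^E m)^D = r * m^D
    return (s_blind * pow(r, -1, N)) % N      # strip r -> m^D

def chaum_blind(m: int):
    """Requester's side of Chaum's protocol: returns (blinded message, r)."""
    r = random_unit()
    return (m * pow(r, E, N)) % N, r

def chaum_unblind(s_blind: int, r: int) -> int:
    """Requester removes its own factor; the signer never sees m or m^D."""
    return (s_blind * pow(r, -1, N)) % N

def two_party_blind_sign(m: int) -> int:
    """Two independent blinding factors compose: blinding with r1 then r2
    equals blinding with r1*r2, and each party can remove only its own."""
    b1, r1 = chaum_blind(m)        # first party blinds
    b2, r2 = chaum_blind(b1)       # second party blinds again
    s_blind = rsa_sign(b2)         # signer sees neither m, r1 nor r2
    partly = chaum_unblind(s_blind, r2)
    return chaum_unblind(partly, r1)
```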