The goal of this protocol is for Bob to get Alice to perform a Diffie-Hellman key exchange blindly, such that when the unblinded value is returned, Alice recognizes it as her own, but can’t distinguish it from others (i.e. similar to a blind signature).
Alice:
A = a*G
return A
Bob:
Y = hash_to_curve(secret_message)
r = random blinding factor
B'= Y + r*G
return B'
Alice:
C' = a*B'
(= a*Y + a*r*G)
return C'
Bob:
C = C' - r*A
(= C' - a*r*G)
(= a*Y)
return C, secret_message
Alice:
Y = hash_to_curve(secret_message)
C == a*Y
If true, C must have originated from Alice
I unearthed this protocol from a seemingly long forgotten cypherpunk mailing list post by David Wagner from 1996. It was devised as an alternative to RSA blinding in order to get around the now-expired patent by David Chaum. As in all ecash protocols, the secret_message
is remembered by Alice
in order to prevent double spends.
Depending on the use case, the protocol does have a slight weakness that may need to be addressed. Bob can't be certain thatC'
was correctly generated and thus corresponds to a*B'
. Alice can resolve this by also supplying a discrete log equality proof, showing that a
in A = a*G
is equal to a
in C' = a*B'
. This equality can be proven with a relatively simple Schnorr signature, as described below.
(These steps occur once Alice returns C')
Alice:
r = random nonce
R1 = r*G
R2 = r*B'
e = hash(R1,R2,A,C')
s = r + e*a
return R1, R2, s
Bob:
s*G == R1 + e*A
s*B'== R2 + e*C'
If true, a in A = a*G must be equal to a in C' = a*B'
It may be possible to simplify this and have Alice return a single R
that is equal to r*G + r*B'
and then have Bob verify s*(G+B') == R + e*(A+C')
, but it would be wise to analyze the security first (my main concern is that B'
is not exactly a NUMS).