Cryptography Reference
In-Depth Information
number sequences, $(a_i)$, $(b_i)$, and $(c_i)$. The bank verifies whether these
numbers really result in the sequences $(x_i)$ and $(y_i)$. The bank signs the
hash value of the non-disclosed check, returns its signature to Alice, and
debits Alice's account with the amount of 978 dollars.
If Alice were to cheat here, it would be discovered with a probability of
$(N-1)/N$.
5. Alice puts the following together:
   - the amount;
   - the check number $R$;
   - the hash sum she had submitted to the bank (without the blinding factor); and
   - the bank's signature with the blinding factor removed (see Section 6.6.3).
   She sends this check to Bob.
6. Bob asks Alice for the name of her bank, the bank's public key (unless
he knows it already), and then verifies the bank's signature.
7. If it's all right, he gives Alice a random 40-bit number, $Z$, consisting of
bits $z_i$. Alice has to give merchant Bob
   - $a_i$, $b_i$, and $y_i$, if $z_i = 1$, or
   - $a_i \oplus I$, $c_i$, and $x_i$, if $z_i = 0$.
In the first case, merchant Bob can calculate value $x_i$ from $a_i$ and $b_i$,
since he knows hash function $h()$. In the second case, he can recover $y_i$.
This means that he knows $x_i$ and $y_i$ for every $i$ so that he can verify the
hash value (blindly signed by the bank) stated on the check.
8. Bob ships the merchandise to Alice and sends the check number, the
amount, and all data he obtained from Alice to the bank. The bank
stores these data and credits 978 dollars to his account.
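
The challenge-response exchange of Step 7, as an added Python example that is not taken from the book. Assumptions: SHA-256 stands in for h(), the check hash is computed over all $x_i$, $y_i$ in order, the identity value is a constructed sample, and the bank's blind signature is left out.

```python
import hashlib
import secrets

BITS = 40  # length of Bob's challenge Z, as in Step 7

def h(*parts: bytes) -> bytes:
    # Assumption: SHA-256 over length-prefixed inputs stands in for h().
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_check(identity: bytes):
    """Alice: x_i = h(a_i, b_i), y_i = h(a_i XOR I, c_i), plus the check hash."""
    secret = [tuple(secrets.token_bytes(len(identity)) for _ in range(3))
              for _ in range(BITS)]
    pairs = [(h(a, b), h(xor(a, identity), c)) for a, b, c in secret]
    return secret, pairs, h(*(v for p in pairs for v in p))

def respond(secret, pairs, identity, z):
    """Alice: open one half of each pair, selected by challenge bit z_i."""
    return [(a, b, y) if bit else (xor(a, identity), c, x)
            for (a, b, c), (x, y), bit in zip(secret, pairs, z)]

def verify(check_hash, z, answers) -> bool:
    """Bob: rebuild every (x_i, y_i) and compare with the signed check hash."""
    rebuilt = []
    for bit, (first, second, other) in zip(z, answers):
        opened = h(first, second)          # x_i if z_i = 1, y_i if z_i = 0
        rebuilt += [opened, other] if bit else [other, opened]
    return h(*rebuilt) == check_hash

def demo():
    identity = b"ALICE-ACCT-0001 "         # constructed sample value for I
    secret, pairs, check_hash = make_check(identity)
    z = [secrets.randbits(1) for _ in range(BITS)]
    answers = respond(secret, pairs, identity, z)
    ok = verify(check_hash, z, answers)
    # A forged y_0 or x_0 changes the rebuilt hash, so Bob rejects the check.
    tampered = [answers[0][:2] + (b"\0" * 32,)] + answers[1:]
    return ok, verify(check_hash, z, tampered)

if __name__ == "__main__":
    print(demo())
```

Each answer carries either $a_i$ or $a_i \oplus I$, never both, so one response to one challenge gives Bob and the bank a single share of $I$ per position.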
How Secure is this Protocol?
This protocol protects Alice's anonymity. Though the bank gets the check
number from Bob as well as the amount and the data mentioned in Step 7, it
cannot recover Alice's identity. We can think of the two numbers $a_i$ and
$a_i \oplus I$ as a subset of secret $I$. The protocol uses secret splitting (Section 6.2) in this
 