1

Blind SignaturesBlind Signatures盲簽章盲簽章

Chun-I Fan 范俊逸E-Commerce & Security Engineering Lab.

Department of Computer Science and Engineering National Sun Yat-Sen University

cifan@cse.nsysu.edu.tw

2資訊工程學系

Outlines

Introduction

Digital Signatures

Blind Signatures

Partially Blind Signatures

Fair Blind Signatures

A User Efficient Blind Signature Scheme

Conclusions

3

Introduction

4資訊工程學系

Internet

Servers

Data Bases

Clients

Efficiency

Ubiquity

5資訊工程學系

Features of Internet Services

Efficiency: Faster than traditional services

Ubiquity: Users can obtain services anywhere

Flexibility: Clients can request services anytime

Openness: Popularization

Examples: Electronic cash and voting services

6資訊工程學系

Some Challenges to Internet Services

Security– Hackers and viruses– Privacy and policy considerations

Efficiency– A lot of extra computations must be performed

by users– Limited power of devices such as mobile units

or smart cards

7資訊工程學系

Cryptographic Techniques

Encryption/Decryption

Key Distribution Protocols

Identification Schemes

Digital Signatures

Blind Signatures

…….

8

Digital Signatures

9資訊工程學系

A Digital Signature Scheme

User Signer

Signature on Message

The signer’s signature on “Message”

Message

Linkable Signer

10資訊工程學系

Signature Generation and Verification

User

Signer

True / False

Message

Signature

Key

SignatureGenerator

SignatureVerifier

11

Blind Signatures

12資訊工程學系

Blind Signatures

User SignerMessage

Signature on Message

The signer’s signature on “Message”

Unlinkable Signer

13資訊工程學系

The Scheme

Unlinkability: it is intractable for the signer to link to

“Message” : the blinded message

Signature on “Message” : the blind signature

Signature on “Message”: to be obtained after unblinding

14資訊工程學系

Signature Generation and Verification

Signing

User Signer

SignatureVerifier

True / False

Key

Signature

Blinding

Unblinding

Message

Blind Signature

Message

Message

15資訊工程學系

A Generic Blind Signature Scheme

M : the underlying set of messages

R : a finite set of random integers

S : M MT : signing

V : MT M {true, false} : verifying

B : M R M : blinding

U : MT R MT : unblinding

16資訊工程學系

The Protocol

User Signer

m Mr R

B(m, r)

S(B(m, r))

U(S(B(m,r)), r) = S(m)

Signature-message pair: ((S(m), m))

V(S(m), m) = True

Publish V

17資訊工程學系

Flow Diagram

User Signer

True / False

B(..)

U(..)

mB(m, r)

S(B(m, r))

S(m)

r

r

V(..)

Key

S(.)

m

18資訊工程學系

Voter i Center

idi Make License(idi)

intent

S(intent)

Publish License(idi)License(idi)

Registration:

Voting:Vote:(S(intent), intent) Verify & Publish:

Sign on B(intent)

(S(intent), intent)

Application: Anonymous Voting

Identification Protocol

Blind Signature Scheme

Anonymous Channel

19資訊工程學系

An Anonymous Voting Protocol

m = intentionr R

B(m, r)

S(B(m, r))

U(S(B(m, r)), r) = S(m)

V(S(m), m) = TruePublish (S(m), m)

Vote: (S(m), m)

Voter Center

Publish V

Anonymous Channel

20資訊工程學系

Discussions

Tally Correctness– Unforgeable votes

– All registered voters must submit their votes

Anonymity– Unlinkability based on blind signatures

– Anonymous channels

21資訊工程學系

Customer Bank

identity

string

S(string)

Verify identity

Withdrawing:

Paying:

Cash:(S(string), string) CorrectnessChecking

Sign on B(string)

Application: Untraceable E-Cash

Identification Protocol

Blind Signature Scheme

Account no.

Deduct one dollarfrom the account.

Payee B

2-Spending Checking

E-cash DB

Store the cashAdd $1 to B’s account

22資訊工程學系

An Untraceable E-Cash Protocol

m M, r RB(m, r)

S(B(m, r))

U(S(B(m, r)), r) = S(m)

V(S(m), m) = TrueCash: (S(m), m)

(S(m), m)

“Fresh”Accept

Customer Bank

PayeePayee

Publish V

2-spendingchecking

23資訊工程學系

Discussions

Unforgeability

Untraceability

– Bank cannot trace an e-cash to the withdrawing protocol

The database will unlimitedly grow

Perfect crimes– Money Laundering

– To safely get a ransom

24

Partially Blind Signatures

25資訊工程學系

Partially Blind Signatures

User Signerm1

Signature on (

The signer’s signature on (m1 # m2)

# m2)Message = (

m1 # m2)

All of the signatures with the same m2 are indistinguishable from the signer’s point of view.

26資訊工程學系

Signature Generation and Verification

User Signer

True / False

Signature on (m1 # m2)

Blinding

Unblinding PartiallyBlind Signature

m1, m2 m1 # m2

Signing

Key

SignatureVerifier

(m1, m2)

27資訊工程學系

The Protocol

User Signer

m1, m2 M

r R (B(m1, r) # m2)

S(B(m1, r) # m2)

U(S(B(m1, r) # m2), r) = S(m1 # m2)

Signature-message triple: (S (m1 # m2), m1 , m2)

V(S(m1 # m2), (m1 # m2)) = True

Publish V

28資訊工程學系

Flow Diagram

User Signer

True / False

B(..) #

U(..)S(B(m1, r) # m2)

S(m1 # m2)

r

r

V(..)

Key

S(.)

(B(m1, r) # m2)m1 m2

(m1 , m2 )

29資訊工程學系

Discussions

Embed an expiration date into an e-cash

– E-cash = (S(m1 # m2), m1, m2)

– m2 is the expiration date of the e-cash

– All expired e-cash can be removed form the

bank’s database

The storage can be controlled

30

Fair Blind Signatures

31資訊工程學系

Money Laundering

BankCustomer A

Customer B

Withdraw a blinded e-cash

Forward the e-cash

Deposit the e-cash

Unlinkable

Unblinding

32資訊工程學系

To Safely Get a Ransom

Criminal

Payer Bank

Send a blinded message

Forward the blinded message

Withdraw the blinded e-cash

Unblinding

Deposit the e-cash

An

onym

ous

Ch

ann

el Unlinkable

Publish the blinded e-cash

33資訊工程學系

Fair Blind Signatures

To cope with the misuse of unlinkability– money laundering

– to safely get a ransom

The judge keeps the link information– unlinkable to the signer

– the judge can reveal the link when necessary

34資訊工程學系

The Registration Stage

User JudgeIdentification Protocol

License = (Sjudge(B(K);iduser), B(K))

K = Ejudge(iduser;random)

Sjudge : the signing function of the judge

Ejudge : the encryption function of the judge

random : a random string

35資訊工程學系

The Signing Stage

User Signer

m M

r RB(m, r), iduser , License = (…, B(K))

S(B(m, r) # B(K))

U(S(B(m, r) # B(K)), r) = S(m # K)

Signature-message triple: (S(m # K), m , K)

V(S(m # K), (m # K)) = True

Publish V

Verify License

36資訊工程學系

Discussions

Cash = (S(m # K), m, K)

– K = Ejudge(iduser…...)

Owner Tracing

– The judge can decrypt K and reveal iduser

37

A User Efficient Blind Signature Scheme

38資訊工程學系

The Underlying Foundation

Based on Quadratic Residues

If x2 = y (mod n), then y is a quadratic residue (QR) in Zn and x is a square root of y

If n = p1p2 where p1 and p2 are two distinct large primes, then, given (y, n), it is intractable to compute x without p1 or p2.

39資訊工程學系

The Blind Signature Protocol

The Blinding Stage

The Randomizing Stage

The Signing Stage

The Unblinding Stage

40資訊工程學系

The Blinding Stage

m Zn

u, v R Zn

= H(m)(u2+v2) mod n

User Signer

n = p1 p2

H: hash function

Publish (H,n)

41資訊工程學系

The Randomizing Stage

xx R Zn

b R Zn

= b2 mod n

= (uvx) mod n

User Signer

42資訊工程學系

The Signing Stage

= 1 mod n

Derive t such that

t4 n (x2+1)2

(t, )

User Signer

43資訊工程學系

The Unblinding Stage

c = (ux+v) mod n

s = bt mod n

User

Signature-Message Triple: (c,m,s)

Verification: s4 H(m)(c2+1) (mod n)

44資訊工程學系

Flow Chart

User Signer

Blinding

Response

m

(u, v) =H(m)(u2+v2)

Randomizing xx

b = b2(uvx)

Signing

(, p1, p2 )

Unblinding

(b, u, v)

t = ((x2+1)2 )1/4

= 1

(c, s) s4 = H(m)(c2+1)

(p1, p2 )

45資訊工程學系

Features

Unlinkability: (b,u,v) is randomly chosen and kept secret by the user

Unforgeability: (p1,p2) is kept secret by the signer and H is one-way

User Efficiency: 10 multiplications and 1 hashing for getting a signature; 4 multiplications and 1 hashing for verification

46資訊工程學系

Cam. Cha. Fer. Poi. Poi.Fan

DLRSARSA QRQR DL

Unlinkable:

Randomized:

Foundation:

MessageRecoverable:

○

○

○

○

○

×

○

×

○

○

○

×

○

○

×

○

○

×

Properties

47資訊工程學系

Cam. Cha. Fer. Poi. Poi.Fan

Inverse:

Hashing:

Exponentiation:

Multiplication:

The Computation for Users

3

0

2

2k

0

0

2

14

4

2

0

6

2

1

2

2

4

1

2

3

6

0

2

5

Reduced by: >99%>99% >99% >99% >99%

48資訊工程學系

The first blind signature scheme based on

Quadratic Residues (AsiaCrypt’96)

It is randomized

Very low computation for users

Customer Efficient untraceable e-cash services

Voter Efficient anonymous e-voting protocols

Remarks

49

Conclusions

50資訊工程學系

Blind Signature = Digital Signature + Encryption

Unforgeability and Unlinkability

Applications

– Untraceable Electronic Cash

– Anonymous Electronic Voting

Partially blind signatures can reduce the storage

Fair blind signatures can deal with the misuse of unlinkability

Summary

51資訊工程學系

References

1. Chun-I Fan and Chin-Laung Lei, ‘A Multi-Recastable Ticket Scheme for Electronic Elections,’ Advances in Cryptology-ASIACRYPT'96, 1996.

2. Chun-I Fan and Chin-Laung Lei, ‘User Efficient Blind Signatures,’ IEE Electronics Letters, 1998.

3. Chun-I Fan and Chin-Laung Lei, ‘Low-Computation Partially Blind Signatures for Electronic Cash,’ IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 1998.

4. Chun-I Fan and Wei-Kuei Chen, ‘An Efficient Blind Signature Scheme for Information Hiding,’ International Journal of Electronic Commerce, 2001.

5. Chun-I Fan and Chin-Laung Lei, ‘A User Efficient Fair Blind Signature Scheme for Untraceable Electronic Cash,’ Journal of Information Science and Engineering, 2002.