Blind Signatures
Chun-I Fan (范俊逸)
E-Commerce & Security Engineering Lab.
Department of Computer Science and Engineering, National Sun Yat-Sen University
Date posted: 20-Dec-2015
Outlines
Introduction
Digital Signatures
Blind Signatures
Partially Blind Signatures
Fair Blind Signatures
A User Efficient Blind Signature Scheme
Conclusions
Introduction
[Figure: Internet, Servers, Data Bases, Clients; labels: Efficiency, Ubiquity]
Features of Internet Services
Efficiency: Faster than traditional services
Ubiquity: Users can obtain services anywhere
Flexibility: Clients can request services anytime
Openness: Popularization
Examples: Electronic cash and voting services
Some Challenges to Internet Services
Security
– Hackers and viruses
– Privacy and policy considerations
Efficiency
– A lot of extra computations must be performed by users
– Limited power of devices such as mobile units or smart cards
Cryptographic Techniques
Encryption/Decryption
Key Distribution Protocols
Identification Schemes
Digital Signatures
Blind Signatures
…….
Digital Signatures
A Digital Signature Scheme
[Diagram: User, Signer; Message; Signature on Message (the signer’s signature on “Message”); Linkable]
Signature Generation and Verification
[Flow diagram. Parties: User, Signer. Blocks: Signature Generator, Signature Verifier. Data: Message, Key, Signature, True / False]
Blind Signatures
Blind Signatures
[Diagram: User, Signer; Message; Signature on Message (the signer’s signature on “Message”); Unlinkable]
The Scheme
Unlinkability: it is intractable for the signer to link to
“Message” : the blinded message
Signature on “Message” : the blind signature
Signature on “Message”: to be obtained after unblinding
Signature Generation and Verification
[Flow diagram. Parties: User, Signer. Blocks: Blinding, Signing, Unblinding, Signature Verifier. Data: Message, Key, Blind Signature, Signature, True / False]
A Generic Blind Signature Scheme
M : the underlying set of messages
R : a finite set of random integers
$S : M \to MT$ : signing
$V : MT \times M \to \{\text{true}, \text{false}\}$ : verifying
$B : M \times R \to M$ : blinding
$U : MT \times R \to MT$ : unblinding
The Protocol
Signer: Publish V
User: $m \in M$, $r \in R$
User → Signer: B(m, r)
Signer → User: S(B(m, r))
User: U(S(B(m, r)), r) = S(m)
Signature-message pair: (S(m), m)
V(S(m), m) = True
Flow Diagram
[Flow diagram. Parties: User, Signer. Blocks: B(..), S(.), U(..), V(..). Data: m, r, B(m, r), S(B(m, r)), S(m), Key, True / False]
Application: Anonymous Voting
Components: Identification Protocol, Blind Signature Scheme, Anonymous Channel
Parties: Voter i, Center
Registration: $id_i$; Make License($id_i$); Publish License($id_i$); Sign on B(intent); S(intent)
Voting: Vote: (S(intent), intent); Verify & Publish: (S(intent), intent)
An Anonymous Voting Protocol
Center: Publish V
Voter: m = intention, $r \in R$
Voter → Center: B(m, r)
Center → Voter: S(B(m, r))
Voter: U(S(B(m, r)), r) = S(m)
Voter → Center (Anonymous Channel): Vote: (S(m), m)
Center: V(S(m), m) = True; Publish (S(m), m)
Discussions
Tally Correctness
– Unforgeable votes
– All registered voters must submit their votes
Anonymity
– Unlinkability based on blind signatures
– Anonymous channels
Application: Untraceable E-Cash
Components: Identification Protocol, Blind Signature Scheme
Parties: Customer, Bank, Payee B
Withdrawing: identity, Account no.; Verify identity; Sign on B(string); S(string); Deduct one dollar from the account.
Paying: Cash: (S(string), string); Correctness Checking; 2-Spending Checking (E-cash DB); Store the cash; Add $1 to B’s account
An Untraceable E-Cash Protocol
Bank: Publish V
Customer: $m \in M$, $r \in R$
Customer → Bank: B(m, r)
Bank → Customer: S(B(m, r))
Customer: U(S(B(m, r)), r) = S(m)
V(S(m), m) = True
Customer → Payee: Cash: (S(m), m)
Payee → Bank: (S(m), m)
Bank: 2-spending checking; “Fresh”
Payee: Accept
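The withdrawing, paying and 2-spending steps above, run end to end as an added example (not code from the slides). It instantiates the generic B, S, U, V with RSA blinding over a SHA-256 hash, which is a swapped-in choice; the Mersenne-prime modulus, the `Bank` class and every name below are constructed for the demo and are not secure parameters.

```python
import hashlib, math, secrets

# Constructed demo key from two known Mersenne primes; not a secure modulus.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D is the bank's private exponent

def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def blind(m: bytes, r: int) -> int:     # B(m, r): customer hides H(m) under r^E
    return H(m) * pow(r, E, N) % N

def sign(x: int) -> int:                # S(.): bank signs whatever it is given
    return pow(x, D, N)

def unblind(sb: int, r: int) -> int:    # U(S(B(m, r)), r) = S(m)
    return sb * pow(r, -1, N) % N

def verify(s: int, m: bytes) -> bool:   # V(S(m), m): needs the public key only
    return pow(s, E, N) == H(m)

class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.seen_at_withdrawal = []    # all the bank learns when signing
        self.cash_db = set()            # spent serials, for 2-spending checking
    def withdraw(self, account: str, blinded: int) -> int:
        self.balances[account] -= 1     # deduct one dollar from the account
        self.seen_at_withdrawal.append(blinded)
        return sign(blinded)
    def deposit(self, payee: str, s: int, m: bytes) -> str:
        if not verify(s, m):
            return "forged"
        if m in self.cash_db:
            return "double-spent"
        self.cash_db.add(m)             # store the cash; this set only grows
        self.balances[payee] = self.balances.get(payee, 0) + 1
        return "fresh"

def run_demo():
    bank = Bank({"customer": 5})
    m = secrets.token_bytes(16)         # the coin's random "string"
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:          # blinding factor must be invertible
        r = secrets.randbelow(N - 2) + 2
    s = unblind(bank.withdraw("customer", blind(m, r)), r)
    outcomes = [bank.deposit("payee", s, x) for x in (m, m, m + b"!")]
    linkable = H(m) in bank.seen_at_withdrawal or s in bank.seen_at_withdrawal
    return outcomes, linkable, bank.balances
```

The bank's withdrawal record holds only the blinded value, so neither the coin's hash nor its signature appears there, while `cash_db` is the store that the later slides note must keep growing.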
Discussions
Unforgeability
Untraceability
– Bank cannot trace an e-cash to the withdrawing protocol
The database will grow without limit
Perfect crimes
– Money Laundering
– To safely get a ransom
Partially Blind Signatures
Partially Blind Signatures
[Diagram: User, Signer; Message = (m1 # m2); Signature on (m1 # m2) (the signer’s signature on (m1 # m2))]
All of the signatures with the same m2 are indistinguishable from the signer’s point of view.
Signature Generation and Verification
[Flow diagram. Parties: User, Signer. Blocks: Blinding, Signing, Unblinding, Signature Verifier. Data: m1, m2, m1 # m2, (m1, m2), Key, Partially Blind Signature, Signature on (m1 # m2), True / False]
The Protocol
Signer: Publish V
User: $m_1, m_2 \in M$, $r \in R$
User → Signer: (B(m1, r) # m2)
Signer → User: S(B(m1, r) # m2)
User: U(S(B(m1, r) # m2), r) = S(m1 # m2)
Signature-message triple: (S(m1 # m2), m1, m2)
V(S(m1 # m2), (m1 # m2)) = True
Flow Diagram
[Flow diagram. Parties: User, Signer. Blocks: B(..) #, S(.), U(..), V(..). Data: m1, m2, r, (B(m1, r) # m2), S(B(m1, r) # m2), S(m1 # m2), (m1, m2), Key, True / False]
Discussions
Embed an expiration date into an e-cash
– E-cash = (S(m1 # m2), m1, m2)
– m2 is the expiration date of the e-cash
– All expired e-cash can be removed from the bank’s database
The storage can be controlled
Fair Blind Signatures
Money Laundering
[Diagram: Bank, Customer A, Customer B. Labels: Withdraw a blinded e-cash; Unblinding; Forward the e-cash; Deposit the e-cash; Unlinkable]
To Safely Get a Ransom
[Diagram: Criminal, Payer, Bank, Anonymous Channel. Labels: Send a blinded message; Forward the blinded message; Withdraw the blinded e-cash; Unblinding; Deposit the e-cash; Publish the blinded e-cash; Unlinkable]
Fair Blind Signatures
To cope with the misuse of unlinkability
– money laundering
– to safely get a ransom
The judge keeps the link information
– unlinkable to the signer
– the judge can reveal the link when necessary
The Registration Stage
User and Judge: Identification Protocol
License = ($S_{judge}$(B(K); $id_{user}$), B(K))
K = $E_{judge}$($id_{user}$; random)
$S_{judge}$ : the signing function of the judge
$E_{judge}$ : the encryption function of the judge
random : a random string
The Signing Stage
Signer: Publish V
User: $m \in M$, $r \in R$
User → Signer: B(m, r), $id_{user}$, License = (…, B(K))
Signer: Verify License
Signer → User: S(B(m, r) # B(K))
User: U(S(B(m, r) # B(K)), r) = S(m # K)
Signature-message triple: (S(m # K), m, K)
V(S(m # K), (m # K)) = True
Discussions
Cash = (S(m # K), m, K)
– K = $E_{judge}$($id_{user}$…...)
Owner Tracing
– The judge can decrypt K and reveal $id_{user}$
A User Efficient Blind Signature Scheme
The Underlying Foundation
Based on Quadratic Residues
If $x^2 = y \pmod n$, then y is a quadratic residue (QR) in $Z_n$ and x is a square root of y
If $n = p_1 p_2$ where $p_1$ and $p_2$ are two distinct large primes, then, given (y, n), it is intractable to compute x without $p_1$ or $p_2$.
The Blind Signature Protocol
The Blinding Stage
The Randomizing Stage
The Signing Stage
The Unblinding Stage
The Blinding Stage
m Zn
u, v R Zn
= H(m)(u2+v2) mod n
User Signer
n = p1 p2
H: hash function
Publish (H,n)
The Randomizing Stage
xx R Zn
b R Zn
= b2 mod n
= (uvx) mod n
User Signer
The Signing Stage
= 1 mod n
Derive t such that
t4 n (x2+1)2
(t, )
User Signer
The Unblinding Stage
c = (ux+v) mod n
s = bt mod n
User
Signature-Message Triple: (c,m,s)
Verification: $s^4 \equiv H(m)(c^2+1) \pmod n$
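The four stages above, run end to end as an added example (not code from the slides or the cited papers). The Greek-letter names did not survive on this page, so `alpha`, `delta`, `beta` and `lam`, the factor `delta*lam` in c, and the signer's retry of x until a 4th root exists are assumptions chosen so that the verification equation above holds; the Mersenne-prime modulus is constructed and not secure.

```python
import hashlib, secrets

# Constructed demo modulus: two known Mersenne primes, both 3 mod 4. Not secure.
P1, P2 = 2**127 - 1, 2**89 - 1
N = P1 * P2

def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def rand_zn() -> int:
    return secrets.randbelow(N - 2) + 2

def fourth_root(y: int) -> int:
    # Signer only. For p = 3 mod 4, y^((p+1)/4) mod p is the square root of a
    # QR y that is again a QR, so applying it twice gives a 4th root; then CRT.
    tp, tq = (pow(pow(y, (p + 1) // 4, p), (p + 1) // 4, p) for p in (P1, P2))
    return (tp + P1 * ((tq - tp) * pow(P1, -1, P2) % P2)) % N

def signer_pick_x(alpha: int) -> int:
    # Assumed detail: retry x until alpha*(x^2+1) is a QR mod both primes
    # (Euler's criterion), so that the 4th root in signer_sign exists.
    while True:
        x = rand_zn()
        y = alpha * (x * x + 1)
        if all(pow(y, (p - 1) // 2, p) == 1 for p in (P1, P2)):
            return x

def signer_sign(alpha: int, x: int, beta: int):
    lam = pow(beta, -1, N)
    return fourth_root(alpha * (x * x + 1) * lam * lam % N), lam

def verify(c: int, m: bytes, s: int) -> bool:
    return pow(s, 4, N) == H(m) * (c * c + 1) % N

def run_protocol(m: bytes):
    u, v, b = rand_zn(), rand_zn(), rand_zn()    # user's secrets (b, u, v)
    alpha = H(m) * (u * u + v * v) % N           # blinding stage
    x = signer_pick_x(alpha)                     # randomizing stage, signer
    delta = b * b % N
    beta = delta * (u - v * x) % N               # randomizing stage, user
    t, lam = signer_sign(alpha, x, beta)         # signing stage
    c = delta * lam * (u * x + v) % N            # unblinding stage
    s = b * t % N
    return (c, m, s), (alpha, x, beta, t, lam)   # triple, signer's view
```

The user's side costs ten modular multiplications and one hash, with no inversion or exponentiation, which matches the count given under Features.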
Flow Chart
[Flow chart. Parties: User (m; (b, u, v)), Signer ((p1, p2)). Stages: Blinding, Randomizing, Signing, Response, Unblinding. Result: (c, s) with $s^4 = H(m)(c^2+1)$]
Features
Unlinkability: (b,u,v) is randomly chosen and kept secret by the user
Unforgeability: (p1,p2) is kept secret by the signer and H is one-way
User Efficiency: 10 multiplications and 1 hashing for getting a signature; 4 multiplications and 1 hashing for verification
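Properties
[Comparison table flattened in extraction; the assignment of values to columns is not recoverable]
Schemes: Cam., Cha., Fer., Poi., Poi., Fan
Rows: Unlinkable, Randomized, Foundation, Message Recoverable
Foundation values: DL, RSA, RSA, QR, QR, DL
Marks: ○ ○ ○ ○ ○ × ○ × ○ ○ ○ × ○ ○ × ○ ○ ×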
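The Computation for Users
[Comparison table flattened in extraction; the assignment of values to columns is not recoverable]
Schemes: Cam., Cha., Fer., Poi., Poi., Fan
Rows: Inverse, Hashing, Exponentiation, Multiplication
Values: 3, 0, 2, 2k, 0, 0, 2, 14, 4, 2, 0, 6, 2, 1, 2, 2, 4, 1, 2, 3, 6, 0, 2, 5
Reduced by: >99%, >99%, >99%, >99%, >99%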
Remarks
The first blind signature scheme based on Quadratic Residues (AsiaCrypt’96)
It is randomized
Very low computation for users
Customer Efficient untraceable e-cash services
Voter Efficient anonymous e-voting protocols
Conclusions
Summary
Blind Signature = Digital Signature + Encryption
Unforgeability and Unlinkability
Applications
– Untraceable Electronic Cash
– Anonymous Electronic Voting
Partially blind signatures can reduce the storage
Fair blind signatures can deal with the misuse of unlinkability
References
1. Chun-I Fan and Chin-Laung Lei, ‘A Multi-Recastable Ticket Scheme for Electronic Elections,’ Advances in Cryptology-ASIACRYPT'96, 1996.
2. Chun-I Fan and Chin-Laung Lei, ‘User Efficient Blind Signatures,’ IEE Electronics Letters, 1998.
3. Chun-I Fan and Chin-Laung Lei, ‘Low-Computation Partially Blind Signatures for Electronic Cash,’ IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 1998.
4. Chun-I Fan and Wei-Kuei Chen, ‘An Efficient Blind Signature Scheme for Information Hiding,’ International Journal of Electronic Commerce, 2001.
5. Chun-I Fan and Chin-Laung Lei, ‘A User Efficient Fair Blind Signature Scheme for Untraceable Electronic Cash,’ Journal of Information Science and Engineering, 2002.