Blind Signatures
Chun-I Fan (范俊逸)
E-Commerce & Security Engineering Lab., Department of Computer Science and Engineering, National Sun Yat-Sen University

Outline
• Introduction
• Digital Signatures
• Blind Signatures
• Partially Blind Signatures
• Fair Blind Signatures
• A User Efficient Blind Signature Scheme
• Conclusions

Introduction

Features of Internet Services
• Efficiency: Faster than traditional services
• Ubiquity: Users can obtain services anywhere
• Flexibility: Clients can request services anytime
• Openness: Popularization
• Examples: Electronic cash and voting services

Some Challenges to Internet Services
• Security
  – Hackers and viruses
  – Privacy and policy considerations
• Efficiency
  – A lot of extra computations must be performed by users
  – Limited power of devices such as mobile units or smart cards

Cryptographic Techniques
• Encryption/Decryption
• Key Distribution Protocols
• Identification Schemes
• Digital Signatures
• Blind Signatures
• …

Digital Signatures

A Digital Signature Scheme
[Diagram: the user sends "Message" to the signer and receives the signer's signature on "Message"; linkable by the signer.]

Signature Generation and Verification
[Diagram: User and Signer; the signature generator takes the message and the key and outputs the signature; the signature verifier outputs True / False.]

Blind Signatures

Blind Signatures
[Diagram: the user sends a message to the signer and obtains the signer's signature on "Message"; unlinkable by the signer.]

The Scheme
Unlinkability: it is intractable for the signer to link to
“Message”: the blinded message
Signature on “Message”: the blind signature
Signature on “Message”: to be obtained after unblinding

Signature Generation and Verification
[Diagram: the user blinds the message; the signer signs it with the key, producing the blind signature; the user unblinds it to obtain the signature; the signature verifier takes the message and the signature and outputs True / False.]

A Generic Blind Signature Scheme
• M : the underlying set of messages
• R : a finite set of random integers
• S : M M T : signing
• V : M T M {true, false} : verifying
• B : M R M : blinding
• U : M T R M T : unblinding

The Protocol
Signer: Publish V
User: m M, r R
User → Signer: B(m, r)
Signer → User: S(B(m, r))
User: U(S(B(m, r)), r) = S(m)
Signature-message pair: (S(m), m)
V(S(m), m) = True

Flow Diagram
[Flow diagram: the user computes B(m, r) from m and r; the signer applies S(.) with its key and returns S(B(m, r)); the user applies U(..) with r and obtains S(m); V(..) takes S(m) and m and outputs True / False.]

Application: Anonymous Voting
[Diagram, Voter i and Center:
 Registration (Identification Protocol): id_i; Make License(id_i); Publish License(id_i).
 Voting (Blind Signature Scheme): intent; License(id_i); Sign on B(intent); S(intent).
 Vote (Anonymous Channel): (S(intent), intent); Verify & Publish: (S(intent), intent).]

An Anonymous Voting Protocol
Center: Publish V
Voter: m = intention, r R
Voter → Center: B(m, r)
Center → Voter: S(B(m, r))
Voter: U(S(B(m, r)), r) = S(m)
Voter → Center (Anonymous Channel): Vote: (S(m), m)
Center: V(S(m), m) = True; Publish (S(m), m)

Discussions
• Tally Correctness
  – Unforgeable votes
  – All registered voters must submit their votes
• Anonymity
  – Unlinkability based on blind signatures
  – Anonymous channels

Application: Untraceable E-Cash
[Diagram, Customer, Bank and Payee B:
 Withdrawing (Identification Protocol, Blind Signature Scheme): identity, Account no.; Verify identity; string; Sign on B(string); Deduct one dollar from the account; S(string).
 Cash: (S(string), string)
 Paying: Correctness Checking; 2-Spending Checking against the E-cash DB; Store the cash; Add $1 to B's account.]

An Untraceable E-Cash Protocol
Parties: Customer, Bank, Payee
Bank: Publish V
Customer: m M, r R
Customer → Bank: B(m, r)
Bank → Customer: S(B(m, r))
Customer: U(S(B(m, r)), r) = S(m); V(S(m), m) = True
Cash: (S(m), m)
Paying: (S(m), m); 2-spending checking; “Fresh”; Accept

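The withdrawal, payment and 2-spending check above, as an added Python example that is not part of the original slides. The slides keep B, S, U and V abstract; this sketch instantiates them with RSA blinding (Chaum's construction), and the `Bank` class, `withdraw_coin`, the account names and the toy key are assumptions of the example.

```python
import hashlib, secrets
from math import gcd

# Constructed toy RSA key for the bank (Mersenne primes; far too weak for real use).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # bank's secret signing exponent

def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def B(m, r):  return H(m) * pow(r, E, N) % N   # blinding (customer)
def S(x):     return pow(x, D, N)              # signing (bank only)
def U(sb, r): return sb * pow(r, -1, N) % N    # unblinding (customer)
def V(s, m):  return pow(s, E, N) == H(m)      # verifying (anyone)

class Bank:
    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.withdrawals = []                  # (account, blinded value) the bank saw
        self.spent = set()                     # e-cash DB for 2-spending checking

    def withdraw(self, account, blinded):
        if self.accounts[account] < 1:
            raise ValueError("insufficient funds")
        self.accounts[account] -= 1            # deduct one dollar
        self.withdrawals.append((account, blinded))
        return S(blinded)

    def deposit(self, payee, s, m):
        if not V(s, m):
            return "forged"
        if m in self.spent:
            return "double-spent"
        self.spent.add(m)                      # store the cash
        self.accounts[payee] = self.accounts.get(payee, 0) + 1
        return "fresh"

def withdraw_coin(bank, account):
    """Customer side of the withdrawal: returns the cash (S(m), m)."""
    m = secrets.token_bytes(16)                # random coin serial
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    s = U(bank.withdraw(account, B(m, r)), r)
    assert V(s, m)
    return s, m
```

The bank's `withdrawals` log holds only B(m, r), so nothing in it matches the (S(m), m) pair later deposited, while the `spent` set is the database that grows with every coin.
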
Discussions
• Unforgeability
• Untraceability
  – Bank cannot trace an e-cash to the withdrawing protocol
• The database will grow without limit
• Perfect crimes
  – Money Laundering
  – To safely get a ransom

Partially Blind Signatures

Partially Blind Signatures
[Diagram: User and Signer; Message = (m_1 # m_2); the signer's signature on (m_1 # m_2).]
All of the signatures with the same m_2 are indistinguishable from the signer's point of view.

Signature Generation and Verification
[Diagram: the user blinds m_1 and sends it with m_2; the signer signs with the key, producing the partially blind signature; the user unblinds it to obtain the signature on (m_1 # m_2); the signature verifier takes the signature and (m_1, m_2) and outputs True / False.]

The Protocol
Signer: Publish V
User: m_1, m_2 M, r R
User → Signer: (B(m_1, r) # m_2)
Signer → User: S(B(m_1, r) # m_2)
User: U(S(B(m_1, r) # m_2), r) = S(m_1 # m_2)
Signature-message triple: (S(m_1 # m_2), m_1, m_2)
V(S(m_1 # m_2), (m_1 # m_2)) = True

Flow Diagram
[Flow diagram: the user computes (B(m_1, r) # m_2) from m_1, m_2 and r; the signer applies S(.) with its key and returns S(B(m_1, r) # m_2); the user applies U(..) with r and obtains S(m_1 # m_2); V(..) takes the signature and (m_1, m_2) and outputs True / False.]

Discussions
• Embed an expiration date into an e-cash
  – E-cash = (S(m_1 # m_2), m_1, m_2)
  – m_2 is the expiration date of the e-cash
  – All expired e-cash can be removed from the bank's database
• The storage can be controlled

Fair Blind Signatures

Money Laundering
[Diagram labels: Bank, Customer A, Customer B; Withdraw a blinded e-cash; Unblinding; Forward the e-cash; Deposit the e-cash; Unlinkable.]

To Safely Get a Ransom
[Diagram labels: Criminal, Payer, Bank; Anonymous Channel; Send a blinded message; Forward the blinded message; Withdraw the blinded e-cash; Publish the blinded e-cash; Unblinding; Deposit the e-cash; Unlinkable.]

Fair Blind Signatures
• To cope with the misuse of unlinkability
  – money laundering
  – to safely get a ransom
• The judge keeps the link information
  – unlinkable to the signer
  – the judge can reveal the link when necessary

The Registration Stage
User and Judge: Identification Protocol
License = (S_judge(B(K); id_user), B(K))
K = E_judge(id_user; random)
• S_judge : the signing function of the judge
• E_judge : the encryption function of the judge
• random : a random string

The Signing Stage
Signer: Publish V
User: m M, r R
User → Signer: B(m, r), id_user, License = (…, B(K))
Signer: Verify License
Signer → User: S(B(m, r) # B(K))
User: U(S(B(m, r) # B(K)), r) = S(m # K)
Signature-message triple: (S(m # K), m, K)
V(S(m # K), (m # K)) = True

Discussions
• Cash = (S(m # K), m, K)
  – K = E_judge(id_user …)
• Owner Tracing
  – The judge can decrypt K and reveal id_user

A User Efficient Blind Signature Scheme

The Underlying Foundation
• Based on Quadratic Residues
• If x^2 = y (mod n), then y is a quadratic residue (QR) in Z_n and x is a square root of y
• If n = p_1 p_2 where p_1 and p_2 are two distinct large primes, then, given (y, n), it is intractable to compute x without p_1 or p_2.

The Blind Signature Protocol
• The Blinding Stage
• The Randomizing Stage
• The Signing Stage
• The Unblinding Stage

The Blinding Stage
Signer: n = p_1 p_2; H: hash function; Publish (H, n)
User: m Z_n; u, v R Z_n
= H(m)(u^2 + v^2) mod n

The Randomizing Stage
Signer: x R Z_n
Signer → User: x
User: b R Z_n
= b^2 mod n
= (u vx) mod n

The Signing Stage
Signer: = 1 mod n
Derive t such that t^4 n (x^2 + 1) 2
(t, )

The Unblinding Stage
User: c = (ux + v) mod n
s = bt mod n
Signature-Message Triple: (c, m, s)
Verification: s^4 H(m)(c^2 + 1) (mod n)

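The four stages above, run end to end as an added Python example (not code from the slides or from the scheme's authors). The names `alpha`, `beta`, `lam` and the helper functions are chosen here, the primes congruent to 3 mod 4 and the toy modulus are assumptions, and beta = b^2 (u - vx) and c = (ux + v)/(u - vx) are this example's choice of values, for which the slide's check s^4 = H(m)(c^2 + 1) (mod n) holds.

```python
import hashlib, secrets
from math import gcd

# Constructed toy key: Mersenne primes, both = 3 (mod 4); far too weak for real use.
P1, P2 = 2**127 - 1, 2**107 - 1            # signer's secret (p_1, p_2)
N = P1 * P2                                # published together with H

def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def rand_unit() -> int:
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def fourth_root(a: int) -> int:
    # Signer only. For p = 3 (mod 4) and a QR a, a^((p+1)/4) mod p is the square
    # root that is itself a QR, so applying it twice gives a fourth root mod p.
    r1, r2 = (pow(pow(a, (p + 1) // 4, p), (p + 1) // 4, p) for p in (P1, P2))
    return (r1 * P2 * pow(P2, -1, P1) + r2 * P1 * pow(P1, -1, P2)) % N  # CRT

def blind_sign(m: bytes):
    """Run the four stages; returns (c, s, values the signer saw)."""
    # Blinding (user): hide H(m) behind random u, v.
    u, v = rand_unit(), rand_unit()
    alpha = H(m) * (u * u + v * v) % N
    if gcd(alpha, N) != 1:
        raise ValueError("H(m) is not invertible mod n")
    # Randomizing (signer): pick x so that alpha*(x^2+1) is a QR mod p_1 and p_2.
    while True:
        x = rand_unit()
        y = alpha * (x * x + 1) % N
        if all(pow(y, (p - 1) // 2, p) == 1 for p in (P1, P2)):
            break
    # Randomizing (user): hide u - v*x behind b^2.
    b = rand_unit()
    beta = b * b * (u - v * x) % N
    if gcd(beta, N) != 1:
        return blind_sign(m)               # negligible-probability draw: start over
    # Signing (signer): invert beta, then take a fourth root using p_1, p_2.
    lam = pow(beta, -1, N)
    t = fourth_root(y * lam * lam % N)
    # Unblinding (user): c = (u*x + v)/(u - v*x) mod n and s = b*t mod n.
    c, s = b * b * lam * (u * x + v) % N, b * t % N
    return c, s, {"alpha": alpha, "x": x, "beta": beta, "lam": lam, "t": t}

def verify(m: bytes, c: int, s: int) -> bool:
    return pow(s, 4, N) == H(m) * (c * c + 1) % N
```

Only `fourth_root` touches p_1 and p_2; the user's side is a handful of modular multiplications and one hash, which is the efficiency claim the slides make.
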
Flow Chart
[Flow chart, User and Signer: Blinding (m, (u, v)); Randomizing (x, b); Signing (p_1, p_2); Unblinding (b, u, v); result (c, s) with s^4 = H(m)(c^2 + 1).]

Features
• Unlinkability: (b, u, v) is randomly chosen and kept secret by the user
• Unforgeability: (p_1, p_2) is kept secret by the signer and H is one-way
• User Efficiency: 10 multiplications and 1 hashing for getting a signature; 4 multiplications and 1 hashing for verification

Properties
Schemes: Cam., Cha., Fer., Poi., Fan
Rows: Unlinkable, Randomized, Foundation, Message Recoverable
Foundation: DL RSA QR DL
Marks: ○ ○ ○ ○ ○ × ○ × ○ ○ ○ × ○ ○ × ○ ○ ×

The Computation for Users
Schemes: Cam., Cha., Fer., Poi., Fan
Rows: Inverse, Hashing, Exponentiation, Multiplication
k2k
Reduced by: >99%

Remarks
• The first blind signature scheme based on Quadratic Residues (AsiaCrypt’96)
• It is randomized
• Very low computation for users
• Customer Efficient untraceable e-cash services
• Voter Efficient anonymous e-voting protocols

Conclusions

Summary
• Blind Signature = Digital Signature + Encryption
• Unforgeability and Unlinkability
• Applications
  – Untraceable Electronic Cash
  – Anonymous Electronic Voting
• Partially blind signatures can reduce the storage
• Fair blind signatures can deal with the misuse of unlinkability