
we describe an application of Bitcoin purchasing based on the proposed schemes.

1.4 Organization

We organize the rest of the manuscript as follows: Chapter 2 reviews previous research results. Some concrete schemes are introduced in Chapter 3, while preliminary knowledge is described in Chapter 4. Chapter 5 introduces the generic group model [1]. The definition of variant-ECDSA is given in Chapter 6. Two concrete variant-ECDSA schemes are proposed in Chapter 7 and Chapter 8, together with their security proofs in the generic group model.

Chapter 9 provides the definition and security models of partially blind signatures. Chapter 10, Chapter 11 and Chapter 12 propose three partially blind signature schemes. Chapter 13 provides the correctness and security proofs. Chapter 14 compares our proposed schemes with other state-of-the-art schemes. In Chapter 16, some further details of our scheme 2 are discussed.

Chapter 17 describes an application that shows how our proposed schemes work during Bitcoin trading, and gives some further discussion. Finally, Chapter 18 summarizes this thesis.


Chapter 2

Related Work

The blind signature was first proposed by Chaum in 1983. In a blind signature, the message is blinded and invisible to the signer during the signing process. The user can unblind the result provided by the signer, obtain the final digital signature on the original message, and then make it public. Blind signatures protect the anonymity of the user and play a useful role in practical scenarios such as Bitcoin and electronic cash systems. Later, Pointcheval and Stern [15] defined the security of blind signatures in 1996 and introduced a blind signature scheme that can be proved secure.

There are many directions of study on blind signatures. For example, because of the blindness property, a blind signature may be abused for crime, so some studies have focused on this problem: the blind signature proposed by Stadler and Camenisch [16] in 1995, the "indirect discourse certificate" proposed by Frankel et al. [17] in 1996, and the "magic potion" signature proposed by Zhang et al. [18] in 2003 can all prevent blind signatures from being used for crime.

Another common research direction is to apply blind signatures to identity-based signatures (IBS), first proposed by Shamir [19]. The characteristic of an IBS is that the signer's public key is computed from the signer's identity, a string that represents the signer, such as an e-mail address. By combining the bilinear pairing scheme of Menezes et al. [20], Zhang and Kim [21] proposed a blind signature based on the IBS property in 2002, giving the scheme a wider range of applications.

In addition to applying blind signature to IBS, there are many other types of digital

proposed by Lal and Awasthi [22], Safavi-Naini et al. [23] and Zuo-Wen et al. [24]. A proxy blind signature applies the property of proxy signatures to blind signatures: the signer can let an agent sign on his or her behalf, thereby reducing the computation load of the original signer. A forward-secure blind signature raises the security level of the common blind signature. In a common blind signature, even if the private key is leaked, the signature remains valid, but in a forward-secure blind signature the signature becomes invalid. Several such schemes were proposed by Sherman et al. [25] and Duc et al. [26]. Unfortunately, Liu and Cao [27] later proved that the scheme of Duc et al. [26] is insecure. To meet the need for more than one person to jointly issue a blind signature, other types of signature have been proposed, including the blind multisignature of Chen et al. [28], the group blind signatures of Lysyanskaya and Ramzan [29] and of Kim et al. [30], the blind threshold signature of Vo et al. [31], and the blind threshold ring signature of Chan et al. [32].

Since applying elliptic curve cryptography (ECC) to digital signatures significantly decreases the key size, Debasish et al. [33] and Morteza et al. [34] conducted research on blind signatures based on the elliptic curve discrete logarithm problem (ECDLP) in 2007 and 2009, respectively. Zhang and Kim's [21] blind signature is based on IBS combined with bilinear pairing, but the computation cost of bilinear pairing is not low enough. In 2011, Debiao [35] proposed an identity-based blind signature without bilinear pairing, which uses only scalar point multiplication on the elliptic curve and greatly improves efficiency.

One problem of blind signatures is that the signed message remains unknown to the signer during the signing phase, and the signer controls only the public key. To solve this problem, Abe and Fujisaki [6] proposed the concept of the partially blind signature in 1996 as an extension of the blind signature. The difference between a partially blind signature and a blind signature (also called a fully blind signature) is that the signing process requires another public message called the common information. The common information is generated in a negotiation phase before signing and (usually) should be added to the signature by both the signer and the user. Depending on the scenario, the common information can be produced in the negotiation phase or simply determined by one of the participants. Therefore the partially blind signature provides more convenience for the signer.

Compared to the fully blind signature, the partially blind signature ensures that some part of the signed message is reliable.


Since the first partially blind signature was proposed, many studies [36–40] have followed. For example, in 2001, Chien et al. [36] proposed a partially blind signature protocol with lower computation cost, making partially blind signatures easier to implement on machines with weaker computing power. The partially blind signature scheme using bilinear pairing proposed by Zhang [37] in 2003 laid the foundation for other bilinear-pairing-based blind signatures. In 2002, Greg and Colin [38] proposed the first partially blind signature with the restrictive property, which means that the user can only choose the message from a set the signer has agreed on.

In 2005, Sherman et al. [39] proposed a threshold partially blind signature based on bilinear pairings, so that the partially blind signature is valid only when enough signers participate in the signing phase. Almost all the blind signatures and partially blind signatures mentioned above are proved secure in the random oracle model. In 2006, Okamoto [40] proposed a blind signature scheme that no longer relies on a random oracle. This scheme has a higher security level and improved performance.


Chapter 3

Background

3.1 Digital Signature

The digital signature [2], which uses public-key cryptography (PKC) [3], is a mechanism that imitates the act of signing or stamping paper documents and "signs" digital documents. A digital signature requires two keys, a public key and a private key. Everyone who needs to sign a file has their own private key and public key. The private key is kept secret from others and is used to sign the document. The public key is made public and is used to verify whether a signature is valid. A digital signature has a property called unforgeability: except for the legitimate signer, no one can forge a valid signature on a message that has never been signed before without knowing the secret key.

In 1968, the U.S. federal government issued the Federal Information Processing Standards (FIPS) in order to formulate open standards for all government agencies and government contractors except U.S. military agencies, and has gradually supplemented these standards since then. Today's standards mainly include data encoding standards, such as country area codes, and encryption standards, such as the data encryption standard and the digital signature standard. For the digital signature standard, the U.S. federal government adopted a variant of the digital signature proposed by Schnorr [41] in 1989 (we describe it in Section 3.2) and named it DSA [10] (Digital Signature Algorithm). DSA is not only used within the government system; many private institutions and private systems also use DSA as their digital signature scheme. However, the minimum DSA key length specified by the Federal Information Processing Standard is 2048 bits, which is somewhat long in practice.

Elliptic curve cryptography [42] (ECC) is a kind of public-key cryptography that relies on the mathematical structure of elliptic curves. Compared to cryptography not based on elliptic curves, ECC requires a shorter key size to provide the same security level. Therefore, after the emergence of ECC, the elliptic curve digital signature algorithm [9] (ECDSA), which combines DSA and elliptic curve cryptography, came into being. ECDSA achieves the same security level as DSA with a 2048-bit key using a key of only 224 bits, which is much shorter. ECDSA was also included in the Federal Information Processing Standards and has been widely used by federal agencies and private institutions. For example, the digital signature used by Bitcoin is ECDSA. We describe its scheme in Section 3.4.
