
– The Unblind algorithm takes a blinded signature σ̄ and the previously used random string r as input and outputs an unblinded signature σ.

• Verify is a deterministic polynomial-time algorithm that takes an unblinded signature σ, a message m, the negotiated information info, and the signer's public verification key pk as input, and outputs "true" if σ is a valid signature produced by the signer with the corresponding signing key sk on message m and common information info. Otherwise, it outputs "false".

9.2 Security Definitions of Partially Blind Signature

A partially blind signature scheme usually has to meet two security requirements: unforgeability and partial blindness. We define them below.

9.2.1 Unforgeability

To model the unforgeability requirement, we define Game-A, played by a challenger C and an adversary A.

Game-A:

• Setup: Challenger C takes a security parameter λ and generates public parameters params. C subsequently sends λ and params to adversary A.

• Attack: Adversary A engages in the signature issuing protocol with challenger C in a concurrent and interleaving way. For each info, let $l_{info}$ denote the number of times adversary A executes the signature issuing protocol with challenger C and obtains a signature.

• Response: Adversary A outputs an info and $l_{info} + 1$ signatures $(m_1, \sigma_1), \dots, (m_{l_{info}+1}, \sigma_{l_{info}+1})$.

Definition 4. A partially blind scheme is existentially unforgeable against adaptive chosen-message attacks if no adversary wins the Game-A with non-negligible probability.

9.2.2 Partial Blindness


Game-B:

• Setup: Challenger C takes a security parameter λ and generates public parameters params. C subsequently sends λ and params to adversary A.

• Preparation: Adversary A selects two different messages m0, m1 and a common information info. A then sends (m0, m1, info) to C.

• Challenge: Challenger C selects a random bit b, then A signs both $m_b$ with info and $m_{1-b}$ with info. After unblinding the responses of A, C sends $(m_0, m_1, info, \sigma_b, \sigma_{1-b})$ to A.

• Response: Adversary A outputs a guess b'. If b' = b, then A wins.

Definition 5. A partially blind scheme has partial blindness if no adversary wins the Game-B with non-negligible probability.


Chapter 10

The Proposed Scheme 1

We propose three partially blind signature schemes. In this chapter we introduce a partially blind signature based on the Schnorr blind signature, using random numbers as blinding factors. In Chapter 11 and Chapter 12 we propose two partially blind signatures based on variant-ECDSA-1 and variant-ECDSA-2 respectively, using the Paillier cryptosystem to blind messages.

The selection of public parameters is similar to ECDSA. The public parameters are params = (E, G, q, H, H0), where $H : \{0,1\}^* \times \mathbb{Z}_q \to \mathbb{Z}_q$ and $H_0 : \{0,1\}^* \to \mathbb{Z}_q$. To generate the key pair, the signer randomly selects $d \in [2, \dots, q-1]$ as the secret key, which remains secret.

Subsequently, the signer publishes the public key Q = dG. To generate a signature, the signer and user interact as presented in Fig. 2. Anyone who knows the signer's public key can verify the signature by checking $e = H(m\|info, R_x(eQ + sG + cQ) \bmod q)$ with $c = H_0(info)$, where $R_x$ denotes the x coordinate of an elliptic curve point.


Figure 2: Our First Scheme (the two-column signing protocol of the figure, written out as steps)

• Signer: $k \leftarrow_{\$} \mathbb{Z}_q$; computes $K_1 = kG$ and sends $K_1$ to the user.

• User: $\gamma, \delta \leftarrow_{\$} \mathbb{Z}_q$; computes $K_2 = K_1 + \gamma G + \delta Q = (x, y)$, $t = x \bmod q$, $e = H(m\|info, t)$ and $e' = e - \delta$; sends $e'$ to the signer.

• Signer: $c = H_0(info)$, $s' = k - (e' + c)d$; sends $s'$ to the user.

• User: $s = s' + \gamma$; the signature is $\sigma = (e, s)$.

The valid signature σ = (e, s) passes the verification because, writing $e'' = e' + c$ so that $s' = k - e''d$,

$$
\begin{aligned}
e &= H(m\|info,\ t)\\
&= H(m\|info,\ R_x((k + \delta d + \gamma)G) \bmod q)\\
&= H(m\|info,\ R_x((ed + (k - ed + \delta d - cd + \gamma) + cd)G) \bmod q)\\
&= H(m\|info,\ R_x((ed + (k - e'd - cd + \gamma) + cd)G) \bmod q)\\
&= H(m\|info,\ R_x((ed + (k - e''d) + \gamma + cd)G) \bmod q)\\
&= H(m\|info,\ R_x((ed + s' + \gamma + cd)G) \bmod q)\\
&= H(m\|info,\ R_x(eQ + sG + cQ) \bmod q).
\end{aligned}
$$


Chapter 11

The Proposed Scheme 2

In this chapter, a partially blind signature scheme based on variant-ECDSA-1, which we introduced in Chapter 7, is proposed.

The selection of public parameters in this scheme is the same as that in ECDSA (i.e., params = (E, G, q, H), where $H : \{0,1\}^* \to \mathbb{Z}_q$). To generate the key pair, the signer randomly selects $d \in [2, \dots, q-1]$ as the secret key, which remains secret. Then, the signer publishes the public key Q = dG. To generate a signature, the signer and user interact as presented in Fig. 3.

In particular, we adopt the modified Paillier encryption (KeyGen, Enc, Dec) of Yi et al. [14].

More precisely, the user needs to generate a modified Paillier encryption key pair ((N, g), (p, k)) using the KeyGen algorithm and then generate the ciphertexts $C_1 = \mathrm{Enc}(H(m)) = g^{H(m)} r_1^{N} \pmod{N^2}$ and $C_2 = \mathrm{Enc}(t) = g^{t} r_2^{N} \pmod{N^2}$, where $r_1, r_2 \leftarrow_{\$} \mathbb{Z}_{N^2}$.

Moreover, we adopt a zero-knowledge proof into our protocol [48]. We define a relation R by

$$R = \{(x, w) \mid x = (g, N, C),\ C = g^{w} r^{N} \bmod N^2\}.$$

The user must provide corresponding zero-knowledge proofs to convince the signer that he/she knows a witness w satisfying the relation above for $C_1$ and for $C_2$. This relation essentially means that both $C_1$ and $C_2$ comply with the modified Paillier encryption, having the form $g^{m} r^{N} \pmod{N^2}$ where m is the plaintext. We now describe the interactive zero-knowledge proof. To prove that $C_1$ is of the correct form, the user first randomly selects $x \in \mathbb{Z}_q$, $r' \in \mathbb{Z}_{N^2}$ and sends $C_1' = g^{x} r'^{N} \pmod{N^2}$ to the signer. After receiving $C_1'$, the signer selects b ∈ {0, 1} and returns it to the user. The user then processes it on the basis of

process ℓ times, the user can convince the signer that the ciphertext $C_1$ was generated in accordance with the Paillier encryption scheme with probability $1 - 1/2^{\ell}$. In addition, the user must use the same method to convince the signer that $C_2$ is of the correct form. This kind of zero-knowledge proof is called interactive; it can be transformed into a non-interactive one [49].

Besides sending $C_1$, $C_2$ along with their zero-knowledge proofs, to make sure that the user does not replace info with some other info', we require him/her to run the following steps. The user randomly selects $(l_1, \dots, l_n) \leftarrow \mathbb{Z}_{\phi(N^2)}$, computes $F_i = g^{l_i I} l_i^{N} \bmod N^2$ for i = 1, ..., n, where I = H(info), and sends $F_1, \dots, F_n$ to the signer. After accepting $C_1$, $C_2$ and their zero-knowledge proofs from the user, the signer randomly chooses u distinct indices $i = (i_1, \dots, i_u)$ from [1, ..., n]

and sends the list i to the user. The user now starts the opening phase and discloses $L = (l_1, \dots, l_n)$ except $l_j$ for $j \in \{i_1, \dots, i_u\}$. The signer uses L to check whether all the opened ciphertexts are correct. If any ciphertext was not generated correctly, the signer aborts. Since the user has no idea which indices the signer will pick, he/she cannot replace info with some other info'. We provide a detailed discussion in Chapter 16.

After interacting with the signer, the user obtains a final signature (t, s, R), where $R = l_{i_1} + \cdots + l_{i_u} \bmod q$. Anyone who knows the public key of the signer can verify this signature as in ECDSA by computing the following steps:

• Compute $u = s^{-1}(H(m) + R\,H(info)) \bmod q$ and $v = s^{-1} t \bmod q$.

• Compute $(K_x, K_y) = uG + vQ$ and $t' = K_x \bmod q$.

• Verify whether t' = t.

Subsequently, we analyze how a valid signature σ = (t, s, R) can pass the verification.

First, because $C_1 = g^{H(m)} r_1^{N} \bmod N^2$, $C_2 = g^{t} r_2^{N} \bmod N^2$, I = H(info) and $R = l_{i_1} + \cdots + l_{i_u} \bmod q$, we have


$$
\begin{aligned}
C &= \bigl(C_1\, C_2^{\,d}\, F_{i_1} \cdots F_{i_u}\bigr)^{k_1^{-1} \bmod q} \cdot r^{N} \pmod{N^2}\\
&= \Bigl((g^{H(m)} r_1^{N})(g^{t} r_2^{N})^{d}(g^{l_{i_1} I} l_{i_1}^{N}) \cdots (g^{l_{i_u} I} l_{i_u}^{N})\Bigr)^{k_1^{-1} \bmod q} \cdot r^{N} \pmod{N^2}\\
&= g^{\,k_1^{-1}(H(m) + RI + td) \bmod q} \cdot \Bigl(r_1^{k_1^{-1}}\, r_2^{k_1^{-1} d}\, (l_{i_1} \cdots l_{i_u})^{k_1^{-1}}\, r\Bigr)^{N} \pmod{N^2}\\
&= \mathrm{Enc}\bigl(k_1^{-1}(H(m) + RI + td)\bigr).
\end{aligned}
$$

Moreover, because $g^{q} = (1+N)^{pqk} = \bigl((1+N)^{N}\bigr)^{k} = 1 \pmod{N^2}$, the exponent is only determined mod q and we have

$$s = k_2^{-1}\,\mathrm{Dec}(C, (p, k)) = k_2^{-1} k_1^{-1}(h + Rh' + td) \pmod q,$$

where h = H(m) and h' = H(info), and

$$K = (K_x, K_y) = k_2 K_1 = k_2(k_1 G) = k_1 k_2 G.$$

Therefore, if the signature is valid, t' = t.
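The following is an added example, not code from the thesis: it runs the Figure 2 protocol of scheme 1 (signer and user in one process) over secp256k1, the curve used in Chapter 15, checks the verification equation e = H(m∥info, R_x(eQ + sG + cQ) mod q), and then shows that a scheme-2-style signature (t, s, R) is accepted by an unmodified ECDSA verifier once the verifier forms H(m) + R·H(info). Two assumptions of the example: the hash functions H, H0 are modelled with SHA-256, and the Paillier blinding of scheme 2 is omitted, the signer computing s = k2⁻¹k1⁻¹(H(m) + R·H(info) + td) directly so that only the verification algebra of this chapter is exercised. The messages and info strings are constructed sample inputs.

```python
import hashlib
import random

# secp256k1 parameters (field prime P, group order q, base point G); the curve of Chapter 15.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication [k]A."""
    R = None
    k %= q
    while k:
        if k & 1: R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def Hq(data: bytes) -> int:
    """Hash to Z_q, modelled with SHA-256 (assumption; the thesis fixes only the ranges)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def H(data: bytes, t: int) -> int:  # H : {0,1}* x Z_q -> Z_q
    return Hq(data + t.to_bytes(32, "big"))

def H0(info: bytes) -> int:         # H0 : {0,1}* -> Z_q (domain-separated from H)
    return Hq(b"H0|" + info)

def scheme1_issue(d, Qpub, m: bytes, info: bytes, rng):
    """Figure 2 with signer and user in one process; returns sigma = (e, s)."""
    k = rng.randrange(1, q)                                   # signer: k <-$ Z_q
    K1 = ec_mul(k, G)                                         # signer -> user: K1 = kG
    gamma, delta = rng.randrange(1, q), rng.randrange(1, q)   # user: gamma, delta <-$ Z_q
    K2 = ec_add(ec_add(K1, ec_mul(gamma, G)), ec_mul(delta, Qpub))
    t = K2[0] % q                                             # t = x mod q
    e = H(m + info, t)
    e_blind = (e - delta) % q                                 # user -> signer: e' = e - delta
    c = H0(info)                                              # signer: c = H0(info)
    s_blind = (k - (e_blind + c) * d) % q                     # signer -> user: s' = k - (e' + c)d
    s = (s_blind + gamma) % q                                 # user: s = s' + gamma
    return (e, s)

def scheme1_verify(Qpub, m: bytes, info: bytes, sig) -> bool:
    """Check e == H(m||info, R_x(eQ + sG + cQ) mod q) with c = H0(info)."""
    e, s = sig
    K = ec_add(ec_add(ec_mul(e, Qpub), ec_mul(s, G)), ec_mul(H0(info), Qpub))
    return K is not None and e == H(m + info, K[0] % q)

def ecdsa_verify(Qpub, hval: int, r: int, s: int) -> bool:
    """Textbook ECDSA verification of (r, s) on message hash hval."""
    if not (0 < r < q and 0 < s < q): return False
    w = pow(s, -1, q)                                         # u = hval*w, v = r*w
    K = ec_add(ec_mul(hval * w % q, G), ec_mul(r * w % q, Qpub))
    return K is not None and K[0] % q == r

def scheme2_sign_in_clear(d, m: bytes, info: bytes, R: int, rng):
    """Scheme 2's output computed WITHOUT the Paillier blinding (assumption of this example):
    K = k1 k2 G, t = x(K) mod q, s = k2^-1 k1^-1 (H(m) + R H(info) + t d) mod q."""
    k1, k2 = rng.randrange(1, q), rng.randrange(1, q)
    t = ec_mul(k1 * k2 % q, G)[0] % q
    s = pow(k2, -1, q) * pow(k1, -1, q) * (Hq(m) + R * Hq(info) + t * d) % q
    return (t, s, R)

def scheme2_verify(Qpub, m: bytes, info: bytes, sig) -> bool:
    """Verifier forms H(m) + R*H(info) and hands (t, s) to an unmodified ECDSA verifier."""
    t, s, R = sig
    return ecdsa_verify(Qpub, (Hq(m) + R * Hq(info)) % q, t, s)

def demo(seed=7):
    """Seeded run; returns (scheme1 ok, scheme1 with wrong info, scheme2 ok, scheme2 with wrong R)."""
    rng = random.Random(seed)
    d = rng.randrange(2, q)                                   # secret key d in [2, q-1]
    Qpub = ec_mul(d, G)                                       # public key Q = dG
    m, info = b"transfer 10 coins", b"valid-until:2030-01-01"  # constructed sample inputs
    sig1 = scheme1_issue(d, Qpub, m, info, rng)
    t, s, R = sig2 = scheme2_sign_in_clear(d, m, info, rng.randrange(1, q), rng)
    return (scheme1_verify(Qpub, m, info, sig1),
            scheme1_verify(Qpub, m, b"valid-until:2031-01-01", sig1),
            scheme2_verify(Qpub, m, info, sig2),
            scheme2_verify(Qpub, m, info, (t, s, (R + 1) % q)))
```

`demo()` returns `(True, False, True, False)`: the scheme 1 signature verifies against the negotiated info and fails against an altered one, and the scheme 2 triple passes a stock ECDSA verifier only with the R it was issued for, which is the compatibility claim made for schemes 2 and 3 in Chapter 14.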


Chapter 12

The Proposed Scheme 3

In this chapter we propose a partially blind signature scheme based on variant-ECDSA-2, which we introduced in Chapter 8.

Both scheme 2 and scheme 3 are based on variants of ECDSA and adopt the modified Paillier encryption system mentioned in Chapter 3.

The selection of public parameters in this scheme is the same as that in ECDSA (i.e., params = (E, G, q, H, H1), where $H : \{0,1\}^* \to \mathbb{Z}_q$ and $H_1$ is a function mapping a random string to an elliptic curve point). To generate the key pair, the signer randomly selects $d \in [2, \dots, q-1]$ as the secret key, which remains secret. Then, the signer publishes the public key Q = dG. To generate a signature, the signer and user interact as presented in Fig. 4. The modified Paillier encryption (KeyGen, Enc, Dec) of Yi et al. and the zero-knowledge proof are adopted here. The user first generates a modified Paillier encryption key pair ((N, g), (p, k)) using the KeyGen algorithm and then generates the ciphertexts $C_1 = \mathrm{Enc}(H(m, I)) = g^{H(m, I)} r_1^{N} \pmod{N^2}$ and $C_2 = \mathrm{Enc}(t + \alpha_2) = g^{t + \alpha_2} r_2^{N} \pmod{N^2}$, where $r_1, r_2 \leftarrow_{\$} \mathbb{Z}_{N^2}$.

In our third scheme, the user needs to provide the corresponding zero-knowledge proofs for $C_1$ and $C_2$ as well, following the process described in the previous section. In addition, in this scheme there is no need to generate the additional ciphertexts $F_i = g^{l_i I} l_i^{N} \bmod N^2$ beyond $C_1$ and $C_2$. Our scheme 3 uses a different method to prevent the user from replacing the common information info with other information info' chosen by the user himself/herself. Precisely, we hash the common information info to an elliptic curve point Z. Both signer and user bind this point Z to a random number ($\alpha_1$ for the signer and $\alpha_2$ for the user). The random number $\alpha_1$ will

After interacting with the signer, the user obtains a final signature (t, s, R). Anyone who knows the public key of the signer can verify this signature as in ECDSA by computing the following steps:

• Compute $u = s^{-1} H(m, I) \bmod q$ and $v = s^{-1}(t + R) \bmod q$.

• Compute $(K_x, K_y) = uG + vQ$ and $t' = K_x \bmod q$.

• Verify whether t' = t.

Subsequently, we analyze how a valid signature σ = (t, s, R) can pass the verification.

First, because $C_1 = g^{H(m, I)} r_1^{N} \bmod N^2$ and $C_2 = g^{t + \alpha_2} r_2^{N} \bmod N^2$, we have


where h = H(m, I), and

$$K = (K_x, K_y) = k_2 K_1 = k_2(k_1 G) = k_1 k_2 G.$$

Therefore, if the signature is valid, t' = t.


Chapter 13

Security Analysis

Theorem 3. Our first scheme satisfies unforgeability if ECDLP is hard.

Proof. Assume that adversary A can break the unforgeability of our first scheme with non-negligible probability. Then, a challenger C can make use of adversary A to solve the ECDLP. At first, C is given an elliptic curve E, a cyclic group 𝔾 of prime order q with generator G, and a group element Q ∈ 𝔾.

• Setup: C selects hash functions $H : \{0,1\}^* \times \mathbb{Z}_q \to \mathbb{Z}_q$ and $H_0 : \{0,1\}^* \to \mathbb{Z}_q$, which act as random oracles. Then, C initializes two lists L1, L2, sets Q as the public key, and sends Q to A.

• Attack: In this phase, A can adaptively make the following requests:

– H0 request: When A queries the oracle with $info_i$, C first checks whether $(info_i, c_i)$ is in list L1. If it exists, C responds to A with $c_i$; otherwise, C randomly selects $c_i \in \mathbb{Z}_q$ as the response to A and stores $(info_i, c_i)$ in list L1 for consistency and to avoid collisions.

– H request: Similarly, when A queries the oracle with $(m_i, info_i, t_i)$, C first checks whether a tuple $(m_i, info_i, t_i, e_i)$ is in list L2. If one exists, C responds to A with $e_i$; otherwise, C randomly selects $e_i \in \mathbb{Z}_q$ as the response to A and stores $(m_i, info_i, t_i, e_i)$ in list L2 for consistency and to avoid collisions.

– Signing request: when A requests the oracle with $(m_i, info_i)$, C selects $e_i \in \mathbb{Z}_q$

x coordinate of the input value. When calculating $t_i$, C checks whether a tuple $(m_i, info_i, t_i)$ is already in L2. If one is present, C selects a different $s_i$ and repeats the aforementioned steps. Finally, $(m_i, info_i, t_i, e_i)$ is stored in list L2. C then sends $(e_i, s_i)$ to A.

• Forgery: In this phase, A outputs a valid signature σ = (e, s) for message m and agreed information info.

By using the forking lemma [44], C can construct a Las Vegas machine that produces another signature $\bar\sigma = (\bar e, \bar s)$ with $\bar e \neq e$. C then solves the ECDLP by computing

Theorem 4. Our first scheme satisfies partial blindness.

Proof. Suppose adversary A is given a challenge tuple $(m_0, m_1, info, (e_0, s_0), (e_1, s_1))$.

Moreover, the adversary's view of the signing process is $(K_1, (e'_0, s'_0), (e'_1, s'_1))$. Some blinding factors map $(K_1, e'_i, s'_i)$ to $(e_j, s_j)$ for any i, j ∈ {0, 1}; therefore, A cannot distinguish between the two message–signature pairs from its view of the signing process.

Let $\delta = e - e'$, $\gamma = s - s'$, and $c = H_0(info)$. Because $s' = k - (e' + c)d$, we have:

always lead to the same relationship defined in the signing protocol.

Moreover, (e0, s0) has the same distribution as (e1, s1) where (e0, s0), (e1, s1) are generated relative to the random numbers (γ, δ) chosen from Zq. Therefore, A cannot distinguish between two messages from the signature pairs in their view.

Theorem 5. Our second scheme satisfies unforgeability if the variant-ECDSA-1 is unforgeable.

Proof. Adversary A must provide a ciphertext of H(m) (i.e., $C_1$) and of t (i.e., $C_2$), together with their zero-knowledge proofs, to challenger C in order to convince C that A produced the ciphertexts $(C_1, C_2)$ honestly in accordance with the Paillier cryptosystem.

A follows the Paillier encryption process, and challenger C responds with $C = (C_1 C_2^{\,d} F_{i_1} \cdots F_{i_u})^{k_1^{-1} \bmod q}\, r^{N} \pmod{N^2} = \mathrm{Enc}\bigl(k_1^{-1}(H(m) + R\,H(info) + td) \bmod q\bigr)$.

Therefore, A can only obtain a signature (t, s, R) for message m and info, where $s = k_2^{-1}[k_1^{-1}(H(m) + R\,H(info) + td)] \pmod q$ and R is a sum of random numbers.

Note that if adversary A disobeys the scheme and sends integers other than the ciphertext

ECDSA-1 signature. The only difference is that, since our scheme 2 is a partially blind signature, the verifier in scheme 2 computes the hash value of info, say H(info), and obtains $R' = R\,H(info)$. The verifier then checks the variant-ECDSA-1 signature (t, s, R') through the verification process of variant-ECDSA-1. Since the common information info is just a string generated from the negotiation between A and C and is known to both participants at the beginning, its presence does not affect the security. Therefore, if variant-ECDSA-1 is unforgeable, as we proved in Chapter 7, then given some partially blind signatures generated from scheme 2, A cannot forge one more partially blind signature.

Theorem 6. Our second scheme satisfies partial blindness if the underlying modified Paillier encryption is semantically secure.

Proof. Suppose adversary A is given a challenge tuple $(m_0, m_1, info, (t_0, s_0, R_0), (t_1, s_1, R_1))$.

Besides, the adversary's view of the signing process is $(K_1, (C_1, C_2, F_1, \dots, F_n, i, L, C)_0, (C_1, C_2, F_1, \dots, F_n, i, L, C)_1)$. Here, $(C_1, C_2)_0$ and $(C_1, C_2)_1$ can be viewed as the ciphertexts that encrypt $(H(m_0), t_0)$ and $(H(m_1), t_1)$ under the semantically secure modified Paillier encryption [14]. Therefore, A cannot obtain any information from the signing view without knowing the secret key. Moreover, although A can obtain $k_1^{-1}(H(m) + RI + td) \pmod q$ through the homomorphic property of the Paillier cryptosystem, without the secret key A cannot distinguish which message is encrypted, i.e., m = m0

or m = m1. Nevertheless, from A's view, he/she cannot distinguish between $(s_0, R_0)$ and $(s_1, R_1)$. In detail, since R is the sum of $l_{i_1}, \dots, l_{i_u}$ and A only holds $F_{i_1}, \dots, F_{i_u}$ (which are ciphertexts of $l_{i_1} I, \dots, l_{i_u} I$, I = H(info)) from the user, without the secret key of the Paillier encryption A cannot distinguish R from any other random number. Therefore, A cannot distinguish between the two messages from the signature pairs and its view.

Theorem 7. Our third scheme satisfies unforgeability if the variant-ECDSA-2 is unforgeable.

Proof. Adversary A must provide a ciphertext of H(m) (i.e., $C_1$) and of $t + \alpha_2$ (i.e., $C_2$), together with their zero-knowledge proofs, to challenger C in order to convince C that A produced the ciphertexts $(C_1, C_2)$ honestly in accordance with the Paillier cryptosystem. A follows the Paillier encryption process, and challenger C responds with $C = (g^{\alpha_1} C_1 C_2^{\,d})^{k_1^{-1} \bmod q}\, r^{N} \pmod{N^2} = \mathrm{Enc}\bigl(k_1^{-1}(H(m\|I) + (t + R)d) \bmod q\bigr)$, where $I = RZ = R\,H_1(info)$, and

$\alpha_1$. Therefore, A can only obtain a signature (t, s, R) for message m and info, where $s = k_2^{-1}[k_1^{-1}(H(m\|I) + (t + R)d)] \pmod q$ and R is a random number. Note that, if adversary A disobeys the scheme and sends integers other than the ciphertexts of H(m∥R) and $t + \alpha_2$, then (t, s, R) will not be a valid signature for message m and info.

Nevertheless, the signature (t, s, R) that scheme 3 outputs is basically a valid variant-ECDSA-2 signature. The only difference is that, since our scheme 3 is a partially blind signature, the verifier in scheme 3 uses the hash function $H_1$ to compute $Z = H_1(info)$.

In variant-ECDSA-2 the verifier computes $u = s^{-1} H(m\|R)$, while in our scheme 3 the verifier computes $u = s^{-1} H(m\|I)$ where $I = RZ = R\,H_1(info)$. Since the common information info is just a string generated from the negotiation between A and C and is known to both participants at the beginning, its presence does not affect the security. Therefore, if variant-ECDSA-2 is unforgeable, as we proved in Chapter 8, then given some partially blind signatures generated from scheme 3, A cannot forge one more partially blind signature.

Theorem 8. Our third scheme satisfies partial blindness if the underlying modified Paillier encryption is semantically secure.

Proof. Suppose adversary A is given a challenge tuple $(m_0, m_1, info, (t_0, s_0, R_0), (t_1, s_1, R_1))$.

The adversary's view of the signing process is $(K_1, (C_1, C_2, C)_0, (C_1, C_2, C)_1)$. Here, $(C_1, C_2)_0$ and $(C_1, C_2)_1$ can be viewed as the ciphertexts that encrypt $(H(m_0\|I_0), t_0)$ and $(H(m_1\|I_1), t_1)$, where $I_0 = ((\alpha_1)_0 + (\alpha_2)_0)\,H_1(info)$ and $I_1 = ((\alpha_1)_1 + (\alpha_2)_1)\,H_1(info)$, under the semantically secure modified Paillier encryption [14]. Therefore, A cannot obtain any information from the signing view without knowing the secret key. Moreover, although adversary A can obtain $k_1^{-1}(H(m, I) + (t + R)d) \pmod q$ (with $R = \alpha_1 + \alpha_2$) through the homomorphic property of the Paillier cryptosystem (in fact, from the ciphertext C only), without the secret key A cannot distinguish which plaintext is encrypted, i.e., $(k_1)_0^{-1}(H(m_0, I_0) + (t_0 + R_0)d) \pmod q$ or $(k_1)_1^{-1}(H(m_1, I_1) + (t_1 + R_1)d) \pmod q$. Thereby, from A's view, A cannot distinguish between $(s_0, R_0)$, where $s_0 = (k_2)_0^{-1}(k_1)_0^{-1}(H(m_0, I_0) + (t_0 + R_0)d) \pmod q$, and $(s_1, R_1)$, where $s_1 = (k_2)_1^{-1}(k_1)_1^{-1}(H(m_1, I_1) + (t_1 + R_1)d) \pmod q$.

Additionally, even if A tries to hide a random integer β in the ciphertext C that he/she returns to C by setting C = E(β) instead of $k_1^{-1}(H(m, I) + (t + R)d) \pmod q$, it can be detected because the signature (t, s, R), where $s = k^{-1}\beta$, is not a valid signature of


Chapter 14

Efficiency Analysis

In this section, we compare our proposed schemes with other related partially blind signature schemes [40, 50, 51] in terms of computational cost and signature size. As presented in Table 6, T_ML, T_EM, T_EX, T_IN, T_BP, T_MTP, and T_CH represent the time required to compute a modular multiplication of two integers, an elliptic curve scalar point multiplication, a modular exponentiation, a modular inversion of an integer, a bilinear pairing, a map-to-point hash function, and a chaotic function, respectively. Moreover, to facilitate comparison, we use the least time-intensive operation, T_ML, as the base operation in which the other operations are expressed. According to [52–54], T_EM ≈ 29 T_ML, T_EX ≈ 240 T_ML, T_IN ≈ 11.6 T_ML, T_BP ≈ 87 T_ML, and T_MTP ≈ 29 T_ML.

The comparison results for computational cost are presented in Tables 7 and 8. Although scheme [40] and scheme [50] are secure under the standard model, they require more than 20 T_EX and several high-cost operations including T_IN and T_BP during the issuing and verification

Table 6: Operation Notations

Notation   Operation                                    ≈ T_ML
T_ML       Modular multiplication of two integers       1
T_EM       Elliptic curve scalar point multiplication   29
T_EX       Modular exponentiation                       240
T_IN       Modular inversion of an integer              11.6
T_BP       Bilinear pairing                             87
T_MTP      Map-to-point hash function                   29


Table 7: Comparison-1 of Computational Efficiency

Schemes    Computational cost, issue phase                             Computational cost, verification phase
[40]       20T_ML + 17T_EX + 6T_IN                                     4T_ML + 3T_EX + 2T_BP
[50]       8T_ML + (11 + k1 + k2)T_EX + 5T_BP                          3T_EX + 3T_BP
[51]       7T_ML + 6T_EM + T_IN                                        3T_ML + 3T_EM
Scheme 1   T_ML + 3T_EM                                                3T_EM
Scheme 2   (n + 2u + 3)T_ML + 2T_EM + (2n + 2u + 4ℓ + 5)T_EX + 2T_IN   2T_ML + 2T_EM + T_IN
Scheme 3   3T_ML + 4T_EM + (7 + 4ℓ)T_EX + 2T_IN + 2T_MTP               2T_ML + 3T_EM + T_IN + T_MTP

k1, k2: bit length of m and m∥info in [50], respectively.

ℓ: number of interactive rounds in the zero-knowledge proof.

n: the number of ciphertexts generated by the user.

u: the number of ciphertexts chosen by the signer.


Table 8: Comparison-2 of Computational Efficiency

Schemes    Total computational cost                                     ≈ T_ML
[40]       24T_ML + 20T_EX + 6T_IN + 2T_BP                              5415.6
[50]       8T_ML + (14 + k1 + k2)T_EX + 8T_BP                           4064 + 240(k1 + k2)
[51]       10T_ML + 9T_EM + T_IN                                        300
Scheme 1   T_ML + 6T_EM                                                 175
Scheme 2   (n + 2u + 5)T_ML + 4T_EM + (2n + 2u + 4ℓ + 5)T_EX + 3T_IN    481n + 482u + 960ℓ + 1355.8
Scheme 3   5T_ML + 7T_EM + (7 + 4ℓ)T_EX + 3T_IN + 3T_MTP                960ℓ + 2009.8

k1, k2: bit length of m and m∥info in [50], respectively.

ℓ: number of interactive rounds in the zero-knowledge proof.

n: the number of ciphertexts generated by the user.

u: the number of ciphertexts chosen by the signer.

phases. Scheme [51] is inexpensive in terms of computational cost because it is based on ECC; it costs only 300 T_ML, without pairings or map-to-point functions. Subsequently, we discuss the computational cost of our schemes. Our scheme 1 needs only 175 T_ML in total, which is the most practical. Our scheme 2 requires 481n + 482u + 960ℓ + 1355.8 in total, where n is the number of ciphertexts generated by the user, u is the number of ciphertexts randomly chosen by the signer, and ℓ is the number of rounds in the zero-knowledge proof. Our scheme 3 requires 960ℓ + 2009.8 in total, where ℓ is the number of rounds in the zero-knowledge proof.

Although our schemes 2 and 3 have a higher computational cost than the other schemes, these two schemes can almost be used directly in current ECDSA systems.

Table 9 compares the signature size of our schemes with those of [40, 50, 51]. To ensure a fair comparison, we adopt a similar security level [55] of 128 bits for all schemes.


Table 9: Comparison of Signature Size

Schemes         Complexity    Signature size (bits)
[40]            |G| + 2|q|    672
[50]            2|G|          448
[51]            3|q| + |G|    896
Our Scheme 1    2|q|          448
Our Scheme 2    3|q|          672
Our Scheme 3    3|q|          672


Chapter 15

Performance

In this chapter we demonstrate the performance of our partially blind signature schemes on a machine with 8 GB RAM and an Intel(R) Core(TM) i5-4460 CPU at 2.3 GHz running Windows 10. The running time is shown in Table 10, where the elliptic curve we choose is secp256k1, the same curve used in Bitcoin. Besides, we let ℓ, the number of rounds in the zero-knowledge proofs, equal 10, and u and n, the number of ciphertexts chosen by the signer and generated by the user, equal 5 and 10, respectively.

Table 10: Running Time of the Proposed Partially Blind Signatures

Schemes    Running time (secs)
           Issue       Verify
Scheme 1   0.228       0.183
Scheme 2   217.846     0.151

In this section we focus on our scheme 2. We first discuss how a malicious user who knows which indices the signer will pick can produce a signature for a different info'. Then, we discuss the probability that a malicious user successfully guesses which indices the signer will pick before sending $C_1$ to the signer.

First, if the user knows which indices the signer will pick, he/she can perform the following steps to replace info with info' and produce a signature σ' = (t, s, R') for (m, info') that passes verification. Suppose the user knows that the signer will choose the indices $(i_1, \dots, i_u)$; he/she then produces $F_j = g^{l_j I'} z_j^{N} \bmod N^2$ for $j = i_1, \dots, i_u$, where I' = H(info') and $l_j$ and $z_j$ are chosen by the user. The signer follows the protocol and computes $C = (C_1 C_2^{\,d} F_{i_1} \cdots F_{i_u})^{k_1^{-1} \bmod q} \cdot r^{N} \pmod{N^2}$. Then, the signer returns C to the user.


σ' can pass the verification: any verifier calculates $u = s^{-1}(H(m) + R'\,H(info')) \bmod q$ and $v = s^{-1} t \bmod q$. With (u, v), the verifier proceeds as in ECDSA verification and the check passes. Hence, the above shows that a malicious user who knows which indices the signer will choose can produce a valid signature for info'.

To prevent the user from easily guessing the indices chosen by the signer, the setting of n and u is important. The probability of a malicious user guessing all the indices is

$$\frac{u}{n} \times \frac{u-1}{n-1} \times \frac{u-2}{n-2} \times \cdots \times \frac{1}{n-u+1},$$

as shown in Table 11.

Table 11: The Probability that the User Guesses All the Indices Chosen by the Signer under the Setting of n and u

u       5          10         15         20          25
n       10         20         30         40          50
Prob.   3 × 10^-3  5 × 10^-6  6 × 10^-9  7 × 10^-12  7 × 10^-15
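The cut-and-choose check of scheme 2 (the $F_i$ commitments, the signer's choice of u indices and the opening phase of Chapter 11) together with the guessing probability above, as an added example that is not part of the thesis. A SHA-256 commitment stands in for the Paillier ciphertext $F_i$, and the info hash and 64-bit $l_i$ values are constructed here, so the example exercises the signer's check logic and the n, u trade-off of Table 11, not the Paillier arithmetic:

```python
import hashlib
import random


def hash_info(info: bytes) -> int:
    """I = H(info), modelled with SHA-256 (assumption)."""
    return int.from_bytes(hashlib.sha256(info).digest(), "big")


def commit(l_i: int, I: int) -> str:
    """Stand-in for F_i = g^{l_i I} l_i^N mod N^2: a hash commitment binding l_i to I (assumption)."""
    return hashlib.sha256(f"{l_i}|{I}".encode()).hexdigest()


def opening_phase(n, u, info: bytes, rng, cheat_info=None, guessed=frozenset(), chosen=None):
    """One commit / choose / open round. Returns (accepted, chosen).

    An honest user binds every l_i to I = H(info). A cheating user binds the indices in
    `guessed` (those it bets the signer will keep hidden) to H(cheat_info) instead; the
    signer recomputes every opened F_j with the agreed info, so any opened cheat is caught."""
    I = hash_info(info)
    I_other = hash_info(cheat_info) if cheat_info is not None else I
    l = [rng.randrange(1, 1 << 64) for _ in range(n)]                    # user: l_1..l_n
    F = [commit(l[i], I_other if i in guessed else I) for i in range(n)]
    if chosen is None:
        chosen = frozenset(rng.sample(range(n), u))                     # signer: u distinct indices
    opened = {j: l[j] for j in range(n) if j not in chosen}             # user: reveal the rest
    accepted = all(commit(l_j, I) == F[j] for j, l_j in opened.items())  # signer: recheck, abort on mismatch
    return accepted, chosen


def guess_probability(n, u) -> float:
    """u/n * (u-1)/(n-1) * ... * 1/(n-u+1) = 1/C(n,u): chance of guessing all u indices."""
    p = 1.0
    for i in range(u):
        p *= (u - i) / (n - i)
    return p


def estimate_cheat_success(n, u, trials, seed=0) -> float:
    """Fraction of runs in which a cheater guessing u indices at random is accepted."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        guess = frozenset(rng.sample(range(n), u))
        accepted, _ = opening_phase(n, u, b"info-A", rng, cheat_info=b"info-B", guessed=guess)
        wins += accepted
    return wins / trials


def run_cases(n=10, u=5, seed=1):
    """Three deterministic runs: honest user; cheater whose guess equals the signer's pick;
    cheater whose guess misses one index. Returns the three accept flags."""
    rng = random.Random(seed)
    honest, chosen = opening_phase(n, u, b"info-A", rng)
    lucky, _ = opening_phase(n, u, b"info-A", rng, cheat_info=b"info-B",
                             guessed=chosen, chosen=chosen)
    missed = next(i for i in range(n) if i not in chosen)
    wrong = frozenset(sorted(chosen)[1:] + [missed])
    unlucky, _ = opening_phase(n, u, b"info-A", rng, cheat_info=b"info-B",
                               guessed=wrong, chosen=chosen)
    return honest, lucky, unlucky
```

`run_cases()` returns `(True, True, False)`: the honest user is always accepted, a cheater whose guess coincides with the signer's choice slips through (the case the chapter describes), and a cheater who is wrong about even one index is rejected because that commitment gets opened. `guess_probability(n, u)` reproduces the Table 11 column for each (n, u), and `estimate_cheat_success(10, 5, trials)` converges to about 1/252 for the Chapter 15 settings, which is why the thesis recommends larger n and u.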


Chapter 17

Application of the Proposed Schemes
