A Study on Partially Blind ECDSA and Its Application on Bitcoin (基於ECDSA之部分盲簽章及其在比特幣上應用之研究) - 政大學術集成 (NCCU Academic Hub)

Academic year: 2021


Full text

National Chengchi University, Department of Computer Science, Master's Thesis

基於 ECDSA 之部分盲簽章及其在比特幣上應用之研究
A Study on Partially Blind ECDSA and Its Application on Bitcoin

Advisor: Dr. 左瑞麟
Student: 黃泓遜

January 2021 (ROC year 110)
DOI:10.6814/NCCU202100361

Acknowledgements

My six and a half years of life in Taiwan are finally coming to an end. During these six and a half years of study I not only acquired very solid knowledge in computer science and developed a proper research attitude, but also witnessed with my own eyes the saying that "the most beautiful scenery in Taiwan is its people".

First, I thank my advisor, Professor 左瑞麟, for his selfless teaching. As the person who led me into the field of cryptography, Professor 左瑞麟 shared everything he knew without reservation and kept offering valuable advice along my research path, so that I did not keep going round in circles in dead ends. I also want to thank the oral examination committee members, Professors 曾一凡, 王紹睿, 王智弘 and 陳昱圻, for their very pertinent suggestions and guidance, which gave me a deeper understanding of academic research. I am also very grateful to my labmates for their company during these two and a half years, and to my seniors 劉子源 and 許仁傑 for their generous help; both spent a great deal of time discussing my research results with me. I also thank my classmates for their support and company, which gave me great encouragement and the motivation to persist.

Although everything in the future is still unknown, I will move forward steadfastly with the research spirit and the attitude toward life that I learned during my master's studies.

黃泓遜, January 2021

Abstract (Chinese original, translated)

A blind signature is a digital signature in which the signer does not learn the message being signed. In practical applications, however, the signer often needs to record some additional information related to the signature. To address this, the concept of the partially blind signature was proposed: in addition to the properties of a blind signature, a partially blind signature lets the signer obtain the relevant information it needs from the signed message. Many partially blind signature schemes have been proposed since the concept appeared, but they require considerable computation time or are difficult to apply in practice. Furthermore, with the rise of digital currencies (such as Bitcoin), more and more consumers are buying digital currency, but the current purchasing methods cannot hide the consumer's wallet address, so some research has focused on blind signatures based on the Elliptic Curve Digital Signature Algorithm (ECDSA). Because a blind signature leaves the signer completely unaware of the signed message, these ECDSA-based blind signatures are hard to apply flexibly in digital currency systems. We therefore propose three partially blind signatures. Our first signature is the most efficient partially blind signature among the research to date. In addition, to fit the Bitcoin system more closely, we propose two variants of ECDSA together with their security proofs in the Generic Group Model, and on this basis we propose the first two ECDSA partially blind signatures that are compatible with the current Bitcoin system. We provide security proofs and efficiency analyses for all of the above partially blind signatures. Finally, we present how our partially blind signatures can be applied when purchasing bitcoins.

Keywords: ECDSA, partially blind signature, Bitcoin

Abstract

Blind signatures allow a user to obtain a signature without revealing the message to the signer. In many cases, however, the signer must record additional information relevant to the signature. Partially blind signatures were therefore proposed to enable the signer to obtain some information from the signed message. Although many partially blind signature schemes have been proposed, they are time intensive and impractical. Additionally, with the development of blockchain technology, users increasingly use Bitcoin for purchasing and trading with coin providers. Some studies have indicated that elliptic curve digital signature algorithm (ECDSA)-based blind signatures are compatible with Bitcoin because, given the tamper-resistance of Bitcoin, they prevent the linking of sensitive information. However, these approaches are not sufficiently flexible because blind signatures do not allow the signer to obtain any information.

In this thesis, we propose three partially blind signature schemes. To the best of our knowledge, compared with other state-of-the-art schemes, our first scheme is the most practical partially blind signature. Additionally, to be more compatible with the current Bitcoin protocol, we introduce two variants of ECDSA with their security proofs under the generic group model. Based on these two variants of ECDSA, we propose two partially blind signature schemes. Security proofs are provided to demonstrate that all proposed schemes satisfy unforgeability and blindness. Finally, we describe an application to bitcoin purchasing based on the proposed schemes.

Keywords: ECDSA, Partially Blind Signature, Bitcoin

Contents

Acknowledgements i
Abstract (Chinese) ii
Abstract iii
1 Introduction 1
1.1 Background 1
1.2 Motivation 3
1.3 Contributions 4
1.4 Organization 5
2 Related Work 6
3 Background 9
3.1 Digital Signature 9
3.2 Schnorr Blind Signature 10
3.3 Elliptic Curve Discrete Logarithm Problem 11
3.4 ECDSA 11
3.5 Yi's Blind ECDSA 12
4 Preliminary 15
4.1 Unforgeability 15
4.1.1 Existential Forger 15
4.1.2 Selective Forger 16
4.2 Property of Hash Function 16
4.2.1 One-Wayness (Preimage-Resistance) 16
4.2.2 Second-Preimage-Resistance 16
4.2.3 Zero-Finder-Resistance 16
5 Generic Group Model 18
6 Variant-ECDSA 22
6.1 Definition of Variant-ECDSA 22
6.2 Unforgeability of Variant-ECDSA 23
6.2.1 Existential Unforgeability Against No-Message Attacks 23
6.2.2 Selective Unforgeability Against Adaptive Chosen-Message Attacks 23
7 Variant-ECDSA-1 25
7.1 Scheme of Variant-ECDSA-1 25
7.2 Generic Group Oracle for Variant-ECDSA-1 25
7.3 Security Proof of Variant-ECDSA-1 27
8 Variant-ECDSA-2 29
8.1 Scheme of Variant-ECDSA-2 29
8.2 Generic Group Oracle for Variant-ECDSA-2 29
8.3 Security Proof of Variant-ECDSA-2 31
9 Partially Blind Signature 33
9.1 Definition of Partially Blind Signature 33
9.2 Security Definitions of Partially Blind Signature 34
9.2.1 Unforgeability 34
9.2.2 Partial Blindness 34
10 The Proposed Scheme 1 36
11 The Proposed Scheme 2 38
12 The Proposed Scheme 3 42
13 Security Analysis 46
14 Efficiency Analysis 51
15 Performance 55
16 Discussion 56
17 Application of the Proposed Schemes 58
17.1 Application on Bitcoin 58
17.2 Further Discussion 61
17.2.1 Fixed Denominations 61
17.2.2 Different Address 61
17.2.3 Amount of Daily Trades 62
17.2.4 The Tradeoff 62
17.3 Applications beyond Bitcoin 63
18 Conclusion 64
Bibliography 65

List of Tables

1 Generic Group Oracle Proposed by Brown 19
2 Notations in Brown's [1] 20
3 Derivations 21
4 Generic Group Oracle for Variant-ECDSA-1 26
5 Generic Group Oracle for Variant-ECDSA-2 30
6 Operation Notations 51
7 Comparison-1 of Computational Efficiency 52
8 Comparison-2 of Computational Efficiency 53
9 Comparison of Signature Size 54
10 Running Time of the Proposed Partially Blind Signatures 55
11 The Probability that User Guesses All the Indices Chosen by Signer under the Setting of n and u 57

List of Figures

1 Yi's Blind ECDSA Scheme 13
2 Our First Scheme 37
3 Our Second Scheme 41
4 Our Third Scheme 45
5 Application on Bitcoin Part 1 59
6 Application on Bitcoin Part 2 59

Chapter 1 Introduction

1.1 Background

In financial and commercial systems, it is often necessary to sign or seal documents to provide authenticity. To sign digital documents digitally, the concept of the digital signature [2] appeared. Digital signatures adopt public key cryptography (PKC) [3]. Every signer has a public key, which is published, and a secret key, which the signer keeps private. The private key is used to sign a file, while the public key is published so that a verifier can check the validity of the digital signature. A digital signature should be unforgeable, just like a paper signature or seal: no adversary can forge a valid signature on a message never signed before without knowing the secret key.

In practice, however, there are many scenarios in which common digital signatures are not suitable, such as electronic cash [4] and electronic voting systems. For instance, in an electronic cash system the consumer purchases electronic cash from the electronic cash issuer (for example, a bank). If the bank performs the entire signing process when issuing electronic cash, then the bank clearly knows the signed message, while the consumer only has the right to use the cash. After the consumer spends the electronic cash, the bank stores the consumption record in its database. The bank therefore knows when the electronic cash was used and who used it. Since banks know the real-life identities of consumers, consumption records can easily be associated with consumers, and banks can easily track the spending of all consumers. It is therefore necessary for consumers to hide the connection between these records and themselves.

To solve the above problem, the concept of the blind signature [5] was proposed. The signing process of a blind signature requires the joint participation of the signer (the role of the bank in the electronic cash system) and the user (the role of the consumer). The user decides which message is signed, and the signer signs the message without knowing what it is. In addition to the unforgeability required of common digital signatures, blind signatures must satisfy a property called blindness. During the signing process, the user blinds the message so that the signer does not know what he or she signs. After the signer signs the blinded message, the user unblinds the result provided by the signer and obtains a signature on the original message. The signer therefore gets no information about the message or the final published signature during the signing process: once the user publishes the original message and the signature (for example, by spending the electronic cash), the signer does not know when it signed that message or for whom. Blindness thus makes it impossible to link the records to user (consumer) identities, since the bank does not have enough information to link the records in its database with the signing sessions.

In practice, however, blind signatures face a problem: the signer can only control the public key and the attributes tied to it, and has no control over the remaining attributes. This means the signer can only affect the signature by replacing the public key. For example, in an electronic cash system the bank does not know the signed message and can only set the rule that one signature provides one coin to the consumer, which leads to low efficiency. If the bank wants to provide more than one coin in a single signature, it needs to use different public keys to represent different amounts in each signature.
Therefore, consumers and electronic cash receivers (usually merchants) need to record all possible public keys in their electronic wallets. However, their electronic wallets are usually smart cards, which cannot hold that amount of data. Another problem is double-spending. If the signature on electronic cash is valid forever, the holder of the electronic cash may spend it twice, which is called double-spending. To prevent double-spending, the bank has to record every consumption of the cash to ensure that the cash can be spent only once. This causes the database to overflow, since the number of these records increases over time.

To solve this problem, the concept of the partially blind signature was first proposed by Abe and Fujisaki [6] in 1996 as an extension of the blind signature. Abe and Okamoto [7] further

introduced a concrete blind signature protocol along with a concrete security proof. Partially blind signatures make signature issuing more convenient and provide more flexibility for application in different scenarios. For example, in an electronic cash system, if the bank wants to put a number of coins into a signature, it no longer needs to prepare a large number of public keys; instead, the bank signs the amount into the signature. Moreover, the bank may sign the date into the signature, so that it knows whether each piece of electronic cash has expired. The bank can then delete the expired records so that the size of the database stays under control.

1.2 Motivation

With the rise of digital currencies (such as Bitcoin [8]), more and more users purchase digital currencies. Purchasers often buy digital currency through digital currency trading platforms, which provide services to convert real currency into digital currency. When purchasing digital currencies, purchasers have to reveal their true identity. Since they release their electronic wallet address some time afterwards, the platform can easily associate their true identity with the wallet address. Therefore, if partially blind signatures can be applied to the purchasing of digital currency, the connection between the true identity and the electronic wallet address can be hidden, thereby ensuring anonymity.

Most current digital currencies use signatures based on the elliptic curve digital signature algorithm (ECDSA) [9], the elliptic curve version of the Digital Signature Algorithm (DSA) [10]. ECDSA has a shorter public key than DSA and is therefore used as the digital signature scheme in many systems. At present, however, partially blind signatures based on ECDSA are rare. One example is the partially blind signature proposed by Li in 2004 [11]. In Li's scheme, only the signer has the right to put common information into the signature; the user cannot. Moreover, the final signature does not contain the common information, so the verifier has no way to check whether the signer used the correct common information or changed it halfway. In 2004, An proposed a blind signature based on pure ECDSA [12] (that is, the signature generated by the blind signature protocol can be verified directly by the ECDSA verification algorithm). Later, Ladd [13] proposed an application of blind signatures to Bitcoin based on An's research, but because it needs to be combined with the cut-and-choose method [4], its efficiency is not good. In 2019, Yi et al. [14] modified An's scheme and fixed its security problem. However,

since the use of Yi's blind ECDSA is restricted by the constraint that one signature transfers only one bitcoin, the practical efficiency of Yi's blind ECDSA is still limited. We therefore hope to raise the efficiency of blind signatures in the Bitcoin system by turning the blind signature into a partially blind signature.

1.3 Contributions

To solve the aforementioned problems, we propose three partially blind signatures. Our first scheme is a practical partially blind signature scheme. The experimental results demonstrate that, compared with other state-of-the-art schemes, our first scheme is the most efficient in terms of computational cost.

As mentioned in the previous section, although Yi's [14] blind ECDSA is fully compatible with standard ECDSA, it transfers only one bitcoin per signature, which makes the computation expensive. If there were a partially blind ECDSA scheme that could transfer an arbitrary amount of bitcoins, the efficiency could be significantly improved. The common information is one of the most important components of a partially blind signature, since it carries the information the signer desires. However, the transition from a blind signature to a partially blind signature, which implies the participation of common information, actually needs explicit or implicit verification of the common information. It is therefore impractical to turn Yi's blind ECDSA into a partially blind ECDSA by directly adding the common information, since a verification of the common information is also needed. We therefore introduce two variants of ECDSA, called variant-ECDSA-1 and variant-ECDSA-2, which we use to construct our ECDSA-compatible partially blind signatures, together with their security proofs under the generic group model.

Subsequently, based on variant-ECDSA-1 and 2 and the blind ECDSA of Yi [14], we propose two ECDSA-based partially blind signatures (i.e., the signature generated by the blind signing protocol can be verified directly by the verification algorithm of the proposed ECDSA variants). Because the published signature is a valid variant-ECDSA signature, our second and third schemes are compatible with the current Bitcoin protocol, in accordance with the description in [14]. Moreover, we provide security proofs demonstrating that our schemes satisfy the unforgeability of partially blind signatures under adaptive chosen-message attacks, and partial blindness. Finally,

we describe an application to bitcoin purchasing based on the proposed schemes.

1.4 Organization

The rest of the thesis is organized as follows. Chapter 2 reviews previous research results. Some concrete schemes are introduced in Chapter 3, and preliminary knowledge is described in Chapter 4. Chapter 5 introduces the generic group model [1]. The definition of variant-ECDSA is given in Chapter 6. Two concrete variant-ECDSA schemes are proposed in Chapters 7 and 8, with their security proofs under the generic group model. Chapter 9 provides the definition and security models of partially blind signatures. Chapters 10, 11 and 12 propose three partially blind signature schemes. Chapter 13 provides the correctness and security proofs. Chapter 14 compares our proposed schemes with other state-of-the-art schemes. In Chapter 16, some further details about our Scheme 2 are discussed. Chapter 17 describes an application showing how our proposed schemes work during bitcoin trading, and gives some further discussion. Finally, Chapter 18 summarizes this thesis.

Chapter 2 Related Work

The blind signature was first proposed by Chaum in 1983. In a blind signature, the message is blinded and invisible to the signer during the signing process. The user can unblind the result provided by the signer, obtain the final digital signature on the original message, and then make it public. Blind signatures protect the anonymity of the user and play a useful role in practical scenarios such as Bitcoin and electronic cash systems. Later, in 1996, Pointcheval and Stern [15] defined the security of blind signatures and introduced a blind signature scheme that can be proved secure.

Blind signatures have been studied in many directions. For example, because of the blindness property, blind signatures may be used for crime, so some studies have focused on solving this problem: the blind signature proposed by Stadler and Camenisch [16] in 1995, the "indirect discourse certificate" proposed by Frankel et al. [17] in 1996, and the "magic potion" signature proposed by Zhang et al. [18] in 2003 can all prevent blind signatures from being used for crime. Another common research direction is applying blind signatures to identity-based signatures (IBS), first proposed by Shamir [19]. The characteristic of an IBS is that the signer's public key is computed from the signer's identity, a string that represents the signer, such as an e-mail address. By combining the bilinear pairing scheme of Menezes et al. [20], Zhang and Kim [21] proposed a blind signature based on IBS in 2002, giving the scheme a wider range of applications. Besides IBS, many other types of digital signature have been combined with blind signatures. For instance, proxy blind signatures were proposed by Lal and Awasthi [22], Safavi-Naini et al. [23] and Zuo-Wen et al. [24]. A proxy blind signature applies the property of proxy signatures to blind signatures: the signer can let an agent sign on his or her behalf, thereby reducing the computational load of the original signer. Forward-secure blind signatures raise the security level of common blind signatures: in a common blind signature the signature remains valid even if the private key is leaked, whereas in a forward-secure blind signature the signature becomes invalid. Several such schemes were proposed by Sherman et al. [25] and Duc et al. [26]; unfortunately, Liu and Cao [27] later proved that the scheme of Duc et al. [26] is insecure. To meet the need for more than one person to jointly sign a blind signature, other types of signature were proposed, including the blind multisignature of Chen et al. [28], the group blind signatures of Lysyanskaya and Ramzan [29] and of Kim et al. [30], the blind threshold signature of Vo et al. [31], and the blind threshold ring signature of Chan et al. [32].

Since applying elliptic curve cryptography (ECC) to digital signatures can significantly decrease the key size, Debasish et al. [33] and Morteza et al. [34] conducted research on blind signatures based on the elliptic curve discrete logarithm problem (ECDLP) in 2007 and 2009, respectively. Zhang and Kim's [21] blind signature is based on IBS combined with bilinear pairing, but the computational cost of bilinear pairing is not low enough. Then, in 2011, Debiao [35] proposed an identity-based blind signature without bilinear pairing, which uses only scalar point multiplication on the elliptic curve and greatly improves efficiency.

One problem with blind signatures is that the signed message remains unknown to the signer during the signing phase, and the signer can only control the public key. To solve this problem, Abe and Fujisaki [6] proposed the concept of the partially blind signature in 1996 as an extension of the blind signature. The difference between a partially blind signature and a blind signature (also called a fully blind signature) is that the signing process requires another public message called the common information. The common information is generated in a negotiation phase before signing and (usually) should be added to the signature by both the signer and the user. Depending on the scenario, the common information can be produced in the negotiation phase or simply determined by one of the participants. A partially blind signature therefore provides more convenience for the signer. Compared to a fully blind signature, a partially blind signature ensures that some part of the signed message is reliable.

Since the first partially blind signature was proposed, many studies [36–40] have followed. For example, in 2001, Chien et al. [36] proposed a partially blind signature protocol with lower computational cost, making partially blind signatures easier to implement on machines with weaker computing power. The partially blind signature scheme using bilinear pairing proposed by Zhang [37] in 2003 laid the foundation for other bilinear-pairing-based blind signatures. In 2002, Greg and Colin [38] proposed the first partially blind signature with the restrictive property, which means the user can only choose the message from a set the signer has agreed to. In 2005, Sherman et al. [39] proposed a threshold partially blind signature based on bilinear pairings, so that the partially blind signature is valid only when enough signers participate in the signing phase. Almost all of the blind signatures and partially blind signatures mentioned above are proved secure in the random oracle model. In 2006, Okamoto [40] proposed a blind signature scheme that no longer relies on random oracles; this scheme has a higher security level and improved performance.

Chapter 3 Background

3.1 Digital Signature

The digital signature [2], which uses public-key cryptography (PKC) [3], is a mechanism that imitates the act of signing or stamping paper documents and "signs" digital documents. A digital signature requires two keys, a public key and a private key. Everyone who needs to sign a file has their own private key and public key. The private key is kept private, unknown to others, and is used to sign the document; the public key is made public and is used to verify whether a signature is valid. Digital signatures have a property called unforgeability: except for the legitimate signer, no one can forge a valid signature on a message never signed before without knowing the secret key.

In 1968, the U.S. federal government issued the Federal Information Processing Standards (FIPS) to formulate open standards for all government agencies and government contractors except U.S. military agencies, and has gradually supplemented these standards since then. Today's standards mainly include data encoding standards, such as country and area codes, and encryption standards, such as the Data Encryption Standard and the Digital Signature Standard. In the Digital Signature Standard, the U.S. federal government adopted a variant of the digital signature proposed by Schnorr [41] in 1989 (described in Section 3.2) and named it DSA [10] (Digital Signature Algorithm). DSA is not only used in government systems; many private institutions and private systems also use DSA as their digital signature scheme. However, the minimum key length of DSA specified by the Federal Information

Processing Standard is 2048 bits, which is a little too long in practice. Elliptic curve cryptography [42] (ECC) is a kind of public key cryptography that relies on the mathematical structure of elliptic curves. Compared to non-elliptic-curve cryptography, ECC requires a shorter key to provide the same security level. After the emergence of ECC, the elliptic curve digital signature algorithm [9] (ECDSA), which combines DSA and elliptic curve cryptography, came into being. ECDSA achieves the same security level as DSA with a 2048-bit key using only a 224-bit key, which is much shorter. ECDSA was also included in the Federal Information Processing Standards and has been widely used by federal agencies and private institutions. For example, the digital signature used by Bitcoin is ECDSA. We describe the scheme in Section 3.4.

3.2 Schnorr Blind Signature

In 1989, Schnorr [41] proposed a digital signature based on the discrete logarithm problem (DLP). The Schnorr signature is the foundation of many later digital signature schemes, and a blind version of it was proposed later [43, 44]. In the Schnorr blind signature, the public parameters are $(p, q, g, H(\cdot))$, where $p$ and $q$ are two large primes satisfying $q \mid p-1$, $g$ is an element of $\mathbb{Z}_p^*$ of prime order $q$, and $H(\cdot)$ is a secure cryptographic hash function agreed by both signer and user. The secret key is $x$, and the public key is $y = g^x$. The Schnorr blind signature process is as follows:

1. The signer randomly picks $k \in \mathbb{Z}_q$, computes $r = g^k \pmod p$ and sends $r$ to the user.
2. The user randomly chooses $\alpha, \beta \in \mathbb{Z}_q$ and calculates $r' = r g^{-\alpha} y^{-\beta} \pmod p$. The user then computes $e' = H(m, r')$ and $e = e' + \beta \pmod q$, and sends $e$ back.
3. The signer calculates $s = k - ex \pmod q$ and sends it to the user.
4. The user computes $s' = s - \alpha \pmod q$. The final signature is $(e', s')$.
5. Anyone who knows the public key $y$ can verify the signature $(e', s')$ by checking whether $e' =$

$H(m, g^{s'} y^{e'} \bmod p)$ holds. The check succeeds because

$$
\begin{aligned}
H(m, g^{s'} y^{e'} \bmod p) &= H(m, g^{s-\alpha} y^{e-\beta} \bmod p) \\
&= H(m, g^{k-ex-\alpha} y^{e-\beta} \bmod p) \\
&= H(m, g^{k} g^{-ex} g^{-\alpha} y^{e-\beta} \bmod p) \\
&= H(m, r y^{-e} g^{-\alpha} y^{e-\beta} \bmod p) \\
&= H(m, r y^{-e} g^{-\alpha} y^{e} y^{-\beta} \bmod p) \\
&= H(m, r g^{-\alpha} y^{-\beta} \bmod p) \\
&= H(m, r') = e',
\end{aligned}
$$

where the exponents are taken modulo $q$.

3.3 Elliptic Curve Discrete Logarithm Problem

The security of our proposed schemes is based on the elliptic curve discrete logarithm problem (ECDLP) [45], a special case of the discrete logarithm problem, defined as follows:

Definition 1. Suppose $E$ is an elliptic curve over $\mathbb{Z}/p\mathbb{Z}$, where $p$ is a prime. Given a tuple of elliptic curve points $(P, Q)$, where $P \in E(\mathbb{Z}/p\mathbb{Z})$ and $Q$ is a multiple of $P$, the ECDLP is to find $a \in \mathbb{Z}_p^*$ such that $Q = aP$.

3.4 ECDSA

ECDSA [9] is a digital signature scheme consisting of four algorithms:

• Setup: An elliptic curve $E$ is randomly selected, followed by a group generator $G$ of prime order $q$ over $E$. The algorithm also randomly selects a hash function $H(\cdot)$. Finally, it outputs the public parameters $pp = (E, G, q, H)$.
• KeyGen: The signer randomly selects a private key $d \in [2, q-1]$ and computes the public key $Q = d \cdot G$.

• Sign: For a message m, the signer randomly selects an integer k from 2 to q − 1 and computes (K_x, K_y) = kG, t = K_x mod q, and s = k^{−1}(H(m) + t · d) mod q. Finally, the signer outputs a signature σ = (t, s).
• Verify: Anyone who knows the signer's public key can validate the signature σ = (t, s). First, a verifier computes u = s^{−1} H(m) mod q and v = s^{−1} t mod q, then lets (K′_x, K′_y) = uG + v · Q. Finally, the verifier outputs 1 if t′ = K′_x mod q = t. Otherwise, the verifier outputs ⊥.

3.5 Yi's Blind ECDSA

We first describe the modified Paillier encryption in Yi et al. [14]. This encryption consists of the following three algorithms:

• KeyGen: The user randomly selects two large distinct primes p and k that satisfy gcd(p − 1, q) = 1 and gcd(k − 1, q) = 1, then calculates N = pqk and g = (1 + N)^{pk} mod N^2, where (p, k) remains secret and (N, g) is released.
• Enc: Anyone who holds (N, g) can encrypt a message m ∈ Z_q into a ciphertext. The encryptor randomly selects r ∈ Z*_{N^2} and outputs the ciphertext C = g^m r^N mod N^2.
• Dec: The decryptor uses the secret key (p, k) to decrypt the ciphertext by calculating D = C^{(p−1)(q−1)(k−1)} mod N^2 and m = [(D − 1)/(Npk)] · [(p − 1)(q − 1)(k − 1)]^{−1} mod q.

Based on the modified Paillier encryption, Yi's blind ECDSA scheme was proposed, as shown in Fig. 1. Furthermore, based on the proposed blind ECDSA scheme, Yi et al. introduced an application which achieves anonymity when buying bitcoins. The process is described as follows:

• Bitcoin provider B and purchaser P start the process of buying bitcoins. P first uses fiat currency to pay for the bitcoins by credit card payment, cash or some other way.

Figure 1: Yi's Blind ECDSA Scheme (Signer on the left, User on the right)

Signer: k_1 ←$ Z_q^*, K_1 = k_1 G; sends K_1 to the user.
User: k_2 ←$ Z_q^*, r_1, r_2 ←$ Z*_{N^2}; K = k_2 K_1 = (K_x, K_y), t = K_x mod q; C_1 = g^{H(m)} r_1^N mod N^2, C_2 = g^t r_2^N mod N^2; sends C_1, C_2 together with zero-knowledge proofs.
Signer: checks the ciphertexts; if correct, r ←$ Z*_{N^2}, C = (C_1 · C_2^d)^{k_1^{−1} mod q} · r^N mod N^2; sends C.
User: s = k_2^{−1} Dec(C, (p, k)) mod q; signature σ = (t, s).

• Next, Bitcoin provider B and purchaser P interact following Yi's blind ECDSA scheme. That is, purchaser P generates his/her public key PK_P, which is the message m to be signed under ECDSA. Purchaser P then runs the blind ECDSA with Bitcoin provider B to obtain the signature (t, s) on his/her public key PK_P under B's public key PK_B. One signature implies the transfer of one bitcoin to purchaser P.
• Purchaser P later broadcasts its transaction, including its public key PK_P and the corresponding signature, in the Bitcoin system. Some miners or nodes may verify this signature. Since the signature generated from Yi's blind ECDSA is a standard ECDSA signature which can be verified by the ECDSA verification of Bitcoin, this signature can be verified by miners or nodes in the Bitcoin system directly.

This application makes sure that Bitcoin provider B only knows that P is one of the purchasers after the release of the transaction, even though he/she holds the identity of purchaser P in real life. This is guaranteed by the blindness property of the blind signature. However, Yi's application only transfers one bitcoin with one signature; in practice this means an expensive computational cost for a large-amount transfer.
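The modified Paillier encryption above and the signer's ciphertext step of Fig. 1, as an added runnable example that is not part of the thesis or of Yi et al.'s work; it uses constructed toy primes in place of the large p, k and the curve order q, and reads the signer's step of Fig. 1 as C = (C_1 · C_2^d)^{k_1^{−1}} · r^N mod N^2.

```python
# Added example (not from the thesis or from Yi et al.): the modified Paillier
# encryption of Sec. 3.5 and the ciphertext combination the signer performs in Fig. 1.
import math
import secrets

# Toy parameters (constructed): q stands in for the prime curve order, p and k for the
# two "large" primes; they satisfy gcd(p - 1, q) = gcd(k - 1, q) = 1 as KeyGen requires.
ORDER_Q = 1013
PRIME_P = 1009
PRIME_K = 1019


def keygen(p, k, q):
    """KeyGen: N = pqk, g = (1 + N)^{pk} mod N^2; public key (N, g), secret key (p, k)."""
    assert math.gcd(p - 1, q) == 1 and math.gcd(k - 1, q) == 1
    N = p * q * k
    return (N, pow(1 + N, p * k, N * N)), (p, k)


def random_unit(N):
    """A random element of Z*_{N^2}, i.e. one coprime to N."""
    while True:
        r = secrets.randbelow(N * N)
        if r > 1 and math.gcd(r, N) == 1:
            return r


def enc(pk, m):
    """Enc: C = g^m r^N mod N^2 for a plaintext m in Z_q."""
    N, g = pk
    return pow(g, m, N * N) * pow(random_unit(N), N, N * N) % (N * N)


def dec(pk, sk, q, C):
    """Dec: D = C^{(p-1)(q-1)(k-1)} mod N^2, m = ((D - 1) / (Npk)) * phi^{-1} mod q."""
    N, _ = pk
    p, k = sk
    phi = (p - 1) * (q - 1) * (k - 1)
    D = pow(C, phi, N * N)
    # D = 1 + pk*(m*phi mod q)*N (mod N^2), so (D - 1) / (N p k) is exactly m*phi mod q.
    return (D - 1) // N // (p * k) * pow(phi, -1, q) % q


def signer_combine(pk, C1, C2, d, k1, q):
    """Signer's step in Fig. 1: C = (C1 * C2^d)^{k1^{-1} mod q} * r^N mod N^2.
    The signer works on ciphertexts only and never learns H(m) or t."""
    N, _ = pk
    C = pow(C1 * pow(C2, d, N * N) % (N * N), pow(k1, -1, q), N * N)
    return C * pow(random_unit(N), N, N * N) % (N * N)


def blind_ecdsa_s(q, h, t, d, k1, k2):
    """Ciphertext part of Fig. 1 for the scalars h = H(m), t = K_x mod q, the signer's
    (d, k1) and the user's k2. Returns the blindly produced s and the plain ECDSA value
    (k1 k2)^{-1} (h + t d) mod q it must equal, since K = k2 K1 = k1 k2 G."""
    pk, sk = keygen(PRIME_P, PRIME_K, q)
    C1, C2 = enc(pk, h), enc(pk, t)              # user: Enc(H(m)), Enc(t)
    C = signer_combine(pk, C1, C2, d, k1, q)     # signer
    s = pow(k2, -1, q) * dec(pk, sk, q, C) % q   # user: s = k2^{-1} Dec(C) mod q
    return s, pow(k1 * k2, -1, q) * (h + t * d) % q
```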

Chapter 4 Preliminary

In this chapter we introduce some preliminary components which we use in the following chapters.

4.1 Unforgeability

A signature scheme consists of three algorithms: key generation for the generation of the public key and secret key, signature generation for the generation of a signature on the input message using the secret key, and signature verification for the verification of the input signature, message and public key. Briefly speaking, a forger F is an algorithm that tries to forge a valid signature without knowing the secret key. There are two different kinds of forger: the existential forger and the selective forger.

4.1.1 Existential Forger

Let (Q, d) be the public key and the private key. An (ϵ_F, τ_F, q_F)-forger F of a signature scheme is a probabilistic algorithm with input Q and running time at most τ_F. The forger F is allowed to select a sequence of messages M_i for 1 ≤ i ≤ q_F (for a no-message attack, q_F = 0) and invoke the signing protocol to obtain signatures on these messages under the private key d. F can decide the choice of M_i depending on the previously obtained signatures. Finally F outputs a message M (different from the M_i's in the signing protocols) and a candidate signature σ on M under public key Q. The forger F succeeds if (M, σ) passes the verification algorithm under public key Q. The forger's probability of success is at least ϵ_F, where the probability is

assessed over the random choices of the key generation algorithm, the forger F, and the signing oracle.

4.1.2 Selective Forger

The only difference between an S-selective (ϵ_F, τ_F, q_F)-forger F and the existential forger mentioned above is that F has an additional input: the message M forged by F should be drawn at random from S.

4.2 Properties of Hash Functions

We now describe some properties of hash functions needed in our following schemes. As shown in Brown's research [1], the hash function used in ECDSA, usually SHA-1 in practice, satisfies the following required properties.

4.2.1 One-Wayness (Preimage-Resistance)

An (ϵ_I, τ_I)-inverter I_h of a hash function h is a probabilistic algorithm which takes as input e ∈_R H and outputs a message M ∈ {0, 1}^* within running time at most τ_I. Under the random choices of both e and I_h, the probability of h(M) = e is at least ϵ_I. If no such I_h exists, then h is one-way, or preimage-resistant, of strength (ϵ_I, τ_I).

4.2.2 Second-Preimage-Resistance

Let S ⊆ {0, 1}^*. An (ϵ_S, τ_S, S)-second-preimage-finder S_h for a hash function h is a probabilistic algorithm which takes as input M ∈_R S and outputs a message M′ ∈ {0, 1}^* within running time at most τ_S. Under the random choices of both M and S_h, the probability of M ≠ M′ but h(M) = h(M′) is at least ϵ_S. If no such S_h exists, then h is second-preimage-resistant of strength (ϵ_S, τ_S, S).

4.2.3 Zero-Finder-Resistance

An (ϵ_Z, τ_Z)-zero-finder Z_h for a hash function h is a probabilistic algorithm which outputs a message M ∈ {0, 1}^* within running time at most τ_Z. Under the random choices of Z_h, the

probability of h(M) = 0 is at least ϵ_Z. If no such Z_h is known, then h is zero-finder-resistant of strength (ϵ_Z, τ_Z).

Chapter 5 Generic Group Model

So far ECDSA has been formally proved secure only by Brown [1] under the generic group model, which was first introduced by Nechaev [46] and improved by Shoup [47]. In the generic group model for a secure group A_n, where a secure group A_n is defined as a group with an intractable discrete logarithm problem, the group operation is assumed to be performable only through an oracle. Moreover, the oracle of the group operation is assumed to be "random", subject to the constraint of giving valid group operations.

In order to prove the security of ECDSA and DSA, Brown describes a variant of the generic group model. The generic group oracle is shown in Table 1.

We now describe the oracle in detail. There are three commands that the oracle takes: push, subtract and hint. The push and subtract commands are the same as Brown's, but we modify the hint command a little. A forger can make push commands and subtract commands, but cannot access hint commands directly. Notice that in the first oracle the hint command is never used, where the forger can only make push and subtract commands and a verifying query, and in the second oracle the hint command is invoked to respond to the signing query. Each command appends an element pair (A_{m+1}, z_{m+1}) to the internal state, and the oracle maintains the list of element pairs. The element pair consists of a public element A_{m+1} ∈ A_n and a private element z_{m+1} ∈ Z_n. A_{m+1} and z_{m+1} both depend on the commands that the forger makes and the random values that the oracle picks.

We now discuss some further details. The argument of the push command is an arbitrary element A ∈ A_n and its output is A_{m+1} = A. If A_{m+1} does not equal some A_i in {A_1, ···, A_m}, then the oracle randomly selects a private value z_{m+1}. Otherwise, z_{m+1} equals the previous identical private value z_i.

Table 1: Generic Group Oracle Proposed by Brown

A_{m+1} ← Push (A ∈ A_n):
1. Let A_{m+1} = A.
2. If A_{m+1} = A_i for some i ∈ {1, ···, m}, let z_{m+1} = z_i.
3. If A_{m+1} ∉ {A_1, ···, A_m}, choose z_{m+1} ∈_R Z_n \ {z_1, ···, z_m}.

A_{m+1} ← Subtract (no argument):
1. Let z_{m+1} = (z_{m−1} − z_m) mod n.
2. If z_{m+1} = z_i for some i ∈ {1, ···, m}, let A_{m+1} = A_i.
3. If z_{m+1} ∉ {z_1, ···, z_m}, choose A_{m+1} ∈_R A_n \ {A_1, ···, A_m}.

(A_{m+1}, s_{m+1}) ← Hint (h_{m+1} ∈ Z_n \ {0}):
1. Randomly choose z_{m+1} ∈ Z_n except elements in {z_1, ···, z_m}.
2. Randomly choose A_{m+1} ∈ A_n except elements in {A_1, ···, A_m}.
3. s_{m+1} = z_{m+1}^{−1} (h_{m+1} z_1 + f(A_{m+1}) z_2) mod n, where f : A_n → Z_n is a certain fixed function.

Table 2: Notations in Brown's [1]

B : The set of the indices of the basic pairs.
C_ij ∈ Z_n, i ∈ {1, ···, m}, j ∈ B : Coefficients of the derived private elements.
A = (A_1, ···, A_m) : The vector of public elements.
C : The coefficient matrix (C_ij) over Z_n, where i ∈ {1, ···, m} and j ∈ B.
S : The response to the hint commands.
z_B = (z_j)_{j ∈ B} : The basic vector.
z = (z_i)_{1 ≤ i ≤ m} : The private vector.
∆_i = (C_ij)_{j ∈ B} : The derivation of (A_i, z_i) (row vector).

We assume that two push commands are made first with arguments A_1 and A_2 randomly selected by the forger. Besides, the base generator is G = A_1 and the public key is Q = A_2. The only condition is that A_1 ≠ A_2. The forger can subsequently submit arbitrary elements of A_n through the push command.

The subtract command subtracts the two previous element pairs. The output is the public value A_{m+1}. Actually the oracle first subtracts the previous private values z_{m−1} and z_m to obtain z_{m+1} = z_{m−1} − z_m, and then determines whether there is a previous z_i equal to z_{m+1} or not. If not, the public value A_{m+1} will be a random element chosen from A_n \ {A_1, ···, A_m}.

The input of the hint command is h_{m+1} and the output is (A_{m+1}, s_{m+1}), where the extra information is included in s_{m+1}. s_{m+1} will later be a part of the signature for message M_i || R_{m+1} (for scheme 3), where M_i is the input of the signing query and R_{m+1} is a random element. The hint command can be regarded as a part of the signing query, since when the forger makes a signing query the oracle actually invokes the hint command to obtain the required objects to return to the forger as the response for the signing query, which is a signature (f(A_{m+1}), s_{m+1}, R_{m+1}) for message M_i || R_{m+1} (for scheme 3). Notice that the hint command is not used in the oracle for our variant-ECDSA-1. Additionally, we call the pair (A_i, z_i) generated from a push command and different from any previous pair a basic pair.
We call all the remaining pairs derived pairs. We can present every derived private element z_i as a Z_n-linear combination of the previous basic private elements. We recall some further notations from Brown's [1], as shown in Table 2.

Table 3: Derivations

Push:
1. If A_{m+1} = A_i for some i ∈ {1, ···, m}, then: (a) let i be the least such index; (b) let C_{(m+1)j} = C_{ij} for all j ∈ B.
2. If A_{m+1} ∉ {A_1, ···, A_m}, then: (a) add the index m + 1 to the set B; (b) let C_{i(m+1)} = 0 for all i ∈ {1, ···, m}; (c) let C_{(m+1)(m+1)} = 1.

Subtract:
1. Let C_{(m+1)j} = C_{mj} − C_{(m−1)j} for all j ∈ B.

Hint:
1. Let C_{(m+1)1} = s_{m+1}^{−1} h_{m+1}.
2. Let C_{(m+1)2} = s_{m+1}^{−1} f(A_{m+1}).
3. Let C_{(m+1)j} = 0 for all j ∈ B \ {1, 2}.

From the above notations we have z = C z_B. Besides, the derivation of a basic pair (A_j, z_j) has only one non-zero coefficient, which is in the j-th position. Furthermore, if there exist two pairs with the same public element (A_i = A_j) but different derivations (∆_i ≠ ∆_j) for some 1 ≤ j < i ≤ m, we say that a coincidence has occurred. Coincidence-free means that no coincidence occurs at any j. We show the generation of coefficients and derivations in the push, subtract and hint commands in Table 3.

Chapter 6 Variant-ECDSA

We recall that the blind ECDSA of Yi et al. [14] only transfers one bitcoin with one signature, which means it has an expensive computational cost in practice. Hence a partially blind ECDSA scheme which can transfer an arbitrary amount of bitcoins by releasing the amount may improve computational efficiency significantly. The common information is necessary in a partially blind signature; however, it is impractical to turn Yi's blind ECDSA into a partially blind ECDSA by directly adding the common information. Therefore, we introduce two variants of ECDSA, variant-ECDSA-1 and variant-ECDSA-2, which will be used to construct partially blind signatures that are compatible with ECDSA.

We define the variant-ECDSA in this chapter. The concrete schemes are described in Chapter 7 and Chapter 8.

6.1 Definition of Variant-ECDSA

• Setup takes a security parameter λ as input and outputs the public parameters pp = (E, G, q, H).
• KeyGen takes the public parameters pp as input and outputs a public key Q and a secret key d.
• Sign takes the message to be signed m and the secret key d as inputs and outputs a signature σ = (t, s, R) on message m, based on the public key Q.
• Verify takes the message m, the signature σ and the corresponding public key

Q as inputs and outputs 1 if the signature passes the verification.

6.2 Unforgeability of Variant-ECDSA

We make two different security definitions here: existential unforgeability against no-message attacks and selective unforgeability against adaptive chosen-message attacks.

6.2.1 Existential Unforgeability Against No-Message Attacks

To model existential unforgeability against no-message attacks, we define Game-1, played by a challenger C and an adversary A, where adversary A is actually the existential forger that we mentioned in Chapter 4.

Game-1:
• Setup: Challenger C takes a security parameter λ and generates public parameters params. C subsequently sends λ and params to adversary A.
• Response: Adversary A outputs a signature (m, σ).

Definition 2. A variant-ECDSA is existentially unforgeable against no-message attacks if no adversary wins Game-1 with non-negligible probability.

6.2.2 Selective Unforgeability Against Adaptive Chosen-Message Attacks

To model selective unforgeability against adaptive chosen-message attacks, we define Game-2, played by a challenger C and an adversary A, where adversary A is actually the selective forger that we mentioned in Chapter 4.

Game-2:
• Setup: Challenger C takes a security parameter λ and generates public parameters params. C subsequently sends λ and params to adversary A.
• Attack: Adversary A makes signing queries to obtain signatures from challenger C. The inputs of the signing queries are messages m_1, ···, m_q, where q is the number of queries. Besides, the next input message of a query can be decided after obtaining the previous response. Adversary A finally obtains the signatures (σ_1, ···, σ_q).

• Response: Adversary A outputs a list of signatures (m_1, σ_1), ···, (m_q, σ_q).

Definition 3. A variant-ECDSA is selectively unforgeable against adaptive chosen-message attacks if no adversary wins Game-2 with non-negligible probability.

Chapter 7 Variant-ECDSA-1

7.1 Scheme of Variant-ECDSA-1

• Setup: An elliptic curve E is randomly selected by this algorithm, followed by a group generator G of prime order q over E. It then randomly selects a hash function H(·). Finally, this algorithm outputs a set of public parameters pp = (E, G, q, H).
• KeyGen: The signer randomly selects their private key d ∈ [2, q − 1] and then computes their public key Q = d · G.
• Sign: For a message M, the signer randomly selects an integer k from 2 to q − 1 and computes (K_x, K_y) = kG, t = K_x mod q. Besides, the signer picks a random R and computes s = k^{−1}(H(M) + R + t · d) mod q. Finally, the signer outputs a signature σ = (t, s, R).
• Verify: Anyone who knows the signer's public key can validate the signature σ = (t, s, R). First, a verifier computes u = s^{−1}(H(M) + R) mod q and v = s^{−1} t mod q, then lets (K′_x, K′_y) = uG + v · Q. Finally, the verifier outputs 1 if t′ = K′_x mod q = t; otherwise, the verifier outputs ⊥.

7.2 Generic Group Oracle for Variant-ECDSA-1

The oracle for variant-ECDSA-1 under the generic group model is shown in Table 4. Compared to Brown's oracle, there is no hint command in this oracle, but some special operations for a special case are provided.

Table 4: Generic Group Oracle for Variant-ECDSA-1

A_{m+1} ← Push (A ∈ A_n):
1. Let A_{m+1} = A.
2. If A_{m+1} = A_i for some i ∈ {1, ···, m}, let z_{m+1} = z_i.
3. If A_{m+1} ∉ {A_1, ···, A_m}, choose z_{m+1} ∈_R Z_n \ {z_1, ···, z_m}.

A_{m+1} ← Subtract (no argument):
1. Let z_{m+1} = (z_{m−1} − z_m) mod n.
2. If z_{m+1} = z_i for some i ∈ {1, ···, m}, let A_{m+1} = A_i.
3. If z_{m+1} ∉ {z_1, ···, z_m}, choose A_{m+1} ∈_R A_n \ {A_1, ···, A_m}.

Special case:
1. Randomly choose a time value t ∈ [0, τ_F].
2. Run the above part of the oracle, in which the forger F makes arbitrary commands and a final verification with arbitrary arguments, with one exception: the first subtract command, say command i, requested after time t whose derivation ∆_i has only two nonzero coefficients (C_{i1} and C_{i2}) and whose private element z_i is distinct from all previous private elements.
3. For this special case, the oracle chooses A_i at random from f^{−1}(e C_{i1}^{−1} C_{i2}) by using the invertibility of the conversion function f, if possible (halt and admit failure otherwise).

7.3 Security Proof of Variant-ECDSA-1

Brown stated some security requirements (such as a secure ECDSA group, a second-preimage-resistant hash function, etc.) for the security proof under the generic group model when proving ECDSA secure. Since our variant-ECDSA-1 and variant-ECDSA-2 and our partially blind signature scheme 2 and scheme 3 use the same parameters and hash function as ECDSA, our two variant-ECDSAs and partially blind signature schemes satisfy those security requirements. To prove our variant-ECDSA schemes, we slightly modified Brown's oracle. We show our oracles for variant-ECDSA-1 in Table 4 and for variant-ECDSA-2 in the next chapter.

Theorem 1. If there exists an (ϵ_F, τ_F, 0)-forger F_h of variant-ECDSA-1 in the generic group model for A_n with hash function h and with almost-invertible conversion function f, then there exists an (ϵ_I, τ_I)-inverter I_h and an (ϵ_Z, τ_Z)-zero-finder Z_h, where:

    ϵ_I + ϵ_Z / (10 τ_F) ≥ ϵ_F / (10 τ_F) − τ_F / (20 n)        (7.1)

Proof. We call the special command in our oracle for variant-ECDSA-1 the qualified command. Besides, the derivation ∆_i in the qualified command is called the exceptional derivation. Suppose F is an (ϵ_F, τ_F, q_F)-forger in the generic group model. We assume that there is an (ϵ_I, τ_I)-inverter I_h of the hash function h that invokes F as a subroutine. Here is the further analysis:

We assume that F succeeds with probability ϵ_F. During the verification phase, the forger calls the oracle to verify the signature (M, (t, s, R)) he/she forged. The oracle then follows the variant-ECDSA-1 scheme to compute V = s^{−1}(H(M) + R) G + s^{−1} t Q and compares t′ = f(V) mod n to t. Hence the last response of the oracle is A_m = V for some m. Since A_m = V = s^{−1}(H(M) + R) G + s^{−1} t Q, with G = A_1 and Q = A_2, the derivation is ∆_m = (s^{−1}(H(M) + R), s^{−1} t, 0, ···, 0). If H(M) = 0, a zero has been found, hence we have proved the existence of the zero-finder Z_h.
If H(M) ≠ 0, since t ≠ 0 as well, ∆_m is a derived derivation (more than one non-zero coefficient). There are three possible cases for ∆_m:

• Derivation ∆_m is a new derivation distinct from previous derivations, but the private element z_m equals some previous private element z_i.

• Derivation ∆_m is a new derivation distinct from previous derivations and the private element z_m is a new element.
• Derivation ∆_m = ∆_i, where ∆_i is a previous derivation.

In the first case, a coincidence has occurred. Brown [1] shows that the probability of a coincidence occurring is at most (m choose 2)/n. In the second case, since z_m is new and ∆_m is a new derivation, ∆_m is non-exceptional. Therefore A_m is an element randomly selected from A_n except {A_1, ..., A_{m−1}} by the oracle, and the probability that f(A_m) equals t is at most 10/(n − m), since t is determined before the random A_m is chosen. In the third case, ∆_m equals some previous ∆_i, which has probability at least 1/τ_F of being exceptional. Assume that ∆_i is an exceptional derivation for i ≤ m. In the oracle, A_i ∈ f^{−1}(e C_{i1}^{−1} C_{i2}), so it is obvious that t = f(A_m) = f(A_i) = e C_{i1}^{−1} C_{i2} = e C_{m1}^{−1} C_{m2} = e (H(M) + R)^{−1} t, where t ≠ 0 since the forged signature is valid. Hence we have e = H(M) + R. Since R is a random number, we have H(M) = e − R = e′. It is obvious that there exists an inverter I_h.

According to Brown [1], there is a probability of at least 1/10 that f can be inverted successfully in the exceptional derivation. Thus, we have:

    ϵ_I ≥ (ϵ_F − ϵ_Z − (m choose 2)/n − 10/(n − m)) / (10 τ_F)        (7.2)

Assume that m ≤ τ_F; then we obtain the inequality in our theorem.

Chapter 8 Variant-ECDSA-2

8.1 Scheme of Variant-ECDSA-2

• Setup: An elliptic curve E is randomly selected by this algorithm, followed by a group generator G of prime order q over E. It then randomly selects a hash function H(·). Finally, this algorithm outputs a set of public parameters pp = (E, G, q, H).
• KeyGen: The signer randomly selects their private key d ∈ [2, q − 1] and then computes their public key Q = d · G.
• Sign: For a message m, the signer randomly selects an integer k from 2 to q − 1 and computes (K_x, K_y) = kG, t = K_x mod q. Besides, the signer picks a random R and computes s = k^{−1}(H(m || R) + (t + R) · d) mod q. Finally, the signer outputs a signature σ = (t, s, R).
• Verify: Anyone who knows the signer's public key can validate the signature σ = (t, s, R). First, a verifier computes u = s^{−1} H(m || R) mod q and v = s^{−1}(t + R) mod q, then lets (K′_x, K′_y) = uG + v · Q. Finally, the verifier outputs 1 if t′ = K′_x mod q = t; otherwise, the verifier outputs ⊥.

8.2 Generic Group Oracle for Variant-ECDSA-2

The oracle for variant-ECDSA-2 under the generic group model is shown in Table 5. In this oracle the hint command is invoked to respond to the signing query.

Table 5: Generic Group Oracle for Variant-ECDSA-2

A_{m+1} ← Push (A ∈ A_n):
1. Let A_{m+1} = A.
2. If A_{m+1} = A_i for some i ∈ {1, ···, m}, let z_{m+1} = z_i.
3. If A_{m+1} ∉ {A_1, ···, A_m}, choose z_{m+1} ∈_R Z_n \ {z_1, ···, z_m}.

A_{m+1} ← Subtract (no argument):
1. Let z_{m+1} = (z_{m−1} − z_m) mod n.
2. If z_{m+1} = z_i for some i ∈ {1, ···, m}, let A_{m+1} = A_i.
3. If z_{m+1} ∉ {z_1, ···, z_m}, choose A_{m+1} ∈_R A_n \ {A_1, ···, A_m}.

(f(A_{m+1}), s_{m+1}, R_{m+1}) ← Signing query (M_i):
1. Pick a random R_{m+1} ∈ Z_n.
2. Compute h_{m+1} = H(M_i || R_{m+1}).
3. Invoke the hint command (A_{m+1}, s_{m+1}) ← Hint (h_{m+1} ∈ Z_n \ {0}):
   (a) Randomly choose z_{m+1} ∈ Z_n except elements in {z_1, ···, z_m}.
   (b) Randomly choose A_{m+1} ∈ A_n except elements in {A_1, ···, A_m}.
   (c) s_{m+1} = z_{m+1}^{−1} (h_{m+1} z_1 + f(A_{m+1}) z_2) mod n, where f : A_n → Z_n is a certain fixed function.

8.3 Security Proof of Variant-ECDSA-2

Theorem 2. If there exists an S-selective (ϵ_F, τ_F, q_F)-forger F_h of variant-ECDSA-2 in the generic group model for A_n with hash function h and with conversion function f almost-bijective of strength at least β, then there exists an (ϵ_S, τ_S, S)-second-preimage-finder S_h and an (ϵ_Z, τ_Z)-zero-finder Z_h, where:

    ϵ_S ≥ ϵ_F − τ_F^2 / (2n) − (1/τ_F − 1/n)^{−1} β        (8.1)

Proof. Suppose F is an (ϵ_F, τ_F, q_F)-forger in the generic group model for the group A_n. We assume that there is an (ϵ_S, τ_S, S)-second-preimage-finder S_h of the hash function h that invokes the forger F as a subroutine. Here is the further analysis:

We assume that F succeeds with probability ϵ_F. During the verification phase, the forger calls the oracle to verify the signature (M, (t, s, R)) he/she forged. The oracle then follows the variant-ECDSA-2 scheme to compute V = s^{−1} H(M || R) G + s^{−1}(t + R) Q and compares t′ = f(V) mod n to t. Hence the last response of the oracle is A_m = V for some m. Since A_m = V = s^{−1} H(M || R) G + s^{−1}(t + R) Q, where G = A_1 and Q = A_2, the derivation of A_m is ∆_m = (s^{−1} H(M || R), s^{−1}(t + R), 0, ···, 0). There are four possible cases for ∆_m:

• Derivation ∆_m is a new derivation distinct from previous derivations, but the private element z_m equals some previous private element z_i.
• Derivation ∆_m is a new derivation distinct from previous derivations and the private element z_m is a new element.
• Derivation ∆_m = ∆_i, where ∆_i is a previous derivation arising from a hint command.
• Derivation ∆_m = ∆_i, where ∆_i is a previous derivation not arising from a hint command.

In the first case, a coincidence has occurred. Brown [1] shows that the probability of a coincidence occurring is at most (m choose 2)/n.

In the second case, since z_m is new and ∆_m is a new derivation, ∆_m is non-exceptional. Therefore A_m is an element randomly selected from A_n except {A_1, ..., A_{m−1}} by the oracle. Since f(A_i) = f(A_m) = t = C_{m2} C_{m1}^{−1} h(M || R) = C_{i2} C_{i1}^{−1} h(M || R) is determined before the random A_i is chosen and f is almost-bijective, this happens with probability at most n(n − m)^{−1} β according to Brown [1]. In the third case, ∆_m equals some previous ∆_i, which means that C_{m1} = C_{i1} and C_{m2} = C_{i2}. Therefore we have s^{−1} H(M || R) = s_i^{−1} H(M_i || R_i) and s^{−1} t = s_i^{−1} f(A_i). Since t = f(V) = f(A_m) = f(A_i), we have s = s_i, and as a result H(M || R) = H(M_i || R_i). Obviously, the forger has to forge a signature for a new message M other than the arguments M_i of the signing queries. Therefore M || R ≠ M_i || R_i. It is obvious that there exists a second-preimage-finder S_h.

In the last case, if h(M || R) = 0, a zero has been found, thereby there exists a zero-finder Z_h. If h(M || R) ≠ 0, since t ≠ 0 as well, ∆_i is a derived derivation (more than one non-zero coefficient). A_i is derived and is randomly selected by the oracle from A_n except {A_1, ···, A_{i−1}}. Since f(A_i) = f(A_m) = t = C_{m2} C_{m1}^{−1} h(M || R) = C_{i2} C_{i1}^{−1} h(M || R) is determined before the random A_i is chosen and f is almost-bijective, this happens with probability at most n(n − m)^{−1} β, and the probability is at most m n (n − m)^{−1} β after summing over all possible i.

Thus, we have:

    ϵ_S ≥ ϵ_F − (m choose 2)/n − m n β / (n − m) − n β / (n − m)        (8.2)

We assume that m ≤ τ_F to obtain the desired inequality.

Chapter 9 Partially Blind Signature

In this chapter, we give the definition and security requirements of a partially blind signature.

9.1 Definition of Partially Blind Signature

A partially blind signature scheme consists of four algorithms, namely Setup, KeyGen, Issue, and Verify, described as follows:

• Setup is a probabilistic polynomial-time algorithm that takes a security parameter λ as input and outputs a set of public parameters params.
• KeyGen is a probabilistic polynomial-time algorithm that takes the public parameters params as input and outputs a signer's signing key sk and its corresponding public verification key pk.
• Issue is an interactive protocol between signer and user, described as follows.
  – The Agree algorithm allows user and signer to generate the common information info.
  – The Blind algorithm takes a random string r, a message m, and the common information info as input and outputs a string h for the signer.
  – The Sign algorithm takes the string h and the signer's signing key sk as input and outputs a blind signature σ̄ which will be unblinded by the user.

  – The Unblind algorithm takes a blind signature σ̄ and the previously used random string r as input and outputs an unblinded signature σ.
• Verify is a deterministic polynomial-time algorithm that takes an unblinded signature σ, a message m, the negotiated information info, and the signer's public verification key pk as input, and outputs "true" if σ is a valid signature produced by the signer with the corresponding signing key sk on message m and common information info. Otherwise, it outputs "false".

9.2 Security Definitions of Partially Blind Signature

A partially blind signature usually has to meet two security requirements: unforgeability and partial blindness. We define them below.

9.2.1 Unforgeability

To model the unforgeability security requirement, we define Game-A, played by a challenger C and an adversary A.

Game-A:
• Setup: Challenger C takes a security parameter λ and generates public parameters params. C subsequently sends λ and params to adversary A.
• Attack: Adversary A engages in the signature issuing protocol with challenger C in a concurrent and interleaving way. For each info, the number of times adversary A runs the signature issuing protocol with challenger C to completion, obtaining a signature, is l_info.
• Response: Adversary A outputs an info and l_info + 1 signatures (m_1, σ_1), ···, (m_{l_info + 1}, σ_{l_info + 1}).

Definition 4. A partially blind scheme is existentially unforgeable against adaptive chosen-message attacks if no adversary wins Game-A with non-negligible probability.

9.2.2 Partial Blindness

To model the partial blindness security requirement, we define Game-B, played between a challenger C and an adversary A.

Game-B:
• Setup: Challenger C takes a security parameter λ and generates public parameters params. C subsequently sends λ and params to adversary A.
• Preparation: Adversary A selects two different messages m_0, m_1 and a common information info. A then sends (m_0, m_1, info) to C.
• Challenge: Challenger C selects a random bit b, then A signs both m_b with info and m_{1−b} with info. After unblinding the responses of A, C sends (m_0, m_1, info, σ_b, σ_{1−b}) to A.
• Response: Adversary A outputs a guess b′. If b′ = b, then A wins.

Definition 5. A partially blind scheme has partial blindness if no adversary wins Game-B with non-negligible probability.

Chapter 10 The Proposed Scheme 1

We propose three partially blind signature schemes. In this chapter we introduce a partially blind signature based on the Schnorr blind signature, using random numbers as blinding factors. In Chapter 11 and Chapter 12 we propose two partially blind signatures based on variant-ECDSA-1 and variant-ECDSA-2 respectively, using the Paillier cryptosystem to blind messages.

The selection of public parameters is similar to that of ECDSA. The public parameters are params = (E, G, q, H, H_0), where H : {0,1}* × Z_q^* → Z_q^* and H_0 : {0,1}* → Z_q^*. To generate the key pair, the signer randomly selects d ∈ [2, q − 1] as the secret key, which remains secret. The signer then publishes the public key Q = dG. To generate a signature, the signer and user interact as presented in Fig. 2. Anyone who knows the signer's public key can verify the signature by checking e = H(m‖info, R_x(eQ + sG + cQ) mod q), where c = H_0(info) and R_x denotes the x coordinate of an elliptic curve point.

Signer                                       User

k ←$ Z_q^*                                   γ, δ ←$ Z_q^*
compute K_1 = kG
                        ── K_1 ──►
                                             K_2 = K_1 + γG + δQ = (x, y)
                                             t = x mod q
                                             e = H(m‖info, t)
                                             e′ = e − δ
                        ◄── e′ ──
c = H_0(info)
s′ = k − (e′ + c)d
                        ── s′ ──►
                                             s = s′ + γ
                                             signature σ = (e, s)

Figure 2: Our First Scheme

The valid signature σ = (e, s) passes the verification because

\begin{align*}
e &= H(m \| \mathit{info},\ t) \\
  &= H(m \| \mathit{info},\ R_x((k + \delta d + \gamma)G) \bmod q) \\
  &= H(m \| \mathit{info},\ R_x((ed + (k - ed + \delta d - cd + \gamma) + cd)G) \bmod q) \\
  &= H(m \| \mathit{info},\ R_x((ed + (k - e'd - cd + \gamma) + cd)G) \bmod q) \\
  &= H(m \| \mathit{info},\ R_x((ed + (k - (e' + c)d) + \gamma + cd)G) \bmod q) \\
  &= H(m \| \mathit{info},\ R_x((ed + s' + \gamma + cd)G) \bmod q) \\
  &= H(m \| \mathit{info},\ R_x(eQ + sG + cQ) \bmod q).
\end{align*}
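The protocol of Fig. 2 and its verification equation, run end to end as an added example; this is not the thesis author's code. It assumes secp256k1 as the curve E (the thesis fixes no curve), instantiates H and H_0 with SHA-256 reduced into Z_q^*, and length-prefixes m inside H so that m‖info splits unambiguously. The function also returns the signer's view (K_1, e′, s′) so the reader can check that nothing the signer sees depends on m, while info enters the signature through c = H_0(info) and is therefore bound at verification.

```python
# Added example: the first proposed scheme (Fig. 2) over secp256k1 in pure Python.
# Not the thesis author's code; the curve, the SHA-256 instantiation of H and H0,
# and the byte encodings of m and info are assumptions made for this illustration.
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the thesis fixes none).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # A = -B
    if A == B:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(n, A):
    """Double-and-add scalar multiplication; n is reduced modulo q first."""
    n %= Q
    R = None
    while n:
        if n & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        n >>= 1
    return R


def _hash_to_zq_star(*parts: bytes) -> int:
    """SHA-256 of the concatenation, mapped into Z_q^* = [1, q-1] (assumed instantiation)."""
    digest = hashlib.sha256(b"".join(parts)).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def H(m: bytes, info: bytes, t: int) -> int:
    """H : {0,1}^* x Z_q^* -> Z_q^*; m is length-prefixed so m||info is unambiguous."""
    return _hash_to_zq_star(len(m).to_bytes(4, "big"), m, info, t.to_bytes(32, "big"))


def H0(info: bytes) -> int:
    """H0 : {0,1}^* -> Z_q^*, the hash of the common information."""
    return _hash_to_zq_star(info)


def keygen():
    """Secret key d in [2, q-1], public key Q = dG."""
    d = secrets.randbelow(Q - 2) + 2
    return d, scalar_mult(d, G)


def sign_partially_blind(d, Qpub, m: bytes, info: bytes):
    """Runs the three moves of Fig. 2 locally and returns sigma = (e, s) plus the signer's view."""
    # Signer, move 1: k <-$ Z_q^*, K1 = kG
    k = secrets.randbelow(Q - 1) + 1
    K1 = scalar_mult(k, G)
    # User: blind K1 with gamma, delta and hash the blinded point
    gamma = secrets.randbelow(Q - 1) + 1
    delta = secrets.randbelow(Q - 1) + 1
    K2 = point_add(point_add(K1, scalar_mult(gamma, G)), scalar_mult(delta, Qpub))
    t = K2[0] % Q
    e = H(m, info, t)
    e_blind = (e - delta) % Q                        # e' = e - delta
    # Signer, move 2: c = H0(info), s' = k - (e' + c) d
    c = H0(info)
    s_blind = (k - (e_blind + c) * d) % Q
    # User: unblind
    s = (s_blind + gamma) % Q
    signer_view = (K1, e_blind, s_blind)             # everything the signer ever sees
    return (e, s), signer_view


def verify(Qpub, m: bytes, info: bytes, sig) -> bool:
    """Checks e == H(m||info, R_x(eQ + sG + cQ) mod q), recomputing c from info."""
    e, s = sig
    if not (1 <= e < Q and 0 <= s < Q):
        return False
    c = H0(info)
    R = point_add(point_add(scalar_mult(e, Qpub), scalar_mult(s, G)), scalar_mult(c, Qpub))
    if R is None:                                    # the point at infinity has no x coordinate
        return False
    return e == H(m, info, R[0] % Q)


if __name__ == "__main__":
    d, Qpub = keygen()
    sig, view = sign_partially_blind(d, Qpub, b"pay 1 BTC", b"2021-01")
    print("valid:", verify(Qpub, b"pay 1 BTC", b"2021-01", sig))
    print("wrong info rejected:", not verify(Qpub, b"pay 1 BTC", b"2021-02", sig))
```

Because the signer computes s′ from e′ and c only, a signature presented later with a different info fails verification even though the signer never saw m; this is exactly the property the thesis relies on for recording per-signature information such as an expiry or denomination.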

Chapter 11 The Proposed Scheme 2

In this chapter, a partially blind signature scheme based on variant-ECDSA-1, introduced in Chapter 7, is proposed.

The selection of public parameters in this scheme is the same as that in ECDSA (i.e., params = (E, G, q, H), where H : {0,1}* → Z_q^*). To generate the key pair, the signer randomly selects d ∈ [2, q − 1] as the secret key, which remains secret. Then the signer publishes the public key Q = dG. To generate a signature, the signer and user interact as presented in Fig. 3. In particular, we adopt the modified Paillier encryption (KeyGen, Enc, Dec) of Yi et al. [14]. More precisely, the user needs to generate a modified Paillier key pair ((N, g), (p, k)) using the KeyGen algorithm and then generate the ciphertexts C_1 = Enc(H(m)) = g^{H(m)} r_1^N (mod N^2) and C_2 = Enc(t) = g^t r_2^N (mod N^2), where r_1, r_2 ←$ Z*_{N^2}.

Moreover, we adopt a zero-knowledge proof into our protocol [48]. We define a relation R by

R = {(x, w) | x = (g, N, C), C = g^w r^N mod N^2}.

The user must provide corresponding zero-knowledge proofs to convince the signer that he/she knows a witness w satisfying the relation above for C_1 and for C_2. This relation essentially means that both C_1 and C_2 comply with the modified Paillier encryption of the form g^m r^N (mod N^2), where m is the plaintext.

We now describe the interactive zero-knowledge proof. To prove that C_1 has the correct form, the user first randomly selects x ∈ Z_q, r′ ∈ Z*_{N^2} and sends C_1′ = g^x r′^N (mod N^2) to the signer. After receiving C_1′, the signer selects b ∈ {0, 1} and returns it to the user. The user then responds on the basis of the value b. If b = 0, the user provides (x, r′) to the signer. Otherwise, the user computes
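The ciphertext form C = g^w r^N (mod N^2) required by relation R, and the b = 0 round of the interactive proof described above, as an added example that is not the thesis author's code. It assumes textbook Paillier with g = N + 1 in place of the modified Paillier of Yi et al. [14], whose KeyGen and secret key (p, k) are not reproduced here, and uses small constructed primes (1009, 1013) and a constructed demo order 65521 so that plaintexts fit below N; the page's description stops before the user's response for b = 1, so only the b = 0 opening and the signer's check of it are shown.

```python
# Added example (not from the thesis): textbook Paillier with g = N + 1 standing in
# for the modified Paillier of Yi et al., the ciphertexts C1 = Enc(H(m)) and C2 = Enc(t)
# in the form g^w r^N mod N^2 of relation R, and the b = 0 round of the interactive proof.
import hashlib
import math
import secrets

# Constructed demo parameters: tiny primes and a demo order so that H(m), t < N.
DEMO_P, DEMO_Q = 1009, 1013
DEMO_ORDER = 65521          # stands in for the curve order q; must be smaller than N


def paillier_keygen(p: int, q: int):
    """Public key (N, g) with g = N + 1 (assumed choice); p, q are the secret primes."""
    N = p * q
    return N, N + 1


def random_unit(N: int) -> int:
    """Uniform r in Z*_{N^2}, by rejection sampling on gcd(r, N)."""
    while True:
        r = secrets.randbelow(N * N - 1) + 1
        if math.gcd(r, N) == 1:
            return r


def paillier_enc(N: int, g: int, w: int, r: int) -> int:
    """C = g^w r^N mod N^2, exactly the form demanded by relation R."""
    if math.gcd(r, N) != 1:
        raise ValueError("r must lie in Z*_{N^2}")
    return pow(g, w, N * N) * pow(r, N, N * N) % (N * N)


def paillier_dec(p: int, q: int, c: int) -> int:
    """Standard Paillier decryption; with g = N + 1, L(g^lambda mod N^2) = lambda mod N."""
    N = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    u = pow(c, lam, N * N)
    L = (u - 1) // N
    return L * pow(lam, -1, N) % N


def h_to_zq(m: bytes, order: int) -> int:
    """H : {0,1}^* -> Z_q^* instantiated with SHA-256 (assumed)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (order - 1) + 1


def user_ciphertexts(N: int, g: int, m: bytes, t: int):
    """C1 = Enc(H(m)), C2 = Enc(t) with fresh r1, r2; the witnesses are kept by the user."""
    w1, w2 = h_to_zq(m, DEMO_ORDER), t % DEMO_ORDER
    r1, r2 = random_unit(N), random_unit(N)
    return (paillier_enc(N, g, w1, r1), (w1, r1)), (paillier_enc(N, g, w2, r2), (w2, r2))


def prover_commit(N: int, g: int, order: int):
    """Proof step 1: user picks x in Z_q, r' in Z*_{N^2} and sends C' = g^x r'^N mod N^2."""
    x = secrets.randbelow(order)
    r_prime = random_unit(N)
    return (x, r_prime), paillier_enc(N, g, x, r_prime)


def signer_challenge() -> int:
    """Proof step 2: signer returns b in {0, 1}."""
    return secrets.randbelow(2)


def signer_check_opening(N: int, g: int, c_prime: int, opening) -> bool:
    """Proof step 3 for b = 0: signer recomputes C' from the revealed (x, r')."""
    x, r_prime = opening
    if math.gcd(r_prime, N) != 1:
        return False
    return paillier_enc(N, g, x, r_prime) == c_prime


if __name__ == "__main__":
    N, g = paillier_keygen(DEMO_P, DEMO_Q)
    (C1, (w1, r1)), (C2, _) = user_ciphertexts(N, g, b"pay 1 BTC", 12345)
    print("Dec(C1) == H(m):", paillier_dec(DEMO_P, DEMO_Q, C1) == w1)
    opening, c_prime = prover_commit(N, g, DEMO_ORDER)
    if signer_challenge() == 0:
        print("b = 0 opening accepted:", signer_check_opening(N, g, c_prime, opening))
```

The signer's check in the b = 0 branch is only a soundness test of the commitment C_1′; a single round convinces the signer with probability 1/2 at best, which is why such bit-challenge proofs are repeated for a security parameter's worth of rounds in practice.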
