
Fair Blind Threshold Signatures Based on Discrete Logarithm

Wen-Shenq Juang and Chin-Laung Lei



Department of Electrical Engineering, Rm. 343

National Taiwan University

Taipei, Taiwan, R.O.C.

Abstract

In this paper, we propose a group-oriented fair blind $(t, n)$ threshold signature scheme based on the discrete logarithm problem. By the scheme, any $t$ out of $n$ signers in a group can represent the group to sign fair blind threshold signatures, which can be used in anonymous e-cash systems. Since blind signature schemes provide perfect unlinkability, such e-cash systems can be misused by criminals, e.g. to safely obtain a ransom or to launder money. Our scheme allows the judge (or the government) to deliver information allowing any one of the $t$ signers to link his view of the protocol and the message-signature pair. In our scheme, the size of a fair blind threshold signature is the same as that of an individual fair blind signature, and the signature verification process is simplified by means of a group public key. The security of our scheme relies on the difficulty of computing discrete logarithms.

Keywords: Fair Blind Signatures, Threshold Signatures, Discrete Logarithm, Privacy and Security, Secure E-Cash Systems.

1 Introduction

The concept of blind signatures was introduced by Chaum [1]. It allows a requester to obtain signatures on the messages he provides to the signer without revealing these messages. A distinguishing property required of a typical blind signature scheme [1, 2, 3, 4] is the so-called "unlinkability", which ensures that requesters can prevent the signer from deriving the exact correspondence between the actual signing process performed by the signer and the signature which is later made public. Blind signatures can realize secure electronic payment schemes [1, 5, 6, 7] protecting customers' anonymity, and secure voting schemes [8, 9, 10] preserving voters' privacy. In a distributed environment, the signed blind messages can be regarded as a fixed amount of electronic money in secure electronic payment schemes, or as tickets in applications such as secret voting schemes. The security of the blind signature schemes proposed in [1, 3] is based on the hardness of factorization [11], and that of the schemes proposed in [2, 4] is based on the hardness of computing discrete logarithms [12].

Threshold signatures [13, 14] are motivated by the need that arises in organizations to have a group of employees who agree on a message before signing, and by the need to protect the group private key from internal and external adversaries. The latter becomes more important with the actual deployment of public key schemes in practice. The signing power of some authorities inevitably invites attackers to try to steal this power. The goal of a threshold signature scheme is to increase the availability of the signing authority and to increase the protection against forgery by making it harder for the adversary to learn the group secret key.

Instead of a single signer, two blind threshold signature schemes [15] have been proposed for a distributed environment, where several signers work together to sign a blind threshold signature. The schemes proposed in [15] allow $t$ out of $n$ participants in a group to cooperate in signing a blind threshold signature without the assistance of a single trusted authority. In these schemes, the size of a threshold signature is the same as that of an individual signature and the signature verification process is equivalent to that of an individual signature. Therefore, these schemes are optimal with respect to the threshold signature size and the verification process.

In addition to the secure voting schemes [8, 9, 10] that protect voters' privacy, the concept of blind signatures has been widely used in secure electronic payment schemes [1, 5, 6, 7]. To date, the on-line e-cash schemes proposed by Chaum [1, 5] are the more efficient and practical ones. The aim of these schemes is to produce an electronic version of money which retains the same properties as paper cash. These schemes involve customers, the bank and the shops, and consist of the following phases: the withdrawal phase, the spending phase and the deposit phase. In real world environments, if the issue of e-coins is controlled by a single person, he can generate extra e-coins as he wishes. To cope with this dilemma, instead of a unique administrator, every customer requests blind threshold signatures as e-coins from $t$ arbitrary administrators, so that any $t$ administrators can represent the bank to issue e-coins. The underlying assumption is that at least $(n - t + 1)$ of the $n$ administrators do not conspire with the others. The blind threshold signature schemes can be directly applied to these secure e-cash schemes for distributing the power of a single authority. By these schemes, secure e-cash schemes can meet real world environments in which the issue of e-coins is controlled by several administrators. The blind threshold signature will work when at least $t$ out of $n$ administrators are honest. Since customers only need to contact exactly $t$ members of the $n$ administrators, the scheme can meet real world environments without a single trusted administrator, or with some absent or dishonest administrators.

Since blind signature schemes provide perfect unlinkability, such e-cash schemes can be misused by criminals, e.g. to safely obtain a ransom or to launder money [16]. To cope with this dilemma, the concept of fair blind signatures is introduced in [17]. In [17], three fair blind signature schemes are introduced to prevent the misuse of the unlinkability property. With the help of the judge, the signer can link a signature to the corresponding signing process. Since the fairness property is very important for preventing criminals from misusing the unlinkability property in e-cash schemes, we propose a fair blind threshold signature scheme based on the blind threshold signature scheme proposed in [15] and the registration method proposed in [17]. Our scheme allows the judge to deliver information allowing any one of the $t$ signers to link his view of the protocol and the message-signature pair. In our scheme, the size of a fair threshold signature is the same as that of an individual fair signature and the signature verification process is simplified by means of a group public key. The security of our scheme relies on the difficulty of computing discrete logarithms, and it is computationally infeasible for the signers to derive the exact correspondence between the message they actually sign and all signers' complete views of the execution of the signing process without the assistance of the judge or the requester.

The paper is organized as follows. In Section 2, we present the definition of blindness of a threshold signature scheme. In Section 3, we present an efficient fair blind threshold signature scheme. Then we examine its correctness, security and linkage recovery in Section 4. In Section 5, we make some discussions. Finally, a concluding remark is given in Section 6.

2 Preliminary

In this section, we present the definition of blindness of a threshold signature scheme. There are two methods for verifying the validity of a signature: the comparison method and the restoration (message recovery) method [18]. In the comparison method, for verifying a signature, the corresponding message must be sent to a verifier along with the signature. To save the length of the signature, instead of signing the whole message, one can make a signature on the digest of the message, which is the hashed value of a secure one-way hash function [19, 20, 21] with the message as input. In the restoration method, only the signature is sent to a verifier. The signed message, which is embedded in the signature, can be recovered after the verification process. Many signature schemes with message recovery have been proposed [11, 22]. We first define the blindness of a digital signature scheme with the comparison method as follows:

Definition 1. A blind signature scheme with the comparison method is an 11-tuple $P = (M, S, \Theta, K, \Sigma, \mathcal{R}, \Gamma, \partial, \Pi, \Upsilon, \Psi)$, where

• $M$ is a message space that is a set of strings (plaintexts),
• $S$ is a signature space that is a set of strings (signatures),
• $\Theta$ is a random message space that is a set of strings,
• $K = K_e \times K_d$ is a key space, such that $K_e$ is the public key space and $K_d$ is the private key space,
• $\Sigma$ is the signer of the scheme,
• $\mathcal{R}$ is a set of requesters,
• $\Gamma$ is a poly-time algorithm that on input a random string $\rho \in \Theta$ constructs a private key $K_d \in K_d$ and its corresponding public key $K_e \in K_e$,
• $\partial$ is a poly-time blinding algorithm that on input a message $m \in M$, a random blinding string $\epsilon \in \Theta$, a public key $K_e \in K_e$ and $h(\tau) \in \Theta$, where $h$ is a one-way hash function and $\tau \in \Theta$, constructs the blinded message $m' = \partial(m, \epsilon, K_e, h(\tau)) \in M$,
• $\Pi$ is a poly-time signing algorithm that on input a blinded message $m' = \partial(m, \epsilon, K_e, h(\tau)) \in M$, the private key $K_d \in K_d$ and the randomizing factor $\tau$, constructs the blind signature $s' = \Pi(m', K_d, \tau) \in S$ on $m'$,
• $\Upsilon$ is a poly-time unblinding algorithm that on input a blind signature $s' = \Pi(\partial(m, \epsilon, K_e, h(\tau)), K_d, \tau) \in S$ and the random blinding string $\epsilon$, extracts the signature $s = \Upsilon(s', \epsilon)$ on $m$,
• $\Psi : M \times S \times K_e \to \{\text{true}, \text{false}\}$ is a poly-time verification algorithm that on input a message-signature pair $(m, s)$ and a public key $K_e \in K_e$ determines if $s$ is a valid signature for message $m$,

such that we have the following:

1. Before a requester $R \in \mathcal{R}$ can request a blind signature, $\Sigma$ chooses a random string $\rho \in \Theta$, executes $\Gamma(\rho)$ to construct a private key $K_d \in K_d$ and its corresponding public key $K_e \in K_e$, and then publishes his public key $K_e$.

2. In a blind signature generation, a requester $R \in \mathcal{R}$ chooses a random string $\epsilon \in \Theta$ and computes $m' = \partial(m, \epsilon, K_e, h(\tau))$, where $K_e$ is $\Sigma$'s public key and $\tau$ is the randomizing factor chosen by $\Sigma$, for blinding a message $m$, and submits $m'$ to $\Sigma$. $\Sigma$ then applies the signing algorithm $\Pi$ to $m'$ with his private key $K_d \in K_d$ and the randomizing factor $\tau$, and sends the signing result $s' = \Pi(m', K_d, \tau)$ to $R$. After receiving $s'$, $R$ extracts the signature $s = \Upsilon(s', \epsilon)$ on the message $m$.

3. Anyone can verify if a message-signature pair $(m, s)$ is valid for the public key $K_e \in K_e$ by the function $\Psi$.

4. In a blind signature generation, the signer's view and the message-signature pair $(m, s)$ which is later made public are statistically independent. □

The digital signature scheme with the restoration method can be defined similarly, except that the verification function $\Psi$ must be replaced by a restoration function $\Phi$: to verify a signature $s \in S$, one simply computes $m = \Phi(s, K_e)$ and checks if $m$ has some redundancy.

Given a secret $\delta$, we say that the secret shadows $(\delta_i, 1 \le i \le n)$ construct a $(t, n)$ threshold secret sharing of $\delta$ if $t - 1$ (or fewer) of these values reveal no information about $\delta$ and there exists a poly-time algorithm that outputs $\delta$ having any subset of $t$ values as inputs.

Let there be $n > 1$ players in a distributed system, and let player $i$ have his own secret $s_i$. A secure computing protocol for this system is a procedure for evaluating the function value $f(s_1, s_2, \dots, s_n)$ jointly by the $n$ players such that the output becomes commonly known while each $s_i$ remains secret. A secure computing protocol can be used to define blind threshold signature schemes. We define the blindness of a $(t, n)$ threshold signature scheme with the comparison method as follows:

Definition 2. A blind $(t, n)$ threshold signature scheme with the comparison method is a 12-tuple $P_T = (M, S, \Theta, K, \Lambda, \Sigma, \mathcal{R}, \Gamma_T, \partial_T, \Pi_T, \Upsilon_T, \Psi)$, where

• $M$ is a message space that is a set of strings (plaintexts),
• $S$ is a signature space that is a set of strings (signatures),
• $\Theta$ is a random message space that is a set of strings,
• $K = K_e \times K_d$ is a key space, such that $K_e$ is the public key space and $K_d$ is the private key space,
• $\Lambda$ is a shadow key space,
• $\Sigma = \{U_i \mid 1 \le i \le n\}$ is a set of $n$ signers,
• $\mathcal{R}$ is a set of requesters,
• $\Gamma_T : \Theta^n \to K_e$ is a poly-time distributed key generation protocol (secure computing protocol) used by all the signers in $\Sigma$. The private input of $U_i$ is a random string $\rho_i \in \Theta$. The output of the protocol is the group public key $K_e = \Gamma_T(\rho_1, \rho_2, \dots, \rho_n) \in K_e$. At the end of the protocol, the private output of signer $U_i \in \Sigma$ is a secret shadow $\delta_i \in \Lambda$, such that the shadows $\delta_i$, $1 \le i \le n$, form a $(t, n)$ threshold secret sharing of $K_d \in K_d$,
• $\partial_T : M \times \Theta \times K_e \times \Theta^t \to M$ is a poly-time blinding algorithm that on input a message $m \in M$, a random blinding string $\epsilon \in \Theta$, a public key $K_e \in K_e$ and $h(\tau_{P_i}) \in \Theta$, $1 \le i \le t$, $1 \le P_1 < P_2 < \dots < P_t \le n$, where $h$ is a one-way hash function and $\tau_{P_i} \in \Theta$, constructs the blinded message $m' = \partial_T(m, \epsilon, K_e, h(\tau_{P_1}), h(\tau_{P_2}), \dots, h(\tau_{P_t})) \in M$,
• $\Pi_T : M \times K_e \times \Lambda^t \times \Theta^t \to S$ is a poly-time distributed signing protocol (secure computing protocol) used by any subset of $t$ signers $\{U_{P_i} \mid 1 \le i \le t,\ 1 \le P_1 < P_2 < \dots < P_t \le n\}$. The private input of $U_{P_i}$ is the secret shadow $\delta_{P_i} \in \Lambda$ and the randomizing factor $\tau_{P_i} \in \Theta$. The public inputs consist of a blinded message $m' = \partial_T(m, \epsilon, K_e, h(\tau_{P_1}), h(\tau_{P_2}), \dots, h(\tau_{P_t})) \in M$ and the public key $K_e \in K_e$. The output of the protocol is the blind signature $s' = \Pi_T(m', K_e, \delta_{P_1}, \delta_{P_2}, \dots, \delta_{P_t}, \tau_{P_1}, \tau_{P_2}, \dots, \tau_{P_t}) \in S$,
• $\Upsilon_T : S \times \Theta \to S$ is a poly-time unblinding algorithm that on input a blind signature $s' = \Pi_T(\partial_T(m, \epsilon, K_e, h(\tau_{P_1}), \dots, h(\tau_{P_t})), K_e, \delta_{P_1}, \dots, \delta_{P_t}, \tau_{P_1}, \dots, \tau_{P_t}) \in S$ and the random blinding string $\epsilon$, extracts the signature $s = \Upsilon_T(s', \epsilon)$ on $m$,
• $\Psi : M \times S \times K_e \to \{\text{true}, \text{false}\}$ is a poly-time verification algorithm that on input a message-signature pair $(m, s)$ and a public key $K_e \in K_e$ determines if $s$ is a valid signature for message $m$,

such that we have the following:

1. Before a requester $R \in \mathcal{R}$ can request a blind threshold signature from any subset of $t$ signers $\Sigma_t = \{U_{P_i} \mid 1 \le i \le t,\ 1 \le P_1 < P_2 < \dots < P_t \le n\}$, all the signers in $\Sigma$ have to apply $\Gamma_T$ to construct a group public key $K_e \in K_e$, where the corresponding group private key of $K_e$ is $K_d \in K_d$. At the end of $\Gamma_T$, each signer $U_i \in \Sigma$ gets a secret shadow $\delta_i \in \Lambda$.

2. In a blind threshold signature generation, a requester $R \in \mathcal{R}$ chooses a random string $\epsilon \in \Theta$ and computes $m' = \partial_T(m, \epsilon, K_e, h(\tau_{P_1}), h(\tau_{P_2}), \dots, h(\tau_{P_t}))$, where $K_e$ is $\Sigma$'s group public key and $\tau_{P_i}$ is the randomizing factor chosen by $U_{P_i}$, for blinding a message $m$, and submits $m'$ to $\Sigma_t$. The signers in $\Sigma_t$ then apply the distributed signing protocol $\Pi_T$ to $m'$ and send $R$ the signing result $s' = \Pi_T(m', K_e, \delta_{P_1}, \dots, \delta_{P_t}, \tau_{P_1}, \dots, \tau_{P_t})$, where $\delta_{P_i}$ is the secret shadow of $U_{P_i}$. After receiving $s'$, $R$ extracts the signature $s = \Upsilon_T(s', \epsilon)$ on the message $m$.

3. Anyone can verify if a message-signature pair $(m, s)$ is valid for the group public key $K_e \in K_e$ by the function $\Psi$.

4. In a blind threshold signature generation, the signers' views $\nu$ and the message-signature pair $(m, s)$ which is later made public are statistically independent. □

3 The proposed scheme

In this section, we propose a fair blind threshold signature scheme. In a typical signing process of a fair blind threshold signature scheme, there are three kinds of participants: the signers, the judge and a requester. Before the requester can obtain a signature from the signers, all the signers have to cooperate to distribute their secret shadows to the other signers in advance. Then the requester acquires two pseudonyms from the judge and uses one of the pseudonyms to request a fair blind threshold signature from the signers. The proposed scheme consists of four phases: (1) the shadow distribution phase, (2) the registration phase, (3) the signature generation phase and (4) the signature verification phase. The shadow distribution phase is performed only once among the signers, and afterwards they can use their secret shadows to sign messages. In the registration phase, the requester requests two pseudonyms from the judge. One of the pseudonyms is used in the signature generation phase, whereas the other one is part of the signature. Thus the judge, who knows the two corresponding pseudonyms, can link the message-signature pair with the corresponding signers' view. In the signature generation phase, a requester requests a blind threshold signature from the signers by sending the pseudonym to the signers, and the signers cooperate to issue the fair blind threshold signature to the requester. In the signature verification phase, anyone can use the group public key to verify if a fair threshold signature is valid.

Let $U_i$ be the identification of signer $i$, $n$ be the number of signers, $t$ be the threshold value (at least $t$ of the $n$ signers are assumed honest), $m$ be the blind message to be signed, $h$ be a secure one-way hashing function [23], $p$ and $q$ be two large strong prime numbers such that $q$ divides $(p - 1)$, and $\alpha$ be a generator of $Z_p^*$ (i.e., $\gcd(\alpha, p) = 1$, $\alpha \ne 1$). Let $x \equiv_p y$ denote $x = y \bmod p$. Let $g \equiv_p \alpha^{(p-1)/q}$ and "$\|$" denote the ordinal string concatenation. Let $d_i$ be the secret key chosen by $U_i$ and $d_J$ be the secret key chosen by the judge. In a distributed environment, $U_i$ and the judge can publish their corresponding public keys $e_i$ and $e_J$. Anyone can get $e_i$ and $e_J$ via some authentication service (e.g. the X.509 directory authentication service [23]). Using a secure public key signature scheme [11, 12], $U_i$ and the judge can produce signatures of messages with their own secret keys $d_i$ and $d_J$. Anyone can verify these signatures with the corresponding public keys $e_i$ and $e_J$. Let $Cert_{U_i}(m)$ be the signature on the message $m$ produced by $U_i$ and $Cert_J(m)$ be the signature on the message $m$ produced by the judge.

3.1 The shadow distribution phase

Before a requester can request a fair blind threshold signature from the signers, all signers must cooperate to distribute their shadows to the other signers. In the shadow distribution phase, each $U_i$, $1 \le i \le n$, carries out the following steps:

1. $U_i$ chooses a secret key $z_i \in Z_q$ and a secret polynomial $f_i(x) = \sum_{k=0}^{t-1} a_{i,k} x^k$ such that $a_{i,0} = z_i$, computes the commitments $\psi_{i,k} \equiv_p g^{a_{i,k}}$ and the signatures $Cert_{U_i}(h(\psi_{i,k}))$ on $\psi_{i,k}$ for $0 \le k \le t-1$, and sends $((\psi_{i,k}, Cert_{U_i}(h(\psi_{i,k}))),\ 0 \le k \le t-1)$ to $U_j$, $1 \le j \le n$, $j \ne i$.

2. Upon receiving $((\psi_{j,k}, Cert_{U_j}(h(\psi_{j,k}))),\ 1 \le j \le n,\ j \ne i,\ 0 \le k \le t-1)$ from all other signers, $U_i$ verifies if all $Cert_{U_j}(h(\psi_{j,k}))$ are valid. If valid, he sends the share $\sigma_{i,j} \equiv_q f_i(x_j)$, where $x_j$ is a unique public number for $U_j$, and a signature $Cert_{U_i}(h(\sigma_{i,j}))$ on $\sigma_{i,j}$ secretly to every $U_j$, $1 \le j \le n$, $j \ne i$. Otherwise, he publishes the invalid signatures and stops.

3. When $U_i$ receives all $\sigma_{j,i}, Cert_{U_j}(h(\sigma_{j,i}))$, $1 \le j \le n$, $j \ne i$, from the other signers, he verifies if the share $\sigma_{j,i}$ received from $U_j$ is consistent with the certified values $\psi_{j,l}$, $0 \le l \le t-1$, by checking whether
$$g^{\sigma_{j,i}} \equiv_p \prod_{l=0}^{t-1} (\psi_{j,l})^{x_i^l}.$$
If it fails, $U_i$ broadcasts the faulty signer $U_j$ and then stops. Otherwise, $U_i$ computes the signature $Cert_{U_i}(h(y))$ on the group public key $y \equiv_p \prod_{l=1}^{n} y_l \equiv_p \prod_{l=1}^{n} \psi_{l,0}$ (so that $y_l \equiv_p g^{z_l}$ is the public key of $U_l$) and the signatures $Cert_{U_i}(h(\phi_{j,i}))$ on the public shadows $\phi_{j,i} \equiv_p g^{\sigma_{j,i}}$, $1 \le j \le n$. He then sends $(Cert_{U_i}(h(y)),\ ((\phi_{j,i}, Cert_{U_i}(h(\phi_{j,i}))),\ 1 \le j \le n))$ to all other signers.

4. Upon receiving all $((Cert_{U_j}(h(y)),\ 1 \le j \le n,\ j \ne i),\ ((\phi_{l,j}, Cert_{U_j}(h(\phi_{l,j}))),\ 1 \le l \le n,\ 1 \le j \le n,\ j \ne i))$, $U_i$ verifies if all $((Cert_{U_j}(h(y)),\ 1 \le j \le n,\ j \ne i),\ (Cert_{U_j}(h(\phi_{l,j})),\ 1 \le l \le n,\ 1 \le j \le n,\ j \ne i))$ are valid. If valid, the shadow keys corresponding to the group secret key $z \equiv_q \sum_{j=1}^{n} z_j$ have been securely and correctly distributed. The group public key $y \equiv_p \prod_{j=1}^{n} y_j \equiv_p g^{\sum_{j=1}^{n} z_j}$, all signers' public keys $y_j$, $1 \le j \le n$, and all public shadows $\phi_{l,j} \equiv_p g^{\sigma_{l,j}}$, $1 \le l, j \le n$, can then be published by each signer. Otherwise, $U_i$ publishes the invalid signatures and stops.

3.2 The registration phase

Before a requester requests a fair blind threshold signature from the signers, he must acquire two pseudonyms from the judge by performing the following steps.

1. The requester sends a request for two pseudonyms to the judge.

2. The judge randomly chooses $\lambda$ and $\mu \in Z_q$, computes $\zeta_0 \equiv_p g^{\lambda}$ and $\zeta_1 \equiv_p \zeta_0^{\mu}$, stores $(\mu, \zeta_0, \zeta_1)$ and then sends the random numbers, the pseudonyms and their signatures $(\lambda, \mu, \zeta_0, \zeta_1, Cert_J(h(\zeta_0)), Cert_J(h(\zeta_1)), Cert_J(h(\lambda \| \mu \| \zeta_0 \| \zeta_1)))$ back to the requester.

3. Upon receiving the random numbers, the pseudonyms and their signatures $(\lambda, \mu, \zeta_0, \zeta_1, Cert_J(h(\zeta_0)), Cert_J(h(\zeta_1)), Cert_J(h(\lambda \| \mu \| \zeta_0 \| \zeta_1)))$, the requester verifies if $\zeta_0 \equiv_p g^{\lambda}$, $\zeta_1 \equiv_p \zeta_0^{\mu}$ and the signatures of the pseudonyms are valid. If not, he has to ask the judge to retransmit them.

3.3 The signature generation phase

Without loss of generality, we assume that the $t$ out of the $n$ signers are $U_i$, $1 \le i \le t$, and write
$$L_i \equiv_q \prod_{k=1, k \ne i}^{t} \frac{-x_k}{x_i - x_k}$$
for the Lagrange coefficient of $U_i$ with respect to this set. Since $f_j(x_i) = \sigma_{j,i}$ is the share $U_i$ holds of the absent signer $U_j$'s polynomial, $\sum_{i=1}^{t} f_j(x_i) L_i \equiv_q f_j(0) = z_j$, so the $t$ present signers jointly stand in for the absent ones. When a requester requests a fair blind threshold signature, he and the $t$ signers perform the following steps during the signature generation phase.

1. The requester sends $\zeta_0, Cert_J(h(\zeta_0))$ to all $U_i$, $1 \le i \le t$.

2. Upon receiving $\zeta_0, Cert_J(h(\zeta_0))$, each $U_i$ verifies if $Cert_J(h(\zeta_0))$ is valid by the judge's public key $e_J$. If valid, each $U_i$ randomly chooses a number $k_i \in Z_q$, computes
$$\hat r_i \equiv_p g^{k_i}, \qquad \omega_i \equiv_p \zeta_0^{k_i}, \qquad u_i \equiv_p \zeta_0^{\,z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i},$$
and sends $\hat r_i$, $\omega_i$ and $u_i$ to the requester. Otherwise, he rejects it and stops.

3. After receiving all $\hat r_i$, $\omega_i$ and $u_i$, $1 \le i \le t$, the requester checks if
$$u_i \equiv_p \Big(\psi_{i,0} \Big(\prod_{j=t+1}^{n} \phi_{j,i}\Big)^{L_i}\Big)^{\lambda}, \qquad 1 \le i \le t. \qquad (1)$$
If some $u_i$, $1 \le i \le t$, is not valid, he has to ask the corresponding signer to send it again. Otherwise, he does the following.

(a) Choose two random numbers $\beta \in Z_q$ and $\gamma \in Z_q^*$, and compute
$$u \equiv_p \Big(\prod_{i=1}^{t} u_i\Big)^{\mu}, \quad \omega \equiv_p \prod_{i=1}^{t} \omega_i, \quad r_i \equiv_p g^{\beta} \hat r_i^{\gamma}, \quad v_2 \equiv_p \zeta_1^{t\beta}\, \omega^{\mu\gamma}, \quad v_1 \equiv_p h(m \| \zeta_1 \| v_2 \| u) \prod_{i=1}^{t} r_i, \quad \hat m \equiv_q \gamma^{-1} v_1.$$

(b) Check if $\hat m \ne 0$. If yes, send $\hat m$ to all $U_i$, $1 \le i \le t$. Otherwise, go back to step (a).

4. Upon receiving $\hat m$, each $U_i$ computes
$$\hat s_i \equiv_q \hat m \Big(z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i\Big) + k_i \qquad (2)$$
and sends $\hat s_i$ back to the requester.

5. After receiving all $\hat s_i$, $1 \le i \le t$, the requester computes $s_i \equiv_q \gamma \hat s_i + \beta$, $1 \le i \le t$, and checks if
$$g^{-s_i}\, y_i^{v_1}\, r_i \equiv_p \Big(\prod_{j=t+1}^{n} \phi_{j,i}\Big)^{L_i(-v_1)}, \qquad 1 \le i \le t. \qquad (3)$$
If some $\hat s_i$, $1 \le i \le t$, is not valid, he has to ask the corresponding signer to send it again. Otherwise, he computes $s \equiv_q \sum_{i=1}^{t} s_i$. The fair threshold signature of $m$ is $(\zeta_1, Cert_J(h(\zeta_1)), v_1, v_2, s, u)$.

3.4 The signature verification phase

To verify the fair threshold signature $(\zeta_1, Cert_J(h(\zeta_1)), v_1, v_2, s, u)$ for the message $m$, one simply checks if
$$\zeta_1^{s} \equiv_p v_2\, u^{v_1} \qquad \text{and} \qquad g^{-s}\, y^{v_1}\, v_1 \equiv_p h(m \| \zeta_1 \| v_2 \| u).$$
The judge's signature $Cert_J(h(\zeta_1))$ carried in the signature is verified with $e_J$ as well; without that check a requester could substitute a pseudonym the judge never issued, and the linkage of Section 4.3 would be lost.

4 Analysis

We examine the correctness and security of our scheme in this section. We also show how to link a given signature to its corresponding signing process with the assistance of the judge.

4.1 Correctness

To prevent a signer from sending an invalid partial signature to the requester, the partial signature must be checked in step 5 of the signature generation phase. The following lemma ensures the correctness of partial signatures.

Lemma 1. The partial signature $(r_i, s_i, u_i)$ is valid if $U_i$ is honest.

Proof. By our scheme, and using $\gamma \hat m \equiv_q v_1$, we have
$$g^{-s_i}\, y_i^{v_1}\, r_i \equiv_p g^{-(\gamma \hat s_i + \beta)}\, g^{z_i v_1}\, g^{\beta} \hat r_i^{\gamma} \equiv_p g^{-\gamma(\hat m(z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i) + k_i)}\, g^{z_i v_1}\, g^{\gamma k_i} \equiv_p g^{-\gamma \hat m (z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i)}\, g^{z_i v_1}$$
$$\equiv_p g^{-v_1 z_i - v_1 \sum_{j=t+1}^{n} f_j(x_i) L_i}\, g^{z_i v_1} \equiv_p g^{\sum_{j=t+1}^{n} f_j(x_i) L_i (-v_1)} \equiv_p \Big(\prod_{j=t+1}^{n} \phi_{j,i}\Big)^{L_i(-v_1)}$$
and
$$u_i \equiv_p \zeta_0^{\,z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i} \equiv_p (g^{\lambda})^{z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i} \equiv_p \big(g^{z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i}\big)^{\lambda} \equiv_p \Big(\psi_{i,0} \Big(\prod_{j=t+1}^{n} \phi_{j,i}\Big)^{L_i}\Big)^{\lambda}. \qquad \square$$

After the signature generation phase, the blind signature can be verified by the group public key in the signature verification phase. Lemma 2 ensures the correctness of the scheme.

Lemma 2. The 6-tuple $(\zeta_1, Cert_J(h(\zeta_1)), v_1, v_2, s, u)$ is a valid fair blind threshold signature on the message $m$.

Proof. The validity of the signature $(\zeta_1, Cert_J(h(\zeta_1)), v_1, v_2, s, u)$ on the message $m$ can easily be established as follows. Using $\sum_{i=1}^{t} f_j(x_i) L_i \equiv_q z_j$ for $t+1 \le j \le n$ and $\gamma \hat m \equiv_q v_1$,
$$g^{-s}\, y^{v_1}\, v_1 \equiv_p g^{-\sum_{i=1}^{t} (\gamma \hat s_i + \beta)}\, g^{v_1 \sum_{i=1}^{n} z_i}\, h(m \| \zeta_1 \| v_2 \| u) \prod_{i=1}^{t} r_i$$
$$\equiv_p h(m \| \zeta_1 \| v_2 \| u)\, g^{-\gamma(\hat m(\sum_{i=1}^{t} z_i + \sum_{i=1}^{t} \sum_{j=t+1}^{n} f_j(x_i) L_i) + \sum_{i=1}^{t} k_i) - t\beta}\, g^{v_1 \sum_{i=1}^{n} z_i} \prod_{i=1}^{t} g^{\beta} \hat r_i^{\gamma}$$
$$\equiv_p h(m \| \zeta_1 \| v_2 \| u)\, g^{-\gamma(\hat m(\sum_{i=1}^{t} z_i + \sum_{j=t+1}^{n} \sum_{i=1}^{t} f_j(x_i) L_i) + \sum_{i=1}^{t} k_i)}\, g^{v_1 \sum_{i=1}^{n} z_i} \prod_{i=1}^{t} g^{\gamma k_i}$$
$$\equiv_p h(m \| \zeta_1 \| v_2 \| u)\, g^{-\gamma \hat m(\sum_{i=1}^{t} z_i + \sum_{i=t+1}^{n} z_i)}\, g^{v_1 \sum_{i=1}^{n} z_i} \equiv_p h(m \| \zeta_1 \| v_2 \| u)\, g^{-v_1 \sum_{i=1}^{n} z_i}\, g^{v_1 \sum_{i=1}^{n} z_i} \equiv_p h(m \| \zeta_1 \| v_2 \| u),$$
and, since $u \equiv_p (\prod_{i=1}^{t} u_i)^{\mu} \equiv_p \zeta_1^{\sum_{i=1}^{n} z_i}$ and $\omega^{\mu} \equiv_p \zeta_1^{\sum_{i=1}^{t} k_i}$,
$$\zeta_1^{s} \equiv_p \zeta_1^{\sum_{i=1}^{t} s_i} \equiv_p \zeta_1^{\sum_{i=1}^{t} (\gamma \hat s_i + \beta)} \equiv_p \zeta_1^{t\beta + \gamma \sum_{i=1}^{t} \hat s_i} \equiv_p \zeta_1^{t\beta + \gamma \sum_{i=1}^{t} (\hat m(z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i) + k_i)}$$
$$\equiv_p \zeta_1^{t\beta + \gamma \sum_{i=1}^{t} k_i + \gamma \hat m \sum_{i=1}^{t} (z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i)} \equiv_p \zeta_1^{t\beta + \gamma \sum_{i=1}^{t} k_i + v_1 \sum_{i=1}^{n} z_i} \equiv_p \zeta_1^{t\beta}\, (\zeta_1^{\sum_{i=1}^{t} k_i})^{\gamma}\, (\zeta_1^{\sum_{i=1}^{n} z_i})^{v_1} \equiv_p \zeta_1^{t\beta}\, \omega^{\mu\gamma}\, u^{v_1} \equiv_p v_2\, u^{v_1}. \qquad \square$$

4.2 Security analysis

Let $\nu$ denote the signers' complete views of an execution in the signature generation phase and let $(m, (\zeta_1, Cert_J(h(\zeta_1)), v_1, v_2, s, u))$ denote the message-signature pair generated in that execution. Theorem 3 ensures the blindness of our proposed scheme.

Theorem 3. The threshold signature scheme proposed in Section 3 is blind.

Proof. For proving the blindness of the scheme, we show that given any view $\nu$ and any valid message-signature pair $(m, (\zeta_1, Cert_J(h(\zeta_1)), v_1, v_2, s, u))$, there exists a unique triple of blinding factors $\beta$, $\gamma$ and $\mu$. Since the requester chooses the blinding factors $\beta$ and $\gamma$ randomly and the judge also chooses the blinding factor $\mu$ randomly, the blindness of the signature scheme follows.

Without loss of generality, assume that the signature $(\zeta_1, Cert_J(h(\zeta_1)), v_1, v_2, s, u)$ for the message $m$ has been generated by $t$ signers $U_i$, $1 \le i \le t$, with the view consisting of $\zeta_0$, $k_i$, $\hat r_i \equiv_p g^{k_i}$, $\omega_i \equiv_p \zeta_0^{k_i}$, $\hat s_i \equiv_q \hat m(z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i) + k_i$, $u_i \equiv_p \zeta_0^{\,z_i + \sum_{j=t+1}^{n} f_j(x_i) L_i}$, $1 \le i \le t$, and $\hat m$; then the following equations must hold for $\beta$ and $\gamma$:
$$v_1 \equiv_p h(m \| \zeta_1 \| v_2 \| u) \prod_{i=1}^{t} r_i \equiv_p h(m \| \zeta_1 \| v_2 \| u) \prod_{i=1}^{t} g^{\beta} \hat r_i^{\gamma} \qquad (4)$$
$$\hat m \equiv_q \gamma^{-1} v_1 \qquad (5)$$
$$s \equiv_q \sum_{i=1}^{t} s_i \equiv_q \sum_{i=1}^{t} (\gamma \hat s_i + \beta) \qquad (6)$$
Note that if $t < q$, then $\gcd(t, q) = 1$. Since $\hat m \in Z_q$ and $\hat m \ne 0$, by equations (5) and (6) the unique solution for $\gamma$ and $\beta$ is:
$$\gamma \equiv_q \hat m^{-1} v_1 \qquad (7)$$
$$\beta \equiv_q \Big(s - \gamma \sum_{i=1}^{t} \hat s_i\Big)\, t^{-1} \qquad (8)$$
In the following, we show that the solutions for $\gamma$ and $\beta$ in equations (7) and (8) also satisfy equation (4). Since the signature is valid, $h(m \| \zeta_1 \| v_2 \| u) \equiv_p g^{-s} y^{v_1} v_1$, and therefore
$$h(m \| \zeta_1 \| v_2 \| u) \prod_{i=1}^{t} g^{\beta} \hat r_i^{\gamma} \equiv_p g^{-s}\, y^{v_1}\, v_1\, g^{t\beta} \prod_{i=1}^{t} g^{\gamma k_i} \equiv_p v_1\, g^{-\sum_{i=1}^{t} (\gamma \hat s_i + \beta)}\, g^{v_1 \sum_{i=1}^{n} z_i}\, g^{t\beta}\, g^{\gamma \sum_{i=1}^{t} k_i}$$
$$\equiv_p v_1\, g^{-(\gamma(\hat m(\sum_{i=1}^{t} z_i + \sum_{i=1}^{t} \sum_{j=t+1}^{n} f_j(x_i) L_i) + \sum_{i=1}^{t} k_i) + t\beta)}\, g^{v_1 \sum_{i=1}^{n} z_i}\, g^{t\beta}\, g^{\gamma \sum_{i=1}^{t} k_i} \equiv_p v_1\, g^{-\gamma(\hat m(\sum_{i=1}^{t} z_i + \sum_{i=t+1}^{n} z_i) + \sum_{i=1}^{t} k_i)}\, g^{v_1 \sum_{i=1}^{n} z_i}\, g^{\gamma \sum_{i=1}^{t} k_i}$$
$$\equiv_p v_1\, g^{-\gamma \hat m \sum_{i=1}^{n} z_i}\, g^{v_1 \sum_{i=1}^{n} z_i} \equiv_p v_1.$$

In addition to equations (4), (5) and (6), the following equations must hold for $\mu$:
$$\zeta_1 \equiv_p \zeta_0^{\mu} \qquad (9)$$
$$u \equiv_p \Big(\prod_{i=1}^{t} u_i\Big)^{\mu} \qquad (10)$$
$$v_2 \equiv_p (\zeta_0^{\mu})^{t\beta}\, \omega^{\mu\gamma} \qquad (11)$$
Since $g \equiv_p \alpha^{(p-1)/q}$ and $\alpha$ is a generator of $Z_p^*$, $g$ generates a cyclic subgroup $S_g$ of $Z_p^*$ with $|S_g| = q$, and $\zeta_0, \zeta_1 \in S_g$ with $\zeta_0 \ne 1$ (the judge must choose $\lambda \not\equiv_q 0$), so we can only find a unique solution for $\mu$ modulo $q$ satisfying equation (9). This unique solution also satisfies equations (10) and (11). □

Given the secret information of a group of $\epsilon < t$ members, Lemma 4 ensures that the threshold cryptosystem constructed in the shadow distribution phase will not disclose any extra information about the group secret key $\sum_{i=1}^{n} z_i$.

Lemma 4. Given a group of $\epsilon < t$ members $G = \{p_i \mid p_i \in [1, n],\ 1 \le i \le \epsilon\}$ and the set of shares $\{\sigma_{j,i} \mid 1 \le j \le n,\ i \in G\}$. For any fixed $j$, $1 \le j \le n$, it takes time polynomial in $|p|$ to generate a random set $\{g^{\hat a_{j,k}} \mid 0 \le k \le t-1\}$ satisfying $g^{\sigma_{j,i}} \equiv_p \prod_{k=0}^{t-1} (g^{\hat a_{j,k}})^{x_i^k}$ for $i \in G$.

Proof. In step 3 of the shadow distribution phase, after $U_i$ has received all $\sigma_{j,i}$, he verifies them by checking if $g^{\sigma_{j,i}} \equiv_p \prod_{l=0}^{t-1} (\psi_{j,l})^{x_i^l}$. Therefore
$$g^{\sigma_{j,i}} \equiv_p \prod_{l=0}^{t-1} (g^{a_{j,l}})^{x_i^l} \equiv_p g^{\sum_{l=0}^{t-1} a_{j,l} x_i^l}. \qquad (12)$$
Since $g \equiv_p \alpha^{(p-1)/q}$ and $\alpha$ is a generator of $Z_p^*$, $g$ generates a cyclic subgroup $S_g$ of $Z_p^*$ with $|S_g| = q$. From (12), we have
$$\sigma_{j,i} \equiv_q \sum_{l=0}^{t-1} a_{j,l} x_i^l. \qquad (13)$$
From (13), we know that, given a fixed index $j$, the shares $\sigma_{j,i}$, $i \in G$, use the same variables $\hat a_{j,k}$, $0 \le k \le t-1$, as follows:
$$\sigma_{j,i} \equiv_q \sum_{k=0}^{t-1} \hat a_{j,k} x_i^k. \qquad (14)$$
Given a fixed index $j$, we can get at most $\epsilon$ linear equations with $t$ variables as follows:
$$\sigma_{j,i} \equiv_q \sum_{k=0}^{t-1} \hat a_{j,k} x_i^k \quad (i \in G). \qquad (15)$$
Since the linear equations have at least one solution $\hat a_{j,k} = a_{j,k}$, $0 \le k \le t-1$, we can solve the linear equations (15) and get a random solution $\hat a_{j,k}$, $0 \le k \le t-1$, by assigning random values to all free variables. From (15), it is clear that $g^{\sigma_{j,i}} \equiv_p g^{\sum_{k=0}^{t-1} \hat a_{j,k} x_i^k} \equiv_p \prod_{k=0}^{t-1} (g^{\hat a_{j,k}})^{x_i^k}$. □
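A simulator for the argument of Lemma 4, as an added example in Python (not the paper's code): given $\epsilon < t$ shares $\sigma_{j,i}$ of one signer's polynomial, it builds a random polynomial $\hat a_{j,0}, \dots, \hat a_{j,t-1}$ that satisfies (15) and passes the commitment check of step 3 of the shadow distribution phase, so the coalition's view is equally consistent with every value of $z_j = a_{j,0}$. Instead of choosing the free variables of the echelon form directly, the $t - \epsilon$ missing degrees of freedom are fixed by random values at fresh evaluation points and the resulting square Vandermonde system is solved modulo $q$ by Gauss-Jordan elimination, which produces the same uniform distribution over consistent polynomials. The toy parameters $p = 607$, $q = 101$ and $x_i = i$ are constructed for the example.

```python
# Added example, not the paper's code: the simulator behind Lemma 4 with constructed
# toy parameters (p = 607, q = 101, public x_i = i).
import secrets
from math import prod

P, Q = 607, 101                  # toy primes with q | p-1 (constructed, insecure sizes)
G = pow(3, (P - 1) // Q, P)      # element of order q

def eval_poly(coef, x):
    """f(x) = sum_k coef[k] x^k mod q; coef[0] is the shared secret z_j."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coef)) % Q

def solve_mod_q(A, b):
    """Solve the square system A a = b over Z_q by Gauss-Jordan elimination."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c] % Q)   # A is Vandermonde: a pivot exists
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, Q)
        M[c] = [v * inv % Q for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] % Q:
                M[r] = [(vr - M[r][c] * vc) % Q for vr, vc in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]

def simulate_polynomial(shares, t):
    """shares = {x_i: sigma_{j,i}} held by an epsilon < t coalition.  Returns coefficients
    a_hat[0..t-1] of a uniformly random degree-(t-1) polynomial agreeing with every known
    share: the t - epsilon free degrees of freedom of system (15) are fixed by random
    values at fresh points, after which the square Vandermonde system is solved."""
    if len(shares) >= t:
        raise ValueError("Lemma 4 concerns coalitions of fewer than t members")
    pts, x = dict(shares), 1
    while len(pts) < t:
        if x not in pts:
            pts[x] = secrets.randbelow(Q)
        x += 1
    xs = list(pts)
    return solve_mod_q([[pow(xi, k, Q) for k in range(t)] for xi in xs], [pts[xi] for xi in xs])

def consistent(shares, coef):
    """Step 3 of 3.1 from the coalition's side: g^{sigma_{j,i}} == prod_k (g^{a_k})^{x_i^k}."""
    commits = [pow(G, a, P) for a in coef]                 # the published psi_{j,k}
    return all(pow(G, s, P) == prod(pow(c, pow(x, k, Q), P) for k, c in enumerate(commits)) % P
               for x, s in shares.items())
```

For a real polynomial with $t = 4$ and three shares, `simulate_polynomial` returns a different constant term $\hat a_{j,0}$ on almost every call while `consistent` accepts each result, which is exactly why the coalition learns nothing about $z_j$; with $t$ shares the system is square and the simulator refuses, matching the threshold.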

In our fair blind threshold signature scheme, the partial signature $(s_i, r_i, u_i)$ must satisfy the equations

$g^{-s_i} y_i^{v_1} r_i \equiv_p g^{-s_i} g^{z_i v_1} r_i \equiv_p \Big(\prod_{j=t+1}^{n} {}_{j,i}\Big)^{\big(\prod_{k=1,\,k \ne i}^{t} \frac{-x_k}{x_i - x_k}\big)(-v_1)}$

and

$g^{u_i} \equiv_p \Big({}_{i,0}\Big(\prod_{j=t+1}^{n} {}_{j,i}\Big)^{\prod_{k=1,\,k \ne i}^{t} \frac{-x_k}{x_i - x_k}}\Big)^{{}_0}.$

Since $v_1$, ${}_{j,i}$, $x_k$, $r_i$, $y_i$ and $s_i$ are all public, an attacker has to solve the discrete logarithm problem in order to obtain the secret value $z_i$.

With all partial signatures and the corresponding threshold signature, an attacker is still not able to derive the secret keys, since it has to solve the equation

$v_1 g^{-s} y^{v_1} \equiv_p h(m \,\|\, {}_1 \,\|\, v_2 \,\|\, u)\Big(\prod_{i=1}^{n} r_i\Big) g^{-(\sum_{i=1}^{n} s_i)} \Big(\prod_{i=1}^{n} g^{z_i}\Big)^{v_1},$

and solving this equation again requires solving the discrete logarithm problem.

Since the requester's three secret values are known only to the requester and all signatures are equally likely from the signer's point of view, it is computationally infeasible for the signer to derive the link between the view, consisting of

${}_0,\ k_i,\ \hat{r}_i \equiv_p g^{k_i},\ ?_i \equiv_p k_i\,{}_0,\ \hat{s}_i \equiv_q \hat{m}\Big(z_i + \sum_{j=t+1}^{n} f_j(x_i)\Big(\prod_{k=1,\,k \ne i}^{t} \frac{-x_k}{x_i - x_k}\Big)\Big) + k_i,\ u_i \equiv_p \Big(z_i + \sum_{j=t+1}^{n} f_j(x_i)\Big(\prod_{k=1,\,k \ne i}^{t} \frac{-x_k}{x_i - x_k}\Big)\Big)\,{}_0,\quad 1 \le i \le t,$

and $\hat{m}$, and the signature $({}_1 \equiv_p {}_0^{},\ Cert_J(h({}_1)),\ v_1,\ v_2,\ s,\ u)$ for the message $m$ submitted by a requester for verification later.

4.3 Linkage recovery

Since blind threshold signature schemes without the fairness property provide perfect unlinkability, such e-cash schemes can be misused by criminals, e.g. to safely obtain a ransom or to launder money. For example, a criminal can safely obtain a ransom by joining a blind threshold signature scheme where the request is sent via untraceable mail (e.g. ordinary mail or untraceable e-mail [24, 25]) and the signers put the blind threshold signature on a public board. The criminal can then easily obtain the blind threshold signature from the public board and derive the corresponding e-coins. To cope with this dilemma, in our proposed scheme, any one of the $t$ signers can first send all pseudonyms $({}_0,\ Cert_J(h({}_0)))$ requested by the criminal to the judge, and the judge then sends all the corresponding pseudonyms $(\ ,\ {}_0,\ {}_1,\ Cert_J(h({}_0)),\ Cert_J(h({}_1)))$ back to the signer. The signer can verify the validity of the corresponding pseudonyms by checking that ${}_1$ is obtained from ${}_0$ with the value returned by the judge and that both $Cert_J(h({}_0))$ and $Cert_J(h({}_1))$ are valid. When the criminal withdraws these e-coins from the signer, the signer can easily identify the criminal by linking the message-signature pair $(m,\ ({}_1,\ Cert_J(h({}_1)),\ v_1,\ v_2,\ s,\ u))$ with the corresponding signer's view

${}_0,\ k_i,\ \hat{r}_i \equiv_p g^{k_i},\ ?_i \equiv_p k_i\,{}_0,\ \hat{s}_i \equiv_q \hat{m}\Big(z_i + \sum_{j=t+1}^{n} f_j(x_i)\Big(\prod_{k=1,\,k \ne i}^{t} \frac{-x_k}{x_i - x_k}\Big)\Big) + k_i,\ u_i \equiv_p \Big(z_i + \sum_{j=t+1}^{n} f_j(x_i)\Big(\prod_{k=1,\,k \ne i}^{t} \frac{-x_k}{x_i - x_k}\Big)\Big)\,{}_0$

and $\hat{m}$. If the judge is honest, all crimes that misuse the unlinkability property of blind threshold signatures will be prevented, and the anonymity of honest customers will also be preserved.

5 Discussions

5.1 Performance Considerations

In this subsection we analyse the computational effort required to compute fair blind threshold signatures in our scheme. Let Scheme 1 denote the fair blind threshold signature scheme in Section 3.3.1 and Scheme 1' denote the corresponding underlying blind signature scheme. Table 1 compares the cost of the fair blind threshold signature scheme with that of the underlying fair blind signature scheme.

Table 1: Cost of the signature generation phase in the fair blind threshold signature scheme (Scheme 1) and that in the underlying fair blind signature scheme (Scheme 1').

              The requester              The signer or U_i
              EXP  INV  MUL    ADD       EXP  INV  MUL    ADD
  Scheme 1     5    1   3t+6    t         3    0   n-1    n-t+1
  Scheme 1'    5    1    5      1         3    0    1      1

where EXP = the number of modular exponentiations, INV = the number of modular inversions (divisions), MUL = the number of modular multiplications, ADD = the number of modular additions.

Compared with the underlying blind signature scheme, the extra cost for signing a blind threshold signature is to compute $z_i + \sum_{j=t+1}^{n} f_j(x_i)\Big(\prod_{k=1,\,k \ne i}^{t} \frac{-x_k}{x_i - x_k}\Big)$ in Step 3, which takes $n-2$ modular multiplications and $n-t$ modular additions. To reduce the computational cost of the requester, the partial signature verification in Step 3 and Step 5 can be skipped unless the final threshold signature fails the verification equation in the signature verification phase. In this approach, the requester only needs to compute 5 modular exponentiations and 1 modular inverse in Step 2 of the signature generation phase, which is the same as in the underlying fair blind signature scheme. Since the blind threshold verification functions of our schemes are the same as those of the underlying blind signature schemes, the verification cost of our blind threshold signature is the same as that of the underlying blind signature. Compared with the underlying fair blind signature scheme, the extra cost for requesting a fair blind threshold signature in our scheme is to compute $\prod_{i=1}^{t} ?_i$, $t\,{}$, $\prod_{i=1}^{t} \hat{r}_i$, $\prod_{i=1}^{t} u_i$ and $\sum_{i=1}^{t} \hat{s}_i$ in the equation $s \equiv_q \sum_{i=1}^{t} s_i \equiv_q \sum_{i=1}^{t} (\hat{s}_i + {}) \equiv_q t\,{} + \sum_{i=1}^{t} \hat{s}_i$, which takes $3t+1$ modular multiplications and $t-1$ modular additions.

5.2 Message Recovery

Our protocol does not provide the message recovery capability. Since our proposed blind threshold signature scheme is based on the blind signature scheme with message recovery in [2], we can slightly modify the proposed scheme so that the modified scheme provides message recovery. The verification process of the modified scheme is as follows:

1. Check if ${}_1^{\,s} \equiv_p v_2 u^{v_1}$.

2. Compute $m \equiv_p g^{-s} y^{v_1} v_1$ and check if $m$ has the proper redundancy information.

But the modified scheme fails to achieve the fairness property, as explained below. Let $({}_0, {}_1)$ and $({}'_0, {}'_1)$ be two pairs of pseudonyms and let $({}_1,\ Cert_J(h({}_1)),\ v_1,\ v_2,\ s,\ u)$ be the signature generated with the pseudonym $({}_0, {}_1)$ on the message $m$. The signature is valid if $m \equiv_p g^{-s} y^{v_1} v_1$, $m$ has the proper redundancy information and ${}_1^{\,s} \equiv_p v_2 u^{v_1}$ holds. From this signature, we can compute the signature $({}'_1,\ Cert_J(h({}'_1)),\ v_1,\ v'_2,\ s,\ u)$ by computing $v'_2 \equiv_p ({}'_1)^{s} u^{-v_1}$. This is a valid signature on $m$ since $m \equiv_p g^{-s} y^{v_1} v_1$ and $({}'_1)^{s} \equiv_p v'_2 u^{v_1}$ hold. However, if the requester never used ${}'_1$, this signature can no longer be linked to any run of the signature generation protocol. Therefore, the modified scheme does not enjoy the fairness property. It is still an open problem whether there exists a fair blind signature scheme with message recovery using the registration method.

6 Conclusion

We have proposed an efficient fair blind threshold signature scheme based on discrete logarithm. In our scheme, the size of a fair threshold signature is the same as that of an individual fair signature, and the signature verification process is simplified by means of a group public key. The security of our scheme relies on the hardness of computing discrete logarithms, and it is computationally infeasible for the signers to derive the exact correspondence between the message they actually sign and all signers' complete views of the execution of the signing process without the assistance of the judge or the requester. Our proposed scheme can be easily applied to current efficient single-authority e-cash schemes to distribute the power of a single authority without changing the underlying structure or degrading the overall performance.

References

[1] Chaum, D. Blind signatures for untraceable payments, Proc. of Crypto'82, Plenum, NY (1983) 99-203.

[2] Camenisch, J. L., Piveteau, J. M. and Stadler, M. A. Blind signatures based on the discrete logarithm problem, Proc. of EuroCrypt'94, LNCS 950, Springer-Verlag (1995) 428-432.

[3] Fan, C. and Lei, C. User efficient blind signatures, IEE Electronics Letters, 34(6) (1998) 544-546.

[4] Horster, P., Michels, M. and Petersen, H. Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications, Proc. of AsiaCrypt'94, LNCS 917, Springer-Verlag (1994) 224-237.

[5] Chaum, D. Privacy protected payments: unconditional payer and/or payee untraceability, in Smartcard 2000, North Holland (1988).

[6] Ferguson, N. Single term off-line coins, Proc. of EuroCrypt'93, LNCS 765, Springer-Verlag (1993) 318-328.

[7] Okamoto, T. and Ohta, K. Universal electronic cash, Proc. of Crypto'91, LNCS 576, Springer-Verlag (1992) 324-337.

[8] Fujioka, A., Okamoto, T. and Ohta, K. A practical secret voting scheme for large scale elections, Proc. of AusCrypt'92, LNCS 718, Springer-Verlag (1992) 244-251.

[9] Juang, W. and Lei, C. A collision free secret ballot protocol for computerized general elections, Computers & Security, 15(4) (1996) 339-348.

[10] Juang, W. and Lei, C. A secure and practical electronic voting scheme for real world environments, IEICE Trans. on Fundamentals, E80-A(1) (January 1997) 64-71.

[11] Rivest, R. L., Shamir, A. and Adleman, L. A method for obtaining digital signatures and public key cryptosystems, Comm. of ACM, 21(2) (1978) 120-126.

[12] ElGamal, T. A public key cryptosystem and a signature scheme based on discrete logarithm, IEEE Trans. on Information Theory, IT-31(4) (1985) 469-472.

[13] Gennaro, R., Jarecki, S., Krawczyk, H. and Rabin, T. Robust threshold DSS signatures, Proc. of EuroCrypt'96, LNCS 1070, Springer-Verlag (1996) 354-371.

[14] Harn, L. Group-oriented (t, n) threshold digital signature scheme and digital multisignature, IEE Proc. Comput. Digit. Tech., 141(5) (1994) 307-313.

[15] Juang, W. and Lei, C. Blind threshold signatures based on discrete logarithm, Proc. of Second Asian Computing Science Conference on Programming, Concurrency and Parallelism, Networking and Security, LNCS 1179, Springer-Verlag (1996) 172-181.

[16] Solms, S. and Naccache, D. On blind signatures and perfect crime, Computers & Security, 11 (1992) 581-583.

[17] Stadler, M., Piveteau, J. and Camenisch, J. Fair blind signatures, Proc. of EuroCrypt'95, LNCS 921, Springer-Verlag (1995) 209-219.

[18] Okamoto, T. A digital multisignature scheme using bijective public-key cryptosystems, ACM Trans. Computer Systems, 6(8) (1988) 432-441.

[19] NIST FIPS PUB 180, Secure hash standard, National Institute of Standards and Technology, U.S. Department of Commerce, DRAFT (1993).

[20] Pohlig, S. and Hellman, M. E. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. on Information Theory, IT-24 (1978) 106-110.

[21] Rivest, R. L. The MD5 message-digest algorithm, RFC 1321, Internet Activities Board, Internet Privacy Task Force (1992).

[22] Nyberg, K. and Rueppel, R. A. Message recovery for signature schemes based on the discrete logarithm problem, Advances in Cryptology: Proc. of EuroCrypt'94, LNCS 950, Springer-Verlag (1995) 182-193.

[23] Stallings, W. Network and internetwork security, Prentice Hall International (1995).

[24] Chaum, D. Untraceable electronic mail, return addresses, and digital pseudonyms, Comm. of ACM, 24(2) (1981) 84-88.

[25] Juang, W., Lei, C. and Fan, C. Anonymous channel and authentication in wireless communications, to appear in Computer Communications.
