The Design of Secure Digital Blind Signature Schemes and Their Applications

Academic year: 2021


National Chiao Tung University
Department of Computer Science and Information Engineering
Doctoral Dissertation

The Design of Secure Digital Blind Signature Schemes and Their Applications

Student: Lin-Chuan Wu
Advisor: Yi-Shiung Yeh

The Design of Secure Digital Blind Signature Schemes and Their Applications

Student: Lin-Chuan Wu    Advisor: Yi-Shiung Yeh

Ph.D. Program, Department of Computer Science and Information Engineering, National Chiao Tung University

Abstract (translated from the Chinese original)

In recent years the rapid growth of Internet applications has made electronic transaction services such as online shopping and online bidding increasingly common. Most of these services currently authenticate users with an ID-password mechanism, which does not provide non-repudiation. Digital signature schemes built on a public key infrastructure (PKI) achieve non-repudiation for transactions and form a stable foundation for electronic commerce applications and services. In applications such as electronic cash or electronic voting, however, the user's additional requirement of anonymity must also be met in order to protect user privacy. Digital blind signature schemes are designed to solve this problem: they give users untraceability, meaning that it is computationally infeasible for the signer to later identify who holds a signature it issued; in other words, tracing the holder of a given signature is computationally infeasible.

The main contribution of this dissertation is a fail-stop blind signature scheme, which addresses the weakness of conventional blind signature schemes that a forger with unlimited computing power can always succeed in forging a signature. The security properties a fail-stop blind signature scheme must satisfy are defined, and the proposed scheme is proved secure. The dissertation also proposes improvements in security and efficiency to existing blind signature schemes based on integer factorization, quadratic residues and discrete logarithms, and examines security issues of proxy blind signature schemes such as unforgeability and untraceability. Finally, an electronic cash system built on the fail-stop blind signature scheme and an electronic ticket protocol with information hiding and untraceability are presented, with the aim of providing a theoretical basis and application services for more secure electronic transaction systems.

Keywords: untraceability, fail-stop blind signature scheme, blind signature scheme, cryptography, information security

The Design of Secure Digital Blind

Signature Schemes and Their Applications

Student: Lin-Chuan Wu Advisor: Yi-Shiung Yeh

Institute of Computer Science and Information Engineering

National Chiao Tung University

Abstract

Internet applications have developed rapidly in recent years, so that electronic transaction services such as purchasing and bidding on the Internet have become popular. Authentication is mainly done with an ID-Password mechanism, which cannot achieve the non-repudiation property. Digital signature schemes based on a PKI, by contrast, do achieve non-repudiation in electronic transactions and can serve as a sound basis for electronic commerce services and applications. However, in electronic cash or electronic ticket applications, the

privacy. Thus, the digital blind signature scheme is proposed for this purpose. Untraceability is an essential property of a digital blind signature scheme: it makes it computationally infeasible for the signer to identify which signature is owned by whom. In other words, it is computationally infeasible for the signer to trace a signature.

In this dissertation, a fail-stop blind signature scheme is proposed to solve the problem that a forger with more powerful computational capability can always forge a signature successfully. A secure fail-stop blind signature scheme is also defined, and the proposed signature scheme is proved secure.

Some improved digital blind signature schemes, in security and efficiency, based on the integer factorization, quadratic residue and discrete logarithm cryptosystems are also presented in this dissertation. Furthermore, the unforgeability and untraceability properties of proxy blind signature schemes are discussed. Finally, an electronic cash system based on the fail-stop blind signature scheme and an electronic ticket protocol with information hiding are proposed. They can be established for more secure

Keywords: Untraceability, Fail-stop Blind Signature Scheme, Blind Signature

Contents

CHAPTER 1 INTRODUCTION
1.1 MOTIVATIONS
1.2 RESEARCH OBJECTIVES AND CONTRIBUTIONS

CHAPTER 2 DIGITAL SIGNATURE SCHEMES
2.1 RIVEST-SHAMIR-ADLEMAN SIGNATURE SCHEME
2.2 ELGAMAL SIGNATURE SCHEME
2.3 RABIN SIGNATURE SCHEME
2.4 CHAUM BLIND SIGNATURE SCHEME
2.5 SUSILO-SAFAVI-PIEPRZYK FAIL-STOP SIGNATURE SCHEME
2.6 MAMBO-USUDA-OKAMOTO PROXY SIGNATURE SCHEME

CHAPTER 3 ANALYSIS OF SOME BLIND SIGNATURE SCHEMES
3.1 CRYPTANALYSIS ON A NEW RABIN-LIKE BLIND SIGNATURE SCHEME
3.1.1 Chen et al.'s Blind Signature Scheme
3.1.2 Cryptanalysis on Chen et al.'s Scheme
3.2 RSA-BASED PARTIALLY BLIND SIGNATURE SCHEME
3.2.1 Chien et al.'s Scheme
3.2.2 Hwang et al.'s Traceability Attack
3.2.3 Analysis of Hwang et al.'s Attack
3.3 UNTRACEABLE ELGAMAL BLIND SIGNATURE SCHEME
3.3.1 Camenisch et al.'s Scheme
3.3.2 Lee et al.'s Traceability Attack
3.3.3 Analysis of Lee et al.'s Attack
3.4.1 The Proxy Blind Signature Schemes
3.4.1.1 Tan et al.'s proxy blind signature schemes
3.4.1.2 Lal and Awasthi's proxy blind signature scheme
3.4.2 Sun et al.'s Traceability Attack
3.4.2.1 Sun et al.'s attack on Tan et al.'s schemes
3.4.2.2 Sun et al.'s attack on Lal-Awasthi's scheme
3.4.3 Analysis of Sun et al.'s Attack
3.4.3.1 Analysis of Sun et al.'s attack on Tan et al.'s schemes
3.4.3.2 Analysis of Sun et al.'s attack on Lal-Awasthi's scheme

CHAPTER 4 THE PROPOSED DIGITAL BLIND SIGNATURE SCHEMES
4.1 A FAIL-STOP BLIND SIGNATURE SCHEME
4.1.1 The Proposed Blind Signature Scheme
4.1.2 Security Analysis
4.2 THE ENHANCED GENERIC BLIND SIGNATURE SCHEME
4.3 THE ENHANCED BLIND SIGNATURE SCHEME BASED ON THE ELLIPTIC CURVE CRYPTOSYSTEM
4.3.1 Yeh-Chang's Blind Signature Scheme
4.3.2 The Enhanced Signature Scheme
4.3.3 Security Analysis
4.3.4 Performance Comparison

CHAPTER 5 APPLICATIONS OF SOME BLIND SIGNATURE SCHEMES
5.1 THE UNTRACEABLE FAIL-STOP ELECTRONIC CASH SCHEME
5.1.1 Chaum's Untraceable Electronic Cash Scheme
5.1.2 The Proposed Electronic Cash Scheme
5.2 AN UNTRACEABLE ELECTRONIC TICKET SCHEME FOR INFORMATION HIDING
5.2.1 The Proposed Electronic Ticket Scheme
5.2.2 Security Analysis

CHAPTER 6 CONCLUSIONS

List of Figures

FIGURE 2.1 BLOCK DIAGRAM OF RSA SIGNATURE SCHEME
FIGURE 2.2 PROTOCOL DIAGRAM OF RSA SIGNATURE SCHEME
FIGURE 2.3 BLOCK DIAGRAM OF ELGAMAL SIGNATURE SCHEME
FIGURE 2.4 PROTOCOL DIAGRAM OF ELGAMAL SIGNATURE SCHEME
FIGURE 2.5 BLOCK DIAGRAM OF RABIN SCHEME
FIGURE 2.6 PROTOCOL DIAGRAM OF RABIN SCHEME
FIGURE 2.7 PROTOCOL DIAGRAM OF CHAUM SIGNATURE SCHEME
FIGURE 2.8 PROTOCOL DIAGRAM OF PARTIAL DELEGATION PROXY SIGNATURE SCHEME

List of Tables

TABLE 4.1 THE COMPARISON OF REQUIRED STORAGE REQUIREMENTS

Chapter 1 Introduction

1.1 Motivations

Internet applications have developed rapidly, so that electronic transaction services such as purchasing and bidding on the Internet have become more popular. These applications mainly use the ID-Password mechanism for authentication, but this mechanism cannot achieve the non-repudiation property. To protect users against malicious parties, more advanced techniques are required to enhance the security of electronic transaction services. A digital signature scheme based on a Public Key Infrastructure (PKI) achieves the non-repudiation property, and it is also the key component of electronic commerce services and applications.

Although a digital signature scheme can achieve the non-repudiation property, it cannot provide privacy for the users. In some applications, such as electronic cash or electronic ticket systems, the anonymity property is very important and must be satisfied. Thus, the digital blind signature scheme is proposed to ensure unforgeability for the signer and achieve

signer cannot computationally identify which signature is owned by whom. Hence, it is computationally infeasible for the signer to trace a signature.

However, traditional digital blind signature schemes cannot protect the signer against a forger with more powerful computational capability who forges a signature. This means that there is no mechanism to protect the signer against a forged signature that has passed signature verification: a signed message that passes signature verification is assumed to have been generated by the owner of the private key. Thus, a fail-stop blind signature scheme is proposed in this dissertation to solve this problem.

Recently, a number of mistaken claims about digital blind signature schemes and proxy blind signature schemes have been published, asserting that some blind signature schemes cannot satisfy the untraceability property. These claims are incorrect, and they will be analyzed and corrected.

In this dissertation, a secure fail-stop blind signature scheme based on integer factorization is defined, proposed and proved. It can be applied in more critical systems, such as electronic payment systems, which need higher security against a more powerful forger while preserving the users' privacy. Furthermore, some mistaken claims about digital blind signature schemes are discussed and corrected in detail. The untraceability property of proxy blind signature schemes is also analyzed in this dissertation. Finally, some more secure electronic

Chapter 2 Digital Signature Schemes

An ordinary handwritten signature specifies the responsibility of a person and achieves the non-repudiation property. A digital signature scheme is a method of signing a message in electronic form that provides an analogue of the handwritten signature. Since any digital information, including a digital signature, can be copied easily, a digital signature cannot simply be a digitized version of a handwritten signature. To overcome this problem, digital signature schemes are designed using mathematical functions and interactive protocols. The following sections describe various digital signature schemes in detail.

2.1 Rivest-Shamir-Adleman Signature Scheme

The concept of the digital signature scheme was introduced by Diffie and Hellman [12] in 1976. Generally, a digital signature scheme has a signing algorithm and a verification algorithm. The fundamental idea is that everyone has a pair of keys: a signing/private key and a

the signing algorithm, and the verification key is used to verify the correctness of the signature with the public verification algorithm. In particular, the verification key can be published, while the signing key must be kept secret.

In 1978, Rivest, Shamir and Adleman [43] proposed the first digital signature scheme based on the integer factorization problem. The signer and the requester are the two kinds of participants in the RSA signature scheme, which has four phases: (1) initialization, (2) requesting, (3) signing and (4) verification. Initially, the signer publishes the necessary information for the participants. In the requesting phase, the requester sends the message to the signer. The signer signs that message in the signing phase. Finally, anyone can verify the correctness of the signature using the message-signature pair in the verification phase. Figure 2.1 shows the block diagram of the RSA signature scheme for signing and verification. The detailed signature scheme is described as follows.

(1) Initialization: The signer randomly selects two large primes p and q, and calculates n = pq and φ(n) = (p−1)·(q−1). Next, the signer selects a large random number 1 < d < φ(n) such that e·d ≡ 1 (mod φ(n)). Thus, d is the private key of the signer and e is the public key.

(2) Requesting: The requester prepares the message m and sends it to the signer.

(3) Signing: The signer calculates the signature s = m^d mod n on the message m and sends s to the requester.

(4) Verification: Anyone can verify the correctness of the signature s received from the requester by checking whether s^e ≡ m (mod n), because e is public.

The protocol diagram of the RSA signature scheme is illustrated in Figure 2.2.

[Figure 2.2: Signer holds primes p, q with n = pq, φ(n) = (p−1)(q−1), public key e with GCD(e, φ(n)) = 1 and private key d with ed ≡ 1 (mod φ(n)). The requester sends the message m; the signer returns s = m^d (mod n); the verifier checks m 1 s^e (mod n).]

Figure 2.2 Protocol diagram of RSA signature scheme

In the plain RSA signature scheme anyone can forge a signature by a multiplication attack, since the product of two valid signatures is a valid signature on the product of the two messages. To prevent this attack, a hash function can be applied to the message within the signature scheme.

2.2 ElGamal Signature Scheme

ElGamal [13] presented another digital signature scheme in 1985. The security of the ElGamal scheme is based on the difficulty of computing discrete logarithms. There are many valid signatures for any given message in the ElGamal scheme, and any of these valid signatures is authentic

non-deterministic signature scheme. The major shortcoming of the ElGamal scheme is that the signature is twice the length of the message. The block diagram of the ElGamal signature scheme for signing and verification is shown in Figure 2.3.

Figure 2.3 Block diagram of ElGamal signature scheme

The four phases of the ElGamal scheme are described in the following.

(1) Initialization: The signer randomly chooses a prime number p such that the discrete logarithm problem in Z_p is intractable. Let g ∈ Z_p^* be a primitive root and x be the private key of the signer. The public key of the signer is defined by y = g^x mod p.

(2) Requesting: The requester sends the message m to the signer.

(3) Signing: The signer selects a random number k. Then s/he computes r = g^k mod p and s = k^{-1}(m − xr) mod (p−1). The pair (r, s) is the signature on the message m.

(4) Verification: Anyone can verify the correctness of the signature (r, s)

Figure 2.4 illustrates the protocol diagram of the ElGamal signature scheme.

[Figure 2.4: Signer holds prime p, generator g of Z_p^*, private key x ∈ Z_p and public key y = g^x (mod p). The requester sends the message m ∈ Z_p; the signer picks a random k ∈ Z_p and returns r = g^k (mod p), s = k^{-1}(m − rx) (mod p−1); the verifier checks g^m ≡ y^r r^s (mod p).]

Figure 2.4 Protocol diagram of ElGamal signature scheme
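The signing and verification steps of Section 2.2, as an added Python example that is not part of the dissertation; the toy safe prime P = 10007 with generator G = 5, the use of SHA-256 to map the message into Z_{p−1} (the text signs m directly), and the demo messages are assumptions. It also exhibits the non-deterministic property described above: repeated signings of one message give different (r, s) pairs, all of which verify.

```python
from hashlib import sha256
from math import gcd
from secrets import randbelow

# Constructed toy group (not from the dissertation): P = 2*5003 + 1 is a safe
# prime and 5 is a primitive root of Z_P^*; a real deployment uses a P of
# 2048 bits or more.
P = 10007
G = 5
assert pow(G, 2, P) != 1 and pow(G, (P - 1) // 2, P) != 1   # G generates Z_P^*


def H(m: bytes) -> int:
    """Hash the message into Z_{P-1}. The dissertation signs m directly, which is
    only meaningful for short fixed-length messages, so a hash is assumed here."""
    return int.from_bytes(sha256(m).digest(), "big") % (P - 1)


def keygen():
    """Step (1): private key x, public key y = g^x mod p."""
    x = 1 + randbelow(P - 2)
    return x, pow(G, x, P)


def sign(m: bytes, x: int):
    """Step (3): r = g^k mod p, s = k^-1 (H(m) - x r) mod (p-1), with k a fresh
    random number coprime to p-1 (otherwise k has no inverse)."""
    while True:
        k = 1 + randbelow(P - 2)
        if gcd(k, P - 1) == 1:
            break
    r = pow(G, k, P)
    s = (pow(k, -1, P - 1) * (H(m) - x * r)) % (P - 1)
    if s == 0:                      # degenerate signature; pick another k
        return sign(m, x)
    return r, s


def verify(m: bytes, sig, y: int) -> bool:
    """Step (4): accept iff 0 < r < p, 0 < s < p-1 and y^r r^s ≡ g^H(m) (mod p).
    Correctness: y^r r^s = g^(x r + k s) and k s ≡ H(m) - x r (mod p-1)."""
    r, s = sig
    if not (0 < r < P) or not (0 < s < P - 1):
        return False
    return (pow(y, r, P) * pow(r, s, P)) % P == pow(G, H(m), P)


def demo():
    """Returns (all signatures valid, signatures differ, tampered signature rejected)."""
    x, y = keygen()
    m = b"constructed message"
    sigs = {sign(m, x) for _ in range(5)}          # same message, fresh k each time
    r, s = next(iter(sigs))
    tampered = (r, (s + 1) % (P - 1))
    return (all(verify(m, sig, y) for sig in sigs),
            len(sigs) > 1,
            verify(m, tampered, y))
```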

2.3 Rabin Signature Scheme

In 1979, Rabin [40] proposed a signature scheme based on the quadratic residue problem. The security of the Rabin scheme is based on the difficulty of computing square roots modulo a composite number. The Rabin scheme is computationally secure against chosen-plaintext attack. Figure 2.5 shows the block diagram of the Rabin signature scheme for signing and

Figure 2.5 Block diagram of Rabin scheme

(1) Initialization: The signer selects two random prime numbers p and q, where p ≡ 3 (mod 4) and q ≡ 3 (mod 4). Then s/he calculates n = p·q and φ(n) = (p−1)·(q−1). Thus, p and q are the private key and n is the public key.

(2) Requesting: The requester prepares the message m and sends it to the signer.

(3) Signing: The signature is a square root of the message m. Thus, the signer calculates the signature s = m^{1/2} mod n and sends s to the requester.

(4) Verification: Anyone can verify the signature s by checking whether s² ≡ m (mod n) holds.

The protocol diagram of the Rabin signature scheme is illustrated in detail in Figure 2.6.

[Figure 2.6: Signer holds primes p ≡ 3 (mod 4) and q ≡ 3 (mod 4), n = pq, φ(n) = (p−1)(q−1). The requester sends the message m; the signer returns s = m^{1/2} (mod n); the verifier checks m ≡ s² (mod n).]

Figure 2.6 Protocol diagram of Rabin scheme

2.4 Chaum Blind Signature Scheme

Chaum [8] presented the first blind signature scheme, based on the RSA digital signature scheme, in 1982. A blind signature scheme allows a requester to obtain a message signed by the signer without revealing the message. Therefore, the signer cannot later link or trace any message-signature pair in practice. Blind signature schemes can be used in electronic payment systems or electronic voting systems to preserve the participants' anonymity. The detailed scheme is described in the following.

(1) Initialization: The signer selects two large primes p and q randomly, and computes n = pq and φ(n) = (p−1)(q−1). Then, the signer selects two random numbers e and d such that ed ≡ 1 (mod φ(n)), where 1 < e < φ(n) and 1 < d < φ(n). Finally, the signer publishes (e, n) as his public key together with a one-way hash function H, such as SHA-1.

(2) Blinding and requesting: The requester selects a random number r as the blinding factor, where r ∈ Z_n^*. Then, the requester sends the blinded message m~ = r^e H(m) mod n to the signer.

(3) Signing: After the signer receives the blinded message m~, s/he calculates s~ = m~^d mod n and sends it to the requester.

(4) Unblinding: The requester computes the signature s = r^{-1} s~ mod n from the blinded signature s~.

(5) Verification: Anyone can easily verify the message-signature pair (m, s) by checking that s^e ≡ H(m) (mod n) holds.

Because of the blinding factor r, the signer can recognize neither which messages were actually signed nor which blind signatures were actually generated. Therefore, the Chaum blind signature scheme achieves the unlinkability/untraceability property.

Figure 2.7 illustrates the protocol diagram of the Chaum blind signature scheme.

[Figure 2.7: Signer holds primes p, q, n = pq, φ(n) = (p−1)(q−1), public key e with GCD(e, φ(n)) = 1 and private key d with ed ≡ 1 (mod φ(n)). The requester picks a random r and sends m~ = r^e m (mod n); the signer returns s~ = m~^d (mod n); the requester unblinds s = r^{-1} s~ = m^d (mod n); the verifier checks m ≡ s^e (mod n).]

Figure 2.7 Protocol diagram of Chaum signature scheme
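The RSA signing and verification of Section 2.1, the multiplication attack mentioned there, and the blind signature protocol of Section 2.4, as one added Python example that is not the dissertation's code; the toy key (Mersenne primes 2^61−1 and 2^89−1, e = 65537), the use of SHA-256 for H, and the linkability check in consistent_pairings are assumptions. The last function shows concretely why the signer cannot trace signatures: every transcript (m~, s~) the signer saw is consistent with every (m, s) published later.

```python
from hashlib import sha256
from math import gcd
from secrets import randbelow

# Constructed toy RSA key (not from the dissertation). 2^61-1 and 2^89-1 are
# Mersenne primes; a real deployment uses primes of at least 1024 bits each.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent, gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # private exponent, E*D ≡ 1 (mod PHI)


def H(m: bytes) -> int:
    """One-way hash mapped into Z_n (the text names SHA-1; SHA-256 is assumed here)."""
    return int.from_bytes(sha256(m).digest(), "big") % N


# --- Section 2.1: RSA signature ------------------------------------------------
def rsa_sign(m: int, d: int = D, n: int = N) -> int:
    return pow(m, d, n)                       # step (3): s = m^d mod n


def rsa_verify(m: int, s: int, e: int = E, n: int = N) -> bool:
    return pow(s, e, n) == m % n              # step (4): s^e ≡ m (mod n)


def multiplicative_forgery(m1, s1, m2, s2, n: int = N):
    """The multiplication attack of Section 2.1: plain RSA is multiplicative, so
    s1*s2 is a valid signature on m1*m2 mod n although that message was never
    signed. Signing H(m) instead of m destroys this relation."""
    return (m1 * m2) % n, (s1 * s2) % n


# --- Section 2.4: Chaum blind signature ---------------------------------------
def blind(m: bytes, e: int = E, n: int = N):
    """Step (2): choose a blinding factor r in Z_n^* and form m~ = r^e H(m) mod n."""
    while True:
        r = 2 + randbelow(n - 2)
        if gcd(r, n) == 1:
            break
    return (pow(r, e, n) * H(m)) % n, r


def sign_blind(m_blind: int, d: int = D, n: int = N) -> int:
    return pow(m_blind, d, n)                 # step (3): s~ = m~^d mod n


def unblind(s_blind: int, r: int, n: int = N) -> int:
    return (pow(r, -1, n) * s_blind) % n      # step (4): s = r^-1 s~ mod n


def chaum_verify(m: bytes, s: int, e: int = E, n: int = N) -> bool:
    return pow(s, e, n) == H(m)               # step (5): s^e ≡ H(m) (mod n)


def issue(m: bytes):
    """Run the protocol once; return the signer's view (m~, s~) and the result (m, s)."""
    m_blind, r = blind(m)
    s_blind = sign_blind(m_blind)
    return (m_blind, s_blind), (m, unblind(s_blind, r))


def consistent_pairings(views, results, e: int = E, n: int = N) -> int:
    """Untraceability check: for any transcript (m~, s~) and any published (m, s),
    r' = s~ * s^-1 mod n satisfies m~ = r'^e H(m), so every transcript is equally
    consistent with every signature and the signer cannot single out the right
    pairing. Returns how many (view, result) pairs pass the check."""
    count = 0
    for m_blind, s_blind in views:
        for m, s in results:
            r_guess = (s_blind * pow(s, -1, n)) % n
            if (pow(r_guess, e, n) * H(m)) % n == m_blind:
                count += 1
    return count


def demo():
    """Issue three blind signatures; return (all verify, number of consistent pairings)."""
    views, results = zip(*(issue(m) for m in (b"coin #1", b"coin #2", b"coin #3")))
    return all(chaum_verify(m, s) for m, s in results), consistent_pairings(views, results)
```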

2.5 Susilo-Safavi-Pieprzyk Fail-stop Signature Scheme

Traditional digital signature schemes cannot protect the signer against a forger with more powerful computational capability who forges a signature. This means that there is no mechanism to protect the signer against a forged signature that has passed signature verification: a signed message that passes signature verification is assumed to have been generated by the owner of the private key.

To overcome this kind of attack, Waidner and Pfitzmann [50, 38] proposed the first fail-stop signature scheme. A fail-stop signature scheme protects a signer even against a forger with more powerful computational capability, because the probability that the forger finds the signer's actual private key is negligible. The signer can use a "proof of forgery" algorithm to prove that a signature is a forgery; the proof works by showing that the underlying computational assumption has been broken. The signer can stop the system if a forgery occurs, hence the name fail-stop signature scheme. In a fail-stop signature scheme the signer is unconditionally secure and the requester is cryptographically secure.

In 1992, van Heyst and Pedersen constructed a fail-stop signature scheme based on the discrete logarithm problem [46]; their scheme is a Lamport-like one-time signature [26]. Susilo, Safavi-Naini and Pieprzyk [48] presented two RSA-based fail-stop signature schemes, with and without a trusted dealer, in 1999. Only the scheme with a trusted dealer is considered here, for simplicity. Actually, the signer and the receiver can perform the initialization phase themselves, instead of a trusted dealer, by using Boneh-Franklin's

dealer, the sender and the receiver in Susilo et al.'s scheme with trusted dealer. A forged signature can be proved by using Miller's [33] and Bach's [2] methods to reveal non-trivial factors of n to the signer. The detailed scheme is described as follows.

(1) Initialization: Two large prime numbers p and q are chosen by the trusted dealer D such that p = 2p'+1 and q = 2q'+1, where p' and q' are also prime. Then, D computes n = pq and φ(n) = (p−1)(q−1). Next, D chooses d_D as her/his private key and computes e_D = d_D^{-1} mod φ(n), where GCD(d_D, φ(n)) = 1. Then, D selects a random number α ∈ Z_n^* and computes β = α^{d_D} mod n. Finally, D publishes her/his public key (α, n) and sends (e_D, β) to the signer S securely.

(2) Key generation: The signer S selects four random numbers k1, k2, k3 and k4 as the private key, where k_i ∈ Z_n^*, 1 ≤ i ≤ 4. Next, S computes β1 = α^{k4} β^{k3} mod n, α1 = α^{k1} β1^{k3} mod n and α2 = α^{k2} β1^{k4} mod n. Finally, s/he publishes her/his public key (β1, α1, α2).

(3) Signature generation: The signer S computes y1 = k1 x + k2 and y2 = k3 x + k4, where x ∈ Z_n^* is the message. Then, s/he publishes the

(4) Signature verification: The receiver R verifies the signature by checking the formula α^{y1} β1^{y2} ≡ α1^x α2 (mod n). If it holds, the signature is valid.

(5) Proof of forgery: If a forged signature (y1', y2') on message x passes the signature verification phase, S can prove that a forgery has occurred by executing the following steps.

1. Construct the right signature (y1, y2) on message x.

2. Compute Z1 = (y1' − y1) and Z2 = (y2 − y2').

3. Compute γ = e_D(Z2 − k4 Z1) − k3 Z1 = cφ(n).

4. Find non-trivial factors of n by using Miller's [33] and Bach's [2] methods.

5. The non-trivial factors of n are the proof of forgery.

2.6 Mambo-Usuda-Okamoto Proxy Signature Scheme

The proxy signature scheme based on the discrete logarithm problem was presented by Mambo et al. [30] in 1996. It can allow the designated

example, when a manager is going on vacation, s/he can delegate her/his secretary to sign messages on her/his behalf. There are three types of delegation in proxy signature schemes: full delegation, delegation by warrant and partial delegation.

In full delegation, the original signer gives her/his private key to the designated proxy signer, and then the original signer and the proxy signer can both generate the same signatures. The signatures generated by the original signer and the proxy signer are therefore indistinguishable, so a dispute between the original signer and the proxy signer over a signature cannot be settled.

In delegation by warrant, the warrant shows that the proxy signer is legitimate and describes the needed information between the original signer and the proxy signer. It can be implemented with an ordinary signature scheme. However, it requires executing the proxy signature verification process and then the ordinary signature verification process.

In partial delegation, the original signer uses her/his private key to generate the proxy secret key and sends it to the proxy signer securely. The signatures can be distinguished between the original signer and the proxy

delegation scheme and more efficient than the delegation-by-warrant scheme. We describe Mambo et al.'s partial delegation proxy signature scheme in detail as follows.

(1) Initialization: The original signer randomly chooses a large prime number p and a generator g ∈ Z_p^*. Let x be the private key of the original signer and y be the corresponding public key such that y = g^x mod p.

(2) Proxy delegation: The original signer randomly selects a number k_o, and calculates r_o = g^{k_o} mod p and s_o = x + k_o r_o mod (p−1). Next, the original signer sends (r_o, s_o) to the proxy signer in a secure manner. After the proxy signer receives (r_o, s_o), s/he can verify it by checking the correctness of the equation g^{s_o} = y r_o^{r_o} mod p. If (r_o, s_o) satisfies that equation, s/he accepts it as a valid proxy. Finally, the proxy signer computes her/his proxy secret key s_pr = s_o + x_p mod (p−1).

(3) Requesting: The requester sends the prepared message m to the signer.

(4) Signing: The proxy signer chooses k randomly, and computes r = g^k mod p and s = k^{-1}(m − xr) mod (p−1), where m is the message to be

(5) Verification: Anyone can verify the correctness of the signature (r, s) by checking that the equation y^r r^s ≡ g^m (mod p) holds.

Figure 2.8 illustrates the protocol diagram of Mambo et al.'s proxy signature scheme.

[Figure 2.8: Original signer holds prime p, generator g ∈ Z_p^*, private key x ∈ Z_p and public key y = g^x (mod p); picks random k_o ∈ Z_p, computes r_o = g^{k_o} (mod p), s_o = x + k_o r_o (mod p−1) and sends (r_o, s_o). Proxy signer checks g^{s_o} = y r_o^{r_o} (mod p), sets s_pr = s_o + x_p (mod p−1), then for message m picks random k ∈ Z_p, r = g^k (mod p), s = k^{-1}(m − xr) (mod p−1) and outputs (r, s). Verifier checks g^m ≡ y^r r^s (mod p).]

Figure 2.8 Protocol diagram of partial delegation proxy signature scheme

Chapter 3 Analysis of Some Blind Signature Schemes

In Section 3.1, we present a cryptanalysis of a new Rabin-like blind signature scheme based on the quadratic residue problem. A traceability attack on an RSA-based partially blind signature scheme with low computation is analyzed and corrected in detail in Section 3.2. Lee et al. claimed that the ElGamal blind signature scheme is traceable, but we show in Section 3.3 that their claim is incorrect. Finally, we analyze Sun et al.'s traceability attack on proxy blind signature schemes in Section 3.4.

3.1 Cryptanalysis on a New Rabin-like Blind Signature Scheme

The Rabin digital signature scheme [40] is based on the square-root problem. Its security relies on the difficulty of finding the square roots of a quadratic residue modulo n, which has been proved to be as hard as factoring n [40]. Compared to the RSA cryptosystem [43], the

The blind signature scheme was proposed by Chaum [7] and is based on the RSA cryptosystem [43]. In addition to the unforgeability of the signatures, it must satisfy two requirements: (1) the contents of messages are unknown to the signer when signing, and (2) the signer cannot trace the signed messages after the senders have revealed the signatures publicly. Because of the unlinkability property, blind signatures can protect the senders' privacy in digital transactions, and they can be applied in electronic voting systems and electronic cash systems.

Recently, Chen et al. [10] proposed a new Rabin-like blind signature scheme based on the square-root problem. Although their scheme is simple and efficient, it can be compromised when particular blinding factors are chosen. In this section, we present an attack on Chen et al.'s scheme and demonstrate that their scheme is not secure.

Let Z_n^* = {k ∈ Z_n | GCD(k, n) = 1} be the multiplicative group under modulus n, where n is a positive integer. An integer a is called a quadratic residue (QR) in Z_n^* if there exists an integer x ∈ Z_n^* such that x² ≡_n a. If no such x exists, a is called a quadratic non-residue (QNR) in Z_n^*. The set of all quadratic residues under modulus n is denoted by Q_n, and the set of all quadratic non-residues by Q̄_n. That is, Q_n = {a ∈ Z_n^* | ∃x ∈ Z_n^*, x² ≡_n a} and Q̄_n = Z_n^* − Q_n [32, 44, 46].

Let p be an odd prime and let α be a generator in Z_p^*. An integer a ∈ Z_p^* is a quadratic residue modulo p if and only if a ≡_p α^i where i is an even integer. It follows that |Q_p| = |Q̄_p| = (p−1)/2, i.e., half of the elements in Z_p^* are QRs and the other half are QNRs.

Let p be an odd prime and a be an integer. The Legendre symbol (a/p) is defined below:

(a/p) = 0 if p | a; 1 if a ∈ Q_p; −1 if a ∈ Q̄_p.

Let n be a product of two distinct odd primes p and q, i.e., n = p·q. An integer a ∈ Z_n^* is a quadratic residue modulo n if and only if a ∈ Q_p and a ∈ Q_q. Therefore, |Q_n| = |Q_p||Q_q| = (p−1)(q−1)/4 and |Q̄_n| = 3(p−1)(q−1)/4.

Let n ≥ 3 be an odd integer with prime factorization n = p1^{e1} p2^{e2} ··· pk^{ek} and let a be an integer. The Jacobi symbol [32] is

defined as (a/n) = (a/p1)^{e1} (a/p2)^{e2} ··· (a/pk)^{ek}.

Let n ≥ 3 be an odd integer and J_n = {a ∈ Z_n^* | (a/n) = 1}. Q̃_n = J_n − Q_n is defined to be the set of pseudo-squares under modulus n. Thus the Jacobi symbol is a generalization of the Legendre symbol [32], where n need not be prime.

Let n = pq be a Blum integer, i.e., p and q are distinct primes and p ≡_4 q ≡_4 3. If x ∈ Q_n, then x^{(n−p−q+5)/8} mod n is a square root of x. If x ∈ J_n, then (x^d)² ≡_n x if x ∈ Q_n and (x^d)² ≡_n −x if x ∈ Q̃_n, where d = (n−p−q+5)/8.

Let n = pq be a Williams integer [32], i.e., p and q are distinct primes with p ≡_8 3 and q ≡_8 7. Then 2 is a quadratic non-residue under modulus n with Jacobi symbol (2/n) = −1. Hence, multiplication of any integer x by 2 or 2^{-1} mod n reverses the Jacobi symbol of x.

3.1.1 Chen et al.'s Blind Signature Scheme

Chen et al.'s blind signature scheme [10] is based on Rabin's signature scheme. There are two kinds of participants, senders and the signer, in the blind signature scheme. A sender requests signatures from the signer, and the signer issues signatures on blinded messages to the sender. The protocol consists of three phases: (1) requesting, (2) signing and (3) extraction. A sender submits a blinded message to the signer in the requesting phase to obtain a signature. In the signing phase, the signer computes the signature on the blinded message and returns the result to the sender. Finally, the sender extracts the signature from the result s/he received in the extraction phase.

Let n = pq be a Williams integer and (p, q) be kept secret by the signer. Let H be a one-way hash function. The details of the scheme are described as follows.

(1) Requesting: To request a signature on the message m, the sender computes H(m). Then s/he randomly chooses the blinding factor r ∈ Z_n^*. The sender chooses appropriate bits a and b, where a = 0 if (H(m)/n) = 1 and a = 1 if (H(m)/n) = −1, such that 2^{-a} H(m) mod n ∈ J_n,

and sends m~ = 2^{-a} r^4 H(m) mod n to the signer.

(2) Signing: After the signer receives m~, s/he computes s~ = (2^{-a} r^4 H(m))^d mod n, where d = (n−p−q+5)/8 is the private key of the signer, and sends s~ back to the sender.

(3) Extraction: The sender computes s = s~ r^{-2} mod n and forms (s, a, b) such that s² (−1)^b 2^a ≡_n H(m). One can verify the correctness of the signature (s, a, b) on the message m by checking the formula s² (−1)^b 2^a ≡_n H(m).

3.1.2 Cryptanalysis on Chen et al.'s Scheme

In this section, we demonstrate that the Chen-Qiu-Zheng scheme [10] is not secure against a chosen-ciphertext attack.

Theorem 3.1: Let x and y be two integers in Z_n^*, where n = p·q is a Blum integer. If x² ≡_n y² and x ≠ ±y mod n, then GCD(x + y mod n, n) = p or q.

Proof: By the Chinese remainder theorem, an integer w in Z_n^* can be represented by <w1, w2>, where w1 = (w mod p) and w2 = (w mod q).

<k + w mod n> = <k1 + w1 mod p, k2 + w2 mod q>

<k · w mod n> = <k1 · w1 mod p, k2 · w2 mod q>

<k^{-1} mod n> = <k1^{-1} mod p, k2^{-1} mod q>

<−k mod n> = <−k1 mod p, −k2 mod q>

Besides, for every <k1, k2> and <w1, w2> in Z_n^*, <k1, k2> = <w1, w2> if and only if k1 = w1 mod p and k2 = w2 mod q.

Let x = <x1, x2> in Z_n^*, where x1 = (x mod p) and x2 = (x mod q), and let t = (x² mod n). The integer t has four square roots {<x1, x2>, <x1, −x2>, <−x1, x2>, <−x1, −x2>}, where y = <−x1, x2> or y = <x1, −x2> since x ≠ ±y mod n. If y = <−x1, x2>, then (x + y mod n) = <0, 2x2 mod q>. Hence, (x + y mod n) is divisible by p and GCD(x + y mod n, n) = p. If y = <x1, −x2>, then (x + y mod n) = <2x1 mod p, 0>. Thus, (x + y mod n) is divisible by q and GCD(x + y mod n, n) = q.
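The number theory of Section 3.1 (Jacobi symbol, Blum and Williams integers, the square-rooting exponent d = (n−p−q+5)/8), the Rabin signing step of Section 2.3, the blinding and extraction of Chen et al.'s scheme in Section 3.1.1, and the factor-recovery statement of Theorem 3.1, as one added Python example that is not from the dissertation; the toy primes 227 and 239, the sample hash value and blinding factor, and the CRT enumeration used to obtain a second square root are assumptions. It illustrates why a Rabin-type signer must never release two different square roots of the same value: by Theorem 3.1 their sum reveals a factor of n.

```python
from math import gcd

# Constructed toy parameters (not from the dissertation): 227 ≡ 3 (mod 8) and
# 239 ≡ 7 (mod 8) are prime, so N = 227*239 is a Williams integer (and hence a
# Blum integer). Real schemes use primes of 1024 bits or more.
P, Q = 227, 239
N = P * Q
D = (N - P - Q + 5) // 8        # the signer's square-rooting exponent (Section 3.1)


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                      # (2/n) = -1 iff n ≡ 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                            # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt(a_p, a_q, p=P, q=Q):
    """Chinese remainder theorem: the residue mod p*q that is a_p mod p and a_q mod q."""
    return (a_p + p * (((a_q - a_p) * pow(p, -1, q)) % q)) % (p * q)


def sqrt_blum(x, p=P, q=Q):
    """x^((n-p-q+5)/8) mod n: a square root of x when x is a quadratic residue, and a
    square root of -x when x is a pseudo-square (Jacobi symbol 1 but not a QR)."""
    n = p * q
    return pow(x, (n - p - q + 5) // 8, n)


def all_square_roots(t, p=P, q=Q):
    """The four roots <±x1, ±x2> of a quadratic residue t, as in the proof of
    Theorem 3.1 (requires p ≡ q ≡ 3 mod 4)."""
    r_p, r_q = pow(t, (p + 1) // 4, p), pow(t, (q + 1) // 4, q)
    assert (r_p * r_p - t) % p == 0 and (r_q * r_q - t) % q == 0, "t is not a QR"
    return sorted({crt(u * r_p % p, v * r_q % q, p, q) for u in (1, -1) for v in (1, -1)})


# --- Section 2.3: Rabin signature (the message must be a quadratic residue) ---
def rabin_sign(m, p=P, q=Q):
    return sqrt_blum(m, p, q)                  # s = m^(1/2) mod n; needs p and q


def rabin_verify(m, s, n=N):
    return (s * s - m) % n == 0                # s^2 ≡ m (mod n)


# --- Section 3.1.1: Chen et al.'s Rabin-like blind signature -----------------
def chen_blind(hm, r, n=N):
    """Requesting: a = 0 if (H(m)/n) = 1 else 1, so that 2^-a H(m) lies in J_n;
    the sender sends m~ = 2^-a r^4 H(m) mod n."""
    a = 0 if jacobi(hm, n) == 1 else 1
    return (pow(2, -a, n) * pow(r, 4, n) * hm) % n, a


def chen_sign(m_blind, p=P, q=Q):
    return sqrt_blum(m_blind, p, q)            # s~ = m~^d mod n


def chen_extract(s_blind, r, hm, a, n=N):
    """Extraction: s = s~ r^-2 mod n; b records whether s^2 is +2^-a H(m) or -2^-a H(m)."""
    s = (s_blind * pow(r, -2, n)) % n
    b = 0 if (s * s - pow(2, -a, n) * hm) % n == 0 else 1
    return s, a, b


def chen_verify(hm, s, a, b, n=N):
    return (s * s * (-1) ** b * pow(2, a, n) - hm) % n == 0   # s^2 (-1)^b 2^a ≡ H(m)


# --- Theorem 3.1 ---------------------------------------------------------------
def factor_from_roots(x, y, n=N):
    """If x^2 ≡ y^2 (mod n) and x ≢ ±y (mod n), gcd(x + y, n) is a non-trivial factor.
    Returns None when the hypothesis does not hold."""
    if (x * x - y * y) % n or (x - y) % n == 0 or (x + y) % n == 0:
        return None
    return gcd((x + y) % n, n)


def demo():
    m = pow(12345, 2, N)                       # constructed message that is a QR mod N
    s = rabin_sign(m)
    other = next(t for t in all_square_roots(m) if t not in (s, N - s))
    hm, r = 4321, 77                           # constructed hash value and blinding factor
    m_blind, a = chen_blind(hm, r)
    s_c, a, b = chen_extract(chen_sign(m_blind), r, hm, a)
    return (rabin_verify(m, s), factor_from_roots(s, other) in (P, Q),
            chen_verify(hm, s_c, a, b), jacobi(2, N))
```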

In the Chen-Qiu-Zheng scheme, if someone tries to compromise the scheme, s/he can send $(2^{-a} r^2 h(m) \bmod n)$ instead of $(2^{-a} r^4 h(m) \bmod n)$ to the signer without being detected by the signer, since it is blinded, and then obtains $\tilde{s} = ((2^{-a} r^2 h(m))^d \bmod n)$, which is a square root of $(2^{-a} r^2 h(m) \bmod n)$ with probability 1/2, and $(\tilde{s} r^{-1} \bmod n)$ is a square root of $(2^{-a} h(m) \bmod n)$ with probability 1/2, too. Then, the sender randomly selects another $\hat{r}$, and sends $(2^{-a} \hat{r}^2 h(m) \bmod n)$ to the signer, so that he can receive $\hat{s} = ((2^{-a} \hat{r}^2 h(m))^d \bmod n)$. If the integer $(\hat{s} \hat{r}^{-1} \bmod n)$ is a square root of $(2^{-a} h(m) \bmod n)$ and different from $(\pm \tilde{s} r^{-1} \bmod n)$, where the probability is $\frac{1}{2} \cdot \frac{1}{2} = \frac{1}{4}$, then $GCD(\tilde{s} r^{-1} + \hat{s} \hat{r}^{-1} \bmod n,\ n)$ is one of the prime factors of $n$ by Theorem 3.1. This kind of chosen-ciphertext attack can compromise the Chen-Qiu-Zheng scheme.
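Theorem 3.1 worked out in code, as an added example that is not part of the thesis: the toy Blum modulus, the value x and the CRT helper are constructed here. The script lists the four square roots of x^2 mod n and shows that each root other than ±x yields one prime factor of n through a single GCD, which is exactly the leak the chosen-ciphertext attack above relies on.

```python
from math import gcd

# constructed toy Blum integer: both primes are 3 (mod 4); NOT real key sizes
P, Q = 1000000007, 2147483647
N = P * Q
assert P % 4 == 3 and Q % 4 == 3

def crt(w1: int, w2: int) -> int:
    """Map <w1, w2> = <w mod p, w mod q> back to w in Z_n (Chinese remainder theorem)."""
    return (w1 * Q * pow(Q, -1, P) + w2 * P * pow(P, -1, Q)) % N

def square_roots(t: int) -> list:
    """All four square roots of a quadratic residue t modulo the Blum integer n.
    For a prime p = 3 (mod 4), t^((p+1)/4) mod p is a square root of t mod p."""
    x1 = pow(t, (P + 1) // 4, P)
    x2 = pow(t, (Q + 1) // 4, Q)
    return [crt(x1, x2), crt(x1, -x2 % Q), crt(-x1 % P, x2), crt(-x1 % P, -x2 % Q)]

def factor_from_roots(x: int, y: int) -> int:
    """Theorem 3.1: x^2 = y^2 (mod n) and y != +-x (mod n) give gcd(x + y, n) in {p, q}."""
    assert pow(x, 2, N) == pow(y, 2, N) and y % N not in (x % N, -x % N)
    return gcd((x + y) % N, N)

def demo(x: int = 123456789012345) -> dict:
    """For a constructed x, pair every root of x^2 other than +-x with the factor it reveals."""
    roots = square_roots(pow(x, 2, N))
    others = [y for y in roots if y not in (x % N, -x % N)]
    return {y: factor_from_roots(x, y) for y in others}
```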

3.2 RSA-Based Partially Blind Signature Scheme

In AsiaCrypt'96, Abe and Fujisaki [1] proposed the first partially blind signature scheme, which injects common information, like the date, into the signature. Chien et al. [11] later proposed a more efficient RSA-based partially blind signature scheme than the Abe-Fujisaki scheme. Recently, Hwang et al. [21] claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature. In this section, we show that Hwang et al.'s claim is incorrect and Chien et al.'s scheme is still the

Recently, Chien et al. proposed an RSA-based partially blind signature with low computation for mobile and smart-card applications. Hwang et al. later claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature. In this section, we show that Hwang et al.'s claim is incorrect and Chien et al.'s scheme still satisfies the untraceability property.

3.2.1 Chien et al.'s scheme

In 2001, Chien et al. proposed an efficient partially blind signature based on the RSA cryptosystem. Compared with the Abe-Fujisaki scheme, Chien et al.'s scheme reduces the amount of computation for the requester by almost 98%. Therefore, Chien et al.'s scheme is suitable for mobile client and smart-card applications.

The signer and the requester are the two kinds of participants in Chien et al.'s partially blind signature. The requester obtains a partially blind signature from the signer, and the signer cannot link any message-signature pair later. The four phases in Chien et al.'s scheme are (1) Initialization, (2) Requesting, (3) Signing, and (4) Extraction and verification. Initially, the

the requesting phase, the requester sends a blinded message and the agreed common information to the signer. The signer signs the blinded message together with the common information in the signing phase. Finally, in the extraction and verification phase, the requester obtains the signature from the blinded signature without removing the injected common information. Anyone can verify the correctness of the signature using the message-signature pair and the agreed common information. The detailed scheme is described as follows.

(1) Initialization: The signer randomly selects two large primes $p$ and $q$, and calculates $n = pq$ and $\phi(n) = (p - 1) \cdot (q - 1)$. Then, the signer selects a large integer $d$ such that $ed \equiv 1 \bmod \phi(n)$, where $e = 3$. Thus, $d$ is the private key of the signer, and the signer publishes his public key $(n, e)$ and a secure one-way hash function $h(\cdot)$ like SHA-1.

(2) Requesting: The requester prepares the common information $a$ according to the predefined format. Then, s/he randomly selects two integers $r \in Z_n$ and $u \in Z_n$. The requester calculates $\alpha = r^e h(m)(u^2 + 1) \bmod n$ and sends $(a, \alpha)$ to the signer. After the signer verifies the agreed common information $a$, s/he randomly chooses a

requester receives $x$, s/he selects a random number $k$ and computes $b = rk$. Finally, the requester computes $\beta = b^e (u - x) \bmod n$ and sends $\beta$ to the signer.

(3) Signing: The signer calculates $\beta^{-1} \bmod n$ and $t = h(a)^d (\alpha (x^2 + 1) \beta^{-2})^{2d} \bmod n$, then s/he sends $(\beta^{-1}, t)$ to the requester.

(4) Extraction and verification: After the requester receives $(\beta^{-1}, t)$, s/he obtains the signature by calculating $c = (ux + 1) \beta^{-1} b^e \bmod n$ and $s = t r^2 k^4 \bmod n$. The 3-tuple $(a, c, s)$ is a signature on the message $m$, and anyone can verify the correctness of $(a, c, s)$ by checking whether $s^e = h(a) h(m) (c^2 + 1)^2 \bmod n$.

If $(a, c, s)$ is a signature of the message $m$ generated by Chien et al.'s partially blind signature scheme, then $s^e = h(a) h(m) (c^2 + 1)^2 \bmod n$ must hold. The detailed proof can be found in [11].

3.2.2 Hwang et al.'s Traceability Attack

In Hwang et al.'s claim [21], the signer can keep a set of records for all blinded messages and use them to trace back the blind signature. Thus,

untraceability of the blind signature. The detailed procedures of Hwang et al.'s cryptanalysis are described as follows.

1. The signer can keep a set of records $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$ for each instance $i$ in Chien et al.'s scheme.

2. When the requester reveals $(a, c, s, m)$ to the public, the signer can compute $\tilde{u}_i = (1 + c x_i)(c - x_i)^{-1} \bmod n$ for each instance $i$, since $c = (u_i x_i + 1) \beta_i^{-1} b_i^e = (u_i x_i + 1)(u_i - x_i)^{-1} \bmod n$.

3. The signer can obtain $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^{-d} \bmod n$ for each instance $i$, since $\beta = b^e (u - x) \bmod n$. Note: $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^e \bmod n$ is wrong in Hwang et al. [21].

4. The signer can then compute $\tilde{r}_i = \alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d} \bmod n$ for each instance $i$, since $\alpha_i = r_i^e h(m)(u_i^2 + 1) \bmod n$. Note: $\tilde{r}_i = \alpha_i^d h(m)^e (\tilde{u}_i^2 + 1)^d \bmod n$ is also wrong in Hwang et al. [21].

5. The signer can obtain $\tilde{k}_i = \tilde{b}_i \tilde{r}_i^{-1} \bmod n$ for each instance $i$, since $b_i = r_i k_i \bmod n$.

6. Finally, the signer can check whether $s = t_i \tilde{r}_i^2 \tilde{k}_i^4 \bmod n$. If it is true, the signer can trace back the blind signature.

the untraceability property of the blind signature.

3.2.3 Analysis of Hwang et al.'s Attack

In 1995, Harn [19] claimed that Camenisch et al.'s blind signature scheme [5] is traceable. Horster et al. [20] later proved that Harn's cryptanalysis is incorrect. Likewise, Theorem 3.2 shows that Hwang et al.'s claim on Chien et al.'s scheme is incorrect.

Theorem 3.2: For a given message-signature pair $(a, c, s, m)$, the signer can derive a 4-tuple $(\tilde{u}_i, \tilde{b}_i, \tilde{r}_i, \tilde{k}_i)$ such that $s = t_i \tilde{r}_i^2 \cdot \tilde{k}_i^4 \bmod n$ is always satisfied for each $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$.

Proof: According to Hwang et al.'s claim, the signer can keep $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$ for each instance $i$ in Chien et al.'s scheme. When the requester reveals $(a, c, s, m)$ to the public, the signer can compute $\tilde{u}_i = (1 + c x_i)(c - x_i)^{-1} \bmod n$ for each instance $i$. Then s/he can obtain $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^{-d} \bmod n$. The signer can compute $\tilde{r}_i = \alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d} \bmod n$ and $\tilde{k}_i = \tilde{b}_i \tilde{r}_i^{-1} \bmod n$. Finally, the signer can check whether the formula $s = t_i \tilde{r}_i^2 \cdot \tilde{k}_i^4 \bmod n$ is true or not.

$i$ in the following derivations.

$t_i \tilde{r}_i^2 \cdot \tilde{k}_i^4$
$\equiv h(a)^d (\alpha_i (x_i^2 + 1) \beta_i^{-2})^{2d} \cdot \tilde{r}_i^2 (\tilde{b}_i \tilde{r}_i^{-1})^4 \bmod n$
$\equiv h(a)^d (\alpha_i (x_i^2 + 1) \beta_i^{-2})^{2d} \cdot \tilde{b}_i^4 \tilde{r}_i^{-2} \bmod n$
$\equiv h(a)^d (\alpha_i (x_i^2 + 1) \beta_i^{-2})^{2d} \cdot (\beta_i^d (\tilde{u}_i - x_i)^{-d})^4 \cdot (\alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d})^{-2} \bmod n$
$\equiv h(a)^d \cdot (\alpha_i^{2d} (x_i^2 + 1)^{2d} \beta_i^{-4d}) \cdot (\beta_i^{4d} (\tilde{u}_i - x_i)^{-4d}) \cdot (\alpha_i^{-2d} h(m)^{2d} (\tilde{u}_i^2 + 1)^{2d}) \bmod n$
$\equiv h(a)^d (x_i^2 + 1)^{2d} (\tilde{u}_i - x_i)^{-4d} (h(m)^{2d} (\tilde{u}_i^2 + 1)^{2d}) \bmod n$
$\equiv h(a)^d h(m)^{2d} [(x_i^2 + 1)^2 (\tilde{u}_i - x_i)^{-4} (\tilde{u}_i^2 + 1)^2]^d \bmod n$
$\equiv [h(a) h(m)^2 [(x_i^2 + 1)^2 (\tilde{u}_i - x_i)^{-4} (\tilde{u}_i^2 + 1)^2]]^d \bmod n$
$\equiv [h(a) h(m)^2 [(\tilde{u}_i - x_i)^{-4} (x_i^2 \tilde{u}_i^2 + x_i^2 + \tilde{u}_i^2 + 1)^2]]^d \bmod n$
$\equiv [h(a) h(m)^2 [(\tilde{u}_i - x_i)^{-4} (x_i^2 \tilde{u}_i^2 + x_i^2 + \tilde{u}_i^2 + 1 + 2 \tilde{u}_i x_i - 2 \tilde{u}_i x_i)^2]]^d \bmod n$
$\equiv [h(a) h(m)^2 [(\tilde{u}_i - x_i)^{-4} ((x_i \tilde{u}_i + 1)^2 + (\tilde{u}_i - x_i)^2)^2]]^d \bmod n$
$\equiv [h(a) h(m)^2 [c^2 + 1]^2]^d \bmod n$
$\equiv s \bmod n$

Thus, Hwang et al.'s cryptanalysis on Chien et al.'s scheme is incorrect.

untraceability property and it is an untraceable scheme.
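As an added example (not code from the thesis or from Chien et al.), the following Python run goes through the four phases of Chien et al.'s scheme with a constructed toy RSA key, verifies the signatures, and then applies the corrected steps 2 to 6 of Hwang et al.'s trace test to every recorded instance; as Theorem 3.2 predicts, the test accepts every record and so singles out nothing. The primes, seed, messages and common information are constructed; the verification carries h(m)^2, the exponent the derivation above ends with, which is what the algebra yields for the α and t of 3.2.1.

```python
import hashlib
import random
from math import gcd

# constructed toy key: two well-known primes, far too small for real use
P, Q = 1000000007, 998244353
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))  # e*d = 1 (mod phi(n)); e = 3 as on the page

def h(data: bytes) -> int:
    """one-way hash as an integer in Z_n (SHA-1, as on the page)"""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % N

def unit(rng: random.Random) -> int:
    """random element of Z_n^*; every value below gets inverted mod n"""
    while True:
        v = rng.randrange(2, N)
        if gcd(v, N) == 1:
            return v

def protocol(a: bytes, m: bytes, rng: random.Random) -> tuple:
    """One run with common information a: returns the signer's record (alpha, x, beta, t) and the signature."""
    r, u = unit(rng), unit(rng)
    alpha = pow(r, E, N) * h(m) * (u * u + 1) % N               # requesting
    x = unit(rng)                                                # signer's challenge
    k = unit(rng)
    b = r * k % N
    beta = pow(b, E, N) * (u - x) % N
    t = pow(h(a), D, N) * pow(alpha * (x * x + 1) * pow(beta, -2, N), 2 * D, N) % N  # signing
    c = (u * x + 1) * pow(beta, -1, N) * pow(b, E, N) % N         # extraction
    s = t * r * r * pow(k, 4, N) % N
    return (alpha, x, beta, t), (a, c, s, m)

def verify(a: bytes, c: int, s: int, m: bytes) -> bool:
    """s^e = h(a) h(m)^2 (c^2+1)^2 (mod n); the exponent 2 on h(m) is the one the 3.2.3 derivation ends with"""
    return pow(s, E, N) == h(a) * h(m) ** 2 * (c * c + 1) ** 2 % N

def hwang_trace(record: tuple, sig: tuple) -> bool:
    """Steps 2-6 of Hwang et al.: rebuild (u, b, r, k) from one record and test s."""
    alpha, x, beta, t = record
    a, c, s, m = sig
    u_ = (1 + c * x) * pow(c - x, -1, N) % N
    b_ = pow(beta, D, N) * pow(u_ - x, -D, N) % N
    r_ = pow(alpha, D, N) * pow(h(m) * (u_ * u_ + 1), -D, N) % N
    k_ = b_ * pow(r_, -1, N) % N
    return s == t * r_ * r_ * pow(k_, 4, N) % N

def demo() -> list:
    """Three runs under one common information a (a is public, so only records sharing it are compared)."""
    rng = random.Random(2024)                                    # constructed seed
    a = b"2021-06-30"
    runs = [protocol(a, m, rng) for m in (b"msg-1", b"msg-2", b"msg-3")]
    assert all(verify(*sig) for _, sig in runs)
    return [hwang_trace(rec, runs[0][1]) for rec, _ in runs]
```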

3.3 Untraceable ElGamal Blind Signature Scheme

In Eurocrypt'94, Camenisch et al. presented blind signature schemes based on the discrete logarithm problem. Recently, Lee et al. asserted that Camenisch et al.'s schemes cannot satisfy the untraceability property of the blind signature scheme. Here we analyze Lee et al.'s traceability attack and show that it fails and that Camenisch et al.'s schemes are still untraceable. Although Lee et al. presented an untraceable scheme, it needs more computation and storage than Camenisch et al.'s schemes. Hence, Lee et al.'s scheme is unnecessary.

A blind signature scheme is a protocol that allows the requester to obtain a signature without revealing the message, such that the signer cannot trace any message-signature pair later. It achieves the unforgeability property for the signer and the untraceability property for the requester. The first blind signature scheme was presented by Chaum [8] and is based on the integer factoring problem. Camenisch et al. [5] proposed DSA [34] and

logarithm problem in Eurocrypt'94. Harn [19] pointed out in 1995 that Camenisch et al.'s schemes are traceable. Horster et al. [20] later showed that Harn's cryptanalysis is incorrect. Recently, Lee et al. [27] claimed that Horster et al.'s comment is improper and asserted that Camenisch et al.'s schemes cannot satisfy the untraceability property of the blind signature scheme. However, we show in this section that Lee et al.'s traceability attack on Camenisch et al.'s schemes fails.

3.3.1 Camenisch et al.'s scheme

There are two kinds of participants, the signer and the requester, in Camenisch et al.'s blind signature scheme. Initialization, requesting, signing, and verification are the four phases in their schemes, and the details of the DSA blind signature scheme are described in the following. (The concept of the Nyberg-Rueppel blind signature scheme is similar to the DSA blind signature scheme and its details are omitted here.)

(1) Initialization: Two large primes $p$ and $q$ are randomly chosen by the signer such that $q \mid (p - 1)$. Next, s/he selects $g \in Z_p^*$ of order $q$ and a random number $x \in Z_q$, and computes $y = g^x \pmod p$. Thus, the

the signer randomly selects $\hat{k} \in Z_q$ and calculates $\hat{r} = g^{\hat{k}} \pmod p$, and sends $\hat{r}$ to the requester.

(2) Requesting: To sign a message $m$ which is relatively prime to $q$, the requester selects two random numbers $a, b \in Z_q$ and computes $r = \hat{r}^a g^b \pmod p$. Then, s/he calculates the blinded message $\hat{m} = a m \hat{r} r^{-1} \pmod q$ and sends $\hat{m}$ to the signer.

(3) Signing: After the signer receives $\hat{m}$, s/he computes $\hat{s} = x \hat{r} + \hat{k} \hat{m} \pmod q$ and sends $\hat{s}$ back to the requester.

(4) Verification: The requester can calculate the signature $s$ by the equation $s = \hat{s} r \hat{r}^{-1} + b m \pmod q$. Thus, $(r, s)$ is the signature on the message $m$. Anyone can verify the signature by checking whether $g^s = y^r r^m \pmod p$ holds.

3.3.2 Lee et al.'s Traceability Attack

Recently, Lee et al. [27] asserted that Camenisch et al.'s schemes [5] cannot satisfy the untraceability property of the blind signature scheme. The detailed procedures of Lee et al.'s traceability attack on Camenisch et

traceability attack on the Nyberg-Rueppel blind signature scheme is similar to that on the DSA blind signature scheme and its description is omitted for conciseness.)

1. The signer can record all instances $(\hat{k}_i, \hat{r}_i, \hat{m}_i, \hat{s}_i)$ in Camenisch et al.'s scheme.

2. After the requester publishes $(r, s, m)$, the signer can calculate $b_i = (s - \hat{s}_i r \hat{r}_i^{-1}) m^{-1} \pmod q$ for all instances because of $s = \hat{s} r \hat{r}^{-1} + b m \pmod q$.

3. Next, the signer can compute $a_i = \hat{m}_i m^{-1} \hat{r}_i^{-1} r \pmod q$ for all instances because of $\hat{m} = a m \hat{r} r^{-1} \pmod q$.

4. Finally, the signer can check whether $r = \hat{r}_i^{a_i} g^{b_i} \pmod p$ holds. If it is true, the signer can trace the blind signature.

Thus, Lee et al. asserted that Camenisch et al.'s schemes cannot satisfy the untraceability property of the blind signature.

3.3.3 Analysis of Lee et al.'s Attack

Recently, Hwang et al. [22] asserted that Chaum's blind signature scheme [8] is traceable and presented an untraceable blind signature scheme

et al.'s claim is invalid later. Several papers [23, 24] claimed that many blind signature schemes suffer from the traceability attack. However, many cryptanalysts [28, 14] later showed that the traceability attack fails. We analyze in the following that Lee et al.'s traceability attack fails.

Based on Lee et al.'s traceability attack, the signer can keep $(\hat{k}_i, \hat{r}_i, \hat{m}_i, \hat{s}_i)$ for all instances in Camenisch et al.'s schemes. After the requester publishes $(r, s, m)$, the signer can calculate $b_i = (s - \hat{s}_i r \hat{r}_i^{-1}) m^{-1} \pmod q$ and $a_i = \hat{m}_i m^{-1} \hat{r}_i^{-1} r \pmod q$ for all instances. Then, the signer can check whether $r = \hat{r}_i^{a_i} g^{b_i} \pmod p$ holds. If the result is true, Lee et al. asserted that the signer can trace the blind signature in Camenisch et al.'s schemes. Indeed, we show in the following that $r = \hat{r}_i^{a_i} g^{b_i} \pmod p$ is always true for all instances.

$\hat{r}_i^{a_i} g^{b_i} \pmod p$
$= g^{\hat{k}_i a_i} g^{(s - \hat{s}_i r \hat{r}_i^{-1}) m^{-1}} \pmod p$
$= g^{\hat{k}_i \hat{m}_i m^{-1} \hat{r}_i^{-1} r} g^{(s - \hat{s}_i r \hat{r}_i^{-1}) m^{-1}} \pmod p$
$= g^{\hat{k}_i \hat{m}_i m^{-1} \hat{r}_i^{-1} r + (s - \hat{s}_i r \hat{r}_i^{-1}) m^{-1}} \pmod p$
$= g^{m^{-1} (\hat{k}_i \hat{m}_i \hat{r}_i^{-1} r + s - \hat{s}_i r \hat{r}_i^{-1})} \pmod p$
$= g^{m^{-1} (\hat{k}_i \hat{m}_i \hat{r}_i^{-1} r + s - (x \hat{r}_i + \hat{k}_i \hat{m}_i) r \hat{r}_i^{-1})} \pmod p$
$= g^{m^{-1} (\hat{k}_i \hat{m}_i \hat{r}_i^{-1} r + s - (x r + \hat{k}_i \hat{m}_i r \hat{r}_i^{-1}))} \pmod p$
$= g^{m^{-1} (\hat{k}_i \hat{m}_i \hat{r}_i^{-1} r + s - x r - \hat{k}_i \hat{m}_i r \hat{r}_i^{-1})} \pmod p$
$= g^{m^{-1} (s - x r)} \pmod p$
$= g^{m^{-1} s} g^{-m^{-1} x r} \pmod p$
$= (y^r r^m)^{m^{-1}} g^{-m^{-1} x r} \pmod p$
$= (y^{r m^{-1}} r) g^{-m^{-1} x r} \pmod p$
$= (g^{x r m^{-1}} r) g^{-m^{-1} x r} \pmod p$
$= r \pmod p$

For a given message-signature pair $(r, s, m)$, the signer can derive $(a_i, b_i)$ such that $r = \hat{r}_i^{a_i} g^{b_i} \pmod p$ always holds for all instances $(\hat{k}_i, \hat{r}_i, \hat{m}_i, \hat{s}_i)$. Hence, Lee et al.'s traceability attack on Camenisch et al.'s schemes fails. Although Lee et al.'s scheme satisfies the untraceability property, it needs more computation and storage than Camenisch et al.'s schemes. Thus, Lee et al.'s scheme is unnecessary.
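Added example, not from the thesis or from Camenisch et al.: the DSA blind signature of 3.3.1 together with steps 2 to 4 of Lee et al.'s attack, run over three signing instances on a constructed toy group (p = 2^127 - 1, a Mersenne prime, and q = 649657, a prime factor of 2^63 - 1 and hence of p - 1). The derivation above says the check r = r̂_i^{a_i} g^{b_i} (mod p) holds for every record, and the run confirms it; the seed and the messages are constructed, and messages are hashed into Z_q^* here as a constructed reading of "relatively prime to q".

```python
import hashlib
import random

# constructed DSA-like toy group: p = 2^127 - 1 (Mersenne prime) and the prime
# q = 649657, which divides 2^63 - 1 and hence p - 1; sizes are NOT for real use
P = 2 ** 127 - 1
Q = 649657
G = next(g for g in (pow(b, (P - 1) // Q, P) for b in range(2, 64)) if g != 1)

def hash_mod_q(m: bytes) -> int:
    """message as an integer in Z_q^* (constructed reading of "relatively prime to q")"""
    v = int.from_bytes(hashlib.sha1(m).digest(), "big") % Q
    return v if v else 1

def run(x: int, m: int, rng: random.Random) -> tuple:
    """One blind signing run with signer key x; returns the signer's record and the signature."""
    while True:                                      # initialization: r^ = g^k^, kept invertible mod q
        k_hat = rng.randrange(1, Q)
        r_hat = pow(G, k_hat, P)
        if r_hat % Q:
            break
    while True:                                      # requesting: r = r^^a g^b, kept invertible mod q
        a, b = rng.randrange(1, Q), rng.randrange(1, Q)
        r = pow(r_hat, a, P) * pow(G, b, P) % P
        if r % Q:
            break
    m_hat = a * m * r_hat * pow(r, -1, Q) % Q        # blinded message
    s_hat = (x * r_hat + k_hat * m_hat) % Q          # signing
    s = (s_hat * r * pow(r_hat, -1, Q) + b * m) % Q  # unblinding
    return (k_hat, r_hat, m_hat, s_hat), (r, s, m)

def verify(y: int, r: int, s: int, m: int) -> bool:
    """g^s = y^r r^m (mod p)"""
    return pow(G, s, P) == pow(y, r, P) * pow(r, m, P) % P

def lee_trace(record: tuple, sig: tuple) -> bool:
    """Steps 2-4 of Lee et al.: derive (a_i, b_i) from one record and test r."""
    k_hat, r_hat, m_hat, s_hat = record
    r, s, m = sig
    b_i = (s - s_hat * r * pow(r_hat, -1, Q)) * pow(m, -1, Q) % Q
    a_i = m_hat * pow(m, -1, Q) * pow(r_hat, -1, Q) * r % Q
    return r == pow(r_hat, a_i, P) * pow(G, b_i, P) % P

def demo() -> list:
    """Signer key, three blind signatures, then Lee's test of every record against the first."""
    rng = random.Random(7)                           # constructed seed
    x = rng.randrange(1, Q)
    y = pow(G, x, P)
    runs = [run(x, hash_mod_q(msg), rng) for msg in (b"ballot-1", b"ballot-2", b"ballot-3")]
    assert all(verify(y, *sig) for _, sig in runs)
    return [lee_trace(rec, runs[0][1]) for rec, _ in runs]
```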

The proxy blind signature scheme allows the designated proxy signer to use the proxy secret key to generate a blind signature on behalf of the original signer. Tan et al. presented DLP-based and ECDLP-based blind signature schemes. Lal and Awasthi later proposed an improved DLP-based scheme. Recently, Sun et al. presented linkability attacks on Tan et al.'s and Lal-Awasthi's proxy blind signature schemes, respectively. In this section, we show that Sun et al.'s attack is invalid and these schemes still satisfy the unlinkability property.

Mambo et al. [30] presented the proxy signature scheme to allow the designated proxy signer to sign messages on behalf of the original signer. For example, when a manager is going on a vacation, s/he can delegate her/his secretary to sign messages on behalf of her/him. The three types of delegation defined in the proxy signature scheme are full delegation, partial delegation and delegation by warrant. In full delegation, the original signer gives her/his private key to the designated proxy signer, and then the original signer and the proxy signer can both generate the same signatures. In partial delegation, the original signer uses her/his private key to generate the proxy secret key and sends it to the proxy signer securely
