
Short Paper


An Anonymous Endorsement System

WEI-CHI KU AND SHENG-DE WANG
Department of Electrical Engineering
National Taiwan University
Taipei, 106 Taiwan
E-mail: sdwang@hpc.ee.ntu.edu.tw

The expression of one’s opinion through endorsement is one of the simplest methods of democratic participation. The result of an endorsement can be used to evaluate whether a certain subject deserves higher attention. In some cases, the endorsers desire privacy protection. However, conventional paper-based endorsement systems provide neither convenience nor adequate privacy protection for the endorsers. In addition, current electronic anonymous voting schemes are unsuitable for anonymous endorsement. This motivates us to develop an anonymous endorsement system that can be realized on computer networks. The proposed system satisfies completeness, soundness, privacy, unreusability, eligibility, and verifiability. In practice, the proposed system can be integrated with the conventional paper-based endorsement system.

Keywords: anonymous endorsement, privacy, security, digital signature, untraceable email system

1. INTRODUCTION

The expression of one’s opinion through endorsement is one of the simplest methods of democratic participation. The result of an endorsement can be used to evaluate whether or not the subject deserves further attention. The endorsement subject may be a request to recall an elected representative, an approval of someone’s qualification as a candidate in a large-scale election, a proposal for a certain public project, and so on. For instance, in most democratic countries, a vote to recall a delinquent officer can be held only when the number of endorsements exceeds a certain quorum. Theoretically, the result of an endorsement depends on the intentions of the individuals. In practice, the result may also be affected by the method that carries it out. To endorse a subject with the conventional paper-based endorsement method, one must go to a particular place that may be far from one’s domicile. In addition, the endorser’s privacy is not well protected, in that the identity of the endorser is revealed to at least a group of verifiers. In some situations, only when their privacy is protected will endorsers feel free to express their views without fear of retaliation. The inconvenience and unease of the conventional paper-based endorsement method often make people more likely to abandon their rights. Moreover, if the number of endorsers is large, manual verification of the endorsement book is a tedious task. Therefore, we are motivated to design an anonymous endorsement system that can be realized on computer networks.

Received May 15, 2000; revised August 14, 2000; accepted September 26, 2000. Communicated by Chi Sung Laih.

Many voting schemes, e.g., [1-12], have been proposed from both theoretical and practical perspectives. However, these voting schemes are unsuitable for anonymous endorsement, since the voter must personally register for each election. If endorsing a subject required personal registration, the endorser’s privacy would be violated. In this paper, we describe a practical anonymous endorsement system. By extending the blind signature technique [13, 14], the power of the authority is distributed among an administrator and several scrutineers [9]. The proposed system satisfies completeness, soundness, privacy, unreusability, eligibility, and verifiability. In addition, the proposed system does not assume that the members will behave well.

2. REVIEW OF BLIND SIGNATURE TECHNIQUES

The concept of the blind signature was first introduced by Chaum [13], and an alternative implementation can be found in [14]. A blind signature scheme lets the signature requester prevent the signer from learning the correspondence between the signed message and the requester. The blind signature scheme proposed in [13] is based on RSA [15] and can be restated as follows. Suppose that the private exponent, the public exponent, and the modulus of the signer, say Bob, are $d_{Bob}$, $e_{Bob}$, and $n_{Bob}$, respectively. To make the paper more concise, we define four operations:

$\mathrm{Sign}_{Bob}(a) \equiv a^{d_{Bob}} \bmod n_{Bob}$ (1)

$\mathrm{Sign}^{-1}_{Bob}(a) \equiv a^{e_{Bob}} \bmod n_{Bob}$ (2)

$\mathrm{Hide}_{Bob}(a, b) \equiv b^{e_{Bob}} \cdot a \bmod n_{Bob}$ (3)

$\mathrm{Unstrap}_{Bob}(a, b) \equiv b^{-1} \cdot a \bmod n_{Bob}$ (4)

where $a, b \in [1, n_{Bob}-1]$. If someone, say Alice, wishes to obtain Bob’s signature on a message $M \in [1, n_{Bob}-1]$ without revealing its content, she generates a secret number $r \in [1, n_{Bob}-1]$, calculates $w = \mathrm{Hide}_{Bob}(M, r)$, and sends $w$ to Bob. Next, Bob calculates $x = \mathrm{Sign}_{Bob}(w)$ and sends $x$ back to Alice. Upon receiving $x$, Alice first calculates $y = \mathrm{Unstrap}_{Bob}(x, r)$ and then $z = \mathrm{Sign}^{-1}_{Bob}(y)$. Alice checks whether $z = M$ holds. If it does, Alice has obtained $\mathrm{Sign}_{Bob}(M)$ without

The blind signature scheme can be extended to distribute the power of authority among several parties [9], which is how it is used in the proposed anonymous endorsement system. Suppose there are $t$ signers $P_1, P_2, \ldots, P_t$ with $M < n_{P_1} < n_{P_2} < \cdots < n_{P_t}$; this ordering guarantees that each intermediate signature lies within the range of the next signer’s modulus. We can obtain, in order, the blind signature of $P_1$ on $M$, the blind signature of $P_2$ on $\mathrm{Sign}_{P_1}(M)$, …, and the blind signature of $P_t$ on $\mathrm{Sign}_{P_{t-1}}(\mathrm{Sign}_{P_{t-2}}(\cdots(\mathrm{Sign}_{P_1}(M))\cdots))$. We use $BS(M \mid P_1, P_2, \ldots, P_t)$ to denote the whole operation.

3. ANONYMOUS ENDORSEMENT SYSTEM

The proposed system involves an administrator ($A$), a set of $N$ scrutineers ($S_1, S_2, \ldots, S_N$), and the members. Three assumptions are made: (1) an untraceable email system exists, e.g., the mix-net [1] or the dc-net [16]; (2) at least one of $A, S_1, S_2, \ldots, S_N$ is trusted; and (3) a one-way permutation function exists, which implies P ≠ NP [17]. Although no function has yet been proven to be a one-way permutation, many researchers [8, 10, 18–20] believe that the discrete logarithm function is a candidate, for example $f(x) = g^x \bmod Q$, where $Q$ is a large prime, $x \in [1, Q-1]$ is an integer with large entropy, and $g$ is a generator of $Z_Q^*$.

The operation of the proposed system can be divided into six phases. In Phase 1 (the initiation phase), $A, S_1, S_2, \ldots, S_N$ generate their respective RSA key pairs. In Phase 2 (the registration phase), each member registers his public key with $A$. In Phase 3 (the ticket distribution phase), each member receives a set of $p$ tickets after sending a ticket distribution request to $A, S_1, S_2, \ldots, S_N$. The value of $p$ is the maximum number of endorsements that can be held following this ticket distribution. In Phase 4 (the endorsement origination phase), the subject originator sends a request to $A$, and $A$ announces the subject, its subject number (say $k$), and the email address of the originator. In Phase 5 (the endorsement phase), a member who wants to endorse this subject sends his $k$th ticket to the originator through an untraceable email system [1, 16]. In Phase 6 (the verification and tally phase), $A$ publishes the tickets collected by the originator for public verification and counting. The tally of the verified tickets in the endorsement table is the number of endorsers of the subject.

Phase 1. Initiation

$A$ generates a sequence of $p$ RSA key pairs in which $d_{A^{\langle i\rangle}}$, $e_{A^{\langle i\rangle}}$, and $n_{A^{\langle i\rangle}}$ denote his $i$th private exponent, public exponent, and modulus, respectively. Each $S_j$, where $j \in \{1, 2, \ldots, N\}$, generates his RSA key pair in which $d_{S_j}$ denotes the private exponent, $e_{S_j}$ the public exponent, and $n_{S_j}$ the modulus, such that $n_{A^{\langle i\rangle}} < n_{S_1} < n_{S_2} < \cdots < n_{S_N}$ for $i = 1, 2, \ldots, p$. In addition, a one-way permutation function $f(\cdot)$ and a one-way hash function $h(\cdot)$, e.g., SHA-1 [21], are predetermined and published.

Phase 2. Registration

To register as a member, someone, say $u$, first generates his RSA key pair, including

$u$, $A$ calculates $\mathrm{Sign}_{A^{\langle 1\rangle}}(h(u \,\|\, e_u \,\|\, n_u))$ and then publishes the result and $\{u \,\|\, e_u \,\|\, n_u\}$, where $\|$ denotes concatenation. In this phase, the member’s privacy is not required.

Phase 3. Ticket Distribution

When the registration phase is completed, $A$ originates a ticket distribution by announcing an identifier, say $Y$, which is an unpredictable, non-repeating number. The member $u$ generates a sequence of long random numbers $R^{\langle i\rangle}$, $i = 1, 2, \ldots, p$, and then calculates his hidden identities according to the following formula:

$\alpha_u^{\langle i\rangle} = f(ID_u \,\|\, R^{\langle i\rangle}), \quad i = 1, 2, \ldots, p.$ (5)

Next, member $u$ generates a secret number $r$ and calculates

$\beta_u^{\langle i\rangle}(0) = \mathrm{Hide}_{A^{\langle i\rangle}}(\{Y \,\|\, \alpha_u^{\langle i\rangle}\}, r), \quad i = 1, 2, \ldots, p,$ (6)

$req_u(0) = \mathrm{Sign}_u(h(Y \,\|\, \beta_u^{\langle 1\rangle}(0) \,\|\, \beta_u^{\langle 2\rangle}(0) \,\|\, \cdots \,\|\, \beta_u^{\langle p\rangle}(0))),$ (7)

and sends $\{Y \,\|\, \beta_u^{\langle 1\rangle}(0) \,\|\, \beta_u^{\langle 2\rangle}(0) \,\|\, \cdots \,\|\, \beta_u^{\langle p\rangle}(0) \,\|\, req_u(0)\}$ to $A$. If $h(Y \,\|\, \beta_u^{\langle 1\rangle}(0) \,\|\, \beta_u^{\langle 2\rangle}(0) \,\|\, \cdots \,\|\, \beta_u^{\langle p\rangle}(0)) \ne \mathrm{Sign}^{-1}_u(req_u(0))$, $A$ rejects the request. Otherwise, $A$ signs each $\beta_u^{\langle i\rangle}(0)$ with his $i$th private key to derive $\mathrm{Sign}_{A^{\langle i\rangle}}(\beta_u^{\langle i\rangle}(0))$, denoted by $\lambda_u^{\langle i\rangle}(0)$, where $i = 1, \ldots, p$. Next, $A$ sends $\lambda_u^{\langle i\rangle}(0)$, $i = 1, 2, \ldots, p$, back to $u$. Then, $u$ calculates

$t_u^{\langle i\rangle}(0) = \mathrm{Unstrap}_{A^{\langle i\rangle}}(\lambda_u^{\langle i\rangle}(0), r), \quad i = 1, 2, \ldots, p.$ (8)

If $\mathrm{Sign}^{-1}_{A^{\langle i\rangle}}(t_u^{\langle i\rangle}(0)) = \{Y \,\|\, \alpha_u^{\langle i\rangle}\}$ holds for $i = 1, \ldots, p$, member $u$ will believe that $BS(\{Y \,\|\, \alpha_u^{\langle i\rangle}\} \mid A^{\langle i\rangle}) = t_u^{\langle i\rangle}(0)$ for $i = 1, \ldots, p$. After that, $u$ calculates

$\beta_u^{\langle i\rangle}(1) = \mathrm{Hide}_{S_1}(t_u^{\langle i\rangle}(0), r), \quad i = 1, 2, \ldots, p,$ (9)

$req_u(1) = \mathrm{Sign}_u(h(Y \,\|\, \beta_u^{\langle 1\rangle}(1) \,\|\, \beta_u^{\langle 2\rangle}(1) \,\|\, \cdots \,\|\, \beta_u^{\langle p\rangle}(1))).$ (10)

Next, he sends $\{Y \,\|\, \beta_u^{\langle 1\rangle}(1) \,\|\, \beta_u^{\langle 2\rangle}(1) \,\|\, \cdots \,\|\, \beta_u^{\langle p\rangle}(1) \,\|\, req_u(1)\}$ to $S_1$. After verifying $req_u(1)$, $S_1$ calculates $\lambda_u^{\langle i\rangle}(1) = \mathrm{Sign}_{S_1}(\beta_u^{\langle i\rangle}(1))$, $i = 1, \ldots, p$, and sends them back to $u$. Then, $u$ calculates

$t_u^{\langle i\rangle}(1) = \mathrm{Unstrap}_{S_1}(\lambda_u^{\langle i\rangle}(1), r), \quad i = 1, 2, \ldots, p.$ (11)

If $\mathrm{Sign}^{-1}_{S_1}(t_u^{\langle i\rangle}(1)) = t_u^{\langle i\rangle}(0)$ holds for $i = 1, \ldots, p$, $u$ will believe that $BS(\{Y \,\|\, \alpha_u^{\langle i\rangle}\} \mid A^{\langle i\rangle}, S_1) = t_u^{\langle i\rangle}(1)$ for $i = 1, \ldots, p$. Similarly, $u$ can further obtain the blind signatures of $S_2, S_3, \ldots, S_{N-1}$ in order. Finally, $u$ obtains $BS(\{Y \,\|\, \alpha_u^{\langle i\rangle}\} \mid A^{\langle i\rangle}, S_1, S_2, \ldots, S_N)$, i.e., $t_u^{\langle i\rangle}(N)$, and $t_u^{\langle i\rangle}(N)$, denoted by $T_u^{\langle i\rangle}$ for simplicity, is used as the $i$th ticket of member $u$.

Phase 4. Endorsement Origination

If someone, say $G$, wants to originate an anonymous endorsement for a subject $SUB$, he sends his request to $A$. If $SUB$ is legal, $A$ assigns the identifier $k$ to $SUB$ and announces the endorsement by publishing $\{SUB \,\|\, k \,\|\, G \,\|\, AD_G\}$ and $\mathrm{Sign}_{A^{\langle k\rangle}}(h(Y \,\|\, SUB \,\|\, k \,\|\, G \,\|\, AD_G))$, where $AD_G$ denotes the email address of $G$.

Phase 5. Endorsement

If member $u$ wants to endorse $SUB$, he sends his $k$th ticket, $T_u^{\langle k\rangle}$, to $G$ through an untraceable email system. All tickets received are recorded in the endorsement table.

Phase 6. Verification and Tally

When the endorsement phase is completed, $G$ signs the endorsement table and sends both the table and the signature to $A$. Then, $A$ removes the duplicate tickets, and sorts and verifies the rest of the endorsement table. Next, $A$ signs the sorted, duplicate-free and verified endorsement table and publishes it together with its signature for public verification and counting. In addition, the original endorsement table with the signature received from $G$ is also published. Anyone can check whether the following equation holds:

$\mathrm{Sign}^{-1}_{A^{\langle k\rangle}}(\mathrm{Sign}^{-1}_{S_1}(\mathrm{Sign}^{-1}_{S_2}(\cdots(\mathrm{Sign}^{-1}_{S_N}(T_u^{\langle k\rangle}))\cdots))) = \{Y \,\|\, \alpha_u^{\langle k\rangle}\}.$ (12)

If it holds, the number of endorsers for $SUB$ is the tally of the verified tickets. In addition, the value of $k$ is increased by one; if $k > p$, the system returns to Phase 3, otherwise it enters Phase 4.
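The chained RSA blind signature of Section 2 and the ticket flow of Phases 3 and 6, as an added worked example that is not the authors’ code. It assumes toy RSA keys of about 60 bits, SHA-1 truncated to 32 bits as a stand-in for the one-way permutation f, a constructed identifier Y, and a Y-prefix check for recognising valid tickets in the tally; none of these come from the paper.

```python
import hashlib
import math
import random
def next_prime(n):
    """Smallest prime >= n by trial division; fast enough for the toy sizes used here."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def keygen(p_start, q_start, e=65537):
    """Toy ~60-bit RSA key (d, e, n); a real deployment needs 2048-bit or larger moduli."""
    p, q = next_prime(p_start), next_prime(q_start)
    phi = (p - 1) * (q - 1)
    while math.gcd(e, phi) != 1:
        e += 2
    return pow(e, -1, phi), e, p * q

# The four operations of Section 2 for a signer holding key = (d, e, n).
def sign(key, a):        # Eq. (1): a^d mod n
    return pow(a, key[0], key[2])
def sign_inv(key, a):    # Eq. (2): a^e mod n
    return pow(a, key[1], key[2])
def hide(key, a, b):     # Eq. (3): b^e * a mod n, blinds a with the secret factor b
    return pow(b, key[1], key[2]) * a % key[2]
def unstrap(key, a, b):  # Eq. (4): b^-1 * a mod n, removes the blinding factor
    return pow(b, -1, key[2]) * a % key[2]

def blind_sign_chain(M, signers, r):
    """BS(M | P1, ..., Pt) with one blinding factor r, as in Phase 3; needs M < n_P1 < ... < n_Pt."""
    t = M
    for key in signers:
        w = hide(key, t, r)          # requester blinds the current value
        x = sign(key, w)             # the signer sees only w, never t
        y = unstrap(key, x, r)       # requester strips the blinding factor
        if sign_inv(key, y) != t:    # the check the member performs before the next hop
            raise ValueError("signer returned an invalid signature")
        t = y
    return t

def open_ticket(T, signers):
    """Eq. (12): strip the signatures in reverse order to recover {Y || alpha}."""
    for key in reversed(signers):
        T = sign_inv(key, T)
    return T

def hidden_identity(member_id, R):
    """Toy stand-in for f(ID || R) in Eq. (5): SHA-1 truncated to 32 bits to fit the toy moduli."""
    return int.from_bytes(hashlib.sha1(f"{member_id}||{R}".encode()).digest()[:4], "big")

def tally(table, signers, Y):
    """Phase 6: drop duplicates, sort, count tickets opening to a value tagged with Y (the Y-prefix check is this example's assumption)."""
    return sum(1 for T in sorted(set(table)) if open_ticket(T, signers) >> 32 == Y)

def demo():
    """Constructed run: administrator key A<k>, then scrutineers S1, S2 with larger moduli."""
    signers = [keygen(1_000_000_000, 1_000_000_100), keygen(1_000_001_000, 1_000_001_100),
               keygen(1_000_002_000, 1_000_002_100)]
    Y, table = 0xA5A5A5, []                   # constructed ticket-distribution identifier
    for member in ("u", "v", "w"):
        M = (Y << 32) | hidden_identity(member, random.getrandbits(128))  # {Y || alpha} < n_A
        table.append(blind_sign_chain(M, signers, random.randrange(2, signers[0][2])))
    table.append(table[0])                    # u's ticket reaches the originator twice
    M_bad = (Y << 32) | 1                     # a ticket S2 never signed must not open correctly
    partial = blind_sign_chain(M_bad, signers[:2], random.randrange(2, signers[0][2]))
    return {"tally": tally(table, signers, Y),
            "partial_rejected": open_ticket(partial, signers) != M_bad}
```

Running `demo()` counts three endorsers from four submitted tickets (one duplicate) and shows that a ticket lacking one scrutineer’s signature does not open to its message, the soundness point of Theorem 2.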

4. SECURITY ANALYSIS

Here, we adopt the security criteria [4, 10] for a voting scheme with slight modifications to evaluate the security of the proposed system.

Theorem 1 (completeness). All collected tickets are counted correctly.

Sketch of Proof: The ticket presented by each member should be counted correctly in the endorsement table. If all the hidden identities within the collected tickets are generated according to Eq. (5), all collected tickets will be accepted. However, if a member $x$ randomly generates his hidden identity, there are two cases: (Case 1) $\alpha_x^{\langle i\rangle}$ differs from the hidden identities of the other endorsers, implying that $T_x^{\langle i\rangle}$ differs from the other endorsers’ tickets; or (Case 2) $\alpha_x^{\langle i\rangle}$ happens to equal the hidden identity of a rule-abiding endorser $y$, which implies that $T_x^{\langle i\rangle}$ collides with $T_y^{\langle i\rangle}$. In this case, the duplicate tickets are removed; we can reasonably regard $T_y^{\langle i\rangle}$ as accepted and $T_x^{\langle i\rangle}$ as rejected. On the other hand, since the tickets are collected by the originator of the anonymous endorsement rather than by the administrator, it is reasonable to assume that the collected tickets will not be intentionally dropped. Hence, the proposed system is complete.

Theorem 2 (soundness). No one can disrupt the anonymous endorsement.

Sketch of Proof: Forged tickets can be generated only if all of $A, S_1, S_2, \ldots, S_N$ conspire. However, this contradicts the assumption that at least one of $A, S_1, S_2, \ldots, S_N$ is trusted. Therefore, the proposed system is sound.

Theorem 3 (privacy). The relationship between the endorser and his ticket is concealed.

Sketch of Proof: Since $R^{\langle i\rangle}$ is a long random number selected by member $u$, it is computationally infeasible for others to deduce $\alpha_u^{\langle i\rangle}$ from $ID_u$, and vice versa, according to Eq. (5). Thus, the system provides endorser privacy.

Theorem 4 (unreusability). No ticket can be used twice.

Sketch of Proof: As each ticket can be used for one and only one specific endorsement, the proposed system satisfies unreusability.

Theorem 5 (eligibility). Only a member can endorse.

Sketch of Proof: Since an outsider can neither obtain tickets nor forge valid tickets (by Theorem 2), the proposed system provides eligibility.

Theorem 6 (verifiability). The result of an anonymous endorsement can be verified individually and universally.

Sketch of Proof: By recognizing his hidden identity, an endorser can confirm whether his ticket is placed correctly in the endorsement table. Hence, the proposed system is individually verifiable. In addition, anyone can check the validity of all published tickets by using the public keys of $A$ and the scrutineers. By Theorem 1, the system is universally verifiable.

5. CONCLUSIONS

We have proposed an anonymous endorsement system that can be realized on existing computer networks. We do not assume that the member must follow the hidden identity generation procedure. If a member does not generate his hidden identities accordingly, his hidden identities may collide with those of others. The system ensures that rule-abiding members can endorse successfully; by contrast, the rights of members who violate the rule are not protected. For practical use, the proposed system can be integrated with the conventional paper-based endorsement mechanism. However, the members of the anonymous endorsement system are restricted to endorsing through the anonymous endorsement system, and their endorsements are not counted in the conventional paper-based endorsement book. The final endorsement result is the sum of the tally in the paper-based endorsement book and the tally of the tickets in the endorsement table.


REFERENCES

1. D. Chaum, “Untraceable electronic mail, return addresses, and digital pseudonyms,” Communications of the ACM, Vol. 24, 1981, pp. 84-88.

2. D. Chaum, “Elections with unconditionally secret ballots and disruption equivalent to breaking RSA,” in Proceedings of EuroCrypt’88, 1988, pp. 177-182.

3. K. Ohta, “An electrical voting scheme using a single administrator,” 1988 Spring National Convention Record (Japan), IEICE, Vol. 1, 1988, A-294, p. 296.

4. A. Fujioka, T. Okamoto, and K. Ohta, “A practical secret voting scheme for large scale elections,” in Proceedings of AusCrypt’92, 1992, pp. 244-251.

5. T. Okamoto, A. Fujioka, and K. Ohta, “A practical large scale secret voting scheme based on non-anonymous channels,” in Proceedings of the 1993 Symposium on Cryptography and Information Security, 1993, 1C, pp. 12

6. C. Park, K. Itoh, and K. Kurosawa, “Efficient anonymous channel and all/nothing election scheme,” in Proceedings of EuroCrypt’93, 1994, pp. 248-258.

7. K. Sako and J. Kilian, “Receipt-free mix-type voting scheme - A practical solution to the implementation of a voting booth,” in Proceedings of EuroCrypt’95, 1995, pp. 393-403.

8. W. Juang and C. Lei, “A collision-free secret ballot protocol for computerized general elections,” Computers & Security, Vol. 15, 1996, pp. 339-348.

9. J. Benaloh and M. Yung, “Distributing the power of a government to enhance the privacy of voters,” ACM Symposium on Principles of Distributed Computing, 1986, pp. 52-62.

10. K. Sako and J. Kilian, “Secure voting using partially compatible homomorphisms,” in Proceedings of Crypto’94, 1995, pp. 411-424.

11. W. Juang and C. Lei, “A secure and practical electronic voting scheme for real world environments,” IEICE Transactions on Fundamentals, Vol. E80-A, 1997, pp. 64-71.

12. W.-C. Ku and S.-D. Wang, “A secure and practical electronic voting scheme,” Computer Communications, Vol. 22, 1999, pp. 279-286.

13. D. Chaum, “Blind signature for untraceable payments,” in Proceedings of Crypto’82, 1983, pp. 199-203.

14. J. L. Camenisch, J. M. Preteau, and M. A. Stadler, “Blind signature schemes based on the discrete logarithm problem,” Rump Session of EuroCrypt’94, 1995, pp. 428-432.

15. R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems,” Communications of the ACM, 1978, pp. 120-126.

16. D. Chaum, “The dining cryptographers problem: Unconditional sender and recipient untraceability,” Journal of Cryptology, Vol. 1, 1988, pp. 65-67.

17. M. R. Garey and D. S. Johnson, Computers and Intractability: A Guide to the Theory of NP-Completeness, Murray Hill, 1979.

18. T. El Gamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, Vol. IT-31, 1985, pp. 469-472.

19. W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, Vol. IT-22, 1976, pp. 644-654.

20. … over GF(p) and its cryptographic significance,” IEEE Transactions on Information Theory, Vol. IT-24, 1978, pp. 106-110.

21. National Institute of Standards and Technology, “Secure hash standard,” NIST FIPS PUB 180-1, U.S. Department of Commerce, April 1995.

Wei-Chi Ku (顧維祺) was born in Taiwan on April 13, 1967. He received the B.S. degree in Computer Science and Information Engineering from National Chiao Tung University, Taiwan, in 1990, and the M.S. degree in Computer Science and Information Engineering from National Cheng Kung University, Taiwan, in 1992. From 1992 to 1994, he was a Reserve Officer, and served in the National Defense Management College, Taipei, Taiwan. In 2000, he received the Ph.D. degree in Electrical Engineering from National Taiwan University, Taiwan. In 2001, he joined the faculty of the Department of Computer Science and Information Engineering at Fu Jen Catholic University, where he is currently an associate professor. His research interests include cryptology and network security.

Sheng-De Wang (王勝德) was born in Taiwan on November 5, 1957. He received the B.S. degree from National Tsing Hua University, Hsinchu, Taiwan, in 1980, and the M.S. and Ph.D. degrees in Electrical Engineering from National Taiwan University, Taipei, Taiwan, in 1982 and 1986, respectively. In 1986, he joined the faculty of the Department of Electrical Engineering at National Taiwan University, where he is currently a professor. His research interests include parallel processing, artificial intelligence, information security, and neuro-computing. Dr. Wang is a member of the Association for Computing Machinery, the International Neural Networks Community, and the IEEE Computer Society. He is also a member of the Phi Tau Honor Society.
