Fail-Stop Blind Signature Scheme Based on the Integer Factorization


Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.

Lin-Chuan Wu¹, Chun-I Fan², Yi-Shiung Yeh¹ and Tsann-Shyong Liu³

1. Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan 300, R.O.C.
2. Department of Computer Science and Engineering, National Sun Yat-Sen University, Kaohsiung, Taiwan, R.O.C.
3. Telecommunication Laboratories, Chunghwa Telecom Co., Ltd., 12, Lane 551, Min-Tsu Road Sec. 5, Yang-Mei, Taoyuan, Taiwan 326, R.O.C.

Abstract - In this paper, we propose the first fail-stop blind signature scheme based on the integer factorization to obtain unforgeability and anonymity properties. It can be applied in more critical systems, like electronic payment systems, which need higher security against a more powerful forger and can preserve participants' anonymity.

Keywords: Fail-Stop Signature, Blind Signature, RSA cryptosystem, Cryptography, Information Security.

1. Introduction

A digital signature provides an analogue of the ordinary hand-written signature for achieving the non-repudiation property. Diffie and Hellman [4] introduced the concept of digital signature in 1976, and then Rivest, Shamir, and Adleman [7] proposed the first digital signature scheme in 1978. The RSA public-key cryptosystem is based on the integer factoring problem and the security of the cryptosystem relies on that computational assumption. However, such signatures are only computationally secure for the signer because a forger with unlimited computational power may forge a signature. This means that there is no mechanism to protect a signer against a forged signature which has succeeded in signature verification. Namely, if a signed message succeeds in signature verification it is assumed to be generated by the owner of the private key. To overcome this kind of attack, Waidner and Pfitzmann [9] proposed the first fail-stop signature.

A fail-stop signature can protect a signer against a forger even with unlimited computational power because the possibility of finding the signer's right private key in the fail-stop signature is negligible. The signer can use a “proof of forgery” algorithm to prove that the signature is a forgery. It achieves “proof of forgery” by showing that the underlying computational assumption has been broken. The signer can stop the system if a forgery occurs, hence the name fail-stop signature scheme. The signer is unconditionally secure and the recipient is cryptographically secure in the fail-stop signature scheme. One important application of the fail-stop signature is the electronic payment system [6]. The anonymity of participants is very important in electronic payment systems. However, it cannot be achieved in the fail-stop signature. Chaum [3] introduced the concept of a blind signature scheme which can protect the anonymity of participants. The blind signature scheme allows a user to obtain a message signed by the signer without revealing the message, and the signer cannot link any message-signature pair later. The blind signature scheme can be used in electronic payment systems to preserve participants' anonymity. In this paper, we propose the first fail-stop blind signature scheme, which is based on the RSA-based fail-stop signature scheme presented by Susilo, Safavi-Naini and Pieprzyk [8].

Our scheme can provide “proof of forgery” for signers and guarantee “anonymity” for participants. We will give sufficient proof to show that the proposed scheme satisfies the conditions of fail-stop signature and blind signature. It can provide a more secure cryptographic primitive for applying in electronic payment systems. This paper is organized as follows. The RSA-based fail-stop signature scheme will be reviewed in Section 2. In Section 3, we propose a fail-stop blind signature scheme based on the integer factorization problem. In Section 4, we show that the proposed scheme satisfies the conditions of fail-stop signature and blind signature. Finally, we give brief conclusions in Section 5.

2. RSA-based Fail-Stop Signature

Susilo, Safavi-Naini and Pieprzyk [8] presented two RSA-based fail-stop signature schemes (with or without a trusted dealer). We only consider the scheme with trusted dealer here for simplicity. Actually, the signer and the receiver can perform the initialization phase instead of the trusted dealer by using Boneh-Franklin's algorithm [2]. There are three kinds of participants, which are the trusted dealer, the sender and the receiver, in Susilo et al.'s scheme with trusted dealer. A forged signature can be proved by using Miller's [5] and Bach's [1] methods to reveal non-trivial factors for the signer. The detailed scheme is described as follows.

(1) Initialization phase: The two large prime numbers $p$ and $q$ are chosen by $D$, such that $p = 2p'+1$ and $q = 2q'+1$, where $p'$ and $q'$ are also prime [2]. Then, $D$ computes $n = pq$ and $\varphi(n) = (p-1)(q-1)$. Next, $D$ selects $d_D$ as her/his private key and computes $e_D = d_D^{-1} \bmod \varphi(n)$, where $\mathrm{GCD}(d_D, \varphi(n)) = 1$. Then, $D$ selects a random number $\alpha \in Z_n^*$ and computes $\beta = \alpha^{d_D} \bmod n$. Finally, $D$ publishes his public key $(\alpha, n)$ and sends $(e_D, \beta)$ to $S$ securely.

(2) Key generation phase: The signer $S$ randomly chooses his private key $(k_1, k_2, k_3, k_4)$, where $k_i \in Z_n^*$. Next, $S$ computes $\beta_1 = \alpha^{k_4}\beta^{k_3} \bmod n$, $\alpha_1 = \alpha^{k_3}\beta_1^{k_1} \bmod n$ and $\alpha_2 = \alpha^{k_4}\beta_1^{k_2} \bmod n$. Finally, he publishes his public key $(\beta_1, \alpha_1, \alpha_2)$.

(3) Signature generation phase: $S$ computes $y_1 = k_1 x + k_2$ and $y_2 = k_3 x + k_4$, where $x \in Z_n^*$ is a message. Then, he publishes the signature $(y_1, y_2)$ on message $x$.

(4) Signature verification phase: $R$ can verify the signature by checking the formula $\alpha^{y_2}\beta_1^{y_1} = \alpha_1^{x}\alpha_2 \bmod n$. If it is true, this signature is a valid one.

(5) Proof of forgery phase: If a forged signature $(y_1', y_2')$ on message $x$ succeeds in the signature verification phase, $S$ can prove that a forgery has occurred by executing the following steps.
1. To construct the right signature $(y_1, y_2)$ on message $x$.
2. To compute $Z_1 = (y_1' - y_1)$ and $Z_2 = (y_2 - y_2')$.
3. To compute $\gamma = e_D(Z_2 - k_4 Z_1) - k_3 Z_1 = c\varphi(n)$.
4. To find non-trivial factors of $n$ by using Miller's [5] and Bach's [1] methods.
5. The non-trivial factors of $n$ are the proof of forgery.

3. Fail-Stop Blind Signature Scheme

The fail-stop blind signature scheme combines the advantages of both fail-stop signature and blind signature. Our proposed scheme is a modification of Susilo et al.'s scheme with trusted dealer. There are seven phases in the fail-stop blind signature scheme: (1) Initialization, (2) Key generation, (3) Blinding, (4) Signing, (5) Unblinding, (6) Verification and (7) Proof of forgery. The three kinds of participants in our scheme are the same as in Section 2. The detailed scheme is described below.

(1) Initialization phase: Initially, the trusted dealer $D$ chooses two large primes $p$ and $q$ such that $p = 2p'+1$ and $q = 2q'+1$, where $p'$ and $q'$ are also prime. $D$ computes $n = pq$ and $\varphi(n) = (p-1)(q-1)$. Next, $e_D$ and $d_D$ are chosen by the trusted dealer such that $e_D d_D \equiv 1 \bmod \varphi(n)$. Then, $D$ chooses an integer $\alpha \in Z_n^*$ randomly and computes $\beta = \alpha^{d_D} \bmod n$. Finally, $D$ publishes his public key $(\alpha, n)$, keeps his private key $d_D$ secret and sends $(e_D, \beta)$ to $S$ via a secure channel.

(2) Key generation phase: $S$ selects four random numbers, which are $k_1$, $k_2$, $k_3$ and $k_4$, as the private key, where $k_i \in Z_n^*$, $1 \le i \le 4$, and computes $\beta_1 = \alpha^{k_4}\beta^{k_3} \bmod n$, $\alpha_1 = \alpha^{k_3}\beta_1^{k_1} \bmod n$ and $\alpha_2 = \alpha^{k_4}\beta_1^{k_2} \bmod n$. Finally, $S$ publishes his (her) public key $(\beta_1, \alpha_1, \alpha_2)$ and a one-way hash function $H$.

(3) Blinding phase: For a message $m$, the receiver $R$ selects a random number $r$ in $Z_n^*$. $R$ computes $\tilde{m} = rH(m) \bmod n$ with a blinding factor $r$, where $H(m)$ is the hashed value of message $m$. Then, $R$ sends the blinded message $\tilde{m}$ and $x = H(r) \bmod n$ to $S$.

(4) Signing phase: In this phase, $S$ computes $\tilde{s}_1 = \tilde{m}(k_1 x + k_2)$ and $\tilde{s}_2 = \tilde{m}(k_3 x + k_4)$. $S$ sends the blinded signature $(\tilde{s}_1, \tilde{s}_2)$ on blinded message $\tilde{m}$ to $R$.

(5) Unblinding phase: After $R$ obtains the blinded signature $(\tilde{s}_1, \tilde{s}_2)$, he (she) performs the unblinding operation by computing $s_1 = r^{-1}\tilde{s}_1$ and $s_2 = r^{-1}\tilde{s}_2$. Then, $(s_1, s_2)$ is the signature on hashed message $H(m)$.

(6) Verification phase: Anyone can verify the message-signature $(H(m), x, s_1, s_2)$ by checking if $\alpha^{s_2}\beta_1^{s_1} = \alpha_1^{xH(m)}\alpha_2^{H(m)} \bmod n$.

(7) Proof of forgery phase: This phase is similar to Susilo et al.'s scheme in Section 2. The signer can prove that a forgery has occurred by revealing the non-trivial factors of $n$.

4. Security Analysis

A secure fail-stop blind signature scheme must satisfy four conditions as follows.
(1) It is nearly impossible for the forger to forge a signature even with unlimited computational power.
(2) The signer can use a polynomial-time algorithm to prove that a forgery has occurred.
(3) The polynomial-bounded signer cannot forge a signature and prove it a forgery later.
(4) It is computationally infeasible for the signer to link the message he actually signed and the corresponding signature for verification later.

Lemma 1: There exist $\varphi(n)$ equally likely matching private keys for each public key, such that different private keys generate different signatures on the same message.

Lemma 2: The signer can prove that a forgery has occurred by factorizing $n$ if a forged signature $(s_1', s_2')$ on a message $m$ succeeds in the verification phase.

Lemma 3: The signer can prove that a forgery has occurred with probability $\frac{\varphi(n) - 1}{\varphi(n)}$.

The detailed proofs of Lemma 1, 2 and 3 are described in Susilo et al. [8]. The second condition of a secure fail-stop blind signature is satisfied by Lemma 2. Theorem 1 shows that, even for a forger with unlimited computational power, there still exist $\varphi(n)$ possible private keys for that signature.

Theorem 1: Even for a forger with unlimited computational power, there still exist $\varphi(n)$ possible private keys for that blinded signature $(\tilde{s}_1, \tilde{s}_2)$ on the blinded message $\tilde{m}$ together with the corresponding public key.

Proof: Assume the forged blinded signature on the blinded message $\tilde{m}$ is $(\tilde{s}_1', \tilde{s}_2')$ and the public key of the signer is $(\beta_1, \alpha_1, \alpha_2)$. If a forger with unlimited computational power can solve the discrete logarithm and factorization problems successfully, he can obtain the following equations.

$$\tilde{s}_1' = (k_1 x + k_2)\tilde{m} \bmod \varphi(n)$$
$$\tilde{s}_2' = (k_3 x + k_4)\tilde{m} \bmod \varphi(n)$$
$$c_1 = (k_3 + w k_1) \bmod \varphi(n)$$
$$c_2 = (k_4 + w k_2) \bmod \varphi(n)$$

where $\tilde{m} = rH(m)$, $x, c_1, c_2 \in Z_n^*$ and $w = \log_\alpha \beta_1 = k_4 + d_D k_3$. Then, a forger can rewrite these equations by using matrix representation.

$$\begin{bmatrix} x\tilde{m} & \tilde{m} & 0 & 0 \\ 0 & 0 & x\tilde{m} & \tilde{m} \\ w & 0 & 1 & 0 \\ 0 & w & 0 & 1 \end{bmatrix} \begin{bmatrix} k_1 \\ k_2 \\ k_3 \\ k_4 \end{bmatrix} = \begin{bmatrix} \tilde{s}_1' \\ \tilde{s}_2' \\ c_1 \\ c_2 \end{bmatrix}$$

The above matrix's rank is 3 because $x\tilde{m}r_3 - w r_1 - r_2 + \tilde{m}r_4 = 0$, where $r_i$ is the $i$-th row of the matrix. There are $\varphi(n)$ possible private keys for that blinded signature since the number of solutions of the equations is $\varphi(n)$. □

Lemma 4: The forger, even with unlimited computational power, cannot generate the blinded signature on a new message.

Theorem 2: The polynomial-bounded signer cannot generate a valid signature and prove it a forgery later.

Proof: The polynomial-bounded signer must have another private key $(k_1', k_2', k_3', k_4')$ which can match the corresponding public key $(\beta_1, \alpha_1, \alpha_2)$ to deny a generated valid signature, such that $\alpha_1 = \alpha^{k_3'}\beta_1^{k_1'} \bmod n$ and $\alpha_2 = \alpha^{k_4'}\beta_1^{k_2'} \bmod n$. The difficulty of finding another private key $(k_1', k_2', k_3', k_4')$ is equivalent to solving the discrete logarithm problem. Moreover, it is difficult to find $d_D$ without knowing $\varphi(n)$ because of the difficulty of integer factorization. Hence, the proposed scheme satisfies the third condition of a secure fail-stop blind signature by Theorem 2. □

Theorem 3: There exists a unique private key corresponding to the public key, the blinded signature $(\tilde{s}_1, \tilde{s}_2)$ on the blinded message $\tilde{m}$ and a valid blinded signature $(\tilde{s}_1', \tilde{s}_2')$ on the blinded message $\tilde{m}'$, where $\tilde{m} \ne \tilde{m}'$.

Proof: From Theorem 1, even for a forger with unlimited computational power, there still exist $\varphi(n)$ possible private keys for the blinded signature on the blinded message corresponding to the public key. The signer can organize these equations as follows.

$$\tilde{s}_1 = (k_1 x + k_2)\tilde{m} \bmod \varphi(n)$$
$$\tilde{s}_2 = (k_3 x + k_4)\tilde{m} \bmod \varphi(n)$$
$$\tilde{s}_1' = (k_1 x + k_2)\tilde{m}' \bmod \varphi(n)$$
$$\tilde{s}_2' = (k_3 x + k_4)\tilde{m}' \bmod \varphi(n)$$
$$c_1 = (k_3 + w k_1) \bmod \varphi(n)$$
$$c_2 = (k_4 + w k_2) \bmod \varphi(n)$$

where $\tilde{m} = rH(m)$, $x, c_1, c_2 \in Z_n^*$ and $w = \log_\alpha \beta_1 = k_4 + d_D k_3$. The matrix representation of the above equations can be rewritten as follows.

$$\begin{bmatrix} x\tilde{m} & \tilde{m} & 0 & 0 \\ 0 & 0 & x\tilde{m} & \tilde{m} \\ x\tilde{m}' & \tilde{m}' & 0 & 0 \\ 0 & 0 & x\tilde{m}' & \tilde{m}' \\ w & 0 & 1 & 0 \\ 0 & w & 0 & 1 \end{bmatrix} \begin{bmatrix} k_1 \\ k_2 \\ k_3 \\ k_4 \end{bmatrix} = \begin{bmatrix} \tilde{s}_1 \\ \tilde{s}_2 \\ \tilde{s}_1' \\ \tilde{s}_2' \\ c_1 \\ c_2 \end{bmatrix}$$

Since $\tilde{m} \ne \tilde{m}'$, the above coefficient matrix's rank is 4. Hence, the private key is unique corresponding to the public key. We prove that the first condition of a secure fail-stop blind signature is satisfied from Theorem 3. □

Theorem 4: The signer computationally cannot link the blinded message $\tilde{m}$ he actually signed and the corresponding signature $(s_1, s_2)$ for verification later.

Proof: In the signing phase, the signer can obtain the blinded message $\tilde{m} = rH(m)$ and $x = H(r) \bmod n$. The signer can obtain the signature $(s_1, s_2)$ in the verification phase, where

$$s_1 = r^{-1}\tilde{s}_1 = (k_1 x + k_2)H(m)$$
$$s_2 = r^{-1}\tilde{s}_2 = (k_3 x + k_4)H(m)$$

It is computationally infeasible for the signer to link the blinded message and the signature for verification later since the blinding factor is chosen randomly by the receiver. The last condition of a secure fail-stop blind signature is satisfied by Theorem 4. □

5. Conclusions

Waidner and Pfitzmann presented the first fail-stop signature, which allows a signer to prove that a signature is a forgery. In this paper, we propose the first fail-stop blind signature scheme and give sufficient proof that it satisfies the conditions of fail-stop signature and blind signature. It is suitable to be applied in untraceable electronic payment systems which need higher security against an unlimited forger and can preserve the anonymity of participants.

References

[1] E. Bach, “Discrete Logarithm and Factoring,” Report no. UCB/CSD 84/186, Comp. Sc. Division (EECS), University of California, Berkeley, 1984.
[2] D. Boneh and M. Franklin, “Efficient Generation of Shared RSA keys,” Advances in Cryptology - CRYPTO '97, LNCS Vol. 1294 (1997), Springer-Verlag, pp. 425-439.
[3] D. Chaum, “Blind Signatures for Untraceable Payments,” Advances in Cryptology - CRYPTO '82, Plenum Press (1983), pp. 199-203.
[4] W. Diffie and M. Hellman, “New Directions in Cryptography,” IEEE Trans. Information Theory, Vol. IT-22 (1976), pp. 644-654.
[5] G. L. Miller, “Riemann's Hypothesis and Tests for Primality,” Journal of Computer and System Sciences, Vol. 13 (1976), pp. 300-317.
[6] B. Pfitzmann and M. Waidner, “Fail-Stop Signatures and Their Applications,” SECURICOM P1, Paris (1991), pp. 145-160.
[7] R. L. Rivest, A. Shamir, and L. M. Adleman, “A Method for Obtaining Digital Signatures and Public-key Cryptosystems,” Communications of the ACM, Vol. 21 (1978), pp. 120-126.
[8] W. Susilo, R. Safavi-Naini, and J. Pieprzyk, “RSA-based Fail-Stop Signature Schemes,” International Workshop on Security, IEEE Computer Society Press (1999), pp. 161-166.
[9] M. Waidner and B. Pfitzmann, “The Dining Cryptographers in the Disco: unconditional sender and recipient untraceability with computationally secure serviceability,” Advances in Cryptology - EUROCRYPT '89, LNCS Vol. 434 (1989), Springer-Verlag, pp. 690.
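
The five phases of the Section 2 scheme, whose proof-of-forgery step phase (7) of Section 3 reuses, as an added Python example that is not code from the paper. The safe primes 1019 and 1187, the fixed choices of d_D, α and the private key, and all function names are constructed for illustration; `simulated_forgery` uses the dealer's and signer's secrets to stand in for the computationally unbounded forger, and the factoring routine is a Miller-style square-root search that assumes γ is a non-zero multiple of φ(n).

```python
import math

# Constructed toy parameters (not from the paper): safe primes p = 2p'+1, q = 2q'+1.
P, Q = 1019, 1187                      # 2*509+1 and 2*593+1
N, PHI = P * Q, (P - 1) * (Q - 1)

def dealer_setup(d_D=5, alpha=2):
    """Dealer D: returns (e_D, beta), e_D = d_D^-1 mod phi(n), beta = alpha^d_D mod n."""
    assert math.gcd(d_D, PHI) == 1 and math.gcd(alpha, N) == 1
    return pow(d_D, -1, PHI), pow(alpha, d_D, N)

def keygen(alpha, beta, k):
    """Signer S: public key (beta1, alpha1, alpha2) from private k = (k1, k2, k3, k4)."""
    k1, k2, k3, k4 = k
    beta1 = pow(alpha, k4, N) * pow(beta, k3, N) % N
    alpha1 = pow(alpha, k3, N) * pow(beta1, k1, N) % N
    alpha2 = pow(alpha, k4, N) * pow(beta1, k2, N) % N
    return beta1, alpha1, alpha2

def sign(k, x):
    return k[0] * x + k[1], k[2] * x + k[3]   # (y1, y2), over the integers

def verify(alpha, pub, x, sig):
    """Check alpha^y2 * beta1^y1 == alpha1^x * alpha2 (mod n)."""
    beta1, alpha1, alpha2 = pub
    lhs = pow(alpha, sig[1], N) * pow(beta1, sig[0], N) % N
    return lhs == pow(alpha1, x, N) * alpha2 % N

def factor_from_phi_multiple(gamma):
    """Miller-style search for a non-trivial square root of 1 modulo n."""
    t, s = abs(gamma), 0
    while t and t % 2 == 0:
        t, s = t // 2, s + 1
    for a in range(2, 100):
        b = pow(a, t, N)
        for _ in range(s):
            c = b * b % N
            if c == 1 and b not in (1, N - 1):
                g = math.gcd(b - 1, N)
                return tuple(sorted((g, N // g)))
            b = c
    return None

def prove_forgery(e_D, k, x, forged):
    """Steps 1-5: own signature, Z1, Z2, gamma = c*phi(n), then factor n."""
    y1, y2 = sign(k, x)
    z1, z2 = forged[0] - y1, y2 - forged[1]
    gamma = e_D * (z2 - k[3] * z1) - k[2] * z1
    return factor_from_phi_multiple(gamma) if gamma else None

def simulated_forgery(d_D, k, sig, t=1):
    """Stand-in for the unbounded forger: needs w = log_alpha(beta1) = k4 + d_D*k3."""
    w = k[3] + d_D * k[2]
    return sig[0] - t, sig[1] + w * t
```

When the signer's own signature is passed to `prove_forgery`, γ is zero and the function returns `None`, so nothing is proved against a genuine signature.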
