Analysis of Sun et al.’s linkability attack on some proxy blind signature schemes
Lin-Chuan Wu a,*, Yi-Shiung Yeh a, Tsann-Shyong Liu b
a Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu 300, Taiwan, ROC
b Telecommunication Laboratories, Chunghwa Telecom Co., Ltd., 12 Lane 551, Min-Tsu Road Sec. 5, Yang-Mei, Taoyuan 326, Taiwan, ROC
Received 5 February 2005; received in revised form 10 May 2005; accepted 10 May 2005. Available online 29 June 2005.
Abstract
The proxy blind signature scheme allows the designated proxy signer to use the proxy secret key to generate a blind signature on behalf of the original signer. Tan et al. presented DLP-based and ECDLP-based proxy blind signature schemes. Awasthi and Lal later proposed an improved DLP-based scheme. Recently, Sun et al. presented a linkability attack on Tan et al.’s and Awasthi–Lal’s proxy blind signature schemes respectively. In this paper, we show that Sun et al.’s attack fails and that these schemes still satisfy the unlinkability property.
© 2005 Elsevier Inc. All rights reserved.
Keywords: Unlinkability; Blind signature; Proxy signature; Digital signature; Cryptography
1. Introduction
The blind signature scheme was first proposed by Chaum (1983) in Crypto’83. The security of Chaum’s scheme is based on the difficulty of integer factoring. The blind signature scheme can achieve the unforgeability property for the signer and the unlinkability property for the receiver. Mambo et al. (1996) presented the proxy signature scheme to allow the designated proxy signer to sign messages on behalf of the original signer. For example, when a manager is going on a vacation, (s)he can delegate her/his secretary to sign messages on behalf of her/him. Tan et al. (2002) presented two proxy blind signature schemes to allow the proxy signer to generate a blind signature on behalf of the original signer. Awasthi and Lal (2005) showed a forgery attack on Tan et al.’s schemes and later proposed a more secure proxy blind signature scheme. Recently, Sun et al. (2005) pointed out that neither Tan et al.’s schemes nor Awasthi–Lal’s scheme satisfy the unlinkability property of the proxy blind signature scheme. In this paper, we show that Sun et al.’s linkability attack fails and that these schemes still satisfy the unlinkability property.
2. Reviews of Tan et al.’s and Awasthi–Lal’s proxy blind signature schemes
The system parameters in the following proxy blind signature schemes are defined as follows:
System parameters
$p, q$: two large prime numbers, where $q \mid (p - 1)$
$g$: an element of $Z_p$ of order $q$
$x_o, y_o$: secret key and public key of the original signer respectively, where $y_o = g^{x_o} \bmod p$
$x_p, y_p$: secret key and public key of the proxy signer respectively, where $y_p = g^{x_p} \bmod p$
$h(\cdot)$: a secure and public one-way hash function
$\|$: the concatenation of strings
0164-1212/$ - see front matter © 2005 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2005.05.007
* Corresponding author. Tel.: +886 3 4244151; fax: +886 3 4244147. E-mail address: [email protected] (L.-C. Wu).
The Journal of Systems and Software 79 (2006) 176–179, www.elsevier.com/locate/jss
2.1. Tan et al.’s proxy blind signature schemes
Tan et al. (2002) presented two proxy blind signature schemes based on the discrete logarithm problem (DLP) and the elliptic curve discrete logarithm problem (ECDLP) in 2002. They also defined the required security properties of a proxy blind signature scheme. There are three kinds of participants in their schemes: the original signer, the proxy signer and the receiver. The three phases in their schemes are (1) proxy delegation, (2) signing and (3) verification. The details of Tan et al.’s DLP-based scheme are described as follows.
(1) Proxy delegation phase. The original signer randomly selects a number $k_o$ and calculates $r_o = g^{k_o} \bmod p$ and $s_o = k_o + x_o r_o \bmod q$. Then the original signer sends $(r_o, s_o)$ to the proxy signer in a secure way. After the proxy signer receives it, (s)he can verify it by checking the correctness of the equation $g^{s_o} = y_o^{r_o}\, r_o \bmod p$. Finally, the proxy signer computes her/his proxy secret key $s_{pr} = s_o + x_p \bmod q$.
(2) Signing phase. The proxy signer chooses a random number $k$, computes $t = g^{k} \bmod p$ and sends $(r_o, t)$ to the receiver. After receiving it, the receiver randomly chooses two numbers $a$ and $b$ and calculates $r = t\, g^{b}\, y_p^{-a-b}\, (y_o^{r_o} r_o)^{-a} \bmod p$, $e = h(r \,\|\, m) \bmod q$, $u = (y_o^{r_o} r_o)^{b-e}\, y_o^{e} \bmod p$ and $e' = (e - a - b) \bmod q$. Then the receiver sends $e'$ to the proxy signer. Next, the proxy signer calculates the blinded signature $s' = e' s_{pr} + k \bmod q$ and sends $s'$ back to the receiver. Finally, the receiver computes $s = s' + b \bmod q$. The signature of the message $m$ is $(m, u, s, e)$.
(3) Verification phase. Anyone can verify the correctness of the proxy blind signature $(m, u, s, e)$ by checking that $e = h(g^{s}\, y_p^{-e}\, y_o^{-e}\, u \bmod p \,\|\, m) \bmod q$ holds. The description of Tan et al.’s ECDLP-based proxy blind signature scheme is omitted here because it is similar to the DLP-based scheme, except that the discrete logarithm cryptosystem parameters are replaced by elliptic curve cryptosystem parameters.
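As an added illustration (not code from Tan et al. or from this paper), the following Python reconstructs the three phases of the DLP-based scheme above on a small constructed group and checks that the verification equation recovers the receiver's blinded value $r$; the parameters $p = 2039$, $q = 1019$, $g = 4$, the use of SHA-256 in place of $h(\cdot)$ and the function names are assumptions of the example.

```python
import hashlib
import secrets

# Constructed toy group for the example: q divides p - 1 and g = 4 has order q.
p, q, g = 2039, 1019, 4

def H(r, m):
    # e = h(r || m) mod q; SHA-256 stands in for the generic one-way hash h
    return int.from_bytes(hashlib.sha256(f"{r}|{m}".encode()).digest(), "big") % q

def keygen():
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)                        # (secret key, public key)

def delegate(xo, yo):
    # proxy delegation phase: (ro, so) with g^so = yo^ro * ro (mod p)
    ko = secrets.randbelow(q - 1) + 1
    ro = pow(g, ko, p)
    so = (ko + xo * ro) % q
    assert pow(g, so, p) == pow(yo, ro, p) * ro % p   # the proxy signer's check
    return ro, so

def proxy_key(so, xp):
    return (so + xp) % q                          # spr = so + xp mod q

def sign(m, spr, yp, yo, ro):
    # signing phase with both parties' steps interleaved; returns the
    # signature and (for inspection only) the receiver's blinded value r
    k = secrets.randbelow(q - 1) + 1
    t = pow(g, k, p)                              # proxy -> receiver: (ro, t)
    a, b = secrets.randbelow(q), secrets.randbelow(q)
    Y = pow(yo, ro, p) * ro % p                   # yo^ro * ro
    r = t * pow(g, b, p) * pow(yp, (-a - b) % q, p) * pow(Y, (-a) % q, p) % p
    e = H(r, m)
    u = pow(Y, (b - e) % q, p) * pow(yo, e, p) % p
    e1 = (e - a - b) % q                          # receiver -> proxy: e'
    s1 = (e1 * spr + k) % q                       # proxy -> receiver: s'
    s = (s1 + b) % q                              # receiver unblinds
    return (m, u, s, e), r

def verification_value(sig, yp, yo):
    # g^s * yp^-e * yo^-e * u mod p; a valid signature hashes it back to e
    m, u, s, e = sig
    return pow(g, s, p) * pow(yp, (-e) % q, p) * pow(yo, (-e) % q, p) * u % p

def verify(sig, yp, yo):
    return sig[3] == H(verification_value(sig, yp, yo), sig[0])
```

Because every exponent base lies in the order-$q$ subgroup, negative exponents are taken modulo $q$ before calling `pow`.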
2.2. Awasthi and Lal’s proxy blind signature scheme
Awasthi and Lal (2005) showed a forgery attack on Tan et al.’s schemes and later proposed a more secure and efficient proxy blind signature scheme. Proxy-unprotected and proxy-protected are the two kinds of schemes, according to whether the original signer can generate the same proxy signature as the proxy signer. In proxy-unprotected schemes, both the proxy signer and the original signer can generate valid proxy signatures. In proxy-protected schemes, only the proxy signer can generate valid proxy signatures, and (s)he cannot repudiate them later. The participants, phases and system parameters are the same as in Tan et al.’s schemes. The detailed scheme is described in the following.
(1) Proxy delegation phase. The original signer chooses a random number $k_o$ and computes $r_o = g^{k_o} \bmod p$ and $s_o = x_o + k_o r_o \bmod q$. Next, the original signer sends $(r_o, s_o)$ to the proxy signer via a secure channel. After the proxy signer receives it, (s)he can verify it by checking whether the equation $g^{s_o} = y_o\, r_o^{r_o} \bmod p$ holds. In the proxy-unprotected case, the proxy signer uses $s_{pr} = s_o$ as her/his proxy secret key and $y_{pr} = y_o\, r_o^{r_o} \bmod p$ as her/his proxy public key. In the proxy-protected case, the proxy signer computes $s_{pr} = s_o + x_p \bmod q$ as her/his proxy secret key and $y_{pr} = y_o\, r_o^{r_o}\, y_p \bmod p$ as her/his proxy public key. (Note that the proxy public keys given in Sun et al.’s paper for the proxy-unprotected and proxy-protected cases must be exchanged with each other.)
(2) Signing phase. The proxy signer randomly chooses a number $k$, computes $t = g^{k} \bmod p$ and sends $(r_o, t)$ to the receiver. After receiving it, the receiver selects two random numbers $a$ and $b$. Then (s)he calculates $r = t\, g^{-a}\, y_{pr}^{-b} \bmod p$, $e' = h(r \,\|\, m) \bmod q$ and $e = (e' + b) \bmod q$. The receiver sends $e$ to the proxy signer. Next, the proxy signer calculates the blinded signature $s' = k - e s_{pr} \bmod q$ and sends $s'$ back to the receiver. Finally, the receiver computes $s = s' - a \bmod q$ from the blind signature $s'$. The signature of the message $m$ is $(m, s, e')$.
(3) Verification phase. Anyone can verify the correctness of the proxy blind signature $(m, s, e')$ by checking whether $e' = h(g^{s}\, y_{pr}^{e'} \bmod p \,\|\, m) \bmod q$ holds.
3. Sun et al.’s linkability attack on some proxy blind signature schemes
In Sun et al.’s (2005) linkability attack, they pointed out that the proxy signer can record all blinded messages and use them to trace back the corresponding blind signatures. Hence, Sun et al. claimed that all of Tan et al.’s schemes and Awasthi–Lal’s scheme cannot satisfy the unlinkability property of the blind signature. The details of Sun et al.’s attack are described as follows.
3.1. Sun et al.’s attack on Tan et al.’s schemes
We only describe Sun et al.’s attack on Tan et al.’s DLP-based proxy blind signature scheme in detail, because Tan et al.’s ECDLP-based scheme is similar to it.
1. The proxy signer can keep all sets of records $(t_i, e'_i, s'_i)$ for each instance $i$ in Tan et al.’s DLP-based scheme, where $t_i = g^{k_i} \bmod p$.
2. When the receiver reveals $(m, u, s, e)$ to the public, the proxy signer can compute $b'_i = s - s'_i \bmod q$ for each instance $i$, since $s = s' + b \bmod q$.
3. The proxy signer can calculate $a'_i = (e - b'_i - e'_i) \bmod q$ for each instance $i$, since $e' = (e - a - b) \bmod q$.
4. Then the proxy signer can compute $r'_i = t_i\, g^{b'_i}\, y_p^{-a'_i - b'_i}\, (y_o^{r_o} r_o)^{-a'_i} \bmod p$ for each instance $i$, since $r = t\, g^{b}\, y_p^{-a-b}\, (y_o^{r_o} r_o)^{-a} \bmod p$.
5. Finally, the proxy signer can check whether $r'_i = g^{s}\, y_p^{-e}\, y_o^{-e}\, u \bmod p$ holds. If it is true, the proxy signer can trace back the blind signature.
Hence, Sun et al. claimed that Tan et al.’s schemes cannot satisfy the unlinkability property of the blind signature.
3.2. Sun et al.’s attack on Awasthi–Lal’s scheme
1. The proxy signer can keep all sets of records $(t_i, e'_i, \tilde{s}_i)$ for each instance $i$, where $t_i = g^{k_i} \bmod p$. (In the description of this attack, $e'$ denotes the blinded value sent to the proxy signer and $e$ the value in the published signature, the reverse of the notation of Section 2.2.)
2. After the receiver reveals $(m, s, e)$ to the public, the proxy signer can calculate $a'_i = \tilde{s}_i - s \bmod q$ for each instance $i$, since $s = \tilde{s} - a \bmod q$.
3. The proxy signer can calculate $b'_i = (e'_i - e) \bmod q$ for each instance $i$, since $e' = (e + b) \bmod q$.
4. The proxy signer can then compute $r'_i = t_i\, g^{-a'_i}\, y_{pr}^{-b'_i} \bmod p$ for each instance $i$, since $r = t\, g^{-a}\, y_{pr}^{-b} \bmod p$.
5. Finally, the proxy signer can check whether $r'_i = g^{s}\, y_{pr}^{e} \bmod p$ holds. If the equation is true, the proxy signer can trace back the blind signature.
Thus, Sun et al. claimed that Awasthi–Lal’s scheme cannot satisfy the unlinkability property of the blind signature.
4. Analysis of Sun et al.’s linkability attack
Harn (1995) first pointed out that Camenisch et al.’s (1994) blind signature scheme is linkable. Hoster et al. (1995) later showed that Harn’s claim is incorrect. Recently, Hwang et al. (2002, 2003a,b,c) presented several papers claiming that several blind signature schemes are linkable. Unfortunately, many cryptanalysts (Wu and Yeh, 2005; Lee and Wu, 2004; Lee and Sun, 2003; Fan, 2003) have shown that each of Hwang et al.’s attacks fails. In this section, we show that Sun et al.’s linkability attack fails and that Tan et al.’s and Awasthi–Lal’s proxy blind signature schemes are still unlinkable.
4.1. Analysis of Sun et al.’s linkability attack on Tan et al.’s schemes
According to Sun et al.’s linkability attack, the proxy signer can keep all sets of records $(t_i, e'_i, s'_i)$ for each instance $i$ in Tan et al.’s DLP-based scheme. After the receiver reveals $(m, u, s, e)$ to the public, the proxy signer can calculate $b'_i = s - s'_i \bmod q$ for each instance $i$. Next, (s)he can obtain $a'_i = (e - b'_i - e'_i) \bmod q$. Then the proxy signer can calculate $r'_i = t_i\, g^{b'_i}\, y_p^{-a'_i - b'_i}\, (y_o^{r_o} r_o)^{-a'_i} \bmod p$. Finally, the proxy signer can check whether the equation $r'_i = g^{s}\, y_p^{-e}\, y_o^{-e}\, u \bmod p$ holds. However, we show that the equation is always true for each instance $i$ in the following:
\begin{align*}
r'_i &= t_i\, g^{b'_i}\, y_p^{-a'_i - b'_i}\, (y_o^{r_o} r_o)^{-a'_i} \bmod p \\
&= t_i\, g^{s - s'_i}\, y_p^{-e + b'_i + e'_i + s'_i - s}\, (y_o^{r_o} r_o)^{b'_i + e'_i - e} \bmod p \\
&= g^{s}\,(t_i\, g^{-s'_i})\, y_p^{-e}\,(y_p^{b'_i + e'_i + s'_i - s})\,(y_o^{r_o} r_o)^{b'_i + e'_i - e} \bmod p \\
&= g^{s}\,(t_i\, g^{-s'_i})\, y_p^{-e}\,(y_p^{s - s'_i + e'_i + s'_i - s})\,(y_o^{r_o} r_o)^{b'_i + e'_i - e} \bmod p \\
&= g^{s}\,(t_i\, g^{-s'_i})\, y_p^{-e}\,(y_p^{e'_i})\,(y_o^{r_o} r_o)^{b'_i + e'_i - e} \bmod p \\
&= g^{s}\,(t_i\, g^{-s'_i})\, y_p^{-e}\,(y_p^{e'_i})\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{r_o} r_o)^{e'_i} \bmod p \\
&= g^{s}\,(t_i\, g^{-s'_i})\, y_p^{-e}\,(y_p^{e'_i})\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{r_o} r_o)^{e'_i}\,(y_o^{-e}\, y_o^{e}) \bmod p \\
&= (g^{s}\, y_p^{-e}\, y_o^{-e})\,(t_i\, g^{-s'_i}\, y_p^{e'_i})\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{r_o} r_o)^{e'_i}\,(y_o^{e}) \bmod p \\
&= (g^{s}\, y_p^{-e}\, y_o^{-e})\,(g^{k_i}\, g^{-e'_i s_{pr} - k_i}\, y_p^{e'_i})\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{r_o} r_o)^{e'_i}\,(y_o^{e}) \bmod p \\
&= (g^{s}\, y_p^{-e}\, y_o^{-e})\,(g^{k_i - k_i - e'_i (s_o + x_p)}\, y_p^{e'_i})\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{r_o} r_o)^{e'_i}\,(y_o^{e}) \bmod p \\
&= (g^{s}\, y_p^{-e}\, y_o^{-e})\,(g^{-e'_i (s_o + x_p)}\, g^{e'_i x_p})\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{r_o} r_o)^{e'_i}\,(y_o^{e}) \bmod p \\
&= (g^{s}\, y_p^{-e}\, y_o^{-e})\,(g^{-e'_i s_o})\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{r_o} r_o)^{e'_i}\,(y_o^{e}) \bmod p \\
&= (g^{s}\, y_p^{-e}\, y_o^{-e})\,(y_o^{r_o} r_o)^{-e'_i}\,(y_o^{r_o} r_o)^{e'_i}\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{e}) \bmod p \\
&= (g^{s}\, y_p^{-e}\, y_o^{-e})\,(y_o^{r_o} r_o)^{b'_i - e}\,(y_o^{e}) \bmod p \\
&= g^{s}\, y_p^{-e}\, y_o^{-e}\, u \bmod p
\end{align*}
For a given message-signature pair $(m, u, s, e)$, the proxy signer can derive a 3-tuple $(b'_i, a'_i, r'_i)$ such that $r'_i = g^{s}\, y_p^{-e}\, y_o^{-e}\, u \bmod p$ always holds for each $(t_i, e'_i, s'_i)$. Hence, Sun et al.’s claim is incorrect and Tan et al.’s DLP-based scheme still satisfies the unlinkability property. The analysis of Sun et al.’s linkability attack on Tan et al.’s ECDLP-based scheme is similar to the above description.
4.2. Analysis of Sun et al.’s linkability attack on Awasthi–Lal’s scheme
Based on Sun et al.’s linkability attack, the proxy signer can record all sets of $(t_i, e_i, s'_i)$ for each instance $i$ in Awasthi–Lal’s scheme. After the receiver reveals $(m, s, e')$ to the public, the proxy signer can compute $a'_i = (s'_i - s) \bmod q$ for each instance $i$. Then (s)he can calculate $b'_i = (e_i - e') \bmod q$. Next, the proxy signer can compute $r'_i = t_i\, g^{-a'_i}\, y_{pr}^{-b'_i} \bmod p$. Finally, the proxy signer can check if the equation $e' = h(g^{s}\, y_{pr}^{e'} \bmod p \,\|\, m) \bmod q$ holds. We show that the equation is always true for each instance $i$ in the following:
\begin{align*}
& h(t_i\, g^{-a'_i}\, y_{pr}^{-b'_i} \bmod p \,\|\, m) \bmod q \\
&= h(t_i\, g^{s - s'_i}\, y_{pr}^{e' - e_i} \bmod p \,\|\, m) \bmod q \\
&= h(g^{s}\, t_i\, g^{-s'_i}\, y_{pr}^{e' - e_i} \bmod p \,\|\, m) \bmod q \\
&= h(g^{s}\, t_i\, g^{e_i s_{pr} - k_i}\, y_{pr}^{e' - e_i} \bmod p \,\|\, m) \bmod q \\
&= h(g^{s}\, g^{k_i}\, g^{-k_i}\, g^{e_i s_{pr}}\, y_{pr}^{e' - e_i} \bmod p \,\|\, m) \bmod q \\
&= h(g^{s}\, g^{e_i s_{pr}}\, y_{pr}^{e' - e_i} \bmod p \,\|\, m) \bmod q \\
&= h(g^{s}\, y_{pr}^{e_i}\, y_{pr}^{e' - e_i} \bmod p \,\|\, m) \bmod q \\
&= h(g^{s}\, y_{pr}^{e'} \bmod p \,\|\, m) \bmod q \\
&= e'
\end{align*}
For a given message-signature pair $(m, s, e')$, the proxy signer can derive a 3-tuple $(b'_i, a'_i, r'_i)$ such that $e' = h(g^{s}\, y_{pr}^{e'} \bmod p \,\|\, m) \bmod q$ always holds for each $(t_i, e_i, s'_i)$. Hence, Sun et al.’s linkability attack fails again on Awasthi–Lal’s scheme. Awasthi–Lal’s scheme still satisfies the unlinkability property of the proxy blind signature scheme.
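As an added example (not code from Awasthi–Lal, Sun et al. or this paper) covering the proxy-protected scheme of Section 2.2 and the identity derived in this section, the Python below runs several signing sessions, records the proxy signer's view $(t_i, e_i, s'_i)$ of each, and then evaluates the test of Section 3.2 with the derived $(a'_i, b'_i)$ against every recorded session; the toy group $p = 2039$, $q = 1019$, $g = 4$, SHA-256 in place of $h(\cdot)$ and the function names are the example's own assumptions.

```python
import hashlib
import secrets

# Constructed toy group for the example: q divides p - 1 and g = 4 has order q.
p, q, g = 2039, 1019, 4

def H(r, m):
    # e' = h(r || m) mod q; SHA-256 stands in for the generic one-way hash h
    return int.from_bytes(hashlib.sha256(f"{r}|{m}".encode()).digest(), "big") % q

def rnd():
    return secrets.randbelow(q - 1) + 1

def setup():
    # keys, delegation and the proxy-protected proxy key pair (spr, ypr)
    xo, xp = rnd(), rnd()
    yo, yp = pow(g, xo, p), pow(g, xp, p)
    ko = rnd()
    ro = pow(g, ko, p)
    so = (xo + ko * ro) % q
    assert pow(g, so, p) == yo * pow(ro, ro, p) % p   # the proxy signer's check
    return (so + xp) % q, yo * pow(ro, ro, p) * yp % p

def sign(m, spr, ypr, view):
    # one signing session; the proxy signer's view (t, e, s') is appended to view
    k = rnd()
    t = pow(g, k, p)                                  # proxy -> receiver
    a, b = secrets.randbelow(q), secrets.randbelow(q)
    r = t * pow(g, (-a) % q, p) * pow(ypr, (-b) % q, p) % p
    e1 = H(r, m)                                      # e' = h(r || m)
    e = (e1 + b) % q                                  # receiver -> proxy
    s1 = (k - e * spr) % q                            # proxy -> receiver: s'
    view.append((t, e, s1))
    return (m, (s1 - a) % q, e1)                      # signature (m, s, e')

def verify(sig, ypr):
    m, s, e1 = sig
    return e1 == H(pow(g, s, p) * pow(ypr, e1, p) % p, m)

def sun_check(sig, ypr, view):
    # per recorded session: derive (a'_i, b'_i), rebuild r'_i, hash it, compare to e'
    m, s, e1 = sig
    results = []
    for t_i, e_i, s1_i in view:
        a_i = (s1_i - s) % q
        b_i = (e_i - e1) % q
        r_i = t_i * pow(g, (-a_i) % q, p) * pow(ypr, (-b_i) % q, p) % p
        results.append(e1 == H(r_i, m))
    return results
```

For any valid signature, `sun_check` returns True for every session in the view, not only the one that produced it, which is the identity above evaluated numerically.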
5. Conclusions
Recently, Sun et al. pointed out that Tan et al.’s schemes and Awasthi–Lal’s scheme cannot satisfy the unlinkability property of the proxy blind signature scheme. In this paper, we have shown that Sun et al.’s linkability attack fails and that these schemes still satisfy the unlinkability property.
Acknowledgement
This work was supported in part by Bestwise International Co.
References
Awasthi, A.K., Lal, S., 2005. Proxy blind signature scheme. Transaction on Cryptology 2 (1), 5–11. Available from: <http://eprint.iacr.org/2003/072.pdf>.
Camenisch, J.L., Piveteau, J.M., Stadler, M.A., 1994. Blind signatures based on the discrete logarithm problem. In: Advances in Cryptology—EUROCRYPT’94, Rump session, 1994, 5pp.
Chaum, D., 1983. Blind signature systems. In: Advances in Cryptology—CRYPTO’83. Plenum, p. 153.
Fan, C.I., 2003. Comments on Hwang–Lee–Lai attack upon Fan–Lee partially blind signature scheme. IEICE Trans. Fundam. E86-A (7), 1900–1901.
Harn, L., 1995. Cryptanalysis of the blind signatures based on the discrete logarithm problem. Electron. Lett. 31 (14), 1136.
Hoster, P., Michels, M., Petersen, H., 1995. Comment: cryptanalysis of the blind signatures based on the discrete logarithm problem. Electron. Lett. 31 (21), 1827.
Hwang, M.S., Lee, C.C., Lai, Y.C., 2002. Traceability on low-computation partially blind signatures for electronic cash. IEICE Trans. Fundam. E85-A (5), 1181–1182.
Hwang, M.S., Lee, C.C., Lai, Y.C., 2003a. Traceability on RSA-based partially signature with low computation. Appl. Math. Comput. 145 (2–3), 465–468.
Hwang, M.S., Lee, C.C., Lai, Y.C., 2003b. An untraceable blind signature scheme. IEICE Trans. Fundam. E86-A (7), 1902–1906.
Hwang, M.S., Lee, C.C., Lai, Y.C., 2003c. Traceability on Stadler et al.’s fair blind signature scheme. IEICE Trans. Fundam. E86-A (2), 513–514.
Lee, N.Y., Sun, M.K., 2003. Analysis on traceability on Stadler et al.’s fair blind signature. IEICE Trans. Fundam. E86-A (11), 2901–2902.
Lee, N.Y., Wu, C.N., 2004. Comment on traceability analysis on Chaum blind signature. IEICE Trans. Fundam. E87-A (2), 511–512.
Mambo, M., Usuda, K., Okamoto, K., 1996. Proxy signature: delegation of the power to sign messages. IEICE Trans. Fundam. E79-A (9), 1338–1353.
Sun, H.M., Hsieh, B.T., Tseng, S.M., 2005. On the security of some proxy blind signature scheme. J. Syst. Software 74, 297–302.
Tan, Z., Liu, Z., Tang, C., 2002. Digital proxy blind signature schemes based on DLP and ECDLP. MM Research Preprints, No. 21, MMRC, AMSS, Academia Sinica, Beijing, pp. 212–217.
Wu, L.C., Yeh, Y.S., 2005. Comment on Traceability on RSA-based partially signature with low computation. Appl. Math. Comput., in press.