Cryptanalysis on Traceability on RSA-Based Partially Signature with Low Computation

Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.

Lin-Chuan Wu (1), Yi-Shiung Yeh (1), and Tsann-Shyong Liu (2)

1. Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan 300, R.O.C.
2. Telecommunication Laboratories, Chunghwa Telecom Co., Ltd., 12, Lane 551, Min-Tsu Road Sec. 5, Yang-Mei, Taoyuan, Taiwan 326, R.O.C.

Abstract. Recently, Chien et al. proposed an RSA-based partially blind signature with low computation for mobile and smart-card applications. Later, Hwang et al. claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature. In this paper, we show that Hwang et al.'s claim is incorrect and that Chien et al.'s scheme still satisfies the untraceability property.

Keywords: Partially blind signature, RSA cryptosystem, Cryptography, Information security.

1. Introduction

Chaum [2] first introduced the concept of the blind signature scheme in 1983. Chaum's scheme is based on the RSA public key cryptosystem, and its security depends on the difficulty of integer factorization. It allows the requester to obtain a signature from the signer without revealing the message, and the signer cannot link any message-signature pair later. Hence, the blind signature scheme achieves unforgeability for the signer and untraceability for the requester. It can be used to preserve users' anonymity in electronic payment systems or electronic voting systems. In AsiaCrypt'96, Abe and Fujisaki [1] submitted the first partially blind signature scheme, which injects common information, such as the date, into the signature. Later, Chien et al. [4] proposed a more efficient RSA-based partially blind signature scheme than Abe-Fujisaki's scheme. Recently, Hwang et al. [8] claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature. In this paper, we show that Hwang et al.'s claim is incorrect and that Chien et al.'s scheme is still untraceable.

In 2001, Chien et al. proposed an efficient partially blind signature based on the RSA cryptosystem. Compared with Abe-Fujisaki's scheme, Chien et al.'s scheme reduces the amount of computation for the requester by almost 98%. Therefore, Chien et al.'s scheme is suitable for mobile client and smart-card applications. The four phases in Chien et al.'s scheme are: (1) Initialization, (2) Requesting, (3) Signing, (4) Extraction and verification. Initially, the signer publishes the necessary information for the participants. In the requesting phase, the requester sends a blinded message and the agreed common information to the signer. In the signing phase, the signer signs the blinded message together with the common information. Finally, in the extraction and verification phase, the requester obtains the signature from the blinded signature without removing the injected common information. Anyone can verify the correctness of the signature.

The rest of the paper is organized as follows. In Section 2, we describe Chien et al.'s partially blind signature scheme and review Hwang et al.'s claim. In Section 3, we show briefly that Hwang et al.'s claim is incorrect. Finally, the conclusion is given in Section 4.

2. Review of Chien et al.'s scheme and Hwang et al.'s claim

2.1 Chien et al.'s partially blind signature scheme with low computation

The signer and the requester are the two kinds of participants in Chien et al.'s partially blind signature. The requester obtains a partially blind signature from the signer, and the signer cannot link any message-signature pair later using the message-signature pair and the agreed common information. The detailed scheme is described as follows.

(1) Initialization. The signer randomly selects two large primes $p$ and $q$, and calculates $n = p \cdot q$ and $\phi(n) = (p-1)\cdot(q-1)$. Then the signer selects a large integer $d$ such that $e \cdot d \equiv 1 \bmod \phi(n)$, where $e = 3$. Thus, $d$ is the private key of the signer, and the signer publishes his public key $(e, n)$ and a secure one-way hash function $h(\cdot)$ such as SHA-1.

(2) Requesting. The requester prepares the common information $a$ according to the predefined format. Then (s)he randomly selects two integers $r \in Z_n$ and $u \in Z_n$. The requester calculates $\alpha = r^e h(m)(u^2 + 1) \bmod n$ and sends $(a, \alpha)$ to the signer. After the signer verifies the agreed common information $a$, (s)he randomly chooses an integer $x \in Z_n^{+}$, where $x < n$, and sends it to the requester. After the requester receives $x$, (s)he selects a random number $k$ and computes $b = rk$. Finally, the requester computes $\beta = b^e (u - x) \bmod n$ and sends $\beta$ to the signer.

(3) Signing. The signer calculates $t = h(a)^d \left(\alpha (x^2 + 1) \beta^{-2}\right)^{2d} \bmod n$ and sends $(\beta^{-1}, t)$ to the requester.

(4) Extraction and verification. After the requester receives $(\beta^{-1}, t)$, (s)he obtains the signature by calculating $c = (ux + 1)\beta^{-1} b^e \bmod n$ and $s = t r^2 k^4 \bmod n$. The 3-tuple $(a, c, s)$ is a signature on the message $m$, and anyone can verify the correctness of $(a, c, s)$ by checking whether $s^e = h(a) h(m)^2 (c^2 + 1)^2 \bmod n$. If $(a, c, s)$ is a signature of the message $m$ generated by Chien et al.'s partially blind signature scheme, then $s^e = h(a) h(m)^2 (c^2 + 1)^2 \bmod n$ must hold. The detailed proof can be found in [4].

2.2 Hwang et al.'s claim

In Hwang et al.'s claim, the signer keeps a set of records for all blinded messages and uses them to trace back the blind signature. Thus, Hwang et al. claimed that Chien et al.'s scheme cannot meet the untraceability of the blind signature. The detailed procedure of Hwang et al.'s claim is described as follows.

1. The signer keeps a set of records $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$ for each instance $i$ in Chien et al.'s scheme.

2. When the requester reveals $(a, c, s, m)$ to the public, the signer computes $\tilde{u}_i = (1 + c x_i)(c - x_i)^{-1} \bmod n$ for each instance $i$, since $c = (u_i x_i + 1)\beta_i^{-1} b_i^e = (u_i x_i + 1)(u_i - x_i)^{-1} \bmod n$.

3. The signer obtains $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^{-d} \bmod n$ for each instance $i$, since $\beta = b^e (u - x) \bmod n$. Note: the formula $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^{e} \bmod n$ given in Hwang et al. [8] is wrong.

4. The signer computes $\tilde{r}_i = \alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d} \bmod n$ for each instance $i$, since $\alpha_i = r_i^e h(m)(u_i^2 + 1) \bmod n$. Note: the formula $\tilde{r}_i = \alpha_i^d h(m)^{e} (\tilde{u}_i^2 + 1)^{d} \bmod n$ given in Hwang et al. [8] is also wrong.

5. The signer obtains $\tilde{k}_i = \tilde{b}_i \tilde{r}_i^{-1} \bmod n$ for each instance $i$, since $b_i = r_i k_i \bmod n$.

6. Finally, the signer checks whether $s = t_i \cdot \tilde{r}_i^{\,2} \cdot \tilde{k}_i^{\,4} \bmod n$ for each instance $i$. If it is true, the signer can trace back the blind signature.

Therefore, Hwang et al. claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature.

3. Cryptanalysis on Hwang et al.'s claim

In 1995, Harn [6] claimed that Carmenisch et al.'s blind signature scheme [2] is traceable. Later, Horster et al. [7] proved that Harn's cryptanalysis is incorrect. Recently, Hwang et al. published several papers on the traceability of blind signatures [9-11]. Unfortunately, many cryptanalysts [13, 12, 5] have proved that Hwang et al.'s claims all fail. In this paper, we show that Hwang et al.'s claim on Chien et al.'s scheme is also incorrect.

According to Hwang et al.'s claim, the signer keeps $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$ for each instance $i$ in Chien et al.'s scheme. When the requester reveals $(a, c, s, m)$ to the public, the signer computes $\tilde{u}_i = (1 + c x_i)(c - x_i)^{-1} \bmod n$ for each instance $i$. Then (s)he obtains $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^{-d} \bmod n$. The signer computes $\tilde{r}_i = \alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d} \bmod n$ and $\tilde{k}_i = \tilde{b}_i \tilde{r}_i^{-1} \bmod n$. Finally, the signer checks whether the formula $s = t_i \cdot \tilde{r}_i^{\,2} \cdot \tilde{k}_i^{\,4} \bmod n$ is true or not. However, we show that the formula is always true for each instance $i$, as follows.

$$
\begin{aligned}
t_i \cdot \tilde{r}_i^{\,2} \cdot \tilde{k}_i^{\,4}
&\equiv h(a)^d \cdot \left(\alpha_i (x_i^2 + 1)\beta_i^{-2}\right)^{2d} \cdot \tilde{r}_i^{\,2} \left(\tilde{b}_i \cdot \tilde{r}_i^{-1}\right)^4 \bmod n \\
&\equiv h(a)^d \cdot \left(\alpha_i (x_i^2 + 1)\beta_i^{-2}\right)^{2d} \cdot \tilde{b}_i^{\,4} \cdot \tilde{r}_i^{-2} \bmod n \\
&\equiv h(a)^d \cdot \left(\alpha_i (x_i^2 + 1)\beta_i^{-2}\right)^{2d} \cdot \left(\beta_i^d (\tilde{u}_i - x_i)^{-d}\right)^4 \cdot \left(\alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d}\right)^{-2} \bmod n \\
&\equiv h(a)^d \cdot \left(\alpha_i^{2d} (x_i^2 + 1)^{2d} \beta_i^{-4d}\right) \cdot \left(\beta_i^{4d} (\tilde{u}_i - x_i)^{-4d}\right) \cdot \left(\alpha_i^{-2d} h(m)^{2d} (\tilde{u}_i^2 + 1)^{2d}\right) \bmod n \\
&\equiv h(a)^d \cdot (x_i^2 + 1)^{2d} \cdot (\tilde{u}_i - x_i)^{-4d} \cdot \left(h(m)^{2d} (\tilde{u}_i^2 + 1)^{2d}\right) \bmod n \\
&\equiv h(a)^d \cdot h(m)^{2d} \cdot \left[(x_i^2 + 1) \cdot (\tilde{u}_i - x_i)^{-2} \cdot (\tilde{u}_i^2 + 1)\right]^{2d} \bmod n \\
&\equiv \left[h(a) \cdot h(m)^2 \cdot \left[(x_i^2 + 1) \cdot (\tilde{u}_i - x_i)^{-2} \cdot (\tilde{u}_i^2 + 1)\right]^2\right]^d \bmod n \\
&\equiv \left[h(a) \cdot h(m)^2 \cdot \left[c^2 + 1\right]^2\right]^d \bmod n \\
&\equiv s \bmod n .
\end{aligned}
$$

From the above, given a message-signature pair $(a, c, s, m)$, the signer can derive a 4-tuple $(\tilde{u}_i, \tilde{b}_i, \tilde{r}_i, \tilde{k}_i)$ such that $s = t_i \cdot \tilde{r}_i^{\,2} \cdot \tilde{k}_i^{\,4} \bmod n$ is always satisfied for each record $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$. Thus, Hwang et al.'s claim on Chien et al.'s scheme is incorrect.

4. Conclusions

Recently, Hwang et al. claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature. In this paper, we show that Hwang et al.'s claim is incorrect. Thus, Chien et al.'s partially blind signature scheme still satisfies the untraceability property.

References

[1] M. Abe and E. Fujisaki, "How to Date Blind Signatures," Advances in Cryptology - ASIACRYPT'96, LNCS 1163, Springer-Verlag, 1996, pp. 224-251.
[2] J. L. Carmenisch, J. M. Piveteau and M. A. Stadler, "Blind Signatures Based on the Discrete Logarithm Problem," Advances in Cryptology - EUROCRYPT'94, Rump session, 1994, (5 pages).
[3] D. Chaum, "Blind Signature Systems," Advances in Cryptology - CRYPTO'83, Plenum, 1983, pp. 153.
[4] H. Y. Chien, J. K. Jan and Y. M. Tseng, "RSA-Based Partially Blind Signature with Low Computation," Parallel and Distributed Systems, IEEE Computer Society Press, no. 26-29, Jun. 2001, pp. 385-389.
[5] C. I. Fan, "Comments on Hwang-Lee-Lai Attack upon Fan-Lee Partially Blind Signature Scheme," IEICE Trans. Fundamentals, vol. E86-A, no. 7, Jul. 2003, pp. 1900-1901.
[6] L. Harn, "Cryptanalysis of the Blind Signatures Based on the Discrete Logarithm Problem," Electronics Letters, vol. 31, no. 14, Jul. 1995, pp. 1136.
[7] P. Horster, M. Michels and H. Petersen, "Comment: Cryptanalysis of the Blind Signatures Based on the Discrete Logarithm Problem," Electronics Letters, vol. 31, no. 21, Oct. 1995, pp. 1827.
[8] M. S. Hwang, C. C. Lee and Y. C. Lai, "Traceability on RSA-Based Partially Signature with Low Computation," Applied Mathematics and Computation, vol. 145, no. 2-3, Dec. 2003, pp. 465-468.
[9] M. S. Hwang, C. C. Lee and Y. C. Lai, "An Untraceable Blind Signature Scheme," IEICE Trans. Fundamentals, vol. E86-A, no. 7, Jul. 2003, pp. 1902-1906.
[10] M. S. Hwang, C. C. Lee and Y. C. Lai, "Traceability on Stadler et al.'s Fair Blind Signature Scheme," IEICE Trans. Fundamentals, vol. E86-A, no. 2, Feb. 2003, pp. 513-514.
[11] M. S. Hwang, C. C. Lee and Y. C. Lai, "Traceability on Low-Computation Partially Blind Signatures for Electronic Cash," IEICE Trans. Fundamentals, vol. E85-A, no. 5, May 2002, pp. 1181-1182.
[12] N. Y. Lee and M. K. Sun, "Analysis on Traceability on Stadler et al.'s Fair Blind Signature," IEICE Trans. Fundamentals, vol. E86-A, no. 11, Nov. 2003, pp. 2901-2902.
[13] N. Y. Lee and C. N. Wu, "Comment on Traceability Analysis on Chaum Blind Signature," IEICE Trans. Fundamentals, vol. E87-A, no. 2, Feb. 2004, pp. 511-512.
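As an added worked example (editorial code, not taken from the paper and not Chien et al.'s or Hwang et al.'s own implementation), the following Python script runs the four phases of the scheme reviewed in Section 2.1 with toy 64-bit primes, then applies the tracing test of Section 2.2 to every record the signer stored. It assumes $h(\cdot)$ is SHA-1 reduced modulo $n$, fixes $e = 3$ and picks primes congruent to 2 mod 3 so that $e$ is invertible, and uses a constructed date string as the common information $a$; the helper names (keygen, protocol_run, hwang_check, tracing_attempt) are ours. The run reproduces the Section 3 result: the test is true for every stored record, so it cannot single out the instance that produced the revealed signature.

```python
"""Chien et al.'s RSA-based partially blind signature (e = 3) and the tracing
test attributed to Hwang et al., with toy parameters.  Added example: helper
names, the 64-bit key size and the sample inputs are constructed here.  h(.) is
SHA-1 reduced modulo n, as the paper suggests SHA-1 for the one-way hash."""
import hashlib
import random

rng = random.Random(2004)  # fixed seed so a run is reproducible
E = 3                      # public exponent fixed by the scheme


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime p with p = 2 (mod 3), so that e = 3 is invertible mod p-1."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p):
            return p


def h(data, n):
    """The paper's one-way hash h(.), instantiated with SHA-1 and reduced mod n."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n


def keygen(bits=64):
    """(1) Initialization: n = p*q and d = e^-1 mod phi(n); returns (n, d)."""
    p = gen_prime(bits)
    q = gen_prime(bits)
    while q == p:
        q = gen_prime(bits)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def protocol_run(n, d, a, m):
    """Phases (2)-(4) for one message m under common information a.  Returns
    the public signature (a, c, s) and the signer's record (alpha, x, beta, t,
    beta^-1) for this instance."""
    r, u = rng.randrange(1, n), rng.randrange(1, n)        # requester's blinding
    alpha = pow(r, E, n) * h(m, n) * (u * u + 1) % n       # alpha = r^e h(m)(u^2+1)
    x = rng.randrange(1, n)                                 # signer's challenge
    k = rng.randrange(1, n)
    b = r * k % n
    beta = pow(b, E, n) * ((u - x) % n) % n                 # beta = b^e (u - x)
    beta_inv = pow(beta, -1, n)
    inner = alpha * (x * x + 1) * pow(beta_inv, 2, n) % n   # alpha (x^2+1) beta^-2
    t = pow(h(a, n), d, n) * pow(inner, 2 * d, n) % n       # t = h(a)^d inner^{2d}
    c = (u * x + 1) * beta_inv * pow(b, E, n) % n           # c = (ux+1) beta^-1 b^e
    s = t * pow(r, 2, n) * pow(k, 4, n) % n                 # s = t r^2 k^4
    return (a, c, s), (alpha, x, beta, t, beta_inv)


def verify(n, a, m, c, s):
    """Public check s^e = h(a) h(m)^2 (c^2+1)^2 mod n."""
    return pow(s, E, n) == h(a, n) * pow(h(m, n), 2, n) * pow(c * c + 1, 2, n) % n


def hwang_check(n, d, record, a, c, s, m):
    """Hwang et al.'s tracing test for one stored instance (Section 2.2, with
    the -d exponents the paper gives as the correct ones); the signer knows d."""
    alpha, x, beta, t, _ = record
    u_t = (1 + c * x) * pow((c - x) % n, -1, n) % n
    b_t = pow(beta, d, n) * pow((u_t - x) % n, -d, n) % n
    r_t = pow(alpha, d, n) * pow(h(m, n), -d, n) * pow(u_t * u_t + 1, -d, n) % n
    k_t = b_t * pow(r_t, -1, n) % n
    return s == t * pow(r_t, 2, n) * pow(k_t, 4, n) % n


def tracing_attempt(num_instances=5):
    """Sign num_instances messages, reveal the first signature, and run the
    tracing test against every stored record.  Section 3 predicts True for
    every record, so the test singles out nothing."""
    n, d = keygen()
    a = b"2004-12-15"                                       # constructed common info
    msgs = [f"constructed message {i}".encode() for i in range(num_instances)]
    runs = [protocol_run(n, d, a, m) for m in msgs]
    assert all(verify(n, a, m, c, s) for m, ((_, c, s), _rec) in zip(msgs, runs))
    (_, c0, s0), _ = runs[0]
    return [hwang_check(n, d, rec, a, c0, s0, msgs[0]) for _, rec in runs]


if __name__ == "__main__":
    print(tracing_attempt())   # [True, True, True, True, True]
```

The signer's record for the wrong instance still passes because, as the derivation in Section 3 shows, $\alpha_i$ and $\beta_i$ cancel out of $t_i \cdot \tilde{r}_i^{\,2} \cdot \tilde{k}_i^{\,4}$ and the remaining factor $(x_i^2 + 1)(\tilde{u}_i^2 + 1)(\tilde{u}_i - x_i)^{-2}$ collapses to $c^2 + 1$ for any $x_i$, so the test only re-derives the public verification equation.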
