Traceability on RSA-based partially signature with low computation
Min-Shiang Hwang a,*, Cheng-Chi Lee b, Yan-Chi Lai a
a Graduate Institute of Networks and Communications Engineering, Chaoyang University of Technology, 168 Gifeng E.Rd., Wufeng, Taichung County 413, Taiwan, ROC
b Department of Computer and Information Science, National Chiao-Tung University, 1001 TaHsueh Road, Hsinchu, Taiwan, ROC
Abstract
In this article, we show that the partially blind signature scheme of Chien et al., which is based on the RSA public-key cryptosystem, does not meet the untraceability property of a blind signature.
© 2002 Elsevier Inc. All rights reserved.
Keywords: Blind signature; Electronic cash; Untraceability
1. Introduction
The concept of the blind signature was first introduced by Chaum [3]. It is an important technique for protecting an individual's privacy while shopping or voting over the Internet. Compared with a regular digital signature scheme [6,8,9], a blind signature [7,13] must satisfy two additional properties. Blindness means that the signer of the blind signature does not see the content of the message, and untraceability means that the signer is unable to link a message-signature pair to its signing instance after the blind signature has been revealed to the public.
A blind signature can also be applied to electronic cash. To prevent double spending and reduce the size of the database of the electronic cash system [10,11], partially blind signatures were proposed [1,5]. In 2001, Chien et al. [4] proposed a partially blind signature scheme based on the RSA cryptosystem [2,12] that reduces the computation load. However, in this article, we show that Chien et al.'s scheme fails to meet the untraceability property of a blind signature.

* Corresponding author.
E-mail address: [email protected] (M.-S. Hwang).
0096-3003/$ - see front matter © 2002 Elsevier Inc. All rights reserved. doi:10.1016/S0096-3003(02)00500-3
Applied Mathematics and Computation 145 (2003) 465–468
2. Chien et al.’s partially blind signature scheme
Recently, Chien et al. [4] proposed a partially blind signature scheme which is based on the RSA public-key cryptosystem [12]. This scheme is divided into four phases: (1) initialization, (2) requesting, (3) signing, and (4) extraction and verification. The procedures of this scheme are as follows:

• Initialization: The signer chooses two distinct large primes $p$ and $q$ at random and computes $n = pq$. Let $e$ be a public key such that $\gcd(e, \phi(n)) = 1$, where $\phi(n) = (p-1)(q-1)$, and then calculate a private key $d$ such that $ed \equiv 1 \pmod{\phi(n)}$. The signer publishes $(e, n)$ as his/her public parameters and keeps $(p, q, d)$ secret.

• Requesting: The requester prepares the common information $a$, according to the predefined format, and the message $m$. The requester selects two random integers $r$ and $u$ in $Z_n$ and computes $\alpha = r^e H(m)(u^2 + 1) \bmod n$, where $H(\cdot)$ denotes a one-way hash function. Finally, the requester sends the tuple $(a, \alpha)$ to the signer.
After receiving $(a, \alpha)$, the signer first verifies the common information $a$. Then the signer randomly chooses an integer $x$ ($x < n$) and sends it to the requester.
After receiving $x$, the requester selects a random integer $k$ and computes $b = rk$ and $\beta = b^e(u - x) \bmod n$. Then the requester sends $\beta$ to the signer.

• Signing: Upon receiving $\beta$, the signer computes $\beta^{-1} \bmod n$ and $t = H(a)^d \left(\alpha (x^2 + 1) \beta^{-2}\right)^{2d} \bmod n$, and then sends $(\beta^{-1}, t)$ to the requester.

• Extraction and verification: After receiving $(\beta^{-1}, t)$, the requester computes $c = (ux + 1)\beta^{-1} b^e \bmod n$ and $s = t r^2 k^4 \bmod n$. The tuple $(a, c, s)$ is a digital signature on the message $m$. Anyone can verify the signature $(a, c, s)$ by checking whether $s^e = H(a) H(m)^2 (c^2 + 1)^2 \bmod n$.
The correctness of the above protocol is shown in [4].
3. The weakness of Chien et al.’s scheme
In this section, we show that Chien et al.'s partially blind signature scheme could not meet the untraceability property of a blind signature. The signer keeps a set of records for all blinded messages and uses them to link a valid signature $(a, c, s, m)$ to its previous signing process instance. The procedures of this cryptanalysis are as follows:

1. The signer keeps a set of records $\{\alpha, x, \beta, t, \beta^{-1}\}$ for all blinded messages.
2. When the requester reveals $(a, c, s, m)$ to the public, the signer can link it using the kept records. Since $c = (ux + 1)\beta^{-1} b^e = (ux + 1)(u - x)^{-1} \bmod n$, the signer can derive a parameter $\hat{u}$ by computing $\hat{u} = (1 + cx)(c - x)^{-1} \bmod n$.
3. Since $\beta = b^e (u - x) \bmod n$, the signer can derive a parameter $\hat{b}$ by computing $\hat{b} = \left(\beta(\hat{u} - x)^{-1}\right)^d \bmod n = \beta^d (\hat{u} - x)^{-d} \bmod n$.
4. Since $\alpha = r^e H(m)(u^2 + 1) \bmod n$, the signer can derive a parameter $\hat{r}$ by computing $\hat{r} = \left(\alpha H(m)^{-1}(\hat{u}^2 + 1)^{-1}\right)^d \bmod n = \alpha^d H(m)^{-d} (\hat{u}^2 + 1)^{-d} \bmod n$.
5. Since $b = rk$, the signer can derive a parameter $\hat{k}$ by computing $\hat{k} = \hat{b}\hat{r}^{-1} \bmod n$.
6. Finally, the signer checks whether $s = t\hat{r}^2 \hat{k}^4 \bmod n$. If the equation holds, the signer has linked this signature to the record of its signing instance.

By the above procedure, the partially blind signature of the requester can be traced.
4. Conclusion
In this article, we have presented a cryptanalysis of Chien et al.'s partially blind signature scheme and shown that the scheme could not meet the untraceability property of a blind signature.
Acknowledgement
This research was partially supported by the National Science Council, Taiwan, ROC, under contract no.: NSC90-2213-E-324-004.
References
[1] M. Abe, E. Fujisaki, How to date blind signatures, in: Advances in Cryptology – ASIACRYPT'96, LNCS 1163, Springer-Verlag, November 1996, pp. 244–251.
[2] C.-C. Chang, M.-S. Hwang, Parallel computation of the generating keys for RSA cryptosystems, IEE Electronics Letters 32 (15) (1996) 1365–1366.
[3] D. Chaum, Blind signatures system, in: Advances in Cryptology, CRYPTO'83, 1983, pp. 153–156.
[4] H.Y. Chien, J.K. Jan, Y.M. Tseng, RSA-based partially blind signature with low computation, in: IEEE 8th International Conference on Parallel and Distributed Systems, June 2001, pp. 385–389.
[5] C.I. Fan, C.I. Lei, Low-computation partially blind signatures for electronic cash, IEICE Transactions on Fundamentals E81-A (5) (1998) 818–824.
[6] M.-S. Hwang, C.-C. Chang, K.-F. Hwang, An ElGamal-like cryptosystem for enciphering large messages, IEEE Transactions on Knowledge and Data Engineering 14 (2) (2002) 445–446.
[7] M.-S. Hwang, C.-C. Lee, Y.-C. Lai, Traceability on low-computation partially blind signatures for electronic cash, IEICE Transactions on Fundamentals on Electronics, Communications and Computer Sciences E85A (5) (2002) 1181–1182.
[8] M.-S. Hwang, C.-C. Lee, E.J.-L. Lu, Cryptanalysis of the batch verifying multiple DSA-type digital signatures, Pakistan Journal of Applied Sciences 1 (3) (2001) 287–288.
[9] M.-S. Hwang, I.-C. Lin, K.-F. Hwang, Cryptanalysis of the batch verifying multiple RSA digital signatures, Informatica 11 (1) (2000) 15–19.
[10] M.-S. Hwang, I.-C. Lin, L.-H. Li, A simple micro-payment scheme, Journal of Systems and Software 55 (3) (2001) 221–229.
[11] M.-S. Hwang, E.J.-L. Lu, I.-C. Lin, Adding timestamps to the secure electronic auction protocol, Data & Knowledge Engineering 40 (2) (2002) 155–162.
[12] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the ACM 21 (2) (1978) 120–126.
[13] Y.-L. Tang, M.-S. Hwang, Y.-C. Lai, Cryptanalysis of a blind signature scheme based on ElGamal signature, International Journal of Pure and Applied Mathematics, in press.