Comment on traceability on RSA-based partially signature with low computation
Lin-Chuan Wu *, Yi-Shiung Yeh
Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, 12, Lane 551, Min-Tsu Road Sec.5, Yangmei 326, Taiwan, ROC
Abstract
Recently, Chien et al. proposed an RSA-based partially blind signature with low computation for mobile and smart-card applications. Later, Hwang et al. claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature. In this paper, we show that Hwang et al.'s claim is incorrect and that Chien et al.'s scheme still satisfies the untraceability property.
© 2005 Elsevier Inc. All rights reserved.
Keywords: Partially blind signature; RSA; Cryptography; Information security
1. Introduction
Chaum [3] first introduced the concept of the blind signature scheme in 1983. Chaum's scheme is based on the RSA public key cryptosystem and its security depends on the difficulty of integer factorization. It allows the requester to obtain a signature signed by the signer without revealing the message, and the signer cannot link any message-signature pair later. Hence, the blind signature scheme can achieve unforgeability for the signer and untraceability for the requester. It can be used for preserving users' anonymity in electronic payment systems or electronic voting systems.
0096-3003/$ - see front matter © 2005 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2005.01.023
* Corresponding author.
E-mail addresses: [email protected] (L.-C. Wu), [email protected] (Y.-S. Yeh).
In AsiaCrypt'96, Abe and Fujisaki [1] submitted the first partially blind signature scheme, which injects common information, such as the date, into the signature. Chien et al. [4] later proposed a more efficient RSA-based partially blind signature scheme than the Abe–Fujisaki scheme. Recently, Hwang et al. [8] claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature. In this paper, we show that Hwang et al.'s claim is incorrect and that Chien et al.'s scheme is still untraceable.
The rest of the paper is organized as follows. In Section 2, we describe Chien et al.'s partially blind signature scheme and review Hwang et al.'s claim. In Section 3, we show briefly that Hwang et al.'s claim is incorrect. Finally, the conclusion is given in Section 4.
2. Review of Chien et al.'s scheme and Hwang et al.'s cryptanalysis
2.1. Chien et al.'s partially blind signature scheme with low computation
In 2001, Chien et al. proposed an efficient partially blind signature based on the RSA cryptosystem. Compared with the Abe–Fujisaki scheme, Chien et al.'s scheme reduces the amount of computation for the requester by almost 98%. Therefore, Chien et al.'s scheme is suitable for mobile client and smart-card applications.
The signer and the requester are the two kinds of participants in Chien et al.'s partially blind signature. The requester obtains a partially blind signature from the signer, and the signer cannot link any message-signature pair later. The four phases in Chien et al.'s scheme are: (1) initialization, (2) requesting, (3) signing, (4) extraction and verification. In the initialization phase, the signer publishes the necessary information for the participants. In the requesting phase, the requester sends a blinded message and the agreed common information to the signer. The signer signs the blinded message together with the common information in the signing phase. Finally, in the extraction and verification phase, the requester obtains the signature from the blinded signature without removing the injected common information. Anyone can verify the correctness of the signature using the message-signature pair and the agreed common information. The detailed scheme is described as follows.
(1) Initialization. The signer randomly selects two large primes $p$ and $q$, and calculates $n = p \cdot q$ and $\phi(n) = (p - 1) \cdot (q - 1)$. Then the signer selects a large integer $d$ such that $e \cdot d \equiv 1 \pmod{\phi(n)}$, where $e = 3$. Thus $d$ is the private key of the signer, and the signer publishes the public key $(e, n)$ and a secure one-way hash function $h(\cdot)$ such as SHA-1.
(2) Requesting. The requester prepares the common information $a$ according to the predefined format. Then (s)he randomly selects two integers $r \in \mathbb{Z}_n$ and $u \in \mathbb{Z}_n$, calculates $\alpha = r^e h(m)(u^2 + 1) \bmod n$ and sends $(\alpha, a)$ to the signer. After verifying the agreed common information $a$, the signer randomly chooses an integer $x \in \mathbb{Z}_n^{+}$, where $x < n$, and sends it to the requester. After receiving $x$, the requester selects a random number $k$ and computes $b = rk$. Finally, the requester computes $\beta = b^e (u - x) \bmod n$ and sends $\beta$ to the signer.
(3) Signing. The signer calculates $\beta^{-1} \bmod n$ and $t = h(a)^d (\alpha (x^2 + 1) \beta^{-2})^{2d} \bmod n$, then sends $(\beta^{-1}, t)$ to the requester.
(4) Extraction and verification. After receiving $(\beta^{-1}, t)$, the requester obtains the signature by calculating $c = (ux + 1) \beta^{-1} b^e \bmod n$ and $s = t r^2 k^4 \bmod n$. The 3-tuple $(a, c, s)$ is a signature on the message $m$, and anyone can verify the correctness of $(a, c, s)$ by checking whether $s^e \equiv h(a) h(m)^2 (c^2 + 1)^2 \pmod n$.
If $(a, c, s)$ is a signature on the message $m$ generated by Chien et al.'s partially blind signature scheme, then $s^e \equiv h(a) h(m)^2 (c^2 + 1)^2 \pmod n$ must hold. The detailed proof can be found in [4].
2.2. Hwang et al.’s cryptanalysis
In Hwang et al.'s claim [8], the signer can keep a set of records for all blinded messages and use them to trace back the blind signature. Thus, Hwang et al. claimed that Chien et al.'s scheme cannot meet the untraceability of the blind signature. The detailed procedure of Hwang et al.'s cryptanalysis is described as follows.
1. The signer can keep a set of records $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$ for each instance $i$ in Chien et al.'s scheme.
2. When the requester reveals $(a, c, s, m)$ to the public, the signer can compute $\tilde{u}_i = (1 + c x_i)(c - x_i)^{-1} \bmod n$ for each instance $i$, since $c = (u_i x_i + 1) \beta_i^{-1} b_i^e = (u_i x_i + 1)(u_i - x_i)^{-1} \bmod n$.
3. The signer can obtain $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^{-d} \bmod n$ for each instance $i$, since $\beta = b^e (u - x) \bmod n$. Note: $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^{-e} \bmod n$ in Hwang et al. [8] is wrong.
4. The signer can then compute $\tilde{r}_i = \alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d} \bmod n$ for each instance $i$, since $\alpha_i = r_i^e h(m)(u_i^2 + 1) \bmod n$. Note: $\tilde{r}_i = \alpha_i^d h(m)^{-e} (\tilde{u}_i^2 + 1)^{-d} \bmod n$ in Hwang et al. [8] is also wrong.
5. The signer can obtain $\tilde{k}_i = \tilde{b}_i \tilde{r}_i^{-1} \bmod n$ for each instance $i$, since $b_i = r_i k_i \bmod n$.
6. Finally, the signer can check whether $s \equiv t_i \tilde{r}_i^2 \tilde{k}_i^4 \pmod n$. If it is true, the signer can
Therefore, Hwang et al. claimed that Chien et al.s scheme cannot meet the untraceability property of the blind signature.
3. Comments on Hwang et al.’s cryptanalysis
In 1995, Harn [6] claimed that Carmenisch et al.'s blind signature scheme [2] is traceable. Horster et al. [7] later proved that Harn's cryptanalysis is incorrect. Recently, several papers on the traceability of blind signatures have been proposed by Hwang et al. [9–11]. Unfortunately, many cryptanalysts [5,12,13] have proved that Hwang et al.'s claims all fail. In this paper, we show that Hwang et al.'s claim on Chien et al.'s scheme is also incorrect.
According to Hwang et al.'s claim, the signer can keep $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$ for each instance $i$ in Chien et al.'s scheme. When the requester reveals $(a, c, s, m)$ to the public, the signer can compute $\tilde{u}_i = (1 + c x_i)(c - x_i)^{-1} \bmod n$ for each instance $i$. Then (s)he can obtain $\tilde{b}_i = \beta_i^d (\tilde{u}_i - x_i)^{-d} \bmod n$. The signer can compute $\tilde{r}_i = \alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d} \bmod n$ and $\tilde{k}_i = \tilde{b}_i \tilde{r}_i^{-1} \bmod n$. Finally, the signer can check whether the formula $s \equiv t_i \tilde{r}_i^2 \tilde{k}_i^4 \pmod n$ is true or not. However, we show that the formula is always true for each instance $i$ as follows:
$$
\begin{aligned}
t_i \tilde{r}_i^2 \tilde{k}_i^4
&\equiv h(a)^d (\alpha_i (x_i^2 + 1) \beta_i^{-2})^{2d} \, \tilde{r}_i^2 (\tilde{b}_i \tilde{r}_i^{-1})^4 \pmod n \\
&\equiv h(a)^d (\alpha_i (x_i^2 + 1) \beta_i^{-2})^{2d} \, \tilde{b}_i^4 \tilde{r}_i^{-2} \pmod n \\
&\equiv h(a)^d (\alpha_i (x_i^2 + 1) \beta_i^{-2})^{2d} (\beta_i^d (\tilde{u}_i - x_i)^{-d})^4 (\alpha_i^d h(m)^{-d} (\tilde{u}_i^2 + 1)^{-d})^{-2} \pmod n \\
&\equiv h(a)^d (\alpha_i^{2d} (x_i^2 + 1)^{2d} \beta_i^{-4d}) (\beta_i^{4d} (\tilde{u}_i - x_i)^{-4d}) (\alpha_i^{-2d} h(m)^{2d} (\tilde{u}_i^2 + 1)^{2d}) \pmod n \\
&\equiv h(a)^d (x_i^2 + 1)^{2d} (\tilde{u}_i - x_i)^{-4d} (h(m)^{2d} (\tilde{u}_i^2 + 1)^{2d}) \pmod n \\
&\equiv h(a)^d h(m)^{2d} [(x_i^2 + 1)(\tilde{u}_i - x_i)^{-2} (\tilde{u}_i^2 + 1)]^{2d} \pmod n \\
&\equiv [h(a) h(m)^2 [(x_i^2 + 1)(\tilde{u}_i - x_i)^{-2} (\tilde{u}_i^2 + 1)]^2]^d \pmod n \\
&\equiv [h(a) h(m)^2 [(\tilde{u}_i - x_i)^{-2} (x_i^2 \tilde{u}_i^2 + x_i^2 + \tilde{u}_i^2 + 1)]^2]^d \pmod n \\
&\equiv [h(a) h(m)^2 [(\tilde{u}_i - x_i)^{-2} (x_i^2 \tilde{u}_i^2 + x_i^2 + \tilde{u}_i^2 + 1 + 2 \tilde{u}_i x_i - 2 \tilde{u}_i x_i)]^2]^d \pmod n \\
&\equiv [h(a) h(m)^2 [(\tilde{u}_i - x_i)^{-2} ((x_i \tilde{u}_i + 1)^2 + (\tilde{u}_i - x_i)^2)]^2]^d \pmod n \\
&\equiv [h(a) h(m)^2 [c^2 + 1]^2]^d \pmod n \\
&\equiv s \pmod n.
\end{aligned}
$$
From the above, given a message-signature pair $(a, c, s, m)$, the signer can derive a 4-tuple $(\tilde{u}_i, \tilde{b}_i, \tilde{r}_i, \tilde{k}_i)$ such that $s \equiv t_i \tilde{r}_i^2 \tilde{k}_i^4 \pmod n$ is always satisfied for each record $(\alpha_i, x_i, \beta_i, t_i, \beta_i^{-1})$. Thus, Hwang et al.'s cryptanalysis on Chien et al.'s scheme is incorrect.
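The scheme of Section 2.1 and the always-true check of Section 3, as an added worked example (not code from this paper or from Chien et al.): it uses two constructed 30-bit primes and a fixed seed so the run is reproducible, takes SHA-1 reduced into $\mathbb{Z}_n$ as $h(\cdot)$, runs two signing instances that share the same common information $a$ but blind different messages, and applies Hwang et al.'s linking test (with the exponents corrected as above) to both stored records for the first published signature.

```python
import hashlib
import random
# Toy RSA parameters, constructed for illustration only (far too small for real use);
# both primes are 2 mod 3, so e = 3 is coprime to phi(n) as the scheme requires.
P, Q = 1_000_000_007, 998_244_353
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))

def h(msg: bytes) -> int:
    """The scheme's one-way hash h(.) (SHA-1, as the paper suggests), reduced into Z_n."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % N

def sign_session(m: bytes, a: bytes, rng: random.Random):
    """One requesting/signing/extraction instance of Chien et al.'s scheme; returns the
    signature (a, c, s) and the signer's stored record (alpha, x, beta, t)."""
    r, u, k = (rng.randrange(2, N) for _ in range(3))   # requester's secrets
    alpha = pow(r, E, N) * h(m) * (u * u + 1) % N         # blinded message
    x = rng.randrange(1, N)                               # signer's challenge
    b = r * k % N
    beta = pow(b, E, N) * (u - x) % N
    # Signing: the signer sees only alpha, x, beta and the common information a.
    beta_inv = pow(beta, -1, N)
    t = pow(h(a), D, N) * pow(alpha * (x * x + 1) * beta_inv * beta_inv, 2 * D, N) % N
    # Extraction: the requester unblinds t (beta_inv was supplied by the signer).
    c = (u * x + 1) * beta_inv * pow(b, E, N) % N
    s = t * r * r * pow(k, 4, N) % N
    return (a, c, s), (alpha, x, beta, t)

def verify(m: bytes, a: bytes, c: int, s: int) -> bool:
    """Public check: s^e == h(a) h(m)^2 (c^2 + 1)^2 (mod n)."""
    return pow(s, E, N) == h(a) * h(m) ** 2 * pow(c * c + 1, 2, N) % N

def hwang_trace_check(m: bytes, c: int, s: int, record) -> bool:
    """Hwang et al.'s linking test with the exponents corrected as in this comment:
    derive u~, b~, r~, k~ from one stored record and test s == t r~^2 k~^4 (mod n)."""
    alpha, x, beta, t = record
    u_t = (1 + c * x) * pow(c - x, -1, N) % N
    b_t = pow(beta * pow(u_t - x, -1, N), D, N)
    r_t = pow(alpha * pow(h(m) * (u_t * u_t + 1), -1, N), D, N)
    k_t = b_t * pow(r_t, -1, N) % N
    return s == t * r_t * r_t * pow(k_t, 4, N) % N

def demo():
    """Two instances share the common information a (t contains h(a)) but blind different
    messages; the linking test accepts both records for the first signature."""
    rng, a = random.Random(2005), b"2005-01-01"            # fixed seed, constructed input
    (_, c1, s1), rec1 = sign_session(b"message one", a, rng)
    _, rec2 = sign_session(b"message two", a, rng)
    return (verify(b"message one", a, c1, s1),
            hwang_trace_check(b"message one", c1, s1, rec1),
            hwang_trace_check(b"message one", c1, s1, rec2))
```

Because the test returns true for every record with the same common information, it gives the signer no way to single out the instance that produced the signature.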
4. Conclusions
Recently, Hwang et al. claimed that Chien et al.'s scheme cannot meet the untraceability property of the blind signature. In this paper, we give some comments on Hwang et al.'s cryptanalysis and show that their claim is incorrect. Thus, Chien et al.'s partially blind signature scheme still satisfies the untraceability property.
References
[1] M. Abe, E. Fujisaki, How to date blind signatures, Advances in Cryptology—ASIACRYPT'96, LNCS 1163, Springer-Verlag, 1996, pp. 224–251.
[2] J.L. Carmenisch, J.M. Piveteau, M.A. Stadler, Blind signatures based on the discrete logarithm problem, Advances in Cryptology—EUROCRYPT'94, Rump Session, 1994, 5 pp.
[3] D. Chaum, Blind signature systems, Advances in Cryptology—CRYPTO'83, Plenum, 1983, p. 153.
[4] H.Y. Chien, J.K. Jan, Y.M. Tseng, RSA-based partially blind signature with low computation, Parallel and Distributed Systems, IEEE Computer Society Press, 2001, pp. 385–389.
[5] C.I. Fan, Comments on Hwang–Lee–Lai attack upon Fan–Lee partially blind signature scheme, IEICE Trans. Fundament. E86-A (7) (2003) 1900–1901.
[6] L. Harn, Cryptanalysis of the blind signatures based on the discrete logarithm problem, Electron. Lett. 31 (14) (1995) 1136.
[7] P. Horster, M. Michels, H. Petersen, Comment: Cryptanalysis of the blind signatures based on the discrete logarithm problem, Electron. Lett. 31 (21) (1995) 1827.
[8] M.S. Hwang, C.C. Lee, Y.C. Lai, Traceability on RSA-based partially signature with low computation, Appl. Math. Comput. 145 (2–3) (2003) 465–468.
[9] M.S. Hwang, C.C. Lee, Y.C. Lai, An untraceable blind signature scheme, IEICE Trans. Fundament. E86-A (7) (2003) 1902–1906.
[10] M.S. Hwang, C.C. Lee, Y.C. Lai, Traceability on Stadler et al.'s fair blind signature scheme, IEICE Trans. Fundament. E86-A (2) (2003) 513–514.
[11] M.S. Hwang, C.C. Lee, Y.C. Lai, Traceability on low-computation partially blind signatures for electronic cash, IEICE Trans. Fundament. E85-A (5) (2002) 1181–1182.
[12] N.Y. Lee, M.K. Sun, Analysis on traceability on Stadler et al.'s fair blind signature, IEICE Trans. Fundament. E86-A (11) (2003) 2901–2902.
[13] N.Y. Lee, C.N. Wu, Comment on traceability analysis on Chaum blind signature, IEICE Trans. Fundament. E87-A (2) (2004) 511–512.