A simple forward secure blind signature scheme based on master keys and blind signatures

Yeu-Pong Lai†, Chin-Chen Chang

†Department of Computer Science and Information Engineering, National Defence University, Chung Cheng Institute of Technology, Tauyuan, Taiwan, 335. Email: [email protected]

Department of Computer Science and Information Engineering, National Chung Cheng University, Chaiyi, Taiwan, 621. Email: [email protected]

Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA'05) 1550-445X/05 $20.00 © 2005 IEEE

Abstract

The forward secure property is important in digital signature schemes. Many schemes have been proposed for the forward secure signature. Among them, only a few have been proposed for the forward secure blind signature. The blind signature is, however, a critical technique in e-business and other applications and, thus, more research should be devoted to it. This paper focuses on the design of forward secure blind signature schemes. Digital signature schemes have been proposed and discussed for years. Some of them are efficient and secure. Even specific computing hardware is designed for these schemes. Our idea is, therefore, to combine two existing schemes, Koyama's master key scheme and Chaum's blind signature scheme, so that a forward secure blind signature scheme results. This proposed scheme is also fully examined for the forward secure property and the blind signing property. Since these two schemes are both based on the RSA cryptosystem, the security of the proposed scheme depends on the difficulty of solving the factoring problem.

Keywords: Forward secure property, blind signature, RSA cryptosystem, master key

1. Introduction

Nowadays, many cryptosystems are believed to be quite secure, and can be proven to be secure under very reasonable assumptions. As long as secret information is stored safely and access by internal or external attackers can be prevented, these cryptosystems can perform correctly and securely. However, some cryptosystems may not be secure if the secret information is revealed or detected. Furthermore, these cryptosystems may cause confusion. For instance, in schemes, when the secret key of a signer is revealed or stolen, others who know the secret key can counterfeit the digital signatures of this signer. The signer, however, cannot withdraw all the digital signatures indiscriminately, because some signatures are indeed signed by the signer. The forward secure property ensures that these signatures, signed before the secret key was revealed, are valid. In other words, the forward secure property makes it impossible to forge signatures valid in previous time periods even if the current secret key of the signer is compromised. Many forward secure signature schemes have been proposed recently [1][4]. These schemes all have the forward secure property.

In addition, several signature schemes, called blind signature schemes, have been proposed for untraceable applications. The untraceable property ensures that signature requesters cannot be identified by a signer so that the signature schemes can be applied to e-commerce applications. The most popular blind signature scheme was proposed by Chaum in 1982[2]. This blind signature scheme and its variations play important roles in as well as in practical applications such as e-cash, e-voting systems, etc. However, these schemes do not have the forward secure property. In contrast, in 2003, Duc et al. proposed a forward secure blind signature scheme based on the OGQ blind signature scheme [3].

As mentioned above, the requirement for forward security is that digital signatures that are valid in previous time periods should be unforgeable. Moreover, if the current secret key of a signer is compromised, attackers cannot forge signatures valid in previous time periods to obligate a signer to the forged signatures. Intuitively, this requirement can be satisfied by using different public key pairs for the signing procedures in each time period. However, the public key should be changed and announced frequently.

The shortcoming can be overcome by applying the master key schemes instead of the public key schemes. The master key schemes use a public key and several secret keys (or several public keys and one secret key). Thus, each secret key can be assigned for the signing procedure in one time period. The public key is not changed anyway. In 1982, Koyama proposed a master key scheme based on the RSA public-key cryptosystem[5]. The master encryption and decryption keys in this scheme can be generated by using the Euclidean algorithm. Thus, the computation for the master keys is not complex. In addition, this scheme is compatible with Chaum's blind signature scheme for generating a forward secure blind signature scheme.

The most popular application of blind signature schemes is the use of e-cash. There are three participants in the scheme, a bank, customers, and a verifier. The bank signs the e-cash and maintains customers' bank accounts. The untraceability of customers is an important requirement for e-business, since customers like to keep their privacy when spending money. Because of the anonymity of customers, the forward secure property in these e-cash schemes is very important. When the secret key of the bank is compromised, attackers can generate e-cash. The bank cannot repudiate the e-cash, because legal customers should not pay for the mistake of the bank losing the secret key. For this reason, the forward secure blind signature is proposed and discussed.

This paper proposes a way to combine a master key scheme with a blind signature scheme to obtain a forward secure blind signature scheme. The following section introduces a master key scheme for the forward secure property. Actually, any RSA-based master key scheme might be tried and fitted for the proposed scheme[6]. A numerical example is also provided to show the performance of this master key scheme. Section 3 presents a very popular blind signature scheme. It is widely employed in e-commerce for its simplicity and security. It is also an RSA-based cryptosystem. The combination of the above two schemes is then proposed in Section 4. The proposed scheme is a forward secure blind signature scheme. Section 5 discusses the properties of correctness, blindness, unforgeability and untraceability of the proposed scheme. The properties are separately discussed in subsections 5.1, 5.2, 5.3, and 5.4, respectively. Finally, conclusions are given in Section 6.

2. A master key scheme

Master key schemes are public key cryptosystems. In this scheme, there is a special key pair, called master key pair, which can decrypt (or encrypt) messages encrypted (or decrypted) by other participants' keys. Every participant has a public key and a secret key. The master public key can decrypt messages encrypted by the participants with their secret keys. Also, messages encrypted with the master secret key can be decrypted by participants using their secret keys.

Koyama proposed a master key scheme for the RSA public-key cryptosystems[5]. The master key pair is generated from several public key and secret key pairs. The master secret key is the multiplicative inverse of the master public key modulo the least common multiple of these moduli for participants' key pairs. Thus, the master key of a cryptosystem can be generated if certain conditions are satisfied.

For $k$ participants in the cryptosystem, there are $k$ key pairs, $(e_1, d_1), (e_2, d_2), \ldots, (e_k, d_k)$, which satisfy $e_i d_i = 1 \bmod L_i$, where $i$ is from 1 to $k$. $L_i$ is the least common multiple of $p_i - 1$ and $q_i - 1$, where $p_i$ and $q_i$ are secret and the product $n_i = p_i q_i$ is public. The master key pair $(e_h, d_h)$ satisfies the equation $e_h d_h = 1 \bmod L$, where $L = \operatorname{lcm}(L_1, L_2, \ldots, L_m)$.

Koyama's master key scheme:

Let $e_{1,i}$ represent the master encryption key for the keys $e_1, e_2, \ldots, e_i$. For $k$ participants, the master encryption key $e_h$ is $e_{1,k}$ and the master decryption key $d_h$ is $d_{1,k}$. The master encryption key $e_{1,1}$ is the encryption key $e_1$. The master encryption key satisfies:

$$e_{1,i} = e_{1,i-1} \bmod L_{1,i-1},$$

where $L_{1,i} = \operatorname{lcm}(L_1, L_2, \ldots, L_i)$, and

$$e_{1,i} = e_i \bmod L_i.$$

Deriving from the previous equations, we get

$$x_{i-1} \times L_{1,i-1} - y_i \times L_i = e_i - e_{1,i-1}.$$

Since both the numbers $x_{i-1}$ and $y_i$ are natural numbers, they can be derived by using the Euclidean algorithm when the numbers $L_{1,i-1}$, $L_i$, $e_i$, and $e_{1,i-1}$ are given. Thus, $e_{1,i}$ can be determined after the numbers $x_{i-1}$ and $y_i$ have been computed. The master decryption key $d_h$ is then equal to $d_{1,k}$ satisfying $e_{1,k} d_{1,k} = 1 \bmod L_{1,k}$.

Example:

Let

$(e_1, d_1, p_1, q_1, n_1) = (23, 7, 3, 17, 51)$,
$(e_2, d_2, p_2, q_2, n_2) = (7, 17, 11, 13, 143)$,
$(e_3, d_3, p_3, q_3, n_3) = (3, 29, 5, 23, 115)$.

$e_1 = e_1 \bmod L_1 = e_1 \bmod \operatorname{lcm}(p_1 - 1, q_1 - 1) = 23 \bmod \operatorname{lcm}(2, 16) = 7$,
$e_{1,2} = e_2 \bmod L_2 = e_2 \bmod \operatorname{lcm}(p_2 - 1, q_2 - 1) = 7 \bmod \operatorname{lcm}(10, 12) = 7$,
$e_{1,3} = e_3 \bmod L_3 = e_3 \bmod \operatorname{lcm}(p_3 - 1, q_3 - 1) = 3 \bmod \operatorname{lcm}(4, 22) = 3$,
$e_{1,2} = e_1 \bmod \operatorname{lcm}(L_1) = 23 \bmod \operatorname{lcm}(16) = 7$,
$e_{1,3} = e_{1,2} \bmod \operatorname{lcm}(L_1, L_2) = 7 \bmod \operatorname{lcm}(16, 60) = 7 \bmod 240 = 7$.

Therefore,

$e_{1,3} = 3 \bmod 44 = 7 \bmod 240$.

Let $e_{1,3} = e_3 + y_3 \times L_3 = e_{1,2} + x_2 \times L_{1,2}$. By the Euclidean algorithm, we get $(y_3, x_2) = (11, 2)$. Thus,

$e_{1,3} = 487$.

Since $e_{1,3} d_{1,3} = 1 \bmod \operatorname{lcm}(L_1, L_2, L_3) = 1 \bmod 2640$, we have $d_{1,3} = 103$.

Verification:

Master key pair $(e_{1,3}, d_{1,3}) = (487, 103)$. Let $m = 30$.

(1) Test the master decryption key
(a) Encryption with the public key pair $(e_1, n_1)$: $c = m^{e_1} \bmod n_1 = 30^{23} \bmod 51 = 21$.
(b) Decryption with the master key $d_{1,3}$: $c^{d_{1,3}} \bmod n_1 = 21^{103} \bmod 51 = 30$.

(2) Test the master encryption key
(a) Encryption with the master key $e_{1,3}$: $c = m^{e_{1,3}} \bmod n_1 = 30^{487} \bmod 51 = 21$.
(b) Decryption with the private key pair $(d_1, n_1)$: $c^{d_1} \bmod n_1 = 21^{7} \bmod 51 = 30$.

3. A blind signature scheme

Chaum proposed an RSA-based blind signature scheme that has been widely used in untraceable e-cash applications[2]. This section introduces the scheme, which consists of three phases: the initial phase, the signing phase, and the verification phase. The initial phase generates the public key pair and secret key pair for the signer. Actually, the initial phase is the same as the key generation process in the RSA cryptosystem[6]. After this phase, the signer makes the key $(e, n)$ public and keeps his/her secret key $(d, p, q)$ secret. The numbers $p$ and $q$ are two distinct large primes. Other parameters satisfy $n = pq$, $ed = 1 \bmod \Phi(n)$, where $\Phi(n) = (p - 1)(q - 1)$. The signing phase presents the protocol between the signer and a requester for the signer to blindly sign a hashed message, $H(m)$. The hashed messages have the same length, since the hash function is used. Thus, the signing phase processes messages of the same length. After the signing phase, the requester has a signature of the hashed message, $(H(m))^d \bmod n$.

The verification phase, which uses the signer's public key $(e, n)$ to verify the signature $(H(m))^d \bmod n$ by computing $((H(m))^d)^e \bmod n$ and by comparing the result with the hashed message $H(m) \bmod n$, can be performed by any user in the scheme or by a trusted third party. If both are equivalent, the signature $(H(m))^d \bmod n$ is valid for the message $m$. The details of these phases are given below.

Chaum's blind signature:

(1) Initialization:
1. The signer chooses two distinct large primes $p$ and $q$, and computes two numbers $n$ and $\Phi(n)$, where $n = pq$ and $\Phi(n) = (p - 1)(q - 1)$.
2. The signer randomly selects a number $e$, where $e \in Z^*_{\Phi(n)}$, and then derives a number $d$ satisfying $ed = 1 \bmod \Phi(n)$.
3. The signer publishes the public key $(e, n)$ and the one way hash function $H$, and keeps the secret key $(d, p, q)$ secret.

(2) Signing phase:
1. To request a signature for the message $m$, the requester selects a random number $r$, where $r \in Z^*_n$, and computes $\alpha = r^e H(m) \bmod n$ with the public data $e$, $n$ and $H$.
2. The signer computes $t = \alpha^d = (r^e H(m))^d \bmod n = r (H(m))^d \bmod n$ and transmits the number $t$ to the requester.
3. The requester computes $s = r^{-1} t \bmod n = r^{-1} r (H(m))^d \bmod n = (H(m))^d \bmod n$. Thus, the two-tuple $(m, s)$ is the signature for the message $m$.

(3) Verification phase:
One can test the validity of the signature $(m, s)$ by comparing $H(m)$ with $s^e \bmod n$. These data $e$, $n$, and $H$ are public so that every participant can verify the signature $(m, s)$.

In this scheme, the signer does not know the message $m$ he signs, because the message is protected with a random number $r$ that is not removed before the last step of the signing phase. Thus, the scheme is called a blind signature scheme. After the signing phase is completed, the connection between the signer and the requester is closed. The validity of the signature can be examined without exposing the privacy and anonymity of the requester so that the scheme can be applied in e-cash applications. This is because users do not want to be traced while they are spending the e-cash approved (signed) by an authority. In this scenario, the signer is the authority, the requester is the user, and the message $m$ is the serial number of the e-cash.

4. The proposed scheme

The forward secure property is not discussed often in blind signature schemes. Actually, the property is very important to blind signature schemes. When a secret is revealed, all signatures will become invalid. This is because the signer does not even know the content he/she has ever signed. Thus, all signatures are invalid. In the e-cash application, valid e-cash can be printed by anyone when the secret of the signer has been revealed. The solution for this shortcoming is to embed the forward secure characteristic into blind signature schemes. This can be easily solved by combining a blind signature scheme with a master key scheme. In each time period, there is a secret key for signing messages. The public key does not change over time, but the secret key changes in each time period. If the current secret key is compromised, signatures from past time periods can still be valid. The damage is limited to e-cash issued within a certain period.

Proposed scheme:

(1) Initialization:
In this stage, a master key scheme is applied to generate the secret key pairs. The public information is the master encryption key $e_{1,k}$. The secrets are the moduli $n_1, n_2, \ldots, n_k$ and the corresponding secret keys $d_1, d_2, \ldots, d_k$. The steps are presented in the following.
1. Generate $k$ pairs of RSA public key pairs,
2. Apply Koyama's scheme to generate the master key pair of the $k$ key pairs for $k$ time intervals,
3. Order the $k$ key pairs according to the values of the $n_i$'s, from small to large, where $n_1$

(2) Blind signing phase in the interval $i$:
The signer announces the modulus $n_i$. Requesters use the master encryption key $e_{1,k}$ and the modulus $n_i$ to request a blind signature.
1. To request a signature of the message $m$, the requester selects a random number $r$, where $r \in Z^*_{n_i}$, and computes $\alpha = r^{e_{1,k}} H(m) \bmod n_i$ with these public data, $e_{1,k}$, $n_i$ and $H$.
2. The signer computes $t = \alpha^{d_i} = (r^{e_{1,k}} H(m))^{d_i} \bmod n_i = r (H(m))^{d_i} \bmod n_i$, and transmits the number $t$ to the requester.
3. The requester computes $s = r^{-1} t \bmod n_i = r^{-1} r (H(m))^{d_i} \bmod n_i = (H(m))^{d_i} \bmod n_i$. Thus, the two-tuple $(m, s)$ is the signature of the message $m$.

(3) Verification phase for the signature signed in time period $i$:
The verifier takes $e_{1,k}$ and $n_i$ to verify $(m, s)$, where $s = H(m)^{d_i} \bmod n_i$.
1. Compute $v_1 = H(m) \bmod n_i$.
2. Compute $v_2 = s^{e_{1,k}} \bmod n_i$.
3. Examine whether these two values $v_1$ and $v_2$ are equivalent.

5. Discussions

In this section, different properties of the proposed scheme are discussed. The first subsection discusses the correctness of the proposed scheme. In the subsection, two remarks are given for requesters who only receive the correct digital signatures that are valid for a certain time period. The second subsection discusses the signer's blindness to the message content. The unforgeability of signatures is presented in Subsection 5.3. Since the forging procedure refers to factoring a large number, the digital signature is unforgeable. Untraceability allows the signer or the verifier of a signature to verify the signature $(m, s)$ but not to identify the requester in the signing phase.

5.1. Correctness

The correctness of this forward secure blind signature scheme is presented in this subsection. Analyses are made in two aspects: (1) requesters can obtain the correct signature $(H(m))^{d_i} \bmod n_i$ for the message $m$ in time period $i$, and (2) requesters cannot obtain signatures valid in previous time periods.

the signer uses $d_i$ and $n_i$ to sign messages. The signature for the message $m$ is $(H(m))^{d_i} \bmod n_i$.

Remark 1: Requesters can obtain correct signatures.
The signature phase of the proposed scheme is referenced to Chaum's blind signature scheme, which performs in the following way. The requester chooses a random number $r$ and computes $c_1 = r^{e_{1,k}} H(m) \bmod n_i$ when the requester wants to obtain a signature for the message $m$ in the time period $i$. The signer then "signs" $c_1$ with the secret key $d_i$. The signing procedure computes $c_2 = c_1^{d_i} \bmod n_i$. When the requester receives $c_2$, he computes $s = r^{-1} c_2 \bmod n_i$. Since $e_{1,m} d_i = 1 \bmod \Phi(n_i)$ according to the correctness of Koyama's master key scheme, $s$ is then equal to $(H(m))^{d_i} \bmod n_i$. Thus, $s$ is the signature of the message $m$.

Remark 2: The forward security requirement is satisfied.
Let $j$

5.2. Blindness

The blindness of blind signature schemes ensures that the message $m$ is not known by the signer in the signing phase. Since the signing phase is based on Chaum's blind signature scheme, the message $m$ is also "protected" with the random number $r$. The signer only knows the temporary variable $c_1$, where $c_1 = r^{e_{1,k}} H(m) \bmod n_i$, but not the message $m$. The signer cannot factor $c_1$ to obtain $m$ because he does not know $r$.

5.3. Unforgeability

Unforgeability means a signature can only be signed by a signer. Others cannot forge a signer's valid signature. To forge valid signatures, forgers will need to have the secret keys $d_i$'s to forge signatures in the time period $i$. The forger may want to obtain the corresponding public key $e_i$ derived from $e_{1,k}$. The difficulty, however, is the same as solving the factoring problem. This is because they need to have $L_i$ from $n_i$, where $L_i = \operatorname{lcm}(p_i - 1, q_i - 1)$ and $n_i = p_i q_i$. The number $L_i$ can be derived only after the two large primes, $p_i$ and $q_i$, are factored from $n_i$. Thus, the difficulty is the same as those of RSA-based cryptosystems.

5.4. Untraceability

In blind signature schemes, the untraceability indicates that the requester does not show his/her identification while verifying the signature $(m, s)$ for the $i$-th time period. The verifier and signer can verify the validity of signatures. They cannot trace the requester of signatures according to $m$ and $s$. For the signer, the received message he obtained in the signing phase is only $c_1$. He cannot derive the message $m$ from $c_1$, even if he stored the temporary values $c_1$'s of the signatures and the identifications of the corresponding requesters. When the signature $(m, s)$ is provided in the verification phase, the signer still cannot identify the requester by multiplying the stored $c_1$'s with the multiplicative inverse of $H(m)$ modulo to the mod-

6. Conclusions

This paper presented a way to apply a master scheme to forward secure blind signature applications. For each time period, there is a private sub-key for signing digital signatures. The public master key is used for all time periods, even though the modulus $n_i$ is changed for different time periods. In fact, the complexity of the encryption procedure is dominated by the exponentiation operation, not by the modular operation. The computing complexity of the proposed scheme is the same as that of the RSA-based cryptosystems. In other words, the proposed scheme is also based on the difficulty of factoring a large number. Besides, the accelerating strategy for these RSA-based cryptosystems can be applied to our proposed scheme as well.

The proposed scheme is based on Koyama's master key scheme and Chaum's blind signature scheme. Both schemes are based on the RSA public key cryptosystem[6], so they can operate compatibly to be a forward secure blind signature scheme. As mentioned in previous paragraphs, the master key scheme is for the forward secure property. The other scheme, Chaum's blind signature scheme, is therefore for blind signing. The combination of these two schemes is a good way to generate the desired property. Any improvements to these two schemes might be easily applied to the proposed scheme. These two schemes in combination may be portable if there is a more efficient RSA-based scheme designed for the master key or the blind signature cryptosystems.

To sum up, we presented an efficient way to extend the applications of existing schemes, for example, Koyama's master key scheme and Chaum's blind signature scheme. We also introduced a portable idea to combine schemes based on the same difficulty problem, for example the factoring problem. In other words, those schemes based on the discrete logarithm problem may be similarly combined to produce other forward secure blind signature schemes. That is the direction of our future research work.
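The proposed scheme of Section 4, run end to end on the toy key material of the Section 2 example, as an added example that is not code from the paper. The function names, the use of SHA-256 for H, and recomputing each d_i as the inverse of e_i modulo L_i (instead of copying it) are assumptions of this example.

```python
import hashlib
import secrets
from math import gcd, lcm

# (e_i, p_i, q_i) per time period: the toy values of the paper's numerical
# example. Moduli this small only illustrate the arithmetic.
PERIOD_KEYS = [(23, 3, 17), (7, 11, 13), (3, 5, 23)]


def koyama_master_key(keys):
    """Return (e_master, d_master, L) with e_master = e_i (mod L_i) for all i."""
    e_master, L = 0, 1
    for e_i, p, q in keys:
        L_i = lcm(p - 1, q - 1)
        g = gcd(L, L_i)
        if (e_i - e_master) % g:
            raise ValueError("no exponent satisfies all congruences")
        # Solve e_master + x*L = e_i (mod L_i); x plays the role of x_{i-1}.
        x = (e_i - e_master) // g * pow(L // g, -1, L_i // g) % (L_i // g)
        e_master, L = e_master + x * L, lcm(L, L_i)
    return e_master, pow(e_master, -1, L), L


def period_key(i):
    """Signer's secret (d_i, n_i) for period i; d_i is recomputed, not copied."""
    e_i, p, q = PERIOD_KEYS[i - 1]
    return pow(e_i, -1, lcm(p - 1, q - 1)), p * q


def H(message, n):
    """H(m) mod n. SHA-256 is an assumption; the paper only requires a hash."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def blind(message, e_master, n):
    """Requester: choose r in Z_n^*, return (r, alpha = r^e_master * H(m) mod n)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r, pow(r, e_master, n) * H(message, n) % n


def sign_blinded(alpha, d_i, n):
    """Signer: t = alpha^d_i mod n_i, computed without seeing H(m)."""
    return pow(alpha, d_i, n)


def unblind(t, r, n):
    """Requester: s = r^-1 * t mod n_i; r must be invertible mod n_i."""
    if gcd(r, n) != 1:
        raise ValueError("blinding factor not invertible mod n")
    return pow(r, -1, n) * t % n


def verify(message, s, e_master, n):
    """Verifier: accept iff s^e_master mod n_i equals H(m) mod n_i."""
    return pow(s, e_master, n) == H(message, n)


def issue(message, i, e_master):
    """Run the blind signing phase for period i; return (s, n_i)."""
    d_i, n_i = period_key(i)
    r, alpha = blind(message, e_master, n_i)
    return unblind(sign_blinded(alpha, d_i, n_i), r, n_i), n_i


if __name__ == "__main__":
    e_master, d_master, L = koyama_master_key(PERIOD_KEYS)
    print("master key:", (e_master, d_master), "mod", L)
    for i in (1, 2, 3):
        s, n_i = issue(b"coin-0001", i, e_master)
        print(f"period {i}: n={n_i} s={s} valid={verify(b'coin-0001', s, e_master, n_i)}")
```

Requires Python 3.9 or later for `math.lcm` and modular inverses via `pow`.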

References

[1] M. Bellare and S. K. Miner. A forward-secure digital signature scheme. In Advances in Cryptology - CRYPTO'99, LNCS 1666, Springer-Verlag:431–448, 1999.
[2] D. Chaum. Blind signatures for untraceable payments. In Advances in Cryptology - CRYPTO'82, Plenum Publishing:199–204, 1982.
[3] D. N. Duc, J. H. Cheon, and K. Kim. A forward-secure blind signature scheme based on the strong assumption. In 5th International Conference on Information and Communications Security - ICICS 2003, Huhehaote City, Inner-Mongolia, China, LNCS 2836, Springer-Verlag:11–21, 2003.
[4] G. Itkis and L. Reyzin. Forward-secure signatures with optimal signing and verifying. In Advances in Cryptology - CRYPTO'01, LNCS 2136, Springer-Verlag:332–354, 2001.
[5] K. Koyama. A master key for the RSA public-key cryptosystem. IEICE Transactions on Information and Systems, J65-D(2):163–170, 1982.
[6] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the Association for Computing Machinery, 21:120–126, 1978.
