
How to construct DLP-based blind signatures

In the document IN ENGINEERING AND COMPUTER SCIENCE (Pages 91-94)

HOW TO CONSTRUCT DLP-BASED BLIND SIGNATURES AND THEIR APPLICATION

2. How to construct DLP-based blind signatures

The first DLP-based blind signatures applied to E-cash systems can be found in [9, 3]. In the context of a blind signature, blindness is a very important aspect. We give the definition of blindness of a blind signature [5] as follows.

Def.1. If the signer’s view of a signature execution and the signature results on message, are statistically independent, the signature scheme is called blind.

We note that blindness of a blind signature indicates that the message pairs are unlinkable. In other words, even knowing N valid signature-message pairs, no one except the signer can construct the (N + 1)th valid signature-message pair. Therefore, the E-Cash systems built on blind signatures are also unlinkable, like the bank notes or coins we use in real life (we cannot decide whether two different paper currencies or coins come from the same customer or not).

Normally, in a DLP-based signature or authentication scheme, to prove knowledge of a secret without revealing any information about it, a signer or a prover has to compute the ordinate of a point on a line. The intercept and the abscissa of the line are chosen at random by a signature acquirer and/or by the signer. The slope of the line is the secret (a discrete logarithm w.r.t. a base) which is known only to the prover or signer. With the public key of the signer, any recipient can verify the signature to make sure that the signer knows the secret. Under the DLP assumption, no one can derive information about the secret from the signatures, no matter how many times the signature protocol or authentication protocol has been executed. This is a zero-knowledge proof process. To construct blind signatures based on DLP, the signer’s view of the protocol must be randomized to obtain the blindness of a blind signature.

Proposition 1. The DLP-based blind signatures can be constructed by randomizing any coefficients of the line (except the slope of the line, i.e. the secret) which can be viewed by the signer during the normal knowledge proof process. Afterwards, the rest of the coefficients of the line can be deduced under some equalities satisfying the normal signature process. Which coefficient should be selected to be randomized can be decided according to feasibility or efficiency.

Almost all blind signatures of this kind [9, 3, 5, 19, 7, 22] can be built up in this way. We illustrate the process of constructing this sort of blind signature with two examples given separately in [3] and [5].

Stefan Brands’ restrictive blind signature

The restrictive blind signature was first introduced by Brands [3] and is very suitable for designing double-spending resistant or fair off-line E-Cash systems. To some extent, it is a basic model for constructing practical E-Cash systems and plays an important role in the area of E-Cash. We investigate the process of constructing such a blind signature. We follow the notation defined in Brands’ scheme.

system parameters

User: is related to and stored together with the user’s identifying information at the bank.

Bank: computes and sends it to the user

Normal signing process

The normal process of Brands’ signature scheme is shown in figure 1.

Blinding process

Now we explain how to construct the blind signature on instead of as in the normal signing process.

First, according to the definition of the blindness in Def.1, there should be a new signature tuple on the blinded message The two tuples, and should be completely independent and satisfy the verification equations

and separately. is the signer’s view during the signing process and is the final blind signature result, which will not be known to the signer.

To blind the signing process, can be first randomized according to Proposition 1 by setting as in Brands’ scheme [3] or as in Chaum’s scheme [9], where integers are chosen at random. Obviously, and are independent because of randomly chosen The rest of the tuple can be deduced now as follows.

is the tuple seen by the signer satisfying

and where is the secret known only to the signer.

the following equalities must hold:

Similarly, can be deduced in the same way: to satisfy the equality (from above, we already know that and

must hold. The blind signature then has been constructed.

Another example

J. Camenisch presented two DLP-based blind signatures in [5]. One of them is based on a modification of DSA. The other is derived from the Nyberg-Rueppel scheme [16]. We describe the blinding process of the latter blind signature as another example to show how we can obtain this sort of blind signature.

system parameters

The system parameters are as follows. A prime and has a large prime factor q. An element of order q. The system’s private key is the corresponding public key is To sign a message a signer selects at random and computes as follows.

From the fact that to satisfy the equality


The pair is the signature on the message Any recipient can check the equality to verify the signature.

where and should be independent, can be randomized with the line are randomly selected integers, will be computed by the signer with form of is chosen by the signer at random. Substituting in the

to satisfy the equality

must be equal to and Then, we have obtained the blind signature as described in [5].
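The following Python sketch is an added example, not code from the paper: it runs a blind Nyberg-Rueppel signing exchange and shows the "randomize the line, then deduce the rest" construction of Proposition 1, plus the unlinkability of Def. 1. The formulas of this scheme did not survive on this page, so the equations used here (signature r = m·g^k, s = x·r + k, blinding factors alpha and beta) are the commonly published form of the scheme and are an assumption relative to this page, as are all function names and the toy parameters.

```python
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy group (not a secure size): Q | P-1, G has order Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key: the slope of the line
    return x, pow(G, x, P)                    # public key y = g^x mod p

def signer_commit():
    k = secrets.randbelow(Q - 1) + 1          # intercept, chosen by the signer
    return k, pow(G, k, P)                    # commitment r~ = g^k~ mod p

def user_blind(m, r_t):
    while True:
        a = secrets.randbelow(Q)              # alpha: random shift
        b = secrets.randbelow(Q - 1) + 1      # beta: random scale, invertible mod q
        r = m * pow(G, a, P) * pow(r_t, b, P) % P
        m_t = r * pow(b, -1, Q) % Q           # blinded abscissa sent to the signer
        if m_t != 0:                          # retry on the degenerate case
            return (a, b, r), m_t

def signer_respond(x, k, m_t):
    return (m_t * x + k) % Q                  # ordinate on the line s~ = m~*x + k~

def user_unblind(state, s_t):
    a, b, r = state
    return r, (s_t * b + a) % Q               # final signature (r, s)

def verify(y, m, r, s):
    return m % P == pow(G, -s % Q, P) * pow(y, r, P) * r % P

def linking_factors(view, sig):
    # For ANY signer view and ANY valid signature there is exactly one (alpha, beta)
    # mapping one to the other, so a view carries no information about the signature.
    (r_t, m_t, s_t), (m, r, s) = view, sig
    b = r * pow(m_t, -1, Q) % Q
    a = (s - s_t * b) % Q
    return a, b

def run(x, m):
    k, r_t = signer_commit()
    state, m_t = user_blind(m, r_t)
    s_t = signer_respond(x, k, m_t)
    r, s = user_unblind(state, s_t)
    return (r_t, m_t, s_t), (m, r, s)         # (signer's view, message + signature)
```

Calling `linking_factors` with the view of one session and the signature of a different session still yields blinding factors that satisfy the user's equations, which is why the signer cannot tell which session produced which signature.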
