
The application of blind signatures in E-Cash

In the document IN ENGINEERING AND COMPUTER SCIENCE (Pages 95-98)

HOW TO CONSTRUCT DLP-BASED BLIND SIGNATURES AND THEIR APPLICATION

4. The application of blind signatures in E-Cash

In the development of E-Cash systems, there are four basic models for the application of blind signatures.

Model I: Normal blind signature. Under this simplest model, a bank blindly signs the coins and checks the coins on-line to prevent multi-spending.

Model II: Restrictive blind signature. Brands’ restrictive blind signature plays a significant role in developing off-line E-Cash systems. Most previous off-line systems that provide anonymity and double-spending resistance rely, to a greater or lesser degree, on the properties of the restrictive blind signature [3, 18, 4, 7, 6, 10]. Under this model, the principle behind using the restrictive blind signature to build E-Cash systems is that the user’s identity is embedded in the “inside” construction of the signed message, which is not known to the bank. When spending the coin at a merchant, the user proves her knowledge of the “inside” construction to the merchant with a zero-knowledge proof. If she spends the coin twice, two points of a line in the zero-knowledge proof are exposed; the coefficients of the line can then be computed and used to reveal the “inside” construction of the message.

Consequently, knowing the “inside” construction reveals the identity information of the user. Such a system is still anonymous, because the bank blindly signs only the “outside” construction of the message. This concept can be further extended to build group signatures and group-signature-based E-Cash systems [20, 15, 21, 17].
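The double-spending trace described above, as an added Python example (not code from the paper), modelled on the payment step of Brands’ off-line cash [3]: each payment answers a challenge d with one point on each of two secret lines, and two payments of the same coin give the bank both slopes. The group parameters, function names and secret values are assumptions chosen for illustration; the bank’s blind signature on the coin and the derivation of d are left out.

```python
# Added illustration; toy parameters chosen for readability, far too small for real use.
P, Q = 2039, 1019      # safe prime P = 2*Q + 1; Q is the prime order of the squares mod P
G1, G2 = 4, 9          # two squares mod P, so each generates the order-Q subgroup

def inv(a):
    """Modular inverse in the exponent field Z_Q."""
    return pow(a % Q, -1, Q)

def make_coin(u, s, x1, x2):
    """Coin (A, B): A = (G1^u * G2)^s carries identity u on the 'inside'."""
    A = pow(pow(G1, u, P) * G2 % P, s, P)
    B = pow(G1, x1, P) * pow(G2, x2, P) % P
    return A, B

def respond(u, s, x1, x2, d):
    """Spender's answer to challenge d: one point on each of two secret lines."""
    return (d * u * s + x1) % Q, (d * s + x2) % Q

def verify(coin, d, resp):
    """Merchant's check: G1^r1 * G2^r2 == A^d * B (mod P)."""
    (A, B), (r1, r2) = coin, resp
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P

def trace(t1, t2):
    """Bank's check on two transcripts (d, (r1, r2)) of the SAME coin."""
    (d1, (a1, b1)), (d2, (a2, b2)) = t1, t2
    if (d1 - d2) % Q == 0:
        return None                       # same point twice: the lines stay hidden
    us = (a1 - a2) * inv(d1 - d2) % Q     # slope of line 1 = u*s
    s = (b1 - b2) * inv(d1 - d2) % Q      # slope of line 2 = s
    return us * inv(s) % Q if s else None

def demo():
    u, s, x1, x2 = 123, 77, 400, 500      # constructed secrets for one coin
    coin = make_coin(u, s, x1, x2)
    t1 = (11, respond(u, s, x1, x2, 11))  # first payment
    t2 = (950, respond(u, s, x1, x2, 950))  # second payment of the same coin
    assert verify(coin, *t1) and verify(coin, *t2)
    return trace(t1, t2)                  # recovers u

if __name__ == "__main__":
    print("recovered identity:", demo())
```

A single transcript leaves u hidden because x1 and x2 are fresh random values per coin; only a second point on the same lines fixes the slopes.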

Model III: Fair blind signature. Although the fair blind signature is itself a new concept introduced in [18, 4], it can be easily obtained from the restrictive blind signature or other blind signatures and can be further used to construct fair off-line E-Cash systems. Fair E-Cash systems offer a compromise between the need to protect users’ privacy and the need to effectively prevent misuse by criminals. The trick in fair blind signatures is that a third party (possibly more than one), called a trustee, is involved in the system. In early systems [4, 7], the trustees view all or part of the blinding process so that they can revoke the anonymity provided by the blind signature. But the trustees have to be involved in each withdrawal or account-opening protocol, so the efficiency is low. In later systems [6, 10], the trustees have a public-private key pair, so there is no need for the trustees to be on-line or involved in any protocol except the tracing protocol.

Model IV: Partially fair blind signature. More recently, a signature called the restrictive partially blind signature was proposed by Maitland [14]. Partially blind signatures were introduced by Masayuki Abe [2]. A partially blind signature scheme allows a signer to produce a blind signature on a message while some commonly agreed information (e.g. expiry date, denominational information) remains visible despite the blinding process. There is no need to use different signing keys for different denominations. We point out here that, with the restrictive partially blind signature, it is possible to construct anonymity-revocable off-line E-Cash that can make exact payments while remaining double-spending resistant [14, 1, 13]. Exact payment also implies that there is no need to design divisible E-Cash systems, in which complicated cryptographic technologies have to be used, resulting in inefficient and impractical systems for small-amount fund transfers.

Owing to space limitations, we do not illustrate the application of the different blind signatures in E-Cash systems with concrete examples. How to construct fair or partially blind signatures will be discussed in the full version of this paper.

5. Conclusion

In this paper, we generalized the process of constructing a DLP-based blind signature. Knowing this process, we can convert most DLP-based digital signatures into a blind version. We also roughly described how to use different blind signatures to design different E-Cash systems.

References

[1] M. Abe and E. Fujisaki. How to date blind signatures. In Advances in Cryptology - ASIACRYPT ’96, International Conference on the Theory and Applications of Cryptology and Information Security 1996, Proceedings, LNCS 1163, Springer-Verlag, 1996.

[2] M. Abe and T. Okamoto. Provably secure partially blind signatures. In Advances in Cryptology - CRYPTO 2000 – 20th Annual International Cryptology Conference, Proceedings, LNCS 1880, Springer-Verlag, 2000.

[3] S. Brands. Untraceable off-line cash in wallet with observers. In Advances in Cryptology - CRYPTO ’93, LNCS 773, Springer-Verlag, 1993.

[4] E. Brickell, P. Gemmell, and D. Kravitz. Trustee-based tracing extensions to anonymous cash and the making of anonymous change. In Proceedings of the 6th Annual ACM-SIAM Symposium on Discrete Algorithms, ACM, Jan 1995.

[5] J. Camenisch. Blind signatures based on the discrete logarithm problem. In Advances in Cryptology - EUROCRYPT ’94, LNCS 950, Springer-Verlag, 1994.

[6] J. Camenisch, U. M. Maurer, and M. Stadler. Digital payment systems with passive anonymity-revoking trustees. In ESORICS’96, 1996.

[7] J. Camenisch, J. Piveteau, and M. Stadler. An efficient fair payment system. In Proc. ACM Conference on Computer and Communications Security, 1996.

[8] D. Chaum. Blind signatures for untraceable payments. In David Chaum, Ronald L. Rivest, and Alan T. Sherman, editors, Advances in Cryptology: Crypto 82, Plenum Press, 1983.

[9] D. Chaum and T. P. Pedersen. Wallet databases with observers. In Ernest F. Brickell, editor, Advances in Cryptology: Proceedings of Crypto 92, pages 1–14. Springer-Verlag, 1993.

[10] Y. Frankel, Y. Tsiounis, and M. Yung. Indirect discourse proofs: achieving efficient fair off-line e-cash. In Advances in Cryptology - ASIACRYPT’96, LNCS 1163, Springer-Verlag, 1996.

[11] Matthieu Gaud and Jacques On the anonymity of fair off-line e-cash systems. In Financial Cryptography – Seventh International Conference. FC’2003 Proceedings, LNCS 2742, Springer-Verlag, 2003.

[12] P. Horster, M. Michels, and H. Petersen. Efficient blind signature schemes based on the discrete logarithm problem. Technical Report TR-94-6, University of Technology Chemnitz-Zwickau, 1994.

[13] M. Abe and J. Camenisch. Partially blind signature schemes. In Proceedings of the 1997 SCIS, SCIS’97-33D, 1997.

[14] G. Maitland and C. Boyd. A provably secure restrictive partially blind signature scheme. In Public Key Cryptography, Fourth International Workshop on Practice and Theory in Public Key Cryptography, PKC ’02, LNCS 2274, Springer-Verlag, 2002.

[15] Greg Maitland and Colin Boyd. Fair electronic cash based on a group signature scheme. In ICICS’01, LNCS 2229, Springer-Verlag, 2001.

[16] K. Nyberg and R. A. Rueppel. A new signature scheme based on the DSA giving message recovery. In Conference on Computer and Communications Security – CCS’93, ACM Press, 1993.

[17] Jacques Canard. On fair e-cash systems based on group signature schemes. In ACISP’03, LNCS 2727, Springer-Verlag, 2003.

[18] M. Stadler, J. M. Piveteau, and J. Camenisch. Fair-blind signatures. In Advances in Cryptology - EUROCRYPT ’95, LNCS 921, Springer-Verlag, 1995.

[19] T. Okamoto. Provable secure and practical identification schemes and corresponding signature schemes. In Ernest F. Brickell, editor, Advances in Cryptology: Proceedings of Crypto 92, LNCS 740, Springer-Verlag, 1993.

[20] Group signature and their relevance to privacy-protecting offline electronic cash systems. In ACISP99, LNCS 1587, Springer-Verlag, 1999.

[21] W. Qiu, K. Chen, and D. Gu. A new off-line privacy protecting e-cash system with revokable anonymity. In ISC’02, LNCS 2433, Springer-Verlag, 2002.

[22] Fangguo Zhang and Kwangjo Kim. ID-based blind signature and ring signature from pairings. In Advances in Cryptology - ASIACRYPT’02, LNCS 2501, Springer-Verlag, 2002.
