1 Provably secure randomized blind signature scheme based on bilinear pairing Source: Computers and Mathematics with Applications Author: Chun-I Fan, Wei-Zhe Sun, Vincent Shi-Ming Huang Presenter: 林志鴻

2 Outline  Introduction  Preliminaries  Randomized blind signature  Performance and security Analysis  Conclusion

3 Introduction User Signer + 盲因子 = (1)(2) + = (3) －盲因子 =

4 Introduction(cont.)  Usage of Blind Signature Anonymous electronic voting Untraceable electronic cash system  Security properties of Blind Signature Unlinkability Unforgeability randomization

5 Unlinkability Signer A B A? or B?

6 Blind signature with randomization  分成六個演算法 KeyGen(k) → (SK, PK) Blind(m, r, u) → α Sign(α,y, SK) → t Unblind(t, r) → s RandMix(u, y) → c ； σ=signature-message Verify(σ,PK) → {0,1}  Verify((Unblind (Sign (Blind (m, r, u),y,SK),r),m, RandMix(u, y) ),PK)=1

7 Outline  Introduction  Preliminaries  Randomized blind signature  Performance and security Analysis  Conclusion

8 Preliminaries  Bilinear Pairing  GDH Groups

9 Bilinear Pairing  e : G 1 × G 1 → G 2  Bilinearity  Non-degeneracy  Computability

10 GDH Groups  對於一個循環群 G CDH problem ︰ 對 a,b ∈ Zq 給定 (P,aP,bP) ∈ G 計算 abP DDH problem ︰ 對 a,b,c ∈ Zq 給定 (P,aP,bP,cP) ∈ G 判斷 c=ab  若存在一多項式時間演算法 A 可解決 DDH 問 題但不存在任何演算法可解決 CDH 問題則此 循環群 G 稱為 GDH Groups

11 Outline  Introduction  Preliminaries  Randomized blind signature  Performance and security Analysis  Conclusion

12 Randomized blind signature  Initialization phase  Blinding phase  Signing phase  Unblinding phase  Verification phase

13 Randomized blind signature (cont.)  Initialization phase 1. 輸入秘密參數 k 產生兩個 order q 的循環群 G 1,G 2,P 為 G 1 生成元, e: G 1 × G 1 →G 2 2. 簽章者選取兩個私鑰 x 1,x 2 ∈ Zq * 產生相對應 的公鑰 Pub 1 = x 1 P, Pub 2 = x 2 P,H:{0,1} * →G 1 *  params = (q, H,G 1,G 2,e,P, Pub 1, Pub 2 )

14 Randomized blind signature (cont.)  Blinding phase 1. 當使用者發送簽章要求時，簽章者隨機選取 y ∈ Z p * 傳送 ρ= yP 給使用者 2. 使用者準備明文 m 並隨機選取 u,r 1,r 2 ∈ Z p * ，設定 隨機參數 C = u ρ 3. 計算盲訊息 α 1 = r 1 H(m || C) + r 2 P α 2 = r 1 u (mod q) 4. 傳送 (α 1, α 2 ) 給簽章者

15 Randomized blind signature (cont.)  Signing phase 簽章者計算 T = x 1 α 1 + x 2 yα 2 P 並回傳給使用者  Unblinding phase 使用者計算 S = r 1 -1 (T – r 2 Pub 1 ) 此時簽章 - 訊息組為 ( S, m, C )  Verification phase 驗證式子 e(S, P) = e(H(m || C), Pub 1 )e(C, Pub 2 ) Pub 1 = x 1 P, Pub 2 = x 2 P ρ= yP,C = u ρ α 1 = r 1 H(m || C) + r 2 P α 2 = r 1 u (mod q)

16 Randomized blind signature (cont.) 整體流程

17 Outline  Introduction  Preliminaries  Randomized blind signature  Performance and security Analysis  Conclusion

18 Performance and security Analysis [11]A. Boldyreva [12]H. Elkamchouchi, Y. Abouelseoud [13]Y. Yu, S. Zheng, Y. Yang [14] [15]F. Zhang, K. Kim

19 Outline  Introduction  Preliminaries  Randomized blind signature  Performance and security Analysis  Conclusion

20 Conclusion  本文提出了一個提供具有隨機屬性的 pairing- based 盲簽章並正式的證明此簽章具有 unlinkability, unforgeability, 和 randomization properties 。  本文提出的方法為第一個可證明安全的隨機 化盲簽章