Blind Signatures. Chun-I Fan (范俊逸), E-Commerce & Security Engineering Lab., Department of Computer Science and Engineering, National Sun Yat-Sen University.


1 Blind Signatures
Chun-I Fan (范俊逸), E-Commerce & Security Engineering Lab., Department of Computer Science and Engineering, National Sun Yat-Sen University, cifan@cse.nsysu.edu.tw

2 Outlines
- Introduction
- Digital Signatures
- Blind Signatures
- Partially Blind Signatures
- Fair Blind Signatures
- A User Efficient Blind Signature Scheme
- Conclusions

3 Introduction


5 Features of Internet Services
- Efficiency: Faster than traditional services
- Ubiquity: Users can obtain services anywhere
- Flexibility: Clients can request services anytime
- Openness: Popularization
- Examples: Electronic cash and voting services

6 Some Challenges to Internet Services
- Security
  - Hackers and viruses
  - Privacy and policy considerations
- Efficiency
  - A lot of extra computations must be performed by users
  - Limited power of devices such as mobile units or smart cards

7 Cryptographic Techniques
- Encryption/Decryption
- Key Distribution Protocols
- Identification Schemes
- Digital Signatures
- Blind Signatures
- ...

8 Digital Signatures

9 A Digital Signature Scheme
[Diagram between User and Signer. Labels: Message; Signature on Message; the signer's signature on "Message"; Linkable (Signer).]

10 Signature Generation and Verification
[Diagram. Labels: User, Signer, Message, Key, Signature Generator, Signature, Signature Verifier, True / False.]

11 Blind Signatures

12 Blind Signatures
[Diagram between User and Signer. Labels: Message; Signature on Message; the signer's signature on "Message"; Unlinkable (Signer).]

13 The Scheme
- Unlinkability: it is intractable for the signer to link  to 
- "Message": the blinded message
- Signature on "Message": the blind signature
- Signature on "Message": to be obtained after unblinding

14 Signature Generation and Verification
[Diagram. Labels: User, Signer, Message, Blinding, Signing, Key, Blind Signature, Unblinding, Signature, Signature Verifier, True / False.]

15 A Generic Blind Signature Scheme
- $M$: the underlying set of messages
- $R$: a finite set of random integers
- $S : M \to M_T$: signing
- $V : M_T \times M \to \{\text{true}, \text{false}\}$: verifying
- $B : M \times R \to M$: blinding
- $U : M_T \times R \to M_T$: unblinding

16 The Protocol
- Signer: publish $V$
- User: $m \in M$, $r \in R$
- User → Signer: $B(m, r)$
- Signer → User: $S(B(m, r))$
- User: $U(S(B(m, r)), r) = S(m)$
- Signature-message pair: $(S(m), m)$
- Verification: $V(S(m), m) = \text{True}$

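17 Flow Diagram
[Diagram between User and Signer: $B(..)$ applied to $m$ and $r$ gives $B(m, r)$; $S(.)$ with the Key gives $S(B(m, r))$; $U(..)$ with $r$ gives $S(m)$; $V(..)$ on $S(m)$ and $m$ outputs True / False.]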

18 Application: Anonymous Voting
[Diagram between Voter i and the Center. Stages: Registration, Voting, Vote, Verify & Publish. Mechanisms: Identification Protocol, Blind Signature Scheme, Anonymous Channel. Labels: $id_i$; Make License($id_i$); Publish License($id_i$); License($id_i$); intent; Sign on $B(\text{intent})$; $S(\text{intent})$; Vote: $(S(\text{intent}), \text{intent})$.]

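19 An Anonymous Voting Protocol
- Center: publish $V$
- Voter: $m$ = intention, $r \in R$
- Voter → Center: $B(m, r)$
- Center → Voter: $S(B(m, r))$
- Voter: $U(S(B(m, r)), r) = S(m)$
- Voter → Center (Anonymous Channel): Vote: $(S(m), m)$
- Center: $V(S(m), m) = \text{True}$; publish $(S(m), m)$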

20 Discussions
- Tally Correctness
  - Unforgeable votes
  - All registered voters must submit their votes
- Anonymity
  - Unlinkability based on blind signatures
  - Anonymous channels

21 Application: Untraceable E-Cash
[Diagram among Customer, Bank and Payee B. Stages: Withdrawing, Paying. Mechanisms: Identification Protocol, Blind Signature Scheme. Labels: identity; Account no.; Verify identity; string; Sign on $B(\text{string})$; $S(\text{string})$; Deduct one dollar from the account; Cash: $(S(\text{string}), \text{string})$; Correctness Checking; 2-Spending Checking; E-cash DB; Store the cash; Add $1 to B's account.]

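22 An Untraceable E-Cash Protocol
- Bank: publish $V$
- Customer: $m \in M$, $r \in R$
- Customer → Bank: $B(m, r)$
- Bank → Customer: $S(B(m, r))$
- Customer: $U(S(B(m, r)), r) = S(m)$; Cash: $(S(m), m)$
- Customer → Payee: $(S(m), m)$; $V(S(m), m) = \text{True}$
- Payee and Bank: $(S(m), m)$; 2-spending checking; "Fresh"; Accept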

23 Discussions
- Unforgeability
- Untraceability
  - Bank cannot trace an e-cash to the withdrawing protocol
- The database will grow without limit
- Perfect crimes
  - Money Laundering
  - To safely get a ransom
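An added example, not code from the slides: the generic B/S/U/V protocol and the bank's 2-spending check from slides 15 to 22, instantiated here with Chaum's RSA blinding, which the slides do not spell out. The toy key, SHA-256 as `H`, the `Bank` class and `withdraw_coin` are assumptions of this sketch, and `S` is applied to `H(m)` rather than to `m` directly.

```python
import hashlib, math, secrets

# Toy bank key, constructed for this example (known Mersenne primes; not secure).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))                 # known only to the bank

def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def B(m: bytes, r: int) -> int:                   # blinding (user)
    return H(m) * pow(r, E, N) % N

def S(x: int) -> int:                             # signing (bank)
    return pow(x, D, N)

def U(blind_sig: int, r: int) -> int:             # unblinding (user)
    return blind_sig * pow(r, -1, N) % N

def V(sig: int, m: bytes) -> bool:                # verifying (anyone)
    return pow(sig, E, N) == H(m)

class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.spent = set()                        # e-cash DB; grows with every deposit

    def withdraw(self, account: str, blinded: int) -> int:
        if self.balances.get(account, 0) < 1:
            raise ValueError("insufficient funds")
        self.balances[account] -= 1               # deduct one dollar
        return S(blinded)                         # the bank never sees m

    def deposit(self, payee: str, sig: int, m: bytes) -> str:
        if not V(sig, m):
            return "forged"
        if m in self.spent:                       # 2-spending checking
            return "double-spent"
        self.spent.add(m)
        self.balances[payee] = self.balances.get(payee, 0) + 1
        return "accepted"

def withdraw_coin(bank: Bank, account: str):
    m = secrets.token_bytes(16)                   # coin serial chosen by the customer
    r = 0
    while math.gcd(r, N) != 1:                    # r must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    return U(bank.withdraw(account, B(m, r)), r), m
```

The `spent` set is never pruned, which is the unbounded database growth listed in the discussion slide.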

24 Partially Blind Signatures

25 Partially Blind Signatures
[Diagram between User and Signer. Labels: Message = $(m_1 \# m_2)$; $m_1$; Signature on ( # $m_2$); the signer's signature on $(m_1 \# m_2)$.]
All of the signatures with the same $m_2$ are indistinguishable from the signer's point of view.

26 Signature Generation and Verification
[Diagram. Labels: User, Signer, $m_1, m_2$, Blinding, $m_1 \# m_2$, Signing, Key, Partially Blind Signature, Unblinding, Signature on $(m_1 \# m_2)$, $(m_1, m_2)$, Signature Verifier, True / False.]

27 The Protocol
- Signer: publish $V$
- User: $m_1, m_2 \in M$, $r \in R$
- User → Signer: $(B(m_1, r) \# m_2)$
- Signer → User: $S(B(m_1, r) \# m_2)$
- User: $U(S(B(m_1, r) \# m_2), r) = S(m_1 \# m_2)$
- Signature-message triple: $(S(m_1 \# m_2), m_1, m_2)$
- Verification: $V(S(m_1 \# m_2), (m_1 \# m_2)) = \text{True}$

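28 Flow Diagram
[Diagram between User and Signer: $B(..)$ and $\#$ applied to $m_1$, $m_2$ and $r$ give $(B(m_1, r) \# m_2)$; $S(.)$ with the Key gives $S(B(m_1, r) \# m_2)$; $U(..)$ with $r$ gives $S(m_1 \# m_2)$; $V(..)$ on $S(m_1 \# m_2)$ and $(m_1, m_2)$ outputs True / False.]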

29 Discussions
- Embed an expiration date into an e-cash
  - E-cash = $(S(m_1 \# m_2), m_1, m_2)$
  - $m_2$ is the expiration date of the e-cash
  - All expired e-cash can be removed from the bank's database
- The storage can be controlled

30 Fair Blind Signatures

31 Money Laundering
[Diagram among Bank, Customer A and Customer B. Labels: Withdraw a blinded e-cash; Forward the e-cash; Deposit the e-cash; Unlinkable; Unblinding.]

32 To Safely Get a Ransom
[Diagram among Criminal, Payer and Bank. Labels: Send a blinded message; Forward the blinded message; Withdraw the blinded e-cash; Unblinding; Deposit the e-cash; Anonymous Channel; Unlinkable; Publish the blinded e-cash.]

33 Fair Blind Signatures
- To cope with the misuse of unlinkability
  - money laundering
  - to safely get a ransom
- The judge keeps the link information
  - unlinkable to the signer
  - the judge can reveal the link when necessary

34 The Registration Stage
- User and Judge: Identification Protocol
- License = $(S_{judge}(B(K); id_{user}), B(K))$
- $K = E_{judge}(id_{user}; random)$
- $S_{judge}$: the signing function of the judge
- $E_{judge}$: the encryption function of the judge
- $random$: a random string

35 The Signing Stage
- Signer: publish $V$
- User: $m \in M$, $r \in R$
- User → Signer: $B(m, r)$, $id_{user}$, License = $(…, B(K))$
- Signer: verify License
- Signer → User: $S(B(m, r) \# B(K))$
- User: $U(S(B(m, r) \# B(K)), r) = S(m \# K)$
- Signature-message triple: $(S(m \# K), m, K)$
- Verification: $V(S(m \# K), (m \# K)) = \text{True}$

36 Discussions
- Cash = $(S(m \# K), m, K)$
  - $K = E_{judge}(id_{user}$ …...$)$
- Owner Tracing
  - The judge can decrypt $K$ and reveal $id_{user}$

37 A User Efficient Blind Signature Scheme

38 The Underlying Foundation
- Based on Quadratic Residues
- If $x^2 = y \pmod{n}$, then $y$ is a quadratic residue (QR) in $Z_n$ and $x$ is a square root of $y$
- If $n = p_1 p_2$ where $p_1$ and $p_2$ are two distinct large primes, then, given $(y, n)$, it is intractable to compute $x$ without $p_1$ or $p_2$.

39 The Blind Signature Protocol
- The Blinding Stage
- The Randomizing Stage
- The Signing Stage
- The Unblinding Stage

40 The Blinding Stage
- Signer: $n = p_1 p_2$; $H$: hash function; publish $(H, n)$
- User: $m \in Z_n$; $u, v \in_R Z_n$;  = $H(m)(u^2 + v^2) \bmod n$

41 The Randomizing Stage
- Signer: $x \in_R Z_n$
- User: $b \in_R Z_n$;  = $b^2 \bmod n$;  =  (u  vx) mod n

42 The Signing Stage =   1 mod n Derive t such that t 4  n  (x 2 +1) 2 (t, ) User Signer

43 The Unblinding Stage
- User: c =  (ux+v) mod n; $s = bt \bmod n$
- Signature-message triple: $(c, m, s)$
- Verification: $s^4 \equiv H(m)(c^2 + 1) \pmod{n}$

44 Flow Chart
[Diagram between User and Signer. Stages: Blinding, Randomizing, Signing, Unblinding, Response. Labels: $m$; $(u, v)$; $x$; $b$; $(b, u, v)$; $(p_1, p_2)$; $(c, s)$; $s^4 = H(m)(c^2 + 1)$.]
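An added example, not code from the slides or from the scheme's author: the four stages of slides 40 to 43 run end to end against the published verification equation $s^4 \equiv H(m)(c^2+1) \pmod{n}$. The names `alpha`, `beta`, `delta` and `lam` stand for the quantities whose symbols did not survive in this transcript, and the minus sign in `u - v*x`, the use of p ≡ 3 (mod 4) primes for root extraction, the toy key and SHA-256 as `H` are assumptions chosen so that the verification equation holds.

```python
import hashlib, math, secrets

# Toy signer key, constructed for this example: two known Mersenne primes, both 3 (mod 4).
P1, P2 = 2**61 - 1, 2**89 - 1
N = P1 * P2

def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def rand_unit() -> int:
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r

def fourth_root(y: int) -> int:
    """Signer only (needs P1, P2): t with t^4 = y mod N, for y a QR mod both primes."""
    # For p = 3 (mod 4), y^((p+1)/4) is the square root of y that is itself a QR.
    t1, t2 = (pow(y, ((p + 1) // 4) ** 2, p) for p in (P1, P2))
    return (t1 + P1 * ((t2 - t1) * pow(P1, -1, P2) % P2)) % N   # CRT

def signer_pick_x(alpha: int) -> int:
    """Randomizing stage: x such that alpha*(x^2+1) is a QR mod P1 and mod P2."""
    while True:
        x = rand_unit()
        y = alpha * (x * x + 1) % N
        if all(pow(y, (p - 1) // 2, p) == 1 for p in (P1, P2)):
            return x

def signer_sign(alpha: int, x: int, beta: int):
    lam = pow(beta, -1, N)
    return fourth_root(alpha * (x * x + 1) * lam * lam % N), lam

def obtain_signature(m: bytes):
    """User side of all four stages; the signer only ever sees alpha and beta."""
    while True:
        u, v, b = rand_unit(), rand_unit(), rand_unit()
        alpha = H(m) * (u * u + v * v) % N            # blinding
        if math.gcd(alpha, N) != 1:
            continue
        x = signer_pick_x(alpha)                      # randomizing
        delta = b * b % N
        beta = delta * (u - v * x) % N
        if math.gcd(beta, N) != 1:                    # beta must be invertible
            continue
        t, lam = signer_sign(alpha, x, beta)          # signing
        c = delta * lam * (u * x + v) % N             # unblinding
        return c, b * t % N

def verify(c: int, m: bytes, s: int) -> bool:
    return pow(s, 4, N) == H(m) * (c * c + 1) % N
```

Verification succeeds because $(ux+v)^2 + (u-vx)^2 = (u^2+v^2)(x^2+1)$, so both sides reduce to the same product once `lam` cancels `beta`.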

45 Features
- Unlinkability: $(b, u, v)$ is randomly chosen and kept secret by the user
- Unforgeability: $(p_1, p_2)$ is kept secret by the signer and $H$ is one-way
- User Efficiency: 10 multiplications and 1 hashing for getting a signature; 4 multiplications and 1 hashing for verification

46 Properties
[Comparison table of the Cam., Cha., Fer., Poi. and Fan schemes. Rows: Unlinkable, Randomized, Foundation, Message Recoverable. Foundations as extracted: DL, RSA, QR, DL. Marks as extracted: ○ ○ ○ ○ ○ × ○ × ○ ○ ○ × ○ ○ × ○ ○ ×]

47 The Computation for Users
[Comparison table of the Cam., Cha., Fer., Poi. and Fan schemes. Rows: Inverse, Hashing, Exponentiation, Multiplication. Values as extracted: 3 0 2 2k 0 0 2 14 4 2 0 6 2 1 2 2 4 1 2 3 6 0 2 5. Reduced by: >99%]

48 Remarks
- The first blind signature scheme based on Quadratic Residues (AsiaCrypt'96)
- It is randomized
- Very low computation for users
- Customer-efficient untraceable e-cash services
- Voter-efficient anonymous e-voting protocols

49 Conclusions

50 Summary
- Blind Signature = Digital Signature + Encryption
- Unforgeability and Unlinkability
- Applications
  - Untraceable Electronic Cash
  - Anonymous Electronic Voting
- Partially blind signatures can reduce the storage
- Fair blind signatures can deal with the misuse of unlinkability
