Provably secure randomized blind signature scheme based on bilinear pairing

1

Provably secure randomized blind signature scheme based on bilinear pairing

Source: Computers and Mathematics with Applications

Author: Chun-I Fan , Wei-Zhe Sun, Vincent Shi-Ming Huang

Presenter: 林志鴻

2

Outline

Introduction Preliminaries Randomized blind signature Performance and security Analysis Conclusion

3

Introduction

User Signer

+ 盲因子 =(1) (2) +

=

(3) －盲因子 =

4

Introduction(cont.)

Usage of Blind Signature Anonymous electronic voting Untraceable electronic cash system

Security properties of Blind Signature Unlinkability Unforgeability randomization

5

Unlinkability

Signer

A

B

A? or B?

6

Blind signature with randomization

分成六個演算法 KeyGen(k) → (SK, PK) Blind(m, r, u) → α Sign(α,y, SK) → t Unblind(t, r) → s RandMix(u, y) → c ； σ=signature-message Verify(σ,PK) → {0,1}

Verify((Unblind (Sign (Blind (m, r, u),y,SK),r),m, RandMix(u, y) ),PK)=1

7

Outline

Introduction Preliminaries Randomized blind signature Performance and security Analysis Conclusion

8

Preliminaries

Bilinear Pairing GDH Groups

9

Bilinear Pairing

e : G1 × G1 → G2

Bilinearity Non-degeneracy Computability

10

GDH Groups

對於一個循環群 G CDH problem ︰

對 a,b Zq∈ 給定 (P,aP,bP) ∈ G 計算 abP DDH problem ︰

對 a,b,c Zq ∈ 給定 (P,aP,bP,cP) ∈ G 判斷 c=ab

若存在一多項式時間演算法 A 可解決 DDH問題但不存在任何演算法可解決 CDH 問題則此循環群 G 稱為 GDH Groups

11

Outline

Introduction Preliminaries Randomized blind signature Performance and security Analysis Conclusion

12

Randomized blind signature

Initialization phase Blinding phase Signing phase Unblinding phase Verification phase

13

Randomized blind signature (cont.)

Initialization phase

1. 輸入秘密參數 k 產生兩個 order q 的循環群G1,G2 ,P 為 G1生成元 , e: G1× G1→G2

2. 簽章者選取兩個私鑰 x1,x2 Zq∈ * 產生相對應的公鑰 Pub1 = x1P, Pub2 = x2P ,H:{0,1}*→G1

*

params = (q, H,G1,G2,e,P, Pub1, Pub2)

14

Randomized blind signature (cont.)

Blinding phase1. 當使用者發送簽章要求時，簽章者隨機選取

y Z∈ p* 傳送 ρ= yP 給使用者

2. 使用者準備明文 m 並隨機選取 u,r1,r2 Z∈ p* ，設

定隨機參數 C = u ρ

3. 計算盲訊息α1 = r1H(m || C) + r2Pα2 = r1u (mod q)

4. 傳送 (α1, α2 ) 給簽章者

15

Randomized blind signature (cont.)

Signing phase 簽章者計算 T = x1α1 + x2yα2P並回傳給使用者

Unblinding phase使用者計算 S = r1

-1(T – r2Pub1)此時簽章 -訊息組為 (S,m,C)

Verification phase驗證式子 e(S, P) = e(H(m || C), Pub1)e(C, Pub2)

Pub1 = x1P, Pub2 = x2Pρ= yP ,C = u ρα1 = r1H(m || C) + r2Pα2 = r1u (mod q)

16

Randomized blind signature (cont.)

整體流程

17

Outline

Introduction Preliminaries Randomized blind signature Performance and security Analysis Conclusion

18

Performance and security Analysis

[11]A. Boldyreva[12]H. Elkamchouchi, Y. Abouelseoud[13]Y. Yu, S. Zheng, Y. Yang[14] [15]F. Zhang, K. Kim

19

Outline

Introduction Preliminaries Randomized blind signature Performance and security Analysis Conclusion

20

Conclusion

本文提出了一個提供具有隨機屬性的 pairing-based 盲簽章並正式的證明此簽章具有 unlinkability, unforgeability, 和 randomization properties 。

本文提出的方法為第一個可證明安全的隨機化盲簽章