Fair Blind Signatures Revisited

This paper presents a formal model for fair blind signature schemes and a provably secure scheme based on bilinear maps. A blind signature scheme is a protocol for obtaining a signature on a message that remains unknown to the signer. Furthermore, the signer cannot link his transcript of a protocol run to the resulting message-signature pair. Fair blind signatures were introduced by Stadler et al. at Eurocrypt'95 in [37]. A fair blind signature scheme is a blind signature scheme allowing two types of blindness revocation: linking a signature to the session that produced it (Session Tracing) or, conversely, identifying a signature given a signing session (Signature Tracing). Various fair blind signature schemes have been proposed in the past years, but none of them is a secure fair blind signature scheme that allows polynomially many signatures to be securely issued, even though Abe et al. claimed this in [3]. In this paper, we first show a flaw in the blindness of most (fair) blind signature schemes, where the signer is able to link signatures if he chooses his keys in an appropriate way. Then, we show a flaw in the proof of unforgeability of Abe et al.'s scheme and propose a stronger security model than theirs. It possesses all the needed properties for fair blind signature schemes: blindness, traceability and non-frameability for both revocations (one-more unforgeability is implied by these properties). Finally, we describe a new fair blind signature scheme based on bilinear maps. This scheme thwarts the flaw against previous blind signatures and is proved secure in the random oracle model with respect to our model.

[1] Atsushi Fujioka, et al. A Practical Secret Voting Scheme for Large Scale Elections, 1992, AUSCRYPT.

[2] Claus-Peter Schnorr, et al. Efficient signature generation by smart cards, 2004, Journal of Cryptology.

[3] Yiannis Tsiounis, et al. "Indirect Discourse Proof": Achieving Efficient Fair Off-Line E-cash, 1996, ASIACRYPT.

[4] Jean-Jacques Quisquater, et al. Advances in Cryptology — EUROCRYPT ’95, 2001, Lecture Notes in Computer Science.

[5] Jacques Traoré. Making unfair a "fair" blind signature scheme, 1997, ICICS.

[6] Jean-Jacques Quisquater, et al. Advances in Cryptology — EUROCRYPT ’89, 1991, Lecture Notes in Computer Science.

[7] Jennifer Seberry, et al. Advances in Cryptology — AUSCRYPT '92, 1992, Lecture Notes in Computer Science.

[8] Aggelos Kiayias, et al. Traceable Signatures, 2004, EUROCRYPT.

[9] Rafail Ostrovsky, et al. Security of blind digital signatures, 1997.

[10] Jan Camenisch, et al. Efficient Blind Signatures Without Random Oracles, 2004, SCN.

[11] Matthew Franklin, et al. Advances in Cryptology – CRYPTO 2004, 2004, Lecture Notes in Computer Science.

[12] David Pointcheval, et al. Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks, 2001, ASIACRYPT.

[13] Mihir Bellare. Advances in Cryptology — CRYPTO 2000, 2000, Lecture Notes in Computer Science.

[14] Bart Preneel, et al. Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings, 2000.

[15] Kwangjo Kim, et al. Advances in Cryptology — ASIACRYPT '96, 1996, Lecture Notes in Computer Science.

[16] Jacques Traoré, et al. On the Anonymity of Fair Offline E-cash Systems, 2003, Financial Cryptography.

[17] Chanathip Namprempre, et al. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme, 2003, Journal of Cryptology.

[18] Ueli Maurer, et al. Digital Payment Systems with Passive Anonymity-Revoking Trustees, 1996, ESORICS.

[19] Pascal Paillier, et al. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, 1999, EUROCRYPT.

[20] Tatsuaki Okamoto, et al. Provably Secure Partially Blind Signatures, 2000, CRYPTO.

[21] Cynthia Dwork, et al. Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part III, 2020, Annual International Cryptology Conference.

[22] Tatsuaki Okamoto, et al. Efficient Blind and Partially Blind Signatures Without Random Oracles, 2006, IACR Cryptol. ePrint Arch.

[23] Amit Sahai, et al. Pseudonym Systems, 1999, Selected Areas in Cryptography.

[24] Jacques Stern, et al. Provably Secure Blind Signature Schemes, 1996, ASIACRYPT.

[25] Alfred Menezes, et al. Topics in Cryptology – CT-RSA 2005, 2005.

[26] Andrew Odlyzko, et al. Advances in Cryptology — CRYPTO ’86, 2000, Lecture Notes in Computer Science.

[27] Mihir Bellare, et al. Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions, 2003, EUROCRYPT.

[28] Ernest F. Brickell, et al. Trustee-based tracing extensions to anonymous cash and the making of anonymous change, 1995, SODA '95.

[29] Masayuki Abe, et al. Provably Secure Fair Blind Signatures with Tight Revocation, 2001, ASIACRYPT.

[30] Hovav Shacham, et al. Short Group Signatures, 2004, CRYPTO.

[31] Amos Fiat, et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems, 1986, CRYPTO.

[32] Mihir Bellare, et al. Foundations of Group Signatures: The Case of Dynamic Groups, 2005, CT-RSA.

[33] Masayuki Abe, et al. A Secure Three-Move Blind Signature Scheme for Polynomially Many Signatures, 2001, EUROCRYPT.

[34] Chae Hoon Lim, et al. A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup, 1997, CRYPTO.

[35] David Chaum, et al. Blind Signatures for Untraceable Payments, 1982, CRYPTO.

[36] Colin Boyd, et al. Advances in Cryptology - ASIACRYPT 2001, 2001.

[37] Yehuda Lindell, et al. Concurrently-Secure Blind Signatures Without Random Oracles or Setup Assumptions, 2007, TCC.

[38] Sébastien Canard, et al. Defeating Malicious Servers in a Blind Signatures Based Voting System, 2006, Financial Cryptography.

[39] Aggelos Kiayias, et al. Polynomial Reconstruction Based Cryptography, 2001, Selected Areas in Cryptography.

[40] Jacques Traoré, et al. An Efficient Fair Off-Line Electronic Cash System with Extensions to Checks and Wallets with Observers, 1998, Financial Cryptography.

[41] Jan Camenisch, et al. Signature Schemes and Anonymous Credentials from Bilinear Maps, 2004, CRYPTO.

[42] Marc Fischlin, et al. Round-Optimal Composable Blind Signatures in the Common Reference String Model, 2006, CRYPTO.

[43] Jacques Stern, et al. Advances in Cryptology — EUROCRYPT ’99, 1999, Lecture Notes in Computer Science.

[44] Rafail Ostrovsky, et al. Security of Blind Digital Signatures (Extended Abstract), 1997, CRYPTO.

[45] David Pointcheval, et al. Strengthened Security for Blind Signatures, 1998, EUROCRYPT.

[46] Kazuo Ohta, et al. Divertible Zero Knowledge Interactive Proofs and Commutative Random Self-Reducibility, 1990, EUROCRYPT.

[47] Ivan Damgård, et al. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model, 2000, EUROCRYPT.

[48] Ernest F. Brickell, et al. Advances in Cryptology — CRYPTO ’92, 2001, Lecture Notes in Computer Science.

[49] Aggelos Kiayias, et al. Concurrent Blind Signatures Without Random Oracles, 2006, SCN.

[50] Kaisa Nyberg, et al. Advances in Cryptology — EUROCRYPT'98, 1998.

[51] Jan Camenisch, et al. Fair Blind Signatures, 1995, EUROCRYPT.

[52] Atsushi Fujioka, et al. An Efficient Digital Signature Scheme Based on an Elliptic Curve Over the Ring Zn, 1992, CRYPTO.

[53] Burton S. Kaliski. Advances in Cryptology - CRYPTO '97, 1997.