An Efficient Blind Signature Scheme for Information ...

3 downloads 129 Views 182KB Size Report
KEY WORDS AND PHRASES: Anonymous electronic voting, blind signature, ... withstand a multiplicative attack that tries to construct a valid signature by.
An Efficient Blind Signature Scheme for Information Hiding Chun-I Fan and Wei-Kuei Chen ABSTRACT: This paper presents an efficient blind signature scheme under which information con be hidden in the signature and uncovered later for security purposes. When it is applied to an untraceable electronic cash system, cash owners are able to claim and identify lost cash; when applied to an anonymous electronic voting protocol, no election results are revealed until the entire voting process is finished. The additional computation for the proposed scheme, as compared with typical blind signatures, consists of just two hashing operations. KEY WORDS AND PHRASES: Anonymous electronic voting, blind signature, Internet security, privacy, untraceable electronic cash.

The idea of blind signatures was first introduced by David Chaum [2]. It has two key features: (1) protecting the privacy of users, and (2) preventing signatures from being forged. Two parties, a signer and a group of users, participate in a blind signature protocol. The user blinds the message and submits it to the signer for the signer's signature. The signer signs the blinded message and then sends the result, called the blind signature, back to the user. Finally, the user unblinds the blind signature to obtain the signer's signature on the chosen message. The signer's signature on the message can be verified by checking whether the corresponding public verification formula with the signature-message pair as parameter is true or not. In a secure blind signature scheme, the signer cannot derive the link between a signature shown for verification and the instance of the signing protocol that produces the corresponding blind signature. This property is usually referred to as unlinkability [2, 6]. Another key feature of blind signatures is unforgeability, meaning that the signature is the proof of the signer, and no one else can deliberately sign the message. Thanks to their unlinkability and unforgeability properties, blind signature techniques can be used in many advanced electronic communication services where anonymity is indispensable, such as untraceable electronic cash systems [3, 8, 11] and anonymous electronic voting protocols [4, 9, 13]. In a typical digital signature scheme like RSA, a signer who wishes to sign a message ni usually performs its signing operation on H(m), not directly on ni, where H is a one-way hash function, such as the MD or SHA family, and H(m) is called the message digest of im [10, 12]. Signing on H(m) makes it possible to withstand a multiplicative attack that tries to construct a valid signature by multiplying two or more given signatures. The message digest H(m) is the output of the hash function H with the input In, and its length is fixed and short (e.g., SHA-1 has a 160-bit output). As a result, signing on H(m) is more efficient than signing directly on m when m is longer than the modulus of the underlying digital signature scheme. Since a blind signature is a variant of a digital signature, that applv a one-way hash function to a message before signing also is adopted to withstand multiplicative attacks and improves the efficiency of alIntern,ational Jourinal of Electronic Com,imerc,e / Fall 2001, Vol. 6, No. 1, pp. 93-100.

Copvright ' 2001 M.E. Sharpe, Inc. All rights reserved. 1086-4415/2001 $9.50 +0.00.