Elsevier

Computers & Security

Volume 24, Issue 1, February 2005, Pages 44-49

A randomized RSA-based partially blind signature scheme for electronic cash

https://doi.org/10.1016/j.cose.2004.05.008

Abstract

Blind signature schemes can yield a signature and message pair whose information does not leak to the signer. However, when blind signatures are used to design e-cash schemes, there are two problems. One is the unlimited growth of the bank's database, which keeps all spent e-cash to prevent double spending. The other is that the signer must assure himself that the message contains accurate information, such as the face value of the e-cash, without seeing it. Partially blind signatures can cope with these problems. In partially blind signatures, the signer can explicitly include some agreed common information, such as the expiration date and the face value, in the blind signature. Randomized signature schemes can withstand one-more-forgery under the chosen plaintext attack. Based on the RSA cryptosystem, Fan–Chen–Yeh proposed a randomized blind signature scheme and Chien–Jan–Tseng proposed a randomized partially blind signature scheme. However, the attacker can remove the randomizing factor from the messages to be signed in these two schemes. The attacker can also change the common information of Chien–Jan–Tseng's partially blind signature. In this paper, we propose a secure randomized RSA-based partially blind signature scheme, and show that the proposed scheme satisfies the blindness and unforgeability properties. We also analyse the computation cost of the proposed scheme.

Introduction

The blind signature technique was first introduced by Chaum (1983) to protect an individual's privacy. A secure blind signature scheme should satisfy the blindness and unforgeability properties.

Blindness: a user can acquire a signature on a message without revealing anything about the message to the signer. The blindness property ensures that no one except the signature requester can derive a link between a view and a valid blind signature. A view of the signer is defined to be the set of all messages that the signer has received and generated when issuing the signature. Owing to the blindness property, blind signatures have been widely used in untraceable electronic cash systems.

Unforgeability: only the signer can generate valid signatures.

In an electronic cash system, the bank (or the signer) issues electronic cash, i.e., e-cash, and a customer (or a user) can withdraw e-cash from his account and deposit e-cash into his account in the bank. When blind signatures are used to design e-cash schemes, there are two shortcomings. (1) To prevent a customer from double-spending his e-cash, the bank has to keep a spent database which stores all spent e-cash, and it checks whether a specified e-cash has been spent by searching this database. The spent database kept by the bank may therefore grow without limit. (2) To trust the face value of e-cash in the withdrawal phase, the signer must assure himself that the message contains accurate information without seeing it. The cut-and-choose algorithm is widely used to solve this problem, but it is very inefficient. To get a low enough probability of cheating, the cut-and-choose must consist of many terms, and the vast amount of data spoils its computation and communication efficiency.

Partially blind signatures, introduced by Abe and Fujisaki (1996), can eliminate the above two shortcomings. The partial blindness property allows the bank to explicitly include some agreed common information, such as the expiration date and the face value, in the blind signature. In a secure partially blind signature scheme, a user cannot replace the common information with another one. Using partially blind signatures, the bank can prevent its spent database from growing without limit. By embedding an expiration date into each e-cash issued by the bank, all expired e-cash recorded in the bank's database can be removed. This removal of expired e-cash limits the size of the bank's spent database. The user can also renew his e-cash when the old e-cash is close to the expiration date. After verifying the old e-cash, making sure it is not expired and not in the spent database, the bank issues a new e-cash to the user using the partially blind signature scheme and records the old e-cash in the spent database. In addition, the bank cannot build a relationship between the old e-cash and the new e-cash. Using partially blind signatures, the bank can also trust the face value of the e-cash to be signed. By embedding the face value in each e-cash, the bank clearly knows the value of the blindly issued e-cash.

The Chaum (1983) RSA-based blind signature scheme and the Abe and Fujisaki (1996) RSA-based partially blind signature scheme are vulnerable to one-more-forgery under the chosen plaintext attack (Coron et al., 1999, Desmedt and Odlyzko, 1994). Using the homomorphic property, the attacker can forge a new signature. To be immune to the chosen plaintext attack, Ferguson (1994) suggested that the signer inject one or more randomizing factors into the blinded message so that attackers cannot predict the exact content of the message the signer signs. This is referred to as the randomization property. In a secure randomized signature scheme, a user cannot remove the signer's randomizing factor. Based on the RSA cryptosystem, Fan et al. (2000) proposed a randomized blind signature scheme and Chien et al. (2001) proposed a randomized partially blind signature scheme. However, the attacker can remove the randomizing factor from the messages to be signed (Kwon and Cho, 2003); thus, Fan–Chen–Yeh's blind signature scheme and Chien–Jan–Tseng's partially blind signature scheme are vulnerable to the chosen plaintext attack. In addition, the attacker can change the common information of Chien–Jan–Tseng's partially blind signature (Kwon and Cho, 2003).
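The blinding step of Chaum-style RSA blind signing and the homomorphic property mentioned above, as an added Python example that is not code from the paper. The toy Mersenne-prime modulus, the SHA-256 stand-in for a hash into Z_n, and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Toy parameters (constructed for illustration; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1          # two Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # signer's trapdoor: e*d = 1 mod phi(n)

def h(message: bytes) -> int:
    """Hash a message into Z_n (assumed stand-in, not the paper's H)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def blind(message: bytes):
    """User: hide h(m) behind r^e; returns (alpha, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:       # r must be invertible mod n
            return (pow(r, E, N) * h(message)) % N, r

def sign_raw(x: int) -> int:
    """Signer: invert the RSA function on whatever value it is handed."""
    return pow(x, D, N)

def unblind(t: int, r: int) -> int:
    """User: strip r, since (r^e * h)^d = r * h^d mod n."""
    return (t * pow(r, -1, N)) % N

def verify(message: bytes, s: int) -> bool:
    """Anyone: check s^e = h(m) mod n with the public key only."""
    return pow(s, E, N) == h(message)

def demo():
    msg = b"coin serial 0001"         # constructed sample message
    alpha, r = blind(msg)
    s = unblind(sign_raw(alpha), r)
    # The signer's view (alpha) is not h(msg), yet s verifies on msg.
    blind_ok = verify(msg, s) and alpha != h(msg)
    # The same multiplicative property from the signer's side:
    # signatures on a and b combine into a signature on a*b mod n.
    a, b = h(b"a"), h(b"b")
    homomorphic = (sign_raw(a) * sign_raw(b)) % N == sign_raw((a * b) % N)
    return blind_ok, homomorphic

if __name__ == "__main__":
    print(demo())
```

Unblinding works only because the RSA function is multiplicative, and that same property is what lets signed values be combined without the signer, which is the motivation for the signer-side randomizing factor discussed above.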

Our main goal is to design a secure randomized partially blind signature scheme based on RSA. In this paper, we first describe our randomized partially blind signature scheme, and then examine the correctness, blindness and unforgeability properties. Finally we analyse the computation costs of the proposed scheme. Our proposed scheme can be used to design e-cash systems.

Section snippets

The proposed randomized partially blind signature scheme based on RSA

We begin by describing the RSA function. Let $n = pq$ be the product of two large primes of the same size. A typical size for $n$ is 1024 bits. Each of the factors is 512 bits. Let $e$, $d$ be two integers satisfying $ed \equiv 1 \pmod{\phi(n)}$ where $\phi(n) = (p - 1)(q - 1)$. We define the RSA function as $\mathrm{RSA}_{N,e}(x) = x^e \pmod{n}$. If $d$ is given, the RSA function can be easily inverted using the equality $x^{ed} \equiv x \pmod{n}$. We refer to $d$ as a trapdoor enabling one to invert the RSA function. We assume that the RSA function is one-way

Correctness

In the Blinding stage of the proposed partially blind signature, the user computes the blinded message α = reuH(muey)(mod n) and sends α to the signer. If one of the integers u, r or H(muey) is not in $\mathbb{Z}_n^*$, the signer cannot compute ((αx)(a))−1(mod n) in the Signing stage. However, the probability that u, r or H(muey) is not in $\mathbb{Z}_n^*$ is negligible, nearly $2^{-|p|}$ or $2^{-|q|}$, where $|p|$, $|q|$ denote the bit lengths of $p$, $q$, and $|p| = |q| = 512$ in a practical implementation. This negligible situation

Conclusion

In this paper, we have presented a secure randomized partially blind signature scheme based on RSA. The blindness and unforgeability properties and the computation costs were also examined. We believe that more efficient randomized RSA-based schemes for electronic cash will be proposed in the future.

Acknowledgments

We thank the support of National Natural Science Foundation of China (NSFC90204016, NSFC60373048) and the National High Technology Development Program of China under Grant (863, No. 2003AA144030). Finally, we thank the anonymous referees for their helpful comments and suggestions.

Tianjie Cao received the M.Sc. degree in Mathematics from Nankai University (P.R. China) in 1993. Currently he is an Associate Professor of Computer Science at China University of Mining and Technology. He is also a Ph.D. candidate at the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences. His research interests include electronic cash, cryptographic protocols and network security.

References (9)

  • M. Abe et al. How to date blind signatures. Advances in cryptology—Asiacrypt'96 (1996)
  • D. Chaum. Blind signatures for untraceable payments. Advances in cryptology—CRYPTO'82 (1983)
  • Chien HY, Jan JK, Tseng YM. RSA-based partially blind signature with low computation. In: Proceedings of the eighth...
  • J.S. Coron et al. On the security of RSA padding. Advances in cryptology—CRYPTO'99 (1999)
There are more references available in the full text version of this article.

Dongdai Lin received the M.Sc. and Ph.D. degrees in Cryptography at Institute of System Sciences, Chinese Academy of Sciences in 1990. Currently he is a Research Professor at the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences.

Rui Xue received the Ph.D. degree in Mathematics from Beijing Normal University (P.R. China) in 1999. He was a postdoctoral fellow at the Laboratory of Computer Science in the Institute of Software (1999–2001), Chinese Academy of Sciences (CAS). Currently he is a Research Professor at the State Key Laboratory of Information Security, Institute of Software, CAS.
