ONE-SHOW BLIND SIGNATURE SYSTEMS
This is a continuation of application Ser. No. 07/384,092, filed July 24, 1989, now U.S. Pat. No. 4,914,698, which is a continuation of Ser. No. 07/168,802, filed Mar. 16, 1988, now abandoned.
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to cryptographic systems, and more specifically to public-key digital signature systems providing unlinkability.
2. Description of Prior Art
Blind signatures are known in the art, as described in European Patent Publication No. 0139313, dated 2/5/85, claiming priority on U.S. Ser. No. 524896, titled "Blind signature systems," and European Patent Publication No. 0218305, dated 4/15/87, claiming priority on U.S. Ser. No. 784999, titled "Unanticipated blind signature systems," both by the present applicant.
These signatures can be used rather directly to construct a payment system (as described, for instance, in the applicant's "Security without identification: Transaction systems to make Big-Brother obsolete," Communications of the ACM, Oct. 1985, pp. 1030-1044.) In such systems, a bank might charge, say, one dollar to make a blind signature. People can buy such signatures from the bank (the blinding lets them keep the bank from learning which ones they bought) and then spend them at, say, a shop. The shop could check with the bank in an on-line transaction to verify upon receiving a particular signature that it has not already been spent elsewhere. If shops do not perform such checking, then someone could spend the same number in more than one shop, and the blind signatures would protect them from ever being traced. But on-line checking may be costly or even infeasible in many applications.
Another use of blind signatures is in credential mechanisms. These were also introduced in the article cited above, and have since been further detailed in "A secure and privacy-protecting protocol for transmitting personal information between organizations," that appeared in Proceedings of Crypto 86, A. M. Odlyzko Ed., Springer-Verlag, 1987, by the present applicant and J.-H. Evertse. When "digital pseudonyms" are established for showing or receiving credentials in such mechanisms, it may be necessary to perform an on-line transaction to ensure that the same pseudonym has not already been used before.
In all these systems, there are essentially three parties: (1) the signature issuing party; (2) the plurality of parties to whom signatures are issued by the first party; and (3) the plurality of parties to whom the signatures are shown by the second parties. One aspect that could be improved (without reducing unlinkability for "honest" second parties) is that the third parties must check with one another or with some clearing center before accepting a signature; otherwise they will have no recourse if it turns out that the same signature has already been shown to more than a single third party.
OBJECTS OF THE INVENTION
Accordingly, it is an object of the present invention to provide a public-key digital signature system that allows signatures to be issued by a first party to a second party and for the second party to provide them to a third party, where cooperation of the first and third parties is unable to trace second parties that do not show any signature more than once.
Another object of the present invention is to allow such untraceability to be unconditional, in the sense that (still assuming the second party does not show any signature more than once) even if unlimited computing resources were to become available to the first and third parties, tracing would remain impossible.
A further object of the present invention is to allow the first and third parties to efficiently detect and trace (back to the particular issue of the signature by the first party) a second party who shows any single signature more than once.
An additional object of the present invention is to allow said detecting and tracing to be done at any time after a signature is shown more than once.
A still further object of the present invention is to allow the second party to encode a number into the form of the signature that is shown.
Yet another object of the present invention is to allow said number to represent a value, and for the second party to be able to later obtain a refund for the difference between the value shown and the maximum value.
An even further object of the present invention is to allow the refund of value to be obtained for at least parts of more than one signature shown, in such a way that the particular value originally shown is not revealed during refund.
Still another object of the present invention is to allow efficient, economical, and practical apparatus and methods fulfilling the other objects of the invention.
Other objects, features, and advantages of the present invention will be appreciated when the present description and appended claims are read in conjunction with the drawing figures.
BRIEF DESCRIPTION OF THE DRAWING FIGURES
FIG. 1 shows a flowchart of a preferred embodiment of a first exemplary one-show blind signature obtaining protocol in accordance with the teachings of the present invention.
FIG. 2 shows a flowchart of a preferred embodiment of a first exemplary one-show blind signature showing protocol in accordance with the teachings of the present invention.
FIG. 3 shows a flowchart of a preferred embodiment of a first exemplary multiple-showing detection and tracing protocol in accordance with the teachings of the present invention.
FIG. 4 shows a flowchart of a preferred embodiment of a second exemplary one-show blind signature obtaining system extension to FIG. 1 in accordance with the teachings of the present invention.
FIG. 5 shows a flowchart of a preferred embodiment of a second exemplary one-show blind signature showing system extension to FIG. 2 in accordance with the teachings of the present invention.
FIG. 6 shows a flowchart of a preferred embodiment of a refund signature showing system, for the exemplary embodiments of FIG. 4 and FIG. 5, in accordance with the teachings of the present invention.
BRIEF SUMMARY OF THE INVENTION
In accordance with these and other objects of the present invention, a brief summary of an exemplary embodiment will now be presented. Some simplifications and omissions may be made in this brief summary, which is intended only to highlight and introduce some aspects of the invention, but not to limit its scope. Detailed descriptions of preferred exemplary embodiments adequate to allow those of ordinary skill in the art to make and use the inventive concepts are provided later.
The basic protocol is in three parts: party P obtaining a one-show signature from party B; P showing a one-show signature to party S; and B detecting and tracing signatures that have been shown more than once. (These letters have been chosen as mnemonic devices for clarity only to stand for payer, bank, and shop, without any limitation on applications being implied.)
There is a certain structure that B ensures is built into signatures when they are issued. When they are shown, certain parts of this structure are exposed, with the choice of what parts being at least somewhat out of the control of P. If even one more part of the signature were exposed, then a simple computation would allow an identifier that was built into the structure of the signature to be determined. If the signature were to be shown a second time, different parts of the structure can be expected to be revealed, and hence it will become traceable via the identifier.
More specifically, a particular case of the preferred embodiment (denoted as t = 1 in the later descriptions) involves a signature on a value of the form f(g(a,c), g(a©u,d)), where f and g are one-way functions. When this signature is shown, the pre-images under one of the g's must be shown to S, but only the image of the other g need be shown. This data can be tested by S, simply by applying the public functions and checking that what results is the message of the digital signature it receives.
Suppose now that the pre-images under the other g are also learned in a second showing of the signature. First notice that the two showings are easily associated with each other since they would involve exactly the same image under f. The identifying information u would then easily be derived simply by forming u = a^-1 © (a © u), where © is a group operation and a^-1 is the inverse of a under it.
The choice of which g will have its arguments revealed can be encoded as a single bit. More generally, there are t terms in the signature, each of the same form as the one shown. A t-bit string is a challenge that determines which half will be opened for each term. If these challenges differ, even in one bit position, then enough will be revealed to allow u to be easily determined.
For untraceability, it is of course necessary that a g cannot be inverted to recover its pre-images. If the c and d arguments are randomly chosen from a set at least as large as the range of g, then it may not be possible to invert g uniquely.
A variation encodes an amount of, say, money in some part of the challenge string. Other signatures are also issued by B that can be shown only if the corresponding bit of the challenge string is shown as 0. These allow P to get change for the unspent value. But since they can be separate signatures, change from more than one original signature can be obtained at once, thereby hiding the exact amounts used in each payment.
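The structure and tracing just described, as an added worked example in Python that is not code from the patent: the t = 1 term f(g(a,c), g(a©u,d)) is generalized to t terms, a challenge bit opens one half of each term, S recomputes the public functions, and two showings whose challenges differ in any position let B recover u as (a © u) minus a. SHA-256 standing in for f and g, addition modulo a prime for ©, and the omission of B's blinding and signing step modulo M are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy parameters. The text suggests t = 100 for high security;
# 4 terms keep the demonstration readable. "©" in comments is the text's
# infix group operator, here addition modulo PRIME (as in the text, the
# prime must be at least as large as any identifier u).
T = 4
PRIME = (1 << 61) - 1

def g(first, second):
    """Two-argument one-way function g (SHA-256 stands in, an assumption)."""
    return hashlib.sha256(b"g|" + first.to_bytes(16, "big") + second).digest()

def f(x, y):
    """Two-argument one-way function f combining the two images under g."""
    return hashlib.sha256(b"f|" + x + y).digest()

def build_terms(u):
    """P's side: for each term pick a, c, d at random and form the value
    f(g(a, c), g(a © u, d)) that B would later blind-sign. The RSA-style
    blinding modulo M is omitted here; only the one-show structure is shown."""
    preimages, images = [], []
    for _ in range(T):
        a = secrets.randbelow(PRIME)
        c, d = secrets.token_bytes(32), secrets.token_bytes(32)
        preimages.append((a, c, d))
        images.append(f(g(a, c), g((a + u) % PRIME, d)))
    return preimages, images

def show(preimages, u, challenge):
    """P opens each term as the t-bit challenge dictates: bit 0 opens the
    pre-image (a, c) of the first g and reveals only the image of the second;
    bit 1 opens (a © u, d) and reveals only the image of the first g."""
    opened = []
    for (a, c, d), bit in zip(preimages, challenge):
        if bit == 0:
            opened.append((0, a, c, g((a + u) % PRIME, d)))
        else:
            opened.append((1, (a + u) % PRIME, d, g(a, c)))
    return opened

def verify(images, opened):
    """S's check: apply the public functions to the opened half plus the
    other image and compare with the message of the signature received."""
    for img, (bit, first, second, other_image) in zip(images, opened):
        half = g(first, second)
        recomputed = f(half, other_image) if bit == 0 else f(other_image, half)
        if recomputed != img:
            return False
    return True

def trace(opened_1, opened_2):
    """B's tracing: two showings whose challenges differ in some position
    expose both a and a © u for that term, so u = a^-1 © (a © u), which
    with addition modulo PRIME is (a © u) - a. Returns None if the
    challenges were identical and nothing extra was revealed."""
    for (bit_1, pre_1, _, _), (bit_2, pre_2, _, _) in zip(opened_1, opened_2):
        if bit_1 != bit_2:
            a, a_plus_u = (pre_1, pre_2) if bit_1 == 0 else (pre_2, pre_1)
            return (a_plus_u - a) % PRIME
    return None
```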
GENERAL DESCRIPTION
The cryptographic method and means described here may be divided into a basic first embodiment and a second extended embodiment. In the first embodiment, a first transaction (FIG. 1) allows party P to obtain a signature from a party B. The second transaction (FIG. 2) allows this signature to be accepted from P by S responsive to a number w that may be unknown to P a priori. The third transaction allows B to uncover u (an identifier) that B associates with P if and only if P shows the signature with sufficiently different w (FIG. 3). The second embodiment can use this third transaction unmodified, but has a modified issuing transaction between P and B (FIG. 4), a modified showing transaction between P and S (FIG. 5), and an unshown reclaim transaction between P and B (FIG. 6).
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
While it is believed that the notation of FIGS. 1-6 would be clear to those of ordinary skill in the art, it is first reviewed here for definiteness.
The operations performed are grouped together into flowchart boxes. The column that a box is in indicates which party performs the operation defined in that box. The columns are labeled by party name across the top. The operation of saving a value under a symbolic name is denoted by the symbolic name on the left of an equal sign and an expression for the value on the right-hand side. Another kind of operation is an equality test. The "?=?" symbol is used to indicate these tests, and the testing party terminates the protocol if the test does not hold. (If the test is the last operation to be performed by a party during a protocol, then the success or failure of the test determines the party's success or failure with the protocol.) The final kind of operation is that of sending a message. This is shown by a message number on the left; followed by the name of the recipient party and an arrow (these appear for readability as either a recipient name then left pointing arrow, when the recipient is on the left; or right pointing arrow then recipient name, when the recipient is on the right); followed by a colon; finally followed by an expression denoting the actual value of the message that should be sent.
Several kinds of expressions are used. One is just the word "random". This indicates that a value is preferably chosen uniformly from an appropriate set, defined in the text, and independently of everything else in the protocol. Thus a party should preferably employ a physical random number generator for these purposes, possibly with appropriate post-processing. In practice, however, well known cryptographic and pseudo-random techniques may be applied possibly in combination with physical sources.
Another kind of expression involves exponentiation. All such exponentiation is preferably over the residues modulo a composite M, whose factorization is preferably available only to party B, such moduli being well known in the art, as first proposed in "A method for obtaining digital signatures and public-key cryptosystems," by Rivest, Shamir and Adleman, Communications of the ACM, Feb. 1978, pp. 120-126. When no operation is shown explicitly, multiplication modulo M is assumed.
Different public exponents may be used with the modulus M. In FIG. 1, 2, and 3, only public exponent p is used. This might be any suitable number: 2, a modest size odd prime, a prime large enough to ensure that it is coprime with the order of the reduced residue system, or any other integer. In the extension of FIG. 4, 5, and 6, p = GCD(p(1), p(2), . . . , p(t)) and q = GCD(q(1), q(2), . . . , q(t)). The p(i) and q(i) might each contain a distinct prime factor, as well as other common factors; or they might contain increasing multiplicities of some factor or factors. For example, p(i) = 2^i and q(i) = 2^i is believed to be secure and to offer economy in computation, particularly when the convention is taken that smaller exponents stand for lower denominations.
Even public exponents do require extra attention, as would be obvious to those of skill in the art, since for one thing square roots do not exist for many residues. Thus, B's choice of things to sign (determined by the set called v, as will be described) would necessarily avoid the unsignable. Another way to address this issue is by application of the well known special composite form with exactly two factors, each congruent to 3 modulo 4: the blinding factors would randomly include a standard public non-square with Jacobi symbol 1 along with an image under f adjusted to have Jacobi symbol 1; each term of a signature under a distinct even exponent would have at B's option the public non-square included under the signature; and signatures would be accepted of images under f with an optional multiple of the public non-square. Notice further that if both parties put the public non-square in, then it can be taken out of the signature by P when its square root is also public. Care must also of course be taken that s is large enough that the chance of a square root on a chosen message being learned by a cheater is acceptably small.
When "/" is used in the base, the multiplicative inverse is first calculated for the expression on the right and then this is multiplied by the expression on the left; when used in the exponent by B, it denotes the same operation just described, but the arithmetic is modulo the order of the group of residues modulo M; when used in the exponent by a party other than B, it denotes integer division. The results of all operations are assumed for convenience and clarity to be encoded as binary integers (the least positive representative is assumed for residue classes). Concatenation, denoted by " || ", is thus defined as juxtaposition of the bit vectors representing values.
The functions f and g are preferably publicly-agreed one-way functions, (being thought of as) having two arguments, such functions being well known in the art. Each image under g may be assumed to be conformable as an argument for f, and each image under f in turn is representable as a residue modulo M, all in some standard way. These functions should preferably be "collision free," in the sense that it is difficult to find more than one valid argument pair that yields the same result, a property commonly achieved in the cryptographic art.
A further desirable property of g is that for each particular allowed first argument, there exist the same number of second arguments that produce each possible output; in other words, fixing any first argument gives a k-to-one map from the second argument to the output. This novel and inventive property is believed to offer the advantage of "unconditional" protection against tracing; that is, even infinite computing power is thought to be unable to determine the first argument of a g given only its result. In any case, functions believed to have such properties, or to be close to them in some absolute or merely computational sense, may offer similar advantages. Since a "random" one-way function from the concatenation of the (suitably-sized) arguments may be expected to come rather close to the desired properties, it is believed that almost any one-way function could be used.
One exemplary way to construct a preferred such function is to apply a bijective one-way function, such as are well known in the public key cryptographic art as "discrete-log" problems over some group, to the second argument and to use the group operation involved to combine the result with the image under a one-way function of the first argument. For instance, the first argument might be used as the exponent of a primitive element modulo a first large prime and the result (possibly after applying, say, DES with a fixed key or the like) added, modulo a second large prime, to the result of raising a primitive element modulo the second prime to the second argument power. Bijective post-scrambling of the final result might be provided by a final application of, say, DES with a fixed key; and similar pre-scrambling of each of the original two arguments may also be used.
The infix operator "©" is the group operation of addition modulo a prime as large as any u, to be described. It would be obvious to those of skill in the art how bit-wise exclusive-or, or any suitable group operation could also be used.
Subscripts, on both symbolic names and message numbers, denote indexes that for clarity are taken to be over the natural numbers; set notation (including set difference) is used to indicate the ordered sets over which these range. Symbolic names i, j, and k are used for indices. Cardinality of sets is shown as usual by surrounding them with "|" symbols. A special operation shown as "@" is used for clarity as a prefix on the symbolic name of an index; this denotes the position of the index within its ordered index set. (For example, if i ∈ {3, 1, 4} and g_1, g_2, g_3, g_4 = 4, 8, 1, 7, then g_i = 1, 4, 7 and g_i + g_@i = 5, 12, 8.) The usual Π notation is used for products modulo M, where the index in the expression following the Π is taken to run over its full index set.
Two parameters, s and t, are assumed known and agreed to all parties using them; they determine the size of the index sets used, and increasing them increases security. Quite high security is believed to result from taking t = 100 and s = 200, but far smaller values may be used in practice. This is especially true when multiple instances of FIG. 1 are conducted together, as mentioned later. The value of u is known to at least P and B, and might be a unique identifier for the particular transaction or for such combined transactions as mentioned.
Turning now to FIG. 1, the first part of a flowchart for the preferred embodiment will now be described in detail.
Box 101 shows P choosing r_i, a_i, c_i and d_i at random, such random selection as already mentioned, where i runs over the first s natural numbers. The r_i are used to form "blinding factors" by being raised to public exponents, and hence they are preferably chosen from {1, . . . , M-1}, as is known in the art. The a_i are preferably uniform to reduce the chance that two different payers choose the same one. The c_i and d_i will be used as the second argument to g, and are thus preferably chosen to maximize the desired properties already described for g, such as being chosen uniformly from the domain of the second argument of g. Then P computes the x_i by applying g to the corresponding a_i as first argument and c_i as second argument. Next the y_i are computed in a similar way, but each a_i is combined by the group operation © with u to form the first argument to g and the d_i are taken as the second argument, with the result denoted symbolically as the corresponding y_i. Next s messages are formed and sent to B as indicated by the notation already described. The ith message [11.1]_i is a product modulo M of r_i raised to the p times f applied to first argument x_i and second argument y_i.
Box 102 indicates that, after receiving messages [11.1], B first chooses v at random uniformly from the