Linkability of Some Blind Signature Schemes

1. Linkability of Some Blind Signature Schemes Swee-Huay Heng1, Wun-She Yap1 Khoongming Khoo2 1Multimedia University, 2DSO National Laboratories

2. Introduction

3. Blind Signature Schemes • A blind signature scheme is a 2-party protocol between a user and a signer. • It allows a signer to sign a document submitted by a user blindly, i.e. without obtaining any information on the document.

4. ID-based Blind Signature Schemes (IBBS) • A blind signature scheme is an asymmetric system which involves a public-private key pair. • An ID-based blind signature scheme (IBBS) is a blind signature scheme where the signer’s public key is replaced by the signer’s ID. • In that way, we can do away with a certification authority which saves cost and set-up time.

5. ID-based Blind Signature Schemes • An ID-based blind signature scheme (IBBS) consists of the following steps: • Setup: Define and publicize parameters of the IBBS. • Extract: Private Key Generator (PKG) issues a secret key to each signer based on his ID. • Sign: A user Bob engages in a two-party protocol (usually 3-pass) with the signer to sign his document blindly. • Verify: Alice receives Bob’s document and checks if the signature is correct.

6. Signer ID-based Blind Signature Schemes Alice PKG Verifies Signed message Issue Private Key based on Signer’s ID Signed message Bob Commit Blinded message Signed blinded message Unblinds signed blinded message to get signed message

7. Existing Blind Signature Schemes • The first IBBS were introduced by Zhang and Kim at Asiacrypt 2002. They provided an improvement at ACISP 2003. • Later, Huang et. al. proposed a new scheme at CANS 2005 which offers runtime, memory and communications advantages over the Zhang-Kims’ schemes

8. Linkability of Blind Signature Schemes • A blind signature scheme is called linkable if an attacker can link a message to its signature. • At ICCSA 2006, Zhang et. al. showed that the Huang et. Al. scheme is linkable. • At ICICIC 2006, the same authors showed that the Zhang-Kim scheme is linkable.

9. Linkability of Blind Signature Schemes • In this talk, we shall show that the linkability argument of Zhang et al may not be correct. • Therefore, the Zhang-Kims’ schemes and Huang et. al. scheme are still secure against Zhang et al’s linkability attack.

10. Example of Linkability Attack

11. The Huang et. al. Scheme • Setup: G1 is cyclic additive group of order q with generator P. G2 is cyclic multiplicative group. e : G1G1G2 is a bilinear pairing. Randomly pick master secret key s and Ppub=sP. Let H1,H2 be hash functions. Publicize (G1 ,G2 ,e ,q ,P ,Ppub ,H1 ,H2) • Extract: Given an identity ID, compute PID=H2(ID) and return SID=sPID, the secret key of ID.

12. The Huang et. al. Scheme • Issuing Signatures: User chooses P1 and computes e(P1,P). Signer randomly chooses r and computes R’=e(PID,Ppub)r, sends R’ to user as commitment. User randomly chooses t1,t2 and computes R=R’t1e(P1,P)t2, h=H1(m,R), and sends h’=ht1 to signer (blinding). Signer sends back V’=(rh’+1)SID User checks whether e(V’,P)=R’h’e(PID,Ppub). If yes then he outputs signature =(R,V) where V=V’+ht2P1. • Verification: Given =(R,V), verifier checks whether e(V,P)=RH1(m,R)e(PID,Ppub)

13. Zhang’s Linkability Attack on Huang et al’s IBBS For signature =(R,V) and message m, the signer • Computes =e(V-V’,P) (V’ is generated by signer) • Computes =R’h’ (h’=ht1 is known to signer) • Computes h=H1(m,R) and check whether  = Rh. Since V=V’+ht2P1, =e(V-V’,P)=e(ht2P1,P)=e(P1,P)ht2  = e(P1,P)ht2R’ht1 = [e(P1,P)t2R’t1]h = Rh Thus Zhang et. al. conclude that message m can be linked to signature =(R,V) because  = Rh is true whenever  is a valid signature of m.

14. Linkability Attack on other IBBS • The linkability attack was applied to Zhang-Kim’s scheme in a similar way at ICICIC 2006. • At ICCSA 2006, Zhang et al proposed their own IBBS scheme which they claim is resistant against their linkability attack. • We showed that their linkability attack (if it is valid) can be extended in a natural way to work on their IBBS too. So their claim is not true.

15. Soundness of Linkability Attack

16. Soundness of Linkability Attack • We shall show that a signer can always link two messages m0m1 using Zhang et al’s method. • In his method, the signer will try to link m0’s information (m0,h0’,V0’) with the signature of m1, (m1)=(R1,V1).

17. Soundness of Linkability Attack In this case, the signer: • Computes =e(V1-V0’,P) • Computes =R0’h0’ • Computes h1=H1(m1,R1) and checks whether  = R1h1. By working out the details, we see that the relation  = R1h1 always holds.

18. Soundness of Linkability Attack • Therefore any message m0 can be linked to the signature of a different message (m1). • Therefore Zhang’s et al’s attack on Huang et al’s IBBS scheme is not valid. • In a similar way, the linkability attacks on Zhang-Kim’s scheme and on their own proposed scheme at ICCSA 2006 are also not valid.

19. Comparison of Huang et al’s scheme and Zhang et al’s scheme • Since we have seen that the Zhang et al IBBS and Huang et al IBBS are both not susceptible to the linkability attack. Which IBBS should we use? • A comparison shows that the Huang et al IBBS is more efficient than the Zhang et al IBBS.

20. Conclusion • We have shown that the linkability attack of Zhang et al’s at ICCSA 2006 and ICICIC 2006 is not valid. • Therefore the Zhang-Kim’s IBBS and Huang et al’s IBBS are still secure. • We also showed that their proposed IBBS at ICCSA 2006 may not be as efficient and does not seem to offer additional security