New Blind Muti-signature Schemes based on ECDLP

ABSTRACT


INTRODUCTION
David Chaum first proposed the idea of blind signatures based on the RSA signature scheme in 1983 [1]. Subsequently, a number of research studies on blind signatures was completed to protect the anonymity of users and prevent fake online transactions.
In recent decades, elliptic curves have emerged as important factors in digital and crypto theory. The security level of cryptography systems is based on elliptic curve cryptography (ECC) and the difficulty of elliptic curve discrete logarithm problems (ECDLPs). The advantages of ECC cryptosystems compared with other public-key cryptography systems is that ECC ciphers provide security attributes comparable to traditional public-key cryptography systems despite their smaller key lengths. Reports have estimated that the 3248-bit length in the RSA cryptosystem has the same security level as the 256-bit length of the ECC cryptosystem. Thus, the installation of ECC consumes less system resources and energy and provides a higher level of security. Because of the advantage of small key length, ECC has been widely applied in many fields.
Digital signatures based on the difficulty of ECDLPs were first introduced in 1991 in the independent research of NealsKoblitz [2]. Since the 2000s, the USA, Russia, Japan, Korea and several European countries have investigated these problems and have developed standard system solutions, such as the standards by ISO, ANSI, IEEE, SECG, and FIPS. ECDLP is the predominant cryptosystem in Russia. In 2001, Russia produced the GOST R34.10-2001 digital signature standard based on ECDLP with a 256-bit key length. The newest Russia version of the digital signature is GOST R34.10-2012 [3], which has a key length between 256 bits and 512 bits. In 1999, Popescu [4] presented blind multi-signatures based on elliptic curves. In 2005, Chow et al. proposed two blind signature schemes partially based on Bilinear Pairings [5]. In 2011, Moldovyan [6] presented a blind signature scheme based on the GOST R34.10-2001 signature standard. In 2012, Nguyen and Dang [7] provided enhanced security for voting protocols on the Internet using blind signatures; Swati Verma et al. also presented New Proxy Blind Multi Signature based on Integer Factorization and Discrete-Logarithm Problems [8]. In 2013, Panda et al. researched blind signing authorizations in electronic voting processes [9]. In 2014, Hua Sun et al. proposed New Certificateless Blind Ring Signature Scheme [10]. In 2016, Shilbayeh et al. proposed security schemes for electronic voting processes [11]. In 2017, Minh H et al. New Blind Signature Protocols based on a New Hard Problem [12]; Salome James et al. proposed Identity-Based Blind Signature Scheme with Message Recovery [13].
In the next section, details on the ECDLP will be presented, the blind multi-signature schemes based on digital signature standards will be proposed, security through the Random Oracle Model (ROM) will be demonstrated and a comparison between the proposed schemes and available schemes will be performed.

BACKGROUND
Definition 1 (BMS): A blind multi-signature scheme can be described by following five algorithms: setup, blind, sign, unblind, and verification.
A third trust party (TTP) is used, and the process is detailed as follows. a. Setup: Create public arguments based on the GF(p) field and open the argument (p,q,G,P) to the public. Each user in the group can use their private key as identification and calculate the value of the public key. b. Blind: Users chose two random arguments and combine them with the hash of message M to make the content of M blind. The first part of the signature value (r) is simultaneously blinded in this part and sent to the signing group. c. Sign: Each user in the signing group calculates their own signature, and the TTP calculates the signature of the group and sends it back to the requesting user. d. Unblind: The requesting user unblinds the signature. The result is the set (r,s), which is the blind multi-signature on message M. e. Verify: the checking user verifies the signature, which is only accepted if the verification process is satisfied; otherwise, the signature is not accepted.
The digital signature parameters are: a. p is a large prime number, which composes the field GF(p) of EC. b. EC is determined by the description in Part 2. c. integer m is an elliptic curve EC points group order: m = nq, n belongs to Z, g. d is a private key of user (0<d< q).

GOST R 34-10-2012 Standard [3]
a. Setup: Calculate the public key point as follows: P = d × G. The signing party choses a random number k that satisfies (0< k < q) and calculates C = k × G. b. Sign: Calculate the hash value of message M. Determine the first part of signature r as follows: mod , If rʹ= r, then the digital signature is accepted; otherwise, the digital signature is not accepted.

EC-Schnorr scheme [14]
a. Setup: Calculate the public key point: P = d × G. The signing party choses a random number k that satisfies (0<k<q) and calculates C = k × G. b. Sign: Calculate the first part of the signature. Determine the first part of signature as ( , ) mod .
If s = 0, then the process is started again.
The output of the algorithm is the set (r,s), which is used as the digital signature on message M.
Compare rʹ with r. If rʹ = r, then the digital signature is accepted; otherwise, the digital signature is not accepted.

Blind Multi-signature
Assume that user U asks the entire group S who has the authority to include n signers to sign document M; however, this user does not want this authorized group to know the content of M. First, this user blinds the document M, which becomes document Mʹ. Then, Mʹ is sent to the authorized signing group. This group signs Mʹ and sends it back to the requesting user. Then, the user unblinds Mʹ to M and checks the received signature. If the signature is valid, then the user has a valid signature on document M.

Random Oracle Model
In 1993, Bellare and Rogaway [15] generalized a model that allowed for the security of different coding schemes. A blind digital signature scheme is considered safe when its characteristics of blindness and anti-forgery can be ensured in a random predictive model. Definition 3: (Blindness). With all polynomial time algorithms of attacker A acting as the signer, the probability of success of the experiment below is a negligibly small function.
There are two trusted users U 0 , U 1 , which join the blind multi-signature signature scheme with A on the message 1   ( , ) ( , ) .

ANALYSIS OF THE PROPOSED BMS SECURITY 4.1. Security Analysis
A security blind multi-signature scheme is determined by the following two characteristics: blindness and unforgeability. Theorem 1. (Blindness) The proposed blind multi-signature schemes are blind. Proof [16], [17]: Definition 3 is used for the proof. First, the signature pair The output is the linear equation x, which solves the discrete logarithm problems.