Identity-Based Blind Signature Scheme with Message Recovery

ABSTRACT


INTRODUCTION
A digital signature scheme with message recovery is a signature scheme in which the original message does not need to be transmitted together with the signature, since it has been appended to the signature and can be recovered by the verification/message recovery process. It differs from an authenticated encryption scheme or signcryption scheme in that the embedded message can be recovered by anyone, without the secret information. The purpose of this kind of signature is to minimize the total length of the original message and the appended signature. Such schemes are therefore useful in any organization where bandwidth is one of the main concerns, or for applications in which small messages are to be signed.
The blind signature scheme was introduced by Chaum [1] in 1982 to provide anonymity of the user, and it plays a central role in cryptographic protocols such as e-voting and e-payment [2], [3]. Such a signature allows a user to obtain a signature on a message in such a way that the signer learns neither the message nor the resulting signature. The scheme can ensure untraceability and unlinkability.
With the advantages of ID-based cryptography, several ID-based signature schemes and their variants have been proposed in the literature [2]-[4]. The first ID-based blind signature scheme was proposed by Zhang and Kim [5] in Asiacrypt 2002. Later, in 2003, Zhang and Kim [6] proposed a new ID-based blind signature scheme based on bilinear pairings. In 2005, Huang et al. [7] proposed ID-based blind signature schemes using bilinear pairings and showed that the schemes are not secure if the ROS problem is solvable. In 2006, Zhao et al. [8] presented another blind signature scheme that is more efficient than Zhang and Kim's schemes [5], [6]. A generalized ID-based blind signature from bilinear pairings was proposed in 2007 by Kalkan et al. [9]. An ID-based authenticated blind signature scheme from bilinear pairings was proposed by Zhao et al. in 2007 [10]. In 2010, B.U. Rao et al. [11], [12] proposed an ID-based blind signature scheme with unlinkability. In 2014, Pance et al. [13] proposed a comparison of ID-based blind signatures from pairings for e-voting protocols.
A blind signature with message recovery is important in communication that requires smaller bandwidth for signed messages than signatures without message recovery. In 2005, Han et al. [14] proposed a pairing-based blind signature scheme with message recovery based on modified Weil/Tate pairings over elliptic curves. This scheme needs smaller bandwidth and improves communication efficiency over previous ID-based blind signatures. This scheme also provides high security with smaller key sizes. In 2009, Wang et al. [15] proposed optimal blind signature padding with message recovery. This scheme uses an ideal cipher with a smaller block size to design a secure two-move blind signature with an optimal padding. Their scheme has the message recovery property with less bandwidth. Zhang et al. [16] proposed a kind of message-recoverable fairness blind digital signature scheme in 2011. ID-based blind signature schemes with message recovery have also been proposed [17]-[19]. In 2005, Han et al. [13] proposed a pairing-based blind signature with message recovery. In 2006, Hassan et al. [17] proposed a new blind ID-based signature scheme with message recovery which improves the computational efficiency of the Han et al. scheme [14]. It achieves bandwidth savings and is suitable for signing short messages.
In this paper, considering the above advantages, we design a new blind signature scheme with message recovery in the identity-based setting. The proposed IBBSSMR scheme is based on bilinear pairings over elliptic curves and is designed for messages of fixed length. The scheme is useful where the anonymity of the users and bandwidth constraints are of great concern. The proposed scheme is unforgeable under the assumption that the Computational Diffie-Hellman problem is hard.
The rest of the paper is organized as follows. In Section 2, mathematical preliminaries are provided. Section 3 presents the syntax and security model of the proposed IBBSSMR scheme. In Section 4, an identity-based blind signature scheme with message recovery is proposed. In Section 5, the proof of correctness, security analysis and the efficiency analysis of the proposed scheme are presented. Finally, Section 6 concludes the paper.

PRELIMINARIES
In this section, we briefly discuss the basic concepts of bilinear pairings and the related computationally hard problems.

Bilinear Pairings
The bilinear pairing is an important cryptographic primitive and is widely adopted in many positive applications of cryptography. Let $(G_1, +)$ and $(G_2, \cdot)$ be two cyclic groups of the same prime order $q$. Let $P$ be a generator of $G_1$. A bilinear pairing is a map $\hat{e}$ defined by

Bilinear Pairings over Elliptic Curves
The modified Weil pairing and the Tate pairing are admissible instantiations of bilinear pairings. The modified Weil pairing setting is briefly discussed here. Let $p$ be a sufficiently large prime such that $p \equiv 2 \bmod 3$ and $p = lq - 1$, where $q$ is also a large prime. Let $E$ be an elliptic curve defined by the equation $y^2 = x^3 + 1$ [...] $F$ of order $q$. The modified Weil pairing is thus defined by [...], where $q$ is also prime. Let $E$ be the elliptic curve defined by the equation $y^2 = x^3 + 1$ over $F_p$. Let $G_1$ be the subgroup of points on $E$ of order $q$. Suppose we already have a hash function $H_1 : \{0,1\}^* \to F_p$. A Map-to-Point algorithm works as follows on input 0
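The description of Map-to-Point above is cut off. As an added example (not code from the paper), the following sketch assumes the standard Boneh-Franklin construction for this curve: hash the identity to $y_0 \in F_p$, take $x_0 = (y_0^2 - 1)^{1/3}$, and multiply by the cofactor $l$. The toy parameters, the SHA-256 stand-in for $H_1$ and the retry counter are assumptions.

```python
import hashlib

# Constructed toy parameters (far too small for real use): q prime, l = 6,
# p = l*q - 1 prime with p = 2 (mod 3), so E: y^2 = x^3 + 1 has p + 1 = l*q points.
Q_ORDER, L_COF = 1019, 6
P_MOD = L_COF * Q_ORDER - 1          # 6113
INF = None                           # point at infinity

def ec_add(a, b):
    """Add two affine points on y^2 = x^3 + 1 over F_p."""
    if a is INF or b is INF:
        return b if a is INF else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                   # a = -b (covers doubling a point with y = 0)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h1(identity: bytes, ctr: int) -> int:
    """Stand-in for H1: {0,1}* -> F_p (SHA-256 reduced mod p; biased at toy size)."""
    return int.from_bytes(hashlib.sha256(bytes([ctr]) + identity).digest(), "big") % P_MOD

def map_to_point(identity: bytes):
    """Hash an identity to a point of order q in G1."""
    for ctr in range(256):
        y0 = h1(identity, ctr)
        # p = 2 (mod 3) makes cubing a bijection on F_p, so the cube root is one pow().
        x0 = pow((y0 * y0 - 1) % P_MOD, (2 * P_MOD - 1) // 3, P_MOD)
        q_id = ec_mul(L_COF, (x0, y0))   # clear the cofactor l
        if q_id is not INF:              # retry in the rare case l*(x0, y0) = O
            return q_id
    raise ValueError("no point found")

def on_curve(pt):
    return (pt[1] ** 2 - pt[0] ** 3 - 1) % P_MOD == 0
```

Because the curve has $p + 1 = lq$ points, multiplying by $l$ always lands in the order-$q$ subgroup, which is why the cofactor step cannot be skipped.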

Computational Problems
This section presents some computational problems which will form the basis of security for our IBBSSMR scheme.

SYNTAX AND SECURITY OF THE PROPOSED IBBSSMR SCHEME
In this section we present the syntax and security model of the proposed IBBSSMR scheme.

Syntax of IBBSSMR
Our blind signature scheme with message recovery is an extension of the ordinary blind signature scheme. The scheme consists of the following four algorithms: System Setup, Key Extract, Blind Signature Generation, and Blind Signature Verification with Message Recovery. These algorithms are described below.
1. System Setup: For a given security parameter $k \in Z^+$, the Key Generation Centre (KGC) runs this algorithm and generates the system parameters Params and the master key $s$. Params are made public and $s$ is kept secret. Params are an implicit input to all the following algorithms.
2. Key Extract: For a given user's identity ID, the KGC runs this algorithm to generate the public key $Q_{ID}$ and the private key $d_{ID}$. The KGC sends $d_{ID}$ to the corresponding user through a secure channel.
3. Blind Signature Generation: This is an interactive and probabilistic polynomial time protocol, which is operated by the user and the signer. The user first blinds the message $M$ and obtains a new version $h$ of $M$, and then sends it to the signer. The signer uses his/her private key to sign $h$ and obtains $V'$, and then sends it to the user. The user unblinds it to obtain $V$, which is a blind signature on the original $M$.
4. Blind Signature Verification with Message Recovery: For a signer's identity ID and a blind signature $\sigma$, a verifier runs this algorithm to recover the message and check the validity of the blind signature $\sigma$. More precisely, the algorithm Verify$(ID, \sigma)$ outputs 1 if accepted, or 0 if rejected.
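The blind/sign/unblind/recover flow above, as an added example that is not the paper's pairing-based scheme: it swaps in Chaum's RSA blind signature [1] with a truncated-hash redundancy so that the verifier recovers the message from the signature alone. The key, the `redundancy` function and all names are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key from two Mersenne primes (about 92 bits, insecure).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # signer's private exponent
MSG_LEN, TAG_LEN = 4, 6                # fixed message and redundancy lengths (bytes)

def redundancy(msg: bytes) -> bytes:
    """Hypothetical redundancy function: truncated SHA-256 of the message."""
    return hashlib.sha256(msg).digest()[:TAG_LEN]

def blind(msg: bytes):
    """User: embed the message with redundancy, then blind it with a random r."""
    if len(msg) != MSG_LEN:
        raise ValueError("message must have the fixed length")
    m = int.from_bytes(msg + redundancy(msg), "big")
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r   # (h sent to signer, r kept by user)

def sign_blinded(h: int) -> int:
    """Signer: sign h without learning the embedded message."""
    return pow(h, D, N)

def unblind(v_blinded: int, r: int) -> int:
    """User: strip the blinding factor to obtain the signature V."""
    return (v_blinded * pow(r, -1, N)) % N

def verify_and_recover(v: int):
    """Verifier: recover the message from V alone; None if the redundancy fails."""
    m = pow(v, E, N)
    if m >= 1 << (8 * (MSG_LEN + TAG_LEN)):
        return None
    raw = m.to_bytes(MSG_LEN + TAG_LEN, "big")
    msg, tag = raw[:MSG_LEN], raw[MSG_LEN:]
    return msg if tag == redundancy(msg) else None
```

Two runs on the same message give the signer different values of h but yield the same V, which is the unlinkability the signer's view must not break.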

Security Requirements of the Proposed IBBSSMR
A secure blind signature scheme must satisfy the following requirements:
1. Correctness: If the user and the signer both comply with the blind signature generation algorithm, then the blind signature $V$ will always be accepted. The signature of a message signed through the signature scheme can be checked by anyone using the signer's public key.
2. Blindness: A signature is said to be blind if a given message-signature pair and the signer's view are statistically independent. While correctly operating one instance of the blind signature scheme, let the output be $(M, V)$ (i.e., the message-signature pair) and the view of the protocol be $V'$. At a later time, the signer is not able to link $V'$ to $(M, V)$. The content of the message should be blind to the signer; the signer of the blind signature does not see the content of the message.
3. Unforgeability: This is with respect to the user in particular, i.e., the user is not able to forge blind signatures that are accepted by the blind signature verification algorithm. Only the signer can give a valid signature for the associated message.

PROPOSED ID-BASED BLIND SIGNATURE SCHEME WITH MESSAGE RECOVERY
In this section, we present our ID-based blind signature scheme with message recovery (IBBSSMR). As discussed in Section 3.1, the detailed functionalities of these algorithms are presented. [...]
c. Now the KGC publishes the system parameters Params = $\langle G_1, G_2, \hat{e}, q, P, P_{pub}, H_1, H_2, F_1, F_2 \rangle$ and keeps the master key $s$ secret.
2. Key Extract: Given a user's identity ID, the KGC computes the corresponding private key [...] is the public key of the user, and then sends it to the corresponding user ID through a secure channel.
3. Blind Signature Generation: In order to have a message $M \in \{0,1\}^{l_1}$ signed blindly by a signer whose identity is ID, the user and the signer should run the blind signature protocol.
[Blind Signature Issuing Protocol] Suppose that $M$ is the message to be signed. The blind signature protocol is shown in Figure 1.
a. The signer randomly chooses a number $r \in Z_q^*$, computes

ANALYSIS OF THE PROPOSED IBBSSMR
In this section, we present the proof of correctness, security and efficiency analysis of the proposed IBBSSMR scheme.

Proof of Correctness
The following equations give the correctness of the proposed scheme. Consider ˆˆˆˆ ( , ) ( ,

Security Analysis
In the following, we show that the proposed IBBSSMR satisfies all the security requirements stated in Section 3.2.

Blindness Property
In order to prove the blindness property, we will show that for a given message-signature pair $(M, h, V)$ and the signer's view $(M, h, V')$, there always exists a unique pair of blinding factors $a, b$ that maps $(M, h, V')$ to $(M, h, V)$. Since the user chooses the blinding factors $a, b$ randomly, the signer cannot get any information from his/her view, and the signature scheme will be blind. For a signature $\sigma = (h, V)$ generated on a message $M$ during the protocol, the following equations must hold.

P pub a V bV q 
The above formula for $a$ involves the elliptic curve discrete logarithm of [...] Obviously, due to the non-degenerate property of the bilinear pairings, we have [...] Thus, the unique solutions of Equations (2) and (3) satisfy Equation (1). Since the blinding factors are unique and randomly chosen during the protocol, the blindness property of the proposed scheme follows.

Unforgeability
In order to prove unforgeability, we first assume that there exists a probabilistic polynomial time algorithm $A$ which can create forged signatures of the signer. We can then use $A$ to solve the CDH (Computational Diffie-Hellman) problem. Assume that $A$ is able to forge valid blind signatures which are accepted by the verification algorithm with non-negligible probability. By the Oracle replay attack and the Forking Lemma [18] [...] which is a contradiction, which arises due to the assumption that $A$ successfully constructed two different valid blind signatures for $M$. Hence the blind signature is unforgeable.

Efficiency of the Proposed IBBSSMR
In this section, we analyze the performance of our IBBSSMR scheme and compare it with the related schemes in terms of computational and communication (signature length) cost. From the experimental results [19]-[21], to achieve security comparable with a 1024-bit RSA key, where the bilinear pairing (Tate pairing) is defined over the supersingular elliptic curve

TT 
We summarize these computational results in Table 1. We analyze the efficiency of our proposed IBBSSMR scheme by comparing it with the existing schemes [14], [17]. The comparison is summarized in Table 2.

Table 1. Notations and descriptions of various cryptographic operations and their conversions

Table 2. Efficiency comparison of our scheme with related schemes

From Table 2, it is clear that the signature length of the proposed IBBSSMR scheme is $(|q| + |G_1|)$, which is less than that of the Han et al. [14] scheme and equal to that of the Hassan et al. scheme [17]. Also, the computational cost for signing and verification of the proposed IBBSSMR scheme is $475.84\,T_{ML}$, which is less than that of the Han et al. [14] and Hassan et al. [17] schemes; so our scheme is computationally more efficient than the Han et al. [14] and Hassan et al. [17] schemes. Hence, from the above discussion, the proposed IBBSSMR scheme is more efficient than the related schemes in both computation and communication.

CONCLUSION
In this paper, we proposed a new blind signature scheme with message recovery in the ID-based setting using bilinear pairings over elliptic curves. This scheme combines the advantages of blind signatures and message recovery with ID-based cryptography, and plays an important role in cryptographic protocols such as e-voting and e-payment. The blindness property of our scheme provides anonymity of the user, and the message recovery property allows it to work with low-bandwidth devices such as PDAs and mobile devices. The proposed scheme is also secure under the assumption that the CDH problem is intractable. Efficiency analysis of our scheme against other schemes shows that the proposed IBBSSMR is efficient in terms of both computation and communication.
function $L$ is called Map-to-Point. Again, let $p$ be a prime satisfying $p \equiv 2 \bmod 3$ and $p = lq - 1$

Figure 1. The blind signature issuing protocol
with respect to the base $P_{pub}$. So we can use $aP_{pub}$ in the rest of the proof instead. It is obvious that * ,

T
Time needed to execute addition of 2 elliptic curve points (point addition in $G_1$).
Blind Signature Scheme with Message Recovery (Salome James)
, assume $A$ has constructed two different valid blind signatures for a message $M$.
We consider the running time calculated for different cryptographic operations in Cao et al. [19], He et al. [20], Ren et al. [21] using MIRACL [22], a standard cryptographic library, implemented on a hardware platform with a PIV (Pentium-4) 3 GHz processor, 512 MB memory and a Windows XP operating system. Furthermore, Chung et al. (2007) [23] indicate that the time needed to execute the elliptic curve scalar multiplication () [20] It was also mentioned in Cao et al. [19] and He et al. [20] that the time needed to execute one pairing based scalar multiplication () PX BP