## Provably Secure Blind Signature Schemes (1996)

Citations: | 69 - 10 self |

### BibTeX

@INPROCEEDINGS{Pointcheval96provablysecure,

author = {David Pointcheval and Jacques Stern},

title = {Provably Secure Blind Signature Schemes},

booktitle = {},

year = {1996},

pages = {252--265},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

In this paper, we give a provably secure design for blind signatures, the most important ingredient for anonymity in off-line electronic cash systems. Previous examples of blind signature schemes were constructed from traditional signature schemes with only the additional proof of blindness. The design of some of the underlying signature schemes can be validated by a proof in the so-called random oracle model, but the security of the original signature scheme does not, by itself, imply the security of the blind version. In this paper, we first propose a definition of security for blind signatures, with application to electronic cash. Next, we focus on a specific example which can be successfully transformed in a provably secure blind signature scheme.

### Citations

3136 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ... signature schemes. Here are the most well-known. In what follows, H is a hash function. The Blind RSA Signature Wesrst present a blind signature which is a transformation of the RSA signature scheme =-=[23]-=-. It was used by Chaum [6-8] for the withdrawal protocols of hissrst electronic cash system. In the RSA context, we have a large composite number n, a public key e, and a secret key d. The signature o... |

1412 | Random oracles are practical: A paradigm for designing efficient protocols
- BELLARE, ROGAWAY
- 1993
(Show Context)
Citation Context ... that, with s 0 = s mod q, (e 0 ; s 0 ) is a valid Schnorr signature of m since it satises e 0 = H(m; g s 0 y e 0 mod p). 2 Security Proofs 2.1 The Random Oracle Model In 1993, Bellare and Rogaway [1=-=]-=- formalized a model which allows proofs of security for various cryptographic schemes. Many of these algorithms use hash functions and cannot be proved secure from basic properties like one-wayness or... |

877 | How to prove yourself: practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...iated to a same public key. Furthermore, the views of two identications using two distinct secret keys associated to a same public key are indistinguishable. For example, in the Fiat-Shamir protocol [=-=1-=-5], the verier cannot distinguish which square root the prover uses. Okamoto, in [21], proposed a witness indistinguishable adaptation of both the Schnorr [24] and the Guillou-Quisquater [17] identica... |

861 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...use of this scheme by the authority. 2.2 The Security of Signature Schemes In recent years, general techniques for proving the security of signature schemes have been proposed. We refer the reader to =-=[16] for-=- the various denitions of security. The most general one is the \no-existential forgery under adaptively chosen-message attacks". It corresponds to a scenario where an attacker can ask the signat... |

448 | Signatures for Untraceable Payments - Chaum, Blind - 1982 |

440 | Security without identification: transaction systems to make big brother obsolete - Chaum - 1985 |

352 | The exact security of digital signatures - How to sign with RSA and Rabin
- Bellare, Rogaway
- 1996
(Show Context)
Citation Context ... [23] and the Schnorr [24] signature schemes have been proved secure in the random oracle model. Proofs were given in the asymptotic framework of complexity theory. More recently, Bellare and Rogaway =-=[2-=-] modied the original RSA scheme in order to obtain an exact security result. At the same time, Pointcheval and Stern [22] obtained a proof of security for any signature scheme which comes from a fair... |

332 |
A public key cryptosystem and a signature scheme based on discrete logarithms
- Gamal
- 1985
(Show Context)
Citation Context ...a way to validate the design of a cryptographic scheme and to eliminate \poor" designs. For example, in their paper [22], Pointcheval and Stern suggested that the original El Gamal's signature sc=-=heme [11] an-=-d DSS [19] did not follow a \good" design principle. This is in contrast with the Schnorr's signature scheme or, more generally, any transformation of a fair verier zero-knowledge identication sc... |

321 |
Efficient identification and signatures for smart cards
- Schnorr
(Show Context)
Citation Context ...ture oe 0 of m 0 such that oe 0 e = m 0 = r e H(m) mod n. Then, it is easy to remark that oe = oe 0 r \Gamma1 mod n is a valid signature of m. The Blind Schnorr Signature The Schnorr signature scheme =-=[24] can also -=-be turned into a blind signature scheme. The transformation was used in the first electronic cash systems without "cut-and-choose". We have two large prime integers p and q, such that q j p ... |

271 | Untraceable electronic cash
- Chaum, Fiat, et al.
- 1988
(Show Context)
Citation Context ...f payment is o-line, there is no direct way to prevent a user to copy a coin and use it twice. This forgery is called \double spending". As a second step in the E-cash research, Chaum, Fiat and N=-=aor [10]-=- introduced the identity in the coin in such a way that the identity remains concealed, unless double spending happens, in which case it is revealed. This imposes a special format for the coin. Since ... |

233 | Untraceable Off-line Cash in Wallets with Observers
- Brands
- 1993
(Show Context)
Citation Context ...e communication load between the Bank and the user and the space needed to store coins. There were several improvements [9, 20], and in 1993, appeared schemes without the "cutand -choose" me=-=thodology [4, 3, 14, 13]-=-. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes [26], and escrow-based schemes were put forward as a new direction of the research [18... |

223 | Security proofs for signature schemes
- Pointcheval, Stern
- 1996
(Show Context)
Citation Context ... function by some \ideal" object. Nevertheless, we feel that the resulting proof is a way to validate the design of a cryptographic scheme and to eliminate \poor" designs. For example, in th=-=eir paper [22], Poi-=-ntcheval and Stern suggested that the original El Gamal's signature scheme [11] and DSS [19] did not follow a \good" design principle. This is in contrast with the Schnorr's signature scheme or, ... |

204 |
A practical zero-knowledge protocol fitted to security processor minimizing both transmission and memory
- Guillou, Quisquater
(Show Context)
Citation Context ... protocol [15], the verier cannot distinguish which square root the prover uses. Okamoto, in [21], proposed a witness indistinguishable adaptation of both the Schnorr [24] and the Guillou-Quisquater [=-=17-=-] identication schemes. 5 3.2 Provably Secure Blind Signature Schemes As was already remarked, the technical diculty to overcome comes from the fact that, in the colluding step, we no longer can simul... |

173 | Witness indistinguishable and witness hiding protocols
- Feige, Shamir
- 1990
(Show Context)
Citation Context ...ecic three-pass \witness indistinguishable" identication scheme, and its transformation into a blind signature scheme. The notion of \witness indistinguishability" was dened by Feige and Sha=-=mir in [1-=-2] for the purpose of identication. In such a scheme, many secret keys are associated to a same public key. Furthermore, the views of two identications using two distinct secret keys associated to a s... |

155 |
Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes
- Okamoto
- 1993
(Show Context)
Citation Context ...stinct secret keys associated to a same public key are indistinguishable. For example, in the Fiat-Shamir protocol [15], the verifier cannot distinguish which square root the prover uses. Okamoto, in =-=[21]-=-, proposed a witness indistinguishable adaptation of both the Schnorr [24] and the Guillou-Quisquater [17] identification schemes. 5 3.2 Provably Secure Blind Signature Schemes As was already remarked... |

141 | An Efficient Off-line Electronic Cash System Based On The Representation Problem
- BRANDS
- 1993
(Show Context)
Citation Context ...e communication load between the Bank and the user and the space needed to store coins. There were several improvements [9, 20], and in 1993, appeared schemes without the "cutand -choose" me=-=thodology [4, 3, 14, 13]-=-. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes [26], and escrow-based schemes were put forward as a new direction of the research [18... |

103 |
Universal Electronic Cash
- Okamoto, Ohta
- 1992
(Show Context)
Citation Context ...ucture of some of them. The drawback of this technique is that this increases the communication load between the Bank and the user and the space needed to store coins. There were several improvements =-=[9, 20], and-=- in 1993, appeared schemes without the \cutand -choose" methodology [4, 3, 14, 13]. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes... |

60 | Single Term Off-Line Coins
- FERGUSON
- 1993
(Show Context)
Citation Context ...e communication load between the Bank and the user and the space needed to store coins. There were several improvements [9, 20], and in 1993, appeared schemes without the "cutand -choose" me=-=thodology [4, 3, 14, 13]-=-. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes [26], and escrow-based schemes were put forward as a new direction of the research [18... |

42 | Privacy protected payments: Unconditional payer and/or payee untraceability - Chaum - 1989 |

39 |
Revokable and versatile electronic money
- Jakobsson, Yung
- 1996
(Show Context)
Citation Context ...13]. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes [26], and escrow-based schemes were put forward as a new direction of the research =-=[18]-=-. 1.2 Blind Signatures Since the beginning of E-cash, blind signature has been the most important tool. It is an interactive protocol which involves two entities, a Bank and a user. It allows a user t... |

26 |
Untraceable o-line cash in wallet with observers (extended abstract
- Brands
(Show Context)
Citation Context ...e communication load between the Bank and the user and the space needed to store coins. There were several improvements [9, 20], and in 1993, appeared schemes without the \cutand -choose" methodo=-=logy [4, 3, 14, 13]-=-. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes [26], and escrow-based schemes were put forward as a new direction of the research [18... |

23 |
An ecient o-line electronic cash system based on the representation problem", CWI
- Brands
- 1993
(Show Context)
Citation Context ...e communication load between the Bank and the user and the space needed to store coins. There were several improvements [9, 20], and in 1993, appeared schemes without the \cutand -choose" methodo=-=logy [4, 3, 14, 13]-=-. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes [26], and escrow-based schemes were put forward as a new direction of the research [18... |

23 | Off-Line Electronic Cash Based on Secret-Key Certificates
- BRANDS
- 1995
(Show Context)
Citation Context ... after ` blind signatures of the Bank, the user must not be able to create more than ` coins. This form of security was more or less informally assumed in connection with several schemes, for example =-=[5]. D-=-enition 1 (The \one-more" forgery). For any integer `, an (`, ` + 1)- forgery comes from a probabilistic polynomial time Turing machine A that can compute, after ` interactions with the signer , ... |

19 |
Effcient offline electronic checks
- Chaum, Boer, et al.
- 1989
(Show Context)
Citation Context ...ucture of some of them. The drawback of this technique is that this increases the communication load between the Bank and the user and the space needed to store coins. There were several improvements =-=[9, 20], and in 1-=-993, appeared schemes without the "cutand -choose" methodology [4, 3, 14, 13]. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes... |

18 |
Ecient Identi and Signatures for Smart Cards
- Schnorr
- 1989
(Show Context)
Citation Context ...ns a signature 0 of m 0 such that 0 e = m 0 = r e H(m) mod n. Then, it is easy to remark that = 0 r 1 mod n is a valid signature of m. The Blind Schnorr Signature The Schnorr signature scheme [24]=-= can -=-also be turned into a blind signature scheme. The transformation was used in thesrst electronic cash systems without \cut-and-choose". We have two large prime integers p and q, such that q j p 1.... |

14 | Security without Identi Transaction Systems to Make Bib Brother Obsolete - Chaum |

11 |
Provably Secure and Practical Identi Schemes and Corresponding Signature Schemes
- Okamoto
- 1992
(Show Context)
Citation Context ...istinct secret keys associated to a same public key are indistinguishable. For example, in the Fiat-Shamir protocol [15], the verier cannot distinguish which square root the prover uses. Okamoto, in [=-=21-=-], proposed a witness indistinguishable adaptation of both the Schnorr [24] and the Guillou-Quisquater [17] identication schemes. 5 3.2 Provably Secure Blind Signature Schemes As was already remarked,... |

11 |
collisions on DSS
- Hidden
- 1996
(Show Context)
Citation Context ... signature scheme or, more generally, any transformation of a fair verier zero-knowledge identication scheme, which are validated by a proof in the random oracle model. For the DSS design, Vaudenay [2=-=5]-=- later showed a weakness which opens the way to a possible misuse of this scheme by the authority. 2.2 The Security of Signature Schemes In recent years, general techniques for proving the security of... |

8 |
Extensions of Single Term Coins
- Ferguson
- 1994
(Show Context)
Citation Context ...e communication load between the Bank and the user and the space needed to store coins. There were several improvements [9, 20], and in 1993, appeared schemes without the \cutand -choose" methodo=-=logy [4, 3, 14, 13]-=-. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes [26], and escrow-based schemes were put forward as a new direction of the research [18... |

3 |
Single Term O-Line Coins
- Ferguson
- 1994
(Show Context)
Citation Context |

1 |
Ecient O-line Electronic Checks
- Chaum, Boer, et al.
- 1990
(Show Context)
Citation Context ...ucture of some of them. The drawback of this technique is that this increases the communication load between the Bank and the user and the space needed to store coins. There were several improvements =-=[9, 20], and-=- in 1993, appeared schemes without the \cutand -choose" methodology [4, 3, 14, 13]. More recently, unconditional anonymity has been criticized because of money laundering or other possible crimes... |