## A Pairing-based Blind Signature Scheme with Message Recovery

### BibTeX

@MISC{Han_apairing-based,

author = {Song Han and Elizabeth Chang},

title = {A Pairing-based Blind Signature Scheme with Message Recovery},

year = {}

}

### OpenURL

### Abstract

Abstract — Blind signatures enable users to obtain valid signatures for a message without revealing its content to the signer. This paper presents a new blind signature scheme, i.e. identity-based blind signature scheme with message recovery. Due to the message recovery property, the new scheme requires less bandwidth than the identitybased blind signatures with similar constructions. The scheme is based on modified Weil/Tate pairings over elliptic curves, and thus requires smaller key sizes for the same level of security compared to previous approaches not utilizing bilinear pairings. Security and efficiency analysis for the scheme is provided in this paper.

### Citations

1271 | Identity-based encryption from the weil pairing
- Boneh, Franklin
- 2001
(Show Context)
Citation Context ...-based public key systems or key agreement protocols. Thanks to their motivations, it is interesting to construct an identity-based blind signature scheme with message recovery. The bilinear pairings =-=[6]-=-, especially modified Weil/Tate pairings have been a useful tool for cryptographic protocols since Joux’s work [18]. Due to the desirable use of the bilinear pairings in public key cryptography, ident... |

467 |
signatures for untraceable payments
- Chaum
- 1983
(Show Context)
Citation Context ...ryptographic tools which can provide such anonymity for users. Therefore, they are one important tool for electronic cash transmission since the way to ensure anonymity goes through the use of e-cash =-=[9]-=-, [23]. A blind signature scheme is an interactive protocol which involves two entities, a Bank and a user. It enables a user to obtain a valid signature for a message m from a Bank without her seeing... |

321 | Efficient algorithms for pairing-based cryptosystems
- Barreto, Kim, et al.
- 2004
(Show Context)
Citation Context ...tiplicative group of q of F ∗ p2. (2) SA chooses a cryptographic hash function as in [7] H : {0, 1} ∗ ↦→ G1. (3) SA chooses a bilinear pairing, i.e. modified Weil or Tate pairing e(·, ·) described as =-=[8]-=-. where: e : G1 × G1 ↦→ G2. (4) Choose a generator P of G1 and a random number a ∈ Z ∗ q . SA holds a secretly and publishes Ppub = aP . (5) Let f ∈{0, 1} ∗ represent an identifier of the signer, for ... |

305 | Security arguments for digital signatures and blind signatures
- Pointcheval, Stern
- 2000
(Show Context)
Citation Context ...graphic tools which can provide such anonymity for users. Therefore, they are one important tool for electronic cash transmission since the way to ensure anonymity goes through the use of e-cash [9], =-=[23]-=-. A blind signature scheme is an interactive protocol which involves two entities, a Bank and a user. It enables a user to obtain a valid signature for a message m from a Bank without her seeing the m... |

301 | Short Signatures Without Random Oracles - Boneh, Boyen - 2004 |

172 | Efficient threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme
- Boldyreva
- 2003
(Show Context)
Citation Context ... systems that protect a customer’s privacy or anonymity. Therefore, blind signatures can be applied to secure e-coins and secure e-votings. Thereafter, some blind signature schemes were proposed [1], =-=[4]-=-, [24]. Nyberg and Rueppel [22] introduced the general signatures with message recovery which has been adopted in the recent IEEE standards [17]. Just as what Nyberg and Rueppel reported, based on the... |

159 | Efficient Identity Based Signature Schemes Based on Pairings
- Hess
- 2003
(Show Context)
Citation Context ...ntity-based schemes based on pairings have been proposed. Interesting examples include Boneh and Franklin’s id-based encryption from the Weil pairing [6], Hess’s id-based signatures based on pairings =-=[16]-=-, Han et al’s committal deniable signatures [14] and undeniable signatures [15], Libert and Quisquater’s undeniable signatures based on pairings [21], and Verhel’s self-blindable credential certificat... |

70 | Probably secure blind signature schemes
- Pointcheval, Stern
- 1996
(Show Context)
Citation Context ...ems that protect a customer’s privacy or anonymity. Therefore, blind signatures can be applied to secure e-coins and secure e-votings. Thereafter, some blind signature schemes were proposed [1], [4], =-=[24]-=-. Nyberg and Rueppel [22] introduced the general signatures with message recovery which has been adopted in the recent IEEE standards [17]. Just as what Nyberg and Rueppel reported, based on the same ... |

59 | The Tate Pairing and the Discrete Logarithm Applied to Elliptic Curve Cryptosystems - Frey, Muller, et al. - 1999 |

57 |
A one-round protocol for tripartite Diffie-Hellman
- Joux
(Show Context)
Citation Context ...an identity-based blind signature scheme with message recovery. The bilinear pairings [6], especially modified Weil/Tate pairings have been a useful tool for cryptographic protocols since Joux’s work =-=[18]-=-. Due to the desirable use of the bilinear pairings in public key cryptography, identity based cryptography has been re-investigated since Shamir proposed the first identity-based cryptosystem [25]. R... |

57 |
Rueppel, “A new signature scheme based on the DSA giving message recovery
- Nyberg, A
- 1993
(Show Context)
Citation Context ...er’s privacy or anonymity. Therefore, blind signatures can be applied to secure e-coins and secure e-votings. Thereafter, some blind signature schemes were proposed [1], [4], [24]. Nyberg and Rueppel =-=[22]-=- introduced the general signatures with message recovery which has been adopted in the recent IEEE standards [17]. Just as what Nyberg and Rueppel reported, based on the same principles as DSA, a sign... |

51 | Self-blindable credential certificates from the weil pairing
- Verheul
- 2001
(Show Context)
Citation Context ...mittal deniable signatures [14] and undeniable signatures [15], Libert and Quisquater’s undeniable signatures based on pairings [21], and Verhel’s self-blindable credential certificates from pairings =-=[27]-=-. However, no blind signatures with message recovery based on pairings over elliptic curves has been proposed so far. The advantage of the blind signature schemes with message recovery is obvious in c... |

47 |
How to Date Blind Signatures
- Abe, Fujisaki
- 1996
(Show Context)
Citation Context ...yment systems that protect a customer’s privacy or anonymity. Therefore, blind signatures can be applied to secure e-coins and secure e-votings. Thereafter, some blind signature schemes were proposed =-=[1]-=-, [4], [24]. Nyberg and Rueppel [22] introduced the general signatures with message recovery which has been adopted in the recent IEEE standards [17]. Just as what Nyberg and Rueppel reported, based o... |

47 |
Specifications for Public-Key Cryptography
- Standard
(Show Context)
Citation Context ...reafter, some blind signature schemes were proposed [1], [4], [24]. Nyberg and Rueppel [22] introduced the general signatures with message recovery which has been adopted in the recent IEEE standards =-=[17]-=-. Just as what Nyberg and Rueppel reported, based on the same principles as DSA, a signature 0 This work is supported by the Curtin Research Fellowship within the School of Information Systems, Curtin... |

34 | Meta Message Recovery and Meta Blind Signature Schemes Based on the Discrete Logarithm Problem and their Applications - Horster, Petersen, et al. - 1995 |

31 |
Implementing the Tate Pairing, Algorithmic Number Theory Symposium
- Galbraith, Harrison, et al.
- 2002
(Show Context)
Citation Context ...new scheme does not need to transmit the signed message together with its corresponding blind signatures, while [4] does need. At the same time, some computational techniques in [8], [10], [7], [26], =-=[13]-=- can be utilized when the proposed scheme is implemented for practical uses. VII. CONCLUSION This paper has presented a new blind signature scheme, i.e. identity-based blind signatures with message re... |

28 | Efficient group signatures without trapdoors - Ateniese, Medeiros - 2003 |

22 | Security of blind digital signatures (extended abstract
- Juels, Luby, et al.
- 1997
(Show Context)
Citation Context ... the signature later, it must not be possible that Bob can find a relationship between some blinded and unblinded parameters. The formal definition of a blind signature scheme is presented below [9], =-=[19]-=-. Blind Signatures A blind signature scheme consists of three algorithms and two parties (the user and the signer). The details are as follows: (1) (System Key Generation) This is a probabilistic poly... |

20 | Identity based undeniable signatures
- Libert, Quisquater
- 2004
(Show Context)
Citation Context ... [6], Hess’s id-based signatures based on pairings [16], Han et al’s committal deniable signatures [14] and undeniable signatures [15], Libert and Quisquater’s undeniable signatures based on pairings =-=[21]-=-, and Verhel’s self-blindable credential certificates from pairings [27]. However, no blind signatures with message recovery based on pairings over elliptic curves has been proposed so far. The advant... |

14 | Fast Hashing onto Elliptic Curves over Fields of Characteristic 3, Available from http://eprint.iacr.org
- Barreto, Kim
- 2002
(Show Context)
Citation Context ...= x 3 +1 (2) which defines elliptic curves E/Fp and E/Fp2. G1 is an additive group of order q of E/Fp, and G2 a multiplicative group of q of F ∗ p2. (2) SA chooses a cryptographic hash function as in =-=[7]-=- H : {0, 1} ∗ ↦→ G1. (3) SA chooses a bilinear pairing, i.e. modified Weil or Tate pairing e(·, ·) described as [8]. where: e : G1 × G1 ↦→ G2. (4) Choose a generator P of G1 and a random number a ∈ Z ... |

11 | Multiplication on Ordinary Elliptic Curves over Fields of Characteristic Three”, Cryptology ePrint Archive, Report 2002/114
- Smart, Westwood
- 2002
(Show Context)
Citation Context ..., the new scheme does not need to transmit the signed message together with its corresponding blind signatures, while [4] does need. At the same time, some computational techniques in [8], [10], [7], =-=[26]-=-, [13] can be utilized when the proposed scheme is implemented for practical uses. VII. CONCLUSION This paper has presented a new blind signature scheme, i.e. identity-based blind signatures with mess... |

10 |
Identity-based Confirmer Signatures from Pairings over Elliptic Curves
- Han, Yeung, et al.
- 2003
(Show Context)
Citation Context ...include Boneh and Franklin’s id-based encryption from the Weil pairing [6], Hess’s id-based signatures based on pairings [16], Han et al’s committal deniable signatures [14] and undeniable signatures =-=[15]-=-, Libert and Quisquater’s undeniable signatures based on pairings [21], and Verhel’s self-blindable credential certificates from pairings [27]. However, no blind signatures with message recovery based... |

5 |
K.Lauter and P.L.Montgomery, “An efficient procedure to double and add points on an elliptic curve,” Cryptology ePrint Archive, Report 2002/112
- Eisentraeger
(Show Context)
Citation Context ...cation cost, the new scheme does not need to transmit the signed message together with its corresponding blind signatures, while [4] does need. At the same time, some computational techniques in [8], =-=[10]-=-, [7], [26], [13] can be utilized when the proposed scheme is implemented for practical uses. VII. CONCLUSION This paper has presented a new blind signature scheme, i.e. identity-based blind signature... |

5 |
and W.Liu, “Committal deniable signatures over elliptic curves
- Han
- 2004
(Show Context)
Citation Context ...proposed. Interesting examples include Boneh and Franklin’s id-based encryption from the Weil pairing [6], Hess’s id-based signatures based on pairings [16], Han et al’s committal deniable signatures =-=[14]-=- and undeniable signatures [15], Libert and Quisquater’s undeniable signatures based on pairings [21], and Verhel’s self-blindable credential certificates from pairings [27]. However, no blind signatu... |

5 | Quisquater: New identity based signcryption schemes from pairings - Libert, J - 2003 |

3 |
A provably secure Nybery-Rueppel siganture variant with applications. Cryptology ePrint Archive, Report 2004/093
- Ateniese, Medeiros
(Show Context)
Citation Context ...he blind signatures with message recovery by utilizing bilinear pairings. This paper proposes an id-based blind signature scheme with message recovery. The proposed scheme is motivated by the work of =-=[3]-=-, [27]. From the perspective of both blind signatures and id-based cryptosystems from the Gap-DiffieHellman groups, the new scheme is comparable with [4]. The organization of the rest of the paper is ... |

3 |
cryptosystems and signatures
- Shamir
- 1985
(Show Context)
Citation Context ...rk [18]. Due to the desirable use of the bilinear pairings in public key cryptography, identity based cryptography has been re-investigated since Shamir proposed the first identity-based cryptosystem =-=[25]-=-. Recently, some identity-based schemes based on pairings have been proposed. Interesting examples include Boneh and Franklin’s id-based encryption from the Weil pairing [6], Hess’s id-based signature... |