## Group Blind Digital Signatures: Theory and Applications (1999)

Venue: | Master Thesis, MIT |

Citations: | 2 - 0 self |

### BibTeX

@INPROCEEDINGS{Rivest99groupblind,

author = {Ronald L. Rivest and Zulfikar Amin Ramzan and Zulfikar Amin Ramzan},

title = {Group Blind Digital Signatures: Theory and Applications},

booktitle = {Master Thesis, MIT},

year = {1999},

pages = {199--203},

publisher = {Plenum Press}

}

### OpenURL

### Abstract

In this thesis we introduce a new cryptographic construct called a Group Blind Digital Signature. This construct combines the already existing notions of a Group Digital Signature and a Blind Digital Signature. A group blind signature allows individual members of a possibly large group to digitally sign a message on behalf of the entire group in a cryptographically secure manner. In addition to being hard to forge, the resulting digital signatures are anonymous and unlinkable, and only a pre-specified group manager can determine the identity of the signer. Finally, the signatures have a blindness property, so if the signer later sees a message he has signed, he will not be able to determine when or for whom he signed it. Group Blind Digital Signatures are useful for various aspects of electronic commerce. In particular, through the use of such signatures we can design protocols for secure distributed electronic banking, and secure online voting with multiple voting centers. In this the...

### Citations

2913 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...d Hellman did not provide concrete constructions for how this concept of public-key cryptography could be implemented in practice. It was not until the fundamental work of Rivest, Shamir, and Adleman =-=[33]-=- that the first public-key cryptosystem was realized. Like the system of Diffie and Hellman, it was also based on a certain number-theoretic assumption (the intractability of computing e \Gamma th roo... |

2716 | New directions in cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...o this raised the question of whether or not the processes of secure encryption and decryption could occur without the prior exchange of a secret key. In their path-breaking paper, Diffie and Hellman =-=[16]-=- gave a solution to this problem. Their solution enabled two parties to securely agree on a secret key over a possibly insecure channel without requiring any form of prior communication between the co... |

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ... g generates the entire group G. ffl For a binary string c we let c[i] denote the i \Gamma th most significant bit of c. For example, in the string 01011, c[1] = 0, c[2] = 1, c[3] = 0, c[4] = 1, and c=-=[5]-=- = 1. 1.5.2 Use of a Hash Function We assume the existence of an ideal hash function H. We assume this ideal hash function has the following properties: ffl H is collision resistant. In other words, i... |

1114 |
A public-key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
(Show Context)
Citation Context ...key to verify, this notion was achieved. As time passed, several other realizations of public-key cryptosystems and digital signatures were proposed; see for example the papers of ElGamal and Schnorr =-=[17, 36]-=-. Once people understood these techniques, they tried to use them in designing more complex signature protocols which were geared toward more complex tasks. This thesis presents such a protocol: the G... |

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...on based on a number-theoretic assumption was given by Rivest, Shamir and Adleman [33]. The formal definitions of security for digital signatures were first outlined by Goldwasser, Micali, and Rivest =-=[20]-=-. They discussed the notion of an existential adaptive chosen-message attack which is the strongest form of possible attack one could imagine on a digital signature. Furthermore, they also presented a... |

832 | A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...ng that they are secure. The two most common approaches seen in the literature are the complexity-based proof of security [4, 16, 20, 21, 26, 34], and the random-oracle-model based proofs of security =-=[5, 18, 30]-=-. We elaborate on these two notions: 1. Complexity-Based Proofs: The complexity based proof approach was first used in the seminal paper of Diffie and Hellman [16]. The idea is to start by making a we... |

784 |
Applied Cryptography: Protocols, Algorithms, and Source Code in C
- Schneier
- 1995
(Show Context)
Citation Context ...m context, we omit writing the l. In practice, one could replace H by an appropriately modified version of SHA-1 [28] or MD5 [32] which are believed to possess the types of properties mentioned above =-=[35]-=-. We require these assumptions to prove security of our scheme in the random oracle model [30, 5]. 1.6 Organization of this Thesis Chapter 2: We give a more detailed exposition on blind digital signat... |

493 |
Heyst. Group signatures
- Chaum, van
- 1991
(Show Context)
Citation Context ...lex tasks. This thesis presents such a protocol: the Group Blind Digital Signature. This type of signature combines two notions which previously existed in the literature: the Group Digital Signature =-=[3, 1, 2, 6, 8, 9, 14, 15]-=- and the Blind Digital Signature [12, 13, 11, 21, 30]. These group blind digital signatures are useful for applications such as electronic cash and online voting. The central ideas in this thesis firs... |

313 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ...law-Free permutations -- which exist if factoring is hard. Subsequently, schemes with this level of security were constructed based on the existence of trapdoor permutations [4], one-way permutations =-=[26]-=-, and finally on the existence of general one-way functions [34]. An interesting variant on the basic digital signature is the blind digital signature. The concept of a Blind Digital Signature was int... |

311 |
Efficient identification and signatures for smart cards
- Schnorr
- 1990
(Show Context)
Citation Context ...key to verify, this notion was achieved. As time passed, several other realizations of public-key cryptosystems and digital signatures were proposed; see for example the papers of ElGamal and Schnorr =-=[17, 36]-=-. Once people understood these techniques, they tried to use them in designing more complex signature protocols which were geared toward more complex tasks. This thesis presents such a protocol: the G... |

260 | Untraceable electronic cash
- Chaum, Fiat, et al.
(Show Context)
Citation Context ...Blind Digital Signature. This type of signature combines two notions which previously existed in the literature: the Group Digital Signature [3, 1, 2, 6, 8, 9, 14, 15] and the Blind Digital Signature =-=[12, 13, 11, 21, 30]-=-. These group blind digital signatures are useful for applications such as electronic cash and online voting. The central ideas in this thesis first appeared in a paper by Lysyanskaya and Ramzan [24].... |

248 |
New directions in cryptography
- e, Hellman
- 1976
(Show Context)
Citation Context ... so this raised the question of whether or not the processes of secure encryption and decryption could occur without the prior exchange of a secret key. In their path-breaking paper, Di e and Hellman =-=[16]-=- gave a solution to this problem. Their solution enabled two parties to securely agree on a secret key over a possibly insecure channel without requiring any form of prior communication between the co... |

236 |
A practical secret voting scheme for large scale elections
- Fujioka, Okamoto, et al.
- 1993
(Show Context)
Citation Context ...it is simple and easy to present. Our techniques can possibly be applied to other, perhaps more complex and 56 secure, online voting protocols; for example, the protocol of Fujioka, Okamoto, and Ohta =-=[19]-=-. Suppose that we have three entities: A voter Alice, a local registration facility (LRF), and vote submission facility (VSF). Moreover, there are many such LRF's -- and each voter can only register w... |

207 | Riemann’s hypothesis and tests for primality - Miller - 1976 |

196 | One-Way Functions Are Necessary and Sufficient for Digital Signatures - Rompel - 1990 |

152 |
Signatures for Untraceable Payments
- Blind
(Show Context)
Citation Context ...Blind Digital Signature. This type of signature combines two notions which previously existed in the literature: the Group Digital Signature [3, 1, 2, 6, 8, 9, 14, 15] and the Blind Digital Signature =-=[12, 13, 11, 21, 30]-=-. These group blind digital signatures are useful for applications such as electronic cash and online voting. The central ideas in this thesis first appeared in a paper by Lysyanskaya and Ramzan [24].... |

147 |
Provably secure and practical identification schemes and corresponding signature schemes
- Okamoto
- 1993
(Show Context)
Citation Context ...d therefore is not suitable for practical use. Pointcheval and Stern [30] presented blind variants of various digital signature schemes. The signature schemes they addressed included those of Okamoto =-=[29]-=- and Schnorr [36]. The proofs of security in these schemes required various numbertheoretic conjectures and were given in the Random Oracle Model. Having presented some of the history of blind digital... |

102 | signatures system - Chaum, “Blind - 1983 |

90 |
The MD5 message-digest algorithm. Internet Request for Comments
- Rivest
- 1992
(Show Context)
Citation Context ...s we write H l (x) to denote the first l bits of H(x). When it is clear from context, we omit writing the l. In practice, one could replace H by an appropriately modified version of SHA-1 [28] or MD5 =-=[32]-=- which are believed to possess the types of properties mentioned above [35]. We require these assumptions to prove security of our scheme in the random oracle model [30, 5]. 1.6 Organization of this T... |

84 |
A group signature scheme with improved efficiency
- Camenisch, Michels
- 1998
(Show Context)
Citation Context ...lex tasks. This thesis presents such a protocol: the Group Blind Digital Signature. This type of signature combines two notions which previously existed in the literature: the Group Digital Signature =-=[3, 1, 2, 6, 8, 9, 14, 15]-=- and the Blind Digital Signature [12, 13, 11, 21, 30]. These group blind digital signatures are useful for applications such as electronic cash and online voting. The central ideas in this thesis firs... |

72 | Identity escrow - Kilian, Petrank - 1998 |

70 | Efficient and generalized group signatures - Camenisch - 1997 |

69 | Provably secure blind signature schemes
- Pointcheval, Stern
- 1996
(Show Context)
Citation Context ...Blind Digital Signature. This type of signature combines two notions which previously existed in the literature: the Group Digital Signature [3, 1, 2, 6, 8, 9, 14, 15] and the Blind Digital Signature =-=[12, 13, 11, 21, 30]-=-. These group blind digital signatures are useful for applications such as electronic cash and online voting. The central ideas in this thesis first appeared in a paper by Lysyanskaya and Ramzan [24].... |

68 | Some open issues and new directions in group signatures
- Ateniese, Tsudik
- 1999
(Show Context)
Citation Context ...e defined the signature of knowledge of the discrete logarithm as follows: Definition 9 An (l + 1)-tuple (c; s 1 ; : : : ; s l ) 2 f0; 1g l \Theta Z l n satisfying c = H l (m;y;g;g s1 y c[1] ;g s2 y c=-=[2]-=- ; : : : ;g s l y c[l] ) is a signature of knowledge of the discrete logarithm of y 2 G to the base g on a message m, with respect to security parameter l, denoted SKLOG l [ff j y = g ff ](m): Now, ou... |

68 | Digital payment systems with passive anonymity-revoking trustees
- Camenisch, Maurer, et al.
- 1997
(Show Context)
Citation Context ...cheme; this enables the vendor to collect all electronic coins, and deposit them with his bank in a single shot. A trustee based electronic cash scheme was presented by Camenisch. Maurer, and Stadler =-=[7]-=-. Their scheme used trustees who were involved only when it came time for anonymity revocation, and at no other time. Their scheme only involved a single bank model. Our scheme, on the other hand, wor... |

43 |
How to Sign Given Any Trapdoor Function
- Bellare, Micali
- 1988
(Show Context)
Citation Context ...ite G = hgi if g generates the entire group G. ffl For a binary string c we let c[i] denote the i \Gamma th most significant bit of c. For example, in the string 01011, c[1] = 0, c[2] = 1, c[3] = 0, c=-=[4]-=- = 1, and c[5] = 1. 1.5.2 Use of a Hash Function We assume the existence of an ideal hash function H. We assume this ideal hash function has the following properties: ffl H is collision resistant. In ... |

38 |
Security of blind digital signatures
- Juels, Luby, et al.
- 1997
(Show Context)
Citation Context |

35 | One-way functions are necessary and su cient for secure signatures, STOC - Rompel - 1990 |

30 | Group blind digital signatures: a scalable solution to electronic cash
- Lysyanskaya, Ramzan
- 1998
(Show Context)
Citation Context ...of the results in this thesis are joint work with Anna Lysyanskaya and a preliminary version of the results were published in the proceedings of The International Conference on Financial Cryptography =-=[24]-=-. Thesis Supervisor: Ronald L. Rivest Title: Webster Professor of Electrical Engineering and Computer Science Group Blind Digital Signatures: Theory and Applications by Zulfikar Amin Ramzan Submitted ... |

18 | Group signature a la carte
- ATENIESE, TSUDIK
- 1999
(Show Context)
Citation Context ...lex tasks. This thesis presents such a protocol: the Group Blind Digital Signature. This type of signature combines two notions which previously existed in the literature: the Group Digital Signature =-=[3, 1, 2, 6, 8, 9, 14, 15]-=- and the Blind Digital Signature [12, 13, 11, 21, 30]. These group blind digital signatures are useful for applications such as electronic cash and online voting. The central ideas in this thesis firs... |

17 |
Yiannis Tsiounis. Easy come – easy go divisible cash
- Chan, Frankel
- 1998
(Show Context)
Citation Context ...ere are several more efficient methods for doing this which do not reveal information about x + fl; for example, see the paper of Camenisch and Michels [8], or the paper of Chan, Frankel and Tsiounis =-=[10]-=- and the references therein. Group Manager Round 4 1. The group manager verifies that y = y 0 \Delta a fl (mod n)-- this condition should hold if Alice computed y according to the protocol. Alice Roun... |

11 |
How to make a mint: the cryptography of anonymous electronic cash
- Law, Sabett, et al.
- 1996
(Show Context)
Citation Context ...flaws in it, but standard techniques exist to remedy these flaws. There are several more comprehensive works on electronic cash which discuss this, as well as other well-known electronic cash schemes =-=[23, 38]-=-. In the protocol we present, we assume that there is a person Alice who wants to buy a cryptography textbook, which costs $50 from the fictitious online vendor Online Crypto Books. Furthermore, Alice... |

10 |
cient identi cation and signatures for smart cards
- Schnorr
- 1989
(Show Context)
Citation Context ...key to verify, this notion was achieved. As time passed, several other realizations of public-key cryptosystems and digital signatures were proposed; see for example the papers of ElGamal and Schnorr =-=[17, 36]-=-. Once people understood these techniques, they tried to use them in designing more complex signature protocols which were geared toward more complex tasks. This thesis presents such a protocol: the G... |

7 | G.2000.Apracticalandprovablysecure coalition-resistant group signature scheme
- ATENIESE, CAMENISCH, et al.
(Show Context)
Citation Context |

7 |
Efficient group signatures for large groups
- Camenisch, Stadler
- 1997
(Show Context)
Citation Context |

7 |
New group signature schemes (extended abstract
- Chen, Pedersen
(Show Context)
Citation Context |

4 |
Provably secure and practical identi cation schemes and corresponding signature schemes
- Okamoto
(Show Context)
Citation Context ...d therefore is not suitable for practical use. Pointcheval and Stern [30] presented blind variants of various digital signature schemes. The signature schemes they addressed included those of Okamoto =-=[29]-=- and Schnorr [36]. The proofs of security in these schemes required various numbertheoretic conjectures and were given in the Random Oracle Model. Having presented some of the history of blind digital... |

2 |
A group signature scheme with improved e ciency
- Camenisch, Michels
- 1998
(Show Context)
Citation Context ...lex tasks. This thesis presents such a protocol: the Group Blind Digital Signature. This type of signature combines two notions which previously existed in the literature: the Group Digital Signature =-=[3, 1, 2, 6, 8, 9, 14, 15]-=- and the Blind Digital Signature [12, 13, 11, 21, 30]. These group blind digital signatures are useful for applications such as electronic cash and online voting. The central ideas in this thesis rst ... |

1 |
Group blind signatures a' la carte. Unpublished Manuscript
- Ramzan
- 1998
(Show Context)
Citation Context ...bsequent work on Group Digital Signatures was done by Ateniese and Tsudik [3]. We developed a blinded variant of this scheme using slightly different techniques than the ones presented in this thesis =-=[31]-=-. Unfortunately, there are coalition attacks on this group signature scheme as well as against another scheme developed by Ateniese and Tsudik [1]. These attacks were discovered by Traore [37]. 32 3.6... |