2023 Mathematical Methods of Cryptography No. 62
MATHEMATICAL METHODS OF CRYPTOGRAPHY
УДК 519.7 DOI 10.17223/20710410/62/2
ON BLINDNESS OF SEVERAL ELGAMAL-TYPE BLIND SIGNATURES
A. A. Babueva*, L. R. Akhmetzyanova*, E. K. Alekseev*, O. G. Taraskin**
* CryptoPro, Moscow, Russia **
E-mail: babueva@cryptopro.ru, lah@cryptopro.ru, alekseev@cryptopro.ru,
tog.postquant@gmail.com
Blind signature schemes are the essential element of many e-cash and e-voting systems. Anonymity in such systems is ensured through the blindness property of the signature schemes. We discuss the blindness property and analyze several ElGamal-type blind signature schemes regarding this property. We present effective attacks violating blindness on three schemes.
Keywords: blind signature scheme, blindness, ElGamal-type blind signature.
ON THE UNTRACEABILITY PROPERTY OF SEVERAL BLIND SIGNATURE SCHEMES BASED ON THE ELGAMAL EQUATION (Russian title)
A. A. Babueva*, L. R. Akhmetzyanova*, E. K. Alekseev*, O. G. Taraskin**
Russian abstract: Blind signature schemes are an integral element of a large number of electronic payment systems and remote electronic voting systems. Anonymity in such systems is ensured by the untraceability (blindness) property of blind signature schemes. This paper analyzes several blind signature schemes based on the ElGamal equation with respect to the untraceability property. Attacks violating untraceability are constructed against three blind signature schemes of this type.
Keywords (Russian): blind signature scheme, untraceability property, ElGamal-type blind signature scheme.
1. Introduction
The blind signature mechanism was originally proposed by Chaum in 1982 in [1] for e-cash systems. The signature issuing protocol is an interactive protocol that runs between two parties: a Signer and a Requester. As a result, the Requester receives a signature on a message without the Signer learning any information about the message or the signature value. Applications of blind signature schemes include electronic voting systems, anonymous e-cash systems, direct anonymous attestation, anonymous credentials, etc.
Blind signature schemes should provide two security properties: unforgeability and blindness. The first one is standard for all signature schemes and ensures that a valid signature can be generated only during an interaction with the holder of the secret signing key. The second property is specific to this class of signature schemes and guarantees that the Signer learns no additional information during the protocol execution. However, what exactly this information is turns out not to be obvious. Intuitively, it seems that the message to be signed should be hidden from the Signer, but it turns out that this is not enough.
In this paper, we discuss the blindness property and analyze several blind signature schemes based on the ElGamal equation (ElGamal-type blind signature schemes) regarding this property. We present attacks violating blindness on the schemes introduced in [2-4]. It seems that one of them [3] was broken due to a misunderstanding of the blindness property.
2. Blindness property
Before we talk about blindness, let us recall the definition of a blind signature scheme. It is determined by three algorithms:
— $(sk, pk) \leftarrow \mathsf{KeyGen}()$: a key generation algorithm that outputs a secret key $sk$ and a public key $pk$;
— $(b, \sigma) \leftarrow \langle \mathsf{Signer}(sk), \mathsf{Requester}(pk, m) \rangle$: an interactive signing protocol that is run between a Signer with a secret key $sk$ and a Requester with a public key $pk$ and a message $m$; the Signer outputs $b = 1$ if the interaction completes successfully and $b = 0$ otherwise, while the Requester outputs a signature $\sigma$ if it terminates correctly and a fail indicator $\bot$ otherwise;
— $b \leftarrow \mathsf{Verify}(pk, m, \sigma)$: a (deterministic) verification algorithm that takes a public key $pk$, a message $m$, and a signature $\sigma$, and returns 1 if $\sigma$ is valid on $m$ under $pk$ and 0 otherwise.
Blindness. Informally, a blind signature scheme provides blindness if there is no way to link a (message, signature) pair to a particular execution of the signing protocol. In other words, blindness is broken if a particular protocol execution for some fixed message fixes the signature value unambiguously, or at least significantly narrows the set of possible signature values. That is, for each protocol transcript and message there exists only a small set of valid signature values (and hence of blinding factor values) that could have been produced during such a protocol execution.
For a deeper understanding, consider the use of blind signature schemes in e-voting systems. Suppose that an authenticated voter runs the blind signature protocol with the Registrar and receives a signature on his ballot (the ballot acts as the message in this scenario). Note that in this case the protocol transcript is tied to a specific person, his full name and personal information. After receiving the signature, the voter sends the signed ballot to the ballot box anonymously. Thus, if one can link the protocol transcript to the (message, signature) pair, then he can link the ballot to the specific person and violate anonymity.
Towards formalizing. Let us describe the regular blindness security notion introduced in [5, 6]. An adversary acts as a malicious Signer and is allowed to run the signing protocol with the Requester twice. It is assumed that the Requester behaves correctly (according to the protocol). After two successful interactions the Requester outputs the two (message, signature) pairs simultaneously. If at least one of the interactions failed, the Requester outputs the fail indicator.
The adversary's task (threat) is to link a transcript to the corresponding (message, signature) pair with a probability of success significantly greater than 1/2. Strong and weak attacks may also be distinguished by the following criteria [7]:
— by the key generation method (weak attack: the adversary generates the key pair according to the protocol; strong attack: in a malicious way);
— by the method of choosing the messages whose signatures the adversary should distinguish (weak attack: the messages are chosen by the Requester; strong attack: by the adversary).
Note that regular blindness assumes that all interactions terminate successfully. However, extended security notions that allow an adversary to cause aborts were also introduced: a-posteriori blindness [8] and selective-failure blindness [9]. The latter notion was also extended to the multiple interaction case [10]. A-posteriori blindness originally considers blindness of multiple executions between the Signer and the Requester, and guarantees unlinkability of executions with (message, signature) pairs only for non-aborted sessions. An adversary is allowed to control the distribution of the signed messages, but not to choose them. However, a-posteriori blindness does not imply ordinary blindness and vice versa [8]. Selective-failure blindness guarantees that the adversary cannot force the Requester to abort the signing protocol because of a certain property of the Requester's message, which would disclose some information about the message to the adversary. Selective-failure blindness is a strictly stronger notion than regular blindness [10].
3. Broken schemes
This section presents three ElGamal-type blind signature schemes that do not provide blindness and the corresponding attacks. To refer to specific schemes, we name them by the authors' initials and the year of publication.
All considered schemes are based on the elliptic curve discrete logarithm problem. If $p$ is a prime number, then the set $\mathbb{Z}_p$ is a finite field with characteristic $p$. We assume the canonical representation of the elements of $\mathbb{Z}_p$ as natural numbers in the set $\{0, \ldots, p-1\}$. We define $\mathbb{Z}_p^*$ as the set $\mathbb{Z}_p$ without the zero element. We denote the group of points of an elliptic curve over the field $\mathbb{Z}_p$ by $\mathbb{G}$, the order of the prime subgroup of $\mathbb{G}$ by $q$, and an elliptic curve point of order $q$ by $P$. For simplicity, we assume that $p < q$. The key generation algorithm KeyGen in all schemes consists of picking a random $d$ from $\mathbb{Z}_q^*$ (the secret signing key) and defining $Q = dP$ (the public verifying key). We denote by $H$ a hash function that maps binary strings to elements of $\mathbb{Z}_q$ and assume that all field operations are performed modulo $q$.
To avoid trivial attacks, we assume that during the signing protocol both the Signer and the Requester check that field elements are nonzero, points belong to the used elliptic curve and are not equal to the zero point. Moreover, the Requester should always check that the values obtained from the Signer are valid for its query. If one of these checks fails, the participant should abort the protocol with fail indicator.
All the proposed attacks are applied in the weak security model:
— key pair is generated correctly;
— Requester chooses the messages for signing on its own;
— an adversary does not need to know secret signing key;
— an adversary does not need to initiate aborts on the Requester side.
In fact, all these attacks may be performed by any external observer, not only the Signer.
3.1. GYP16 schemes
Four blind signature schemes, based on the ECDSA, GDSA, KCDSA, and DSTU schemes, were proposed in [2] in 2016. We present the definition of the ECDSA-based scheme and the attack on it. The attacks on the other schemes are constructed similarly.
Scheme description. The signing protocol is defined in Fig. 1.
Fig. 1. GYP16 scheme: the signing protocol
— Signer$(d, Q)$: $k \xleftarrow{\$} \mathbb{Z}_q$, $R \leftarrow kP$; sends $R$ to the Requester.
— Requester$(Q, m)$: $a \xleftarrow{\$} \mathbb{Z}_q$, $R' \leftarrow aR$, $r \leftarrow R.x \bmod q$, $r' \leftarrow R'.x \bmod q$, $e' \leftarrow H(m)$, $e \leftarrow r (r')^{-1} e'$ (1); sends $e$ to the Signer.
— Signer: $r \leftarrow R.x \bmod q$, $s \leftarrow k^{-1}(dr + e)$; sends $s$ to the Requester.
— Requester: $s' \leftarrow s a^{-1} r' r^{-1}$, $\sigma \leftarrow (r', s')$.
The verification procedure for the message $m$ and the signature $(r, s)$ consists of computing the point $R = s^{-1}(rQ + eP)$, where $e = H(m)$, and verifying the equality $R.x \bmod q = r$.
Attack. We show that for a fixed protocol transcript and message there exists only a small set of valid signature values that could be produced during the given protocol execution. Indeed, if the protocol transcript $(R, e, s)$ and the message $m$ are fixed, then the values $r = R.x \bmod q$ and $e' = H(m)$ are also fixed. Line (1) allows one to define the $r'$ component of the signature unambiguously as $r' = r e^{-1} e'$, and thus the point $R'$ is fixed up to sign. For each possible value of $R'$ there exists a unique $a$ such that $R' = aR$. But the $a$ values are chosen uniformly at random, so the probability of choosing $a$ such that $(aR).x \bmod q = r e^{-1} e'$ during several protocol executions is negligible. Therefore, with overwhelming probability there exists only one signature with $r'$ component equal to $r e^{-1} e'$ for which $a$ satisfies the condition in line (1).
Hence, the criterion for breaking blindness can be constructed from line (1). The exact transcript $(R, e, s)$ corresponds to the certain message $m$ with hash value $e'$ and signature $(r', s')$ iff the following condition holds:
$$e = r (r')^{-1} e',$$
where $r = R.x \bmod q$ and $e' = H(m)$.
3.2. R00 scheme
Two blind signature schemes based on the Schnorr and ElGamal (specifically, GOST) signatures were proposed in [3] in 2000. Both of them are vulnerable to the same attack. Let us show it on the GOST-based blind signature example.
Further, we assume that elliptic curve points can be represented as binary strings (corresponding to their coordinates) and therefore may be passed as input to the hash function $H$.
Scheme description. The signing protocol is defined in Fig. 2.
Fig. 2. R00 scheme: the signing protocol
— Signer$(d, Q)$: $k \xleftarrow{\$} \mathbb{Z}_q$, $R \leftarrow kP$, $r \leftarrow H(R)$; sends $R$ to the Requester.
— Requester$(Q, m)$: $a \xleftarrow{\$} \mathbb{Z}_q$, $R' \leftarrow aR$ (1), $r' \leftarrow H(R')$ (2), $r \leftarrow H(R)$, $\beta \leftarrow r' r^{-1}$ (3), $e' \leftarrow H(m)$, $e \leftarrow a \beta^{-1} e'$ (4); sends $e$ to the Signer.
— Signer: $s \leftarrow ke + dr$; sends $s$ to the Requester.
— Requester: $s' \leftarrow s\beta$, $\sigma \leftarrow (R', s')$.
The verification procedure for the message $m$ and the signature $(R, s)$ consists of verifying the equality $sP = H(R)Q + eR$, where $e = H(m)$.
Attack. Similarly to the previous scheme, we show that for a fixed protocol transcript and message there are only a few valid signatures that could be produced during the given protocol execution. Indeed, if the protocol transcript $(R, e, s)$ and the message $m$ are fixed, then the values $r = H(R)$ and $e' = H(m)$ are also fixed. Consider line (4) of the protocol keeping in mind the relations from lines (1)-(3):
$$e = a \beta^{-1} e' = a (r' r^{-1})^{-1} e' = a (r')^{-1} r e' = a\, H(aR)^{-1} r e'.$$
The equation $e = a\, H(aR)^{-1} r e'$ for $a$ has only a few roots. However, the $a$ values are chosen uniformly at random, so the probability of choosing $a$ satisfying this equation during several protocol executions is negligible. Therefore, with overwhelming probability there exists only one signature with component $R' = aR$ for which $a$ satisfies the condition in line (4).
Hence, the criterion for breaking blindness can be constructed from lines (1)-(4). The exact transcript $(R, e, s)$ corresponds to the certain message $m$ with hash value $e'$ and signature $(R', s')$ iff the following condition holds:
$$aR = R',$$
where $a = e (e')^{-1} H(R') H(R)^{-1}$.
The attack on the Schnorr-based blind signature from [3] is constructed using the same considerations.
Blindness understanding. The attack seems to be possible due to a misunderstanding of the blindness property. The authors of [3] considered blindness only as the requirement that the message $m$ remain hidden from the Signer during the protocol execution. However, the blindness property is much wider. Indeed, the protocol transcript may leak information about the signature value, which also violates blindness.
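The following script is an added example (not code from the paper or from the schemes' authors) that runs the GYP16 and R00 signing protocols on a toy curve and applies the two linking criteria above to two sessions, exactly as an external observer holding the transcripts and the published (message, signature) pairs would. Everything concrete in it is an assumption: the curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with generator $(5, 1)$ of prime order $19$ is a textbook toy (the page assumes $p < q$, which holds here), $H$ is a constructed stand-in mapping bytes into $\mathbb{Z}_q^*$ with points hashed through their coordinate bytes as assumed in Section 3.2, the "ballots" are the constructed messages `yes` and `no`, and the Signer's $k$ and the Requester's $a$ are fixed per run instead of sampled so that the output is reproducible. `link_matrix` returns a $2\times 2$ table whose $(i, j)$ entry says whether transcript $i$ links to output pair $j$; the diagonal is `True` and the off-diagonal `False`, which is the blindness break. With a real group order a false off-diagonal match has negligible probability, as the paper argues; on a 19-element group it is only unlikely, which is why the randomness is pinned.

```python
# Added example, not from the paper: GYP16 and R00 linking criteria run on a toy curve
# y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) of prime order q = 19 (textbook
# toy parameters assumed here; no scheme on the page specifies this curve or this hash).
P_MOD, A_COEF = 17, 2
Q, G, INF = 19, (5, 1), None            # INF stands for the point at infinity

def ec_add(P1, P2):
    """Affine point addition on y^2 = x^3 + A_COEF*x + 2 over F_p."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if P1 == P2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, Pt):
    """Double-and-add scalar multiplication; scalars are reduced modulo q."""
    acc, addend, k = INF, Pt, k % Q
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def inv(x):
    return pow(x, -1, Q)                # inverse modulo the group order q

def H(data):
    """Constructed toy hash into Z_q^* (not a real hash; only the algebra matters).
    Points are hashed via bytes(point): coordinates are < 17, one byte each."""
    return 1 + int.from_bytes(data, "big") % (Q - 1)

def gyp16_session(d, m, k, a):
    """One GYP16 run with fixed Signer nonce k and Requester blinding factor a.
    Returns (transcript (R, e, s) seen by the Signer, unblinded signature (r', s'))."""
    R = ec_mul(k, G)                        # Signer: R = kP
    r = R[0] % Q                            # r = R.x mod q (computed by both sides)
    R2 = ec_mul(a, R)                       # Requester: R' = aR
    r2, e2 = R2[0] % Q, H(m)                # r' = R'.x mod q, e' = H(m)
    e = r * inv(r2) * e2 % Q                # line (1): e = r r'^{-1} e'
    s = inv(k) * (d * r + e) % Q            # Signer: s = k^{-1}(dr + e)
    s2 = s * inv(a) * r2 * inv(r) % Q       # Requester: s' = s a^{-1} r' r^{-1}
    return (R, e, s), (r2, s2)

def gyp16_verify(Qpub, m, sig):
    r, s = sig                              # R = s^{-1}(rQ + eP), check R.x mod q = r
    R = ec_add(ec_mul(inv(s) * r, Qpub), ec_mul(inv(s) * H(m), G))
    return R is not INF and R[0] % Q == r

def gyp16_links(transcript, m, sig):
    """Paper's criterion: (R, e, s) belongs to (m, (r', s')) iff e = r r'^{-1} e'."""
    R, e, _ = transcript
    return e == (R[0] % Q) * inv(sig[0]) * H(m) % Q

def r00_session(d, m, k, a):
    """One R00 run; returns (transcript (R, e, s), unblinded signature (R', s'))."""
    R = ec_mul(k, G)
    r = H(bytes(R))                         # Signer: r = H(R)
    R2 = ec_mul(a, R)                       # (1) R' = aR
    beta = H(bytes(R2)) * inv(r) % Q        # (2)-(3) r' = H(R'), beta = r' r^{-1}
    e = a * inv(beta) * H(m) % Q            # (4) e = a beta^{-1} e'
    s = (k * e + d * r) % Q                 # Signer: s = ke + dr
    return (R, e, s), (R2, s * beta % Q)    # Requester: s' = s beta

def r00_verify(Qpub, m, sig):
    R2, s2 = sig                            # check s'P = H(R')Q + e'R'
    return ec_mul(s2, G) == ec_add(ec_mul(H(bytes(R2)), Qpub), ec_mul(H(m), R2))

def r00_links(transcript, m, sig):
    """Paper's criterion: a = e e'^{-1} H(R') H(R)^{-1} must satisfy aR = R'."""
    R, e, _ = transcript
    R2 = sig[0]
    a = e * inv(H(m)) * H(bytes(R2)) * inv(H(bytes(R))) % Q
    return ec_mul(a, R) == R2

def link_matrix(session, verify, links, d, runs):
    """runs = [(message, k, a), ...]; M[i][j] says whether transcript i links to the
    (message j, signature j) pair. Needs no secret key: any observer of the transcripts
    and the published (m, sigma) pairs can compute it."""
    Qpub = ec_mul(d, G)
    transcripts, outputs = [], []
    for m, k, a in runs:
        tr, sig = session(d, m, k, a)
        assert verify(Qpub, m, sig)         # the unblinded signature verifies
        transcripts.append(tr)
        outputs.append((m, sig))
    return [[links(tr, m, sig) for m, sig in outputs] for tr in transcripts]

D = 7                                       # constructed secret key d
RUNS = [(b"yes", 3, 2), (b"no", 5, 3)]      # constructed ballots with fixed k and a

if __name__ == "__main__":
    print("GYP16:", link_matrix(gyp16_session, gyp16_verify, gyp16_links, D, RUNS))
    print("R00:  ", link_matrix(r00_session, r00_verify, r00_links, D, RUNS))
```

Both `*_links` functions use only the transcript, the message and the signature, never `d` or the blinding factor, which is the point of Section 3: the check works for an outside observer, not just the Signer. Replacing `H` with a real hash and the curve with a standard one changes nothing in the criteria; only the fixed `k` and `a` would be drawn at random.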
3.3. TNHV18 scheme
A similar attack is applicable to the aggregate blind signature scheme proposed in 2018 in [4] (more precisely, two cases of the signing protocol, differing on the Requester side, were proposed). It is also a GOST-based scheme. Without loss of generality, we omit the aggregation property and present the description of the scheme in the case of a single Signer. Indeed, the following attack does not need knowledge of the secret key and can be performed by anyone who can view the set of protocol transcripts and the set of generated (message, signature) pairs.
Scheme description. The signing protocol is defined in Fig. 3. The verification procedure for the message $m$ and the signature $(r, s)$ in both cases consists of computing the point $R = e^{-1} s P - e^{-1} r Q$, where $e = H(m)$, and verifying the equality $R.x \bmod q = r$.
Fig. 3. TNHV18 scheme: the signing protocol
— Signer$(d, Q)$: $k \xleftarrow{\$} \mathbb{Z}_q^*$, $R \leftarrow kP$; sends $R$ to the Requester.
— Requester$(Q, m)$: $\alpha, \beta \xleftarrow{\$} \mathbb{Z}_q^*$, $e' \leftarrow H(m)$; then
  Case 1: $e \leftarrow \alpha e'$ (1), $R' \leftarrow \beta R + \alpha P$ (2), $r' \leftarrow R'.x \bmod q$ (3), $r \leftarrow r' \beta^{-1} \alpha$ (4);
  Case 2: $e \leftarrow \beta e'$ (1), $R' \leftarrow \alpha^{-1} R + P + Q$ (2), $r' \leftarrow R'.x \bmod q$ (3), $r \leftarrow \alpha \beta (r' + e')$ (4);
  sends $(r, e)$ to the Signer.
— Signer: $s \leftarrow ke + dr$; sends $s$ to the Requester.
— Requester: Case 1: $s' \leftarrow \beta \alpha^{-1} s + \alpha e'$; Case 2: $s' \leftarrow \alpha^{-1} \beta^{-1} s + e'$; in both cases $\sigma \leftarrow (r', s')$.
Attack. Consider the first case of the scheme. As usual, we show that for a fixed protocol transcript and message there are only a few valid signatures that could be produced during the given protocol execution. If the protocol transcript $(R, r, e, s)$ and the message $m$ are fixed, then the value $e' = H(m)$ is also fixed. Consider line (4) of the protocol keeping in mind the relations from lines (1)-(3):
$$r = r' \beta^{-1} \alpha = (R'.x \bmod q)\, \beta^{-1} e (e')^{-1} = ((\beta R + \alpha P).x \bmod q)\, \beta^{-1} e (e')^{-1} = ((\beta R + e(e')^{-1} P).x \bmod q)\, \beta^{-1} e (e')^{-1}.$$
The equation
$$r = ((\beta R + e(e')^{-1} P).x \bmod q)\, \beta^{-1} e (e')^{-1}$$
for $\beta$ has only a few roots. However, the $\beta$ values are chosen uniformly at random, so the probability of choosing $\beta$ such that the equation above is satisfied during several protocol executions is negligible. Therefore, with overwhelming probability there is only one signature with $r'$ component equal to $(\beta R + e(e')^{-1} P).x \bmod q$ for which $\beta$ satisfies the condition in line (4).
Hence, lines (1)-(4) provide the following criterion for breaking blindness. The exact transcript $(R, r, e, s)$ corresponds to the certain message $m$ with hash value $e'$ and signature $(r', s')$ iff the following condition holds:
$$R'.x \bmod q = r',$$
where $R' = \beta R + \alpha P$, $\alpha = e (e')^{-1}$, $\beta = r' r^{-1} \alpha$.
The attack on the second case of the scheme is justified similarly. The exact transcript $(R, r, e, s)$ corresponds to the certain message $m$ with hash value $e'$ and signature $(r', s')$ iff the following condition holds:
$$R'.x \bmod q = r',$$
where $R' = \alpha^{-1} R + P + Q$, $\alpha = r \beta^{-1} (r' + e')^{-1}$, $\beta = e (e')^{-1}$.
REFERENCES
1. Chaum D. Blind signatures for untraceable payments. D. Chaum, R. L. Rivest, and A. T. Sherman (eds.). Advances in Cryptology. Boston, MA, Springer, 1983, pp. 199-203.
2. Gorbenko I., Yesina M., and Ponomar V. Anonymous electronic signature method. Third Intern. Conf. PIC S&T, Kharkiv, Ukraine, 2016, pp. 47-50.
3. Rostovtsev A. G. Podpis' "vslepuyu" na ellipticheskoy krivoy dlya elektronnykh deneg [Blind signature on elliptic curve for e-cash]. Information Security Problems. Computer Systems, 2000, no. 1, pp. 40-45. (in Russian)
4. Tan D. N., Nam if. N., Hieu M. N., and Van if. N. New blind muti-signature schemes based on ECDLP. IJECE, 2018, vol.8, no. 2, pp. 1074-1083.
5. Juels A., Luby M., and Ostrovsky R. Security of blind digital signatures. LNCS, 1997, vol. 1294, pp. 150-164.
6. Pointcheval D. and Stern J. Security arguments for digital signatures and blind signatures. J. Cryptology, 2000, vol. 13, no. 3, pp. 361-396.
7. Okamoto T. Efficient blind and partially blind signatures without random oracles. LNCS, 2006, vol.3876, pp. 80-99.
8. Hazay C., Katz J., Koo C. Y., and Lindell Y. Concurrently-secure blind signatures without random oracles or setup assumptions. LNCS, 2007, vol.4392, pp. 323-341.
9. Camenisch J., Neven G., and Shelat A. Simulatable adaptive oblivious transfer. LNCS, 2007, vol.4515, pp.573-590.
10. Fischlin M. and Schroder D. Security of blind signatures under aborts. LNCS, 2009, vol. 5443, pp.297-316.