EP3899844A1 - Method for generating a blind signature - Google Patents

Method for generating a blind signature

Info

Publication number
EP3899844A1
Authority
EP
European Patent Office
Prior art keywords
emd
subscriber
signature
generated
publisher
Legal status
Pending
Application number
EP19824235.6A
Other languages
German (de)
English (en)
Inventor
Tilo FRITZHANNS
Florian Gawlas
Current Assignee
Giesecke and Devrient Advance52 GmbH
Original Assignee
Giesecke and Devrient GmbH
Application filed by Giesecke and Devrient GmbH

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/04 Payment circuits
    • G06Q20/06 Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
    • G06Q20/065 Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
    • G06Q20/0658 Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash e-cash managed locally
    • G06Q20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • G06Q20/22 Payment schemes or models
    • G06Q20/29 Payment schemes or models characterised by micropayments
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/367 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
    • G06Q20/3678 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes e-cash details, e.g. blinded, divisible or detecting double spending
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821 Electronic credentials
    • G06Q20/38215 Use of certificates or encrypted proofs of transaction rights
    • G06Q20/3823 Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • G06Q20/3825 Use of electronic signatures
    • G06Q20/383 Anonymous user system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3257 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using blind signatures
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/102 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce

Definitions

  • the invention relates to a method for generating a blind signature for an electronic coin data record, eMD.
  • the invention also relates to a method for obtaining a blind signature in a subscriber.
  • the invention also relates to a method for deriving a partial monetary amount from an already blindly signed eMD by a subscriber.
  • the invention also relates to several methods for checking the blind signature generated / obtained.
  • the invention relates to a payment system for transmitting an electronic coin data record between at least two participants.
  • the "DigiCash" process is available for the anonymous exchange of electronic coin data records based on so-called blind signatures.
  • a principle that is similar to the "DigiCash" process with blind signatures is shown in Fig. 1.
  • Blind digital signatures can be generated, for example, using an elliptic curve digital signature algorithm, ECDSA, a variant of the digital signature algorithm, DSA, in which elliptic curve cryptography is used.
  • ECDSA is shown for example in Fig.2.
  • None of the known concepts enables a duplication of the monetary amount (coin denomination) of the signed digital coin. This means that, for example, if a coin data record has a monetary amount of € 1, then for payment of a monetary amount of € 100, one is forced to send one hundred generated electronic coin data records and have them verified. This makes verification more difficult and increases the amount of data for transferring large amounts of money.
  • the known concepts are non-transparent for an inspection body and only the authenticity of a signature can be checked without being sure whether a participant has manipulated the eMD. In fact, blind signatures are not accepted in many sales outlets due to this lack of transparency.
  • the monetary amount (coin value) of a signed eMD should be easily divisible without a blind signature losing its validity.
  • the aim is to create a direct exchange between participants and the corresponding end devices, which is uncomplicated and fast.
  • a participant should also be able to return appropriate change in the form of an eMD divided from the received eMD.
  • the procedure is intended to remain non-transparent for a third party in order to guarantee anonymous payment.
  • the object is achieved in particular by a method for generating a blind signature for an electronic coin data record, eMD.
  • the method comprises the following steps: receiving an unsigned, blinded eMD from a subscriber at a signature publisher; expanding the unsigned, blinded eMD with publisher information by the signature publisher to obtain an expanded unsigned eMD; signing the expanded unsigned eMD using a publisher-generated random number and a secret key of the signature publisher to obtain an expanded signed blinded eMD; and sending the expanded signed blinded eMD and the publisher information to the subscriber, the sent publisher information being part of the blind signature.
  • the publisher adds information to the signature, also referred to as a release message.
  • this publisher information becomes an invariable part of the blind signature of the eMD.
  • This publisher information - as well as the signed, blinded eMD - is made available to the participant, for example in plain text. Any information from a publisher that cannot be manipulated is regarded as publisher information.
  • the publisher information is independent, that is, it does not depend on the eMD or the participant. Independent information is information that is not dependent on other entities.
  • the blind signature generated with this method enables every participant in the payment system to verify the authorship of the signature via a blinded eMD.
  • the publisher information thus serves in a checking step to verify the part of the signature that was formed by the publisher information more thoroughly.
  • the publisher information is not secret and can be transmitted as plain text information in the sending step, for example.
  • the publisher information is preferably provided as independent information, regardless of the signed blinded eMD. This independent provision ensures that the publisher information and the eMD are completely separate information and were originally generated by different instances. While the eMD can be generated by the subscriber himself, the publisher information has been generated by the (trustworthy) signature publisher. In this way, anonymity in the payment system is preserved, on the one hand, and additional information independent of the eMD is also signed by means of this publisher information. It is also conceivable that the publisher information is made available directly to a test body in an examination procedure.
  • the publisher information used to expand the unsigned, blinded eMD is preferably the result of a scatter value function (hash function) with a publisher value, the publisher value being sent as the publisher information.
  • a scatter value function is a mapping that maps a large input quantity (for example the publisher value or secret key) to a smaller target quantity (the hash values, for example the publisher information).
  • a hash function is therefore generally not injective.
  • the input quantity can contain elements of different lengths, whereas the elements of the target quantity usually have a fixed length. In this way, the signature can be reduced in size without reducing the level of security.
  • the scatter value function is preferably a scatter value function that is fundamentally agreed in the signing method, for example when using an ECDSA, in which, in addition to the curve parameters, the scatter value function to be selected is also specified.
  • the publisher value can be at least one of the following values: a time value, for example a time stamp or a date; identification of the publisher, for example an ID, serial number, contract number; and / or an identifier of the publisher in the signing process; and / or a value generated by the publisher, for example a random number or an otherwise generated date.
  • the publisher's value is preferably transmitted in plain text and placed as a hash value in the blind signature. If you are in possession of the publisher's information, you can check whether the blind signature is correct and verify the authenticity of the blind signature in an improved way by calculating the value again.
  • the generation of the blind signature is preferably based on a standard for digital signatures, for example the digital signature algorithm, or DSA for short.
  • the DSA is based on the discrete logarithm in finite fields. As with all signature methods that are based on the discrete logarithm, in particular for methods based on elliptic curves, security depends essentially on the properties of the random number used by the signature issuer.
  • a random value must be generated by the signature publisher for each signature. This must have sufficient entropy, be kept secret and may only be used once in the system. These requirements are critical, because if the random number is known, the signature issuer's key can be calculated from the signature. If the random number has a low entropy, an attacker can calculate a secret key for every possible random number and then use the public verification key to test which one is the right one.
  • the eMD is preferably the result of a scatter value function from a subscriber-generated serial number and a subscriber-calculated point of an elliptic curve.
  • the adaptation of the DSA to elliptic curves is standardized in ANSI X9.62. This enables a high level of security with a minimal key length.
  • the principle of the ECDSA is explained in Fig.2.
  • the DSA is an exemplary standard for digital signatures.
  • Other algorithms, for example an asymmetric cryptographic method, RSA, can also be used for digital signing.
  • RSA uses a key pair consisting of a private key (the secret), which is used to decrypt or sign data, and a public key, which is used to encrypt or check signatures.
  • the private key is kept secret and can only be calculated from the public key with a great deal of computing effort.
  • the eMD is preferably the result of a scatter value function consisting of a subscriber-generated public key and a subscriber-calculated point of an elliptic curve, the subscriber-generated public key being derived from the subscriber-generated serial number.
  • the parties involved have agreed on the respective curve parameters prior to the signing process.
  • the subscriber-generated serial number remains with the subscriber as a secret (i.e. a private key) and the signature issuer is provided with a public key derived from the serial number.
  • this public key is generated on the subscriber side by linking the serial number to a base point of the elliptic curve, for example a logical link or a simple mathematical operation, for example multiplication.
  • parts of a monetary amount of an eMD can also be transferred from one subscriber to another subscriber, which will be explained later.
  • the signature is created over the entire monetary amount of the eMD; a second participant does not automatically have the right to own the entire amount after transmitting the eMD, since knowledge of the participant-generated serial number remains hidden if only partial amounts are to be transferred.
  • a method for checking a blind signature of an eMD is now also provided, the blind signature being generated in accordance with the previous method.
  • the unsigned, unblinded eMD, a serial number used to generate the eMD, a signed unblinded eMD and the publisher information are obtained.
  • the eMD is now calculated using the received serial number, the signed unblinded eMD, the publisher information and a public key of the signature publisher.
  • the blind signature can now be checked for correctness of the publisher information by receiving the (plain text) publisher information.
  • the calculated eMD is compared with the received eMD and the authenticity of the blind signature is verified if the calculated eMD matches the received eMD.
  • the eMD obtained is preferably the result of a scatter value function from a combination of a subscriber-generated serial number with a base point and a subscriber-calculated point of an elliptic curve, a subscriber-generated public key being derived from the subscriber-generated serial number before the eMD is calculated.
  • the blind signature of the eMD with the participant-generated public key instead of the participant-generated serial number.
  • this public key is generated on the subscriber side in that the serial number is linked to a base point of the elliptic curve, for example by a logical link or a simple mathematical operation, for example by multiplication.
  • parts of a monetary amount of an eMD can also be transferred from one subscriber to another subscriber, which will be explained later.
  • the blind signature is nevertheless created over the entire monetary amount of the eMD.
  • the subscriber-generated public key must then be provided to verify the authenticity of the eMD.
  • the verification also transmits the serial number (the secret) of the eMD and if it is successfully verified, the secret is revealed and the monetary amount can be redeemed - similar to DigiCash. Now it is often desirable to divide the eMD and only hand over partial amounts of the signed eMD.
  • a method for checking a blind signature of an eMD is now provided for this purpose, the blind signature likewise being generated according to the previously described method.
  • the following are received: the eMD; a subscriber-generated public key used to generate the eMD; a signed unblinded eMD; a monetary partial amount of the eMD; a (real) signature over a combination of the monetary partial amount and a further participant-generated public key; the subscriber-generated secret; and the publisher information.
  • the monetary partial amount is a fraction of the total monetary amount associated with the eMD. This monetary partial amount can take on any value, it can be a non-round amount and / or it can be the change in a payment process.
  • the subscriber-generated serial number (the secret) is now intentionally not transmitted for checking in order to prevent the entire amount of the eMD from being redeemed.
  • a new (further) secret is generated on the subscriber side, which is different from the subscriber-generated serial number. This subscriber-generated secret is transmitted for checking instead of the subscriber-generated serial number.
  • another public key on the subscriber side is derived from this secret. This derivation is, for example, a mathematical operation or a logical combination of the subscriber-generated secret with a base point (generator point) or an alternative agreed value.
  • the further public key is calculated from the subscriber-generated secret received.
  • the agreed value for example a base point, is used for this.
  • the signature is calculated from the combination of the monetary partial amount and the calculated further public key.
  • the (real) signature can thus be calculated and compared with the (real) signature received.
  • the partial amount is authentically signed here, that is, without additional blinding, since otherwise a recipient of the partial amount cannot verify the authenticity and the correct derivation.
  • the eMD is calculated using the subscriber-generated public key, the signed unblinded eMD, the publisher information and a public key of the signature publisher. Finally, the calculated eMD is compared with the received eMD and the authenticity of the blind signature is verified if the calculated eMD matches the received eMD. During this calculation and verification, the participant-generated serial number of the eMD cannot be inferred, so that the blind signature can be checked, but the full monetary amount of the eMD cannot be decrypted. Only the partial amount confirmed with the real signature can be transferred in this way and used by the recipient (participant, inspection body). The verification is preferably carried out by the signature publisher or by a test body different from the signature issuer. This can be seen as a major advantage of the method, because the participant is now not forced to have his eMD checked by the signature issuer, which means fewer conclusions can be drawn about the payment behavior of a participant and anonymity is increased.
  • the publisher information is preferably also verified during the checking. In this way it can be determined whether the publisher information in the eMD has been changed and a manipulation attempt has been made.
  • the blind signature was preferably generated with an ECDSA, with the curve parameters of the elliptic curve agreed in the ECDSA being provided for checking the blind signature.
  • a payment system for transmitting an electronic coin data record between at least two participants comprises a first participant for generating an unsigned, blinded eMD; a signature issuer for generating a blind signature according to the previously described method and a second subscriber for receiving the generated eMD, a signed unblinded eMD and a serial number used for generating the eMD.
  • the second participant checks the received generated eMD, the signed unblinded eMD and the serial number used to generate the eMD using the previously described checking method.
  • the eMD is preferably the result of a scatter value function from a link between a subscriber-generated public key and a subscriber-calculated point.
  • the subscriber-generated public key is derived from the subscriber-generated serial number. In this way, the participant-generated serial number is not sent, but a public key derived from it, which enables an eMD to be split.
  • the object is achieved by a method for obtaining a blind signature for an electronic coin data record, eMD, in a subscriber.
  • This process comprises the process steps: generating a public key from a subscriber-generated serial number by the subscriber; generating an eMD using the generated public key by the subscriber; blinding the generated eMD to obtain a blinded unsigned eMD by the participant; sending the blinded unsigned eMD from the subscriber to a signature publisher; the subscriber receiving a signed, blinded eMD from the signature publisher; and removing the blinding to obtain a signed unblinded eMD by the subscriber.
  • the subscriber-side generation of the public key from a subscriber-generated serial number by the subscriber has already been explained several times.
  • a value already agreed in the procedure between the participants, the signature issuer and / or the testing authority is used.
  • the value is a base point of the elliptic curve.
  • This agreed value is logically linked to the subscriber-generated serial number, for example via a logical link, such as AND; OR; XOR; NAND; NOR, or via a simple mathematical operation, for example a multiplication or an addition.
  • the step of generating the eMD preferably comprises the steps of: calculating a point of an elliptic curve using agreed curve parameters; linking the calculated point with the generated public key; calculating a scatter value function from the combination of the calculated point and the generated public key, the result of the scatter value function being the eMD.
  • the derived public key is now used to obtain the blind signature instead of the subscriber-generated serial number.
  • This subscriber-generated serial number is therefore secret for the signature publisher and remains secret.
  • This method makes it possible that the eMD does not have to be transferred between participants with its full monetary amount (maximum amount of the eMD), but that any partial amounts can also be derived and transferred from the full monetary amount.
  • the signed, blinded eMD obtained is a signed, blinded eMD that is expanded with a publisher's information.
  • the publisher information used to expand the unsigned, blinded eMD is the result of a scatter value function with a publisher value, the publisher value being sent as the publisher information and being part of the blind signature.
  • the publisher value is preferably a time value, an identification of the publisher and / or a publisher-generated value.
  • the publisher information is obtained together with the expanded, signed, blinded eMD, with the publisher information preferably being provided as independent information, independently of the signed, blinded eMD.
  • the publisher information thus serves to make the blind signing more transparent, in that publisher information that cannot be manipulated by the participant and is not secret becomes part of the blind signature and can be checked.
  • a method for deriving a monetary partial amount of a signed, blinded eMD in a subscriber.
  • the eMD is obtained according to the procedure described above.
  • This deriving method comprises the steps: generation by the subscriber of a subscriber-generated secret and a further public key from the subscriber-generated secret; Determination of a partial monetary amount of the eMD; and calculating a signature via a link from the monetary partial amount and the further public key.
  • the partial amount can be determined arbitrarily. It can be the change in a payment transaction or it can be any value.
  • the subscriber-generated secret is different from the subscriber-generated serial number and is used instead of the serial number to transfer monetary amounts between subscribers. In this case, only a partial amount can advantageously be transferred instead of the full monetary amount of the eMD. With this derivation, an already blindly signed eMD is set up for the transfer of monetary partial amounts.
  • the subscriber-generated secret can be generated by a first subscriber if he wants to split off a partial amount from the total amount. This generation is preferably carried out by a further subscriber who has not generated the subscriber-generated serial number. This means that a partial amount can also be split off by any other participant who has legitimately acquired the eMD.
  • eMDs can be shared, but the blind signature of the eMD remains valid.
  • payment processes using eMD can now be enabled in which the eMD recipient (the party being paid) can send back a divided eMD, comparable for example to change in cash transactions, or as part of a discount campaign.
  • the further public key is preferably a link between a base point of the elliptic curve and the subscriber-generated secret.
  • This linkage is, for example, a logical linkage or a simple mathematical operation, as a result of which the computation effort is minimized without endangering the security and manipulation resistance of the method.
  • instead of the base point, another agreed value can be used.
  • the derivation further comprises generating a second subscriber-generated secret and a second further public key from the second subscriber-generated secret by the subscriber or another subscriber; Determination of a second monetary partial amount of the eMD, the second monetary partial amount being smaller than the monetary partial amount and calculation of a second signature by linking the monetary partial amount and the second further public key.
  • the second subscriber-generated secret can be generated by the first subscriber if he would like to further split a partial amount. This generation is preferably carried out by a subscriber who has not generated the (first) subscriber-generated secret. This means that the partial amount can also be divided by any other participant. In this way, eMDs can be divided several times while the blind signature remains valid. In addition, payment processes using eMD can now be enabled in which the eMD recipient (the party being paid) can send back a divided eMD, comparable for example to change in cash transactions, or as part of a discount campaign.
  • the second partial amount can be set as desired, i.e. it can be any value less than the (first) partial amount.
  • the second further public key is preferably a link between a base point of the elliptic curve and the second subscriber-generated secret.
  • This link is, for example, a logical link or a simple mathematical operation, as a result of which the computation effort is minimized without endangering the security and manipulation resistance of the method.
  • another agreed value can be used as an alternative to the base point.
  • a method for checking a blind signature of an eMD is provided, the blind signature being obtained in accordance with the method described above. Verification includes the following steps: Obtaining the eMD, a serial number used to generate the eMD, and a signed uncovered eMD. Since the serial number and not the public key derived from it is received, the entire monetary amount of the eMD can now be checked, decrypted and transmitted. The transfer of the serial number generally enables the disposal of the entire monetary amount.
  • the public key is calculated from the subscriber-generated serial number.
  • the eMD is calculated using the calculated public key, the signed uncovered eMD and a public key of the signature issuer.
  • the calculated public key is used for verification instead of the serial number, because in this aspect of the invention the serial number remains hidden from the signature issuer and the blind signature is created via the public key. The calculated public key must then be used to check the signature. Finally, the calculated eMD is compared with the received eMD and the authenticity of the blind signature is verified if the calculated eMD matches the received eMD.
  • a further method for checking a blind signature of an eMD in which the blind signature was also generated / obtained according to a previously described method.
  • the further method comprises: obtaining the eMD, the subscriber-generated public key, a signed unblended eMD, a monetary partial amount of the eMD, a signature via a link from the monetary partial amount and another subscriber-generated public key; and a participant-generated secret.
  • the partial amount is preferably the above-mentioned (first) partial amount of the total monetary amount.
  • the further method then comprises: calculating the further public key from the subscriber-generated secret; calculating the signature using the link between the monetary partial amount and the calculated further subscriber-generated public key; comparing the calculated signature with the received signature and verifying the authenticity of the monetary partial amount; and calculating the eMD, as already described above, using the received public key, the signed unblinded eMD and a public key of the signature issuer, so that, as already mentioned, the calculated eMD can be compared with the received eMD and the authenticity of the blind signature is verified when the calculated eMD matches the received eMD.
  • the further method thus enables the authenticity of the eMD to be verified on the basis of the total amount of money, as it was signed (blindly) by the signature issuer.
  • the partial amount can also be verified and used for other payment transactions.
  • the subscriber-generated secret need not have been generated by the subscriber who generated the serial number, as a result of which a transmitted eMD can be further divided without having to be re-signed.
  • a further method for checking a blind signature of an eMD in which the blind signature was also generated / obtained according to a previously described method.
  • the still further method comprises the procedural steps: obtaining the eMD, the subscriber-generated public key, a signed unblended eMD, a monetary partial amount of the eMD, a signature via a link from the monetary partial amount and another subscriber-generated public key, the further subscriber-generated public key ; a second partial monetary amount of the eMD; a second signature via a combination of the second monetary partial amount and a second further subscriber-generated public key; and a second subscriber-generated secret.
  • the second partial amount is preferably the above-mentioned second partial amount of the total monetary amount, which is smaller than the (first) partial amount.
  • the second further public key is calculated from the second subscriber-generated secret; the second signature is calculated via the link from the monetary partial amount and the calculated second further subscriber-generated public key; the calculated second signature is compared with the received second signature and the authenticity of the second monetary partial amount is verified.
  • the aforementioned calculation of the signature takes place via the link from the monetary partial amount and the calculated further subscriber-generated public key; comparing the calculated signature with the received signature and verifying the authenticity of the monetary partial amount; calculating the eMD using the received public key, the signed uncovered eMD and a public key of the signature issuer; comparing the calculated eMD with the received eMD and verifying the authenticity of the blind signature if the calculated eMD matches the received eMD.
  • the (first) monetary partial amount and the (first) signature are created by a subscriber by linking the monetary partial amount and a further subscriber-generated public key in accordance with the derivation method described above.
  • the participant does not have to be the participant who generated the serial number. This enables the eMD to be shared with the blind signature fully valid.
  • the second monetary partial amount and the second signature are preferably created by a subscriber by linking the second monetary partial amount and a second further subscriber-generated public key in accordance with the derivation method described above.
  • the publisher information is preferably also obtained in the receive step and this is also used in the calculate step for calculating the eMD.
  • the verification is preferably carried out by the signature issuer or a testing entity other than the signature issuer, for example also another participant.
  • the publisher information is preferably also verified during the checking.
  • the blind signature is preferably generated with an elliptic curve signing algorithm, ECDSA, and agreed curve parameters of the elliptic curve are provided for checking the blind signature.
  • a payment system for transmitting an electronic coin data record, eMD is provided between at least two participants.
  • the payment system comprises a first participant for obtaining a blind signature for an eMD according to the described receiving method; a signature issuer for generating the blind signature and a second participant for receiving the generated eMD, a signed unblended eMD and a serial number used for generating the eMD.
  • the payment system also includes the second participant checking the received generated eMD, the signed unblended eMD and the serial number used to generate the eMD. It is provided that the second participant generates the secret and derives the partial amount and the one belonging to the partial amount. This partial amount is used in a payment process where the blind signature via the eMD remains valid.
  • An eMD is in particular an electronic data record that represents a monetary amount and is also colloquially referred to as a “digital coin” or “electronic coin”. The right to this monetary amount changes in the process from a first account to another account.
  • a monetary amount is understood to be a digital amount that can be credited to an account of a financial institution.
  • the eMD therefore represents cash in electronic form.
  • the eMD differ significantly from electronic data records for data exchange or data transfer because, for example, a classic data transaction takes place on the basis of a question-answer principle or on intercommunication between the data transfer partners.
  • eMDs are characterized by uniqueness and security features (signatures, encryption).
  • an eMD contains all the data required for a receiving entity with regard to verification, authentication and forwarding to other entities. Intercommunication is therefore generally not necessary with this type of data record. Exceptions are the change payment transactions.
  • a security element can be provided in a subscriber's terminal for transmission.
  • a security element is preferably special software, in particular in the form of a secure runtime environment within the operating system of a terminal device, a Trusted Execution Environment (TEE).
  • alternatively, the security element is designed, for example, as special hardware, in particular in the form of a secured hardware platform module, a Trusted Platform Module (TPM), or as an embedded security module (eUICC, eSIM).
  • the security element provides a trustworthy environment and, for example, also secures a machine-2-machine, M2M application.
  • the communication between two end devices or security element can take place contactlessly or with contacts and can be designed as a secure channel.
  • This is the exchange of the eMD with cryptographic keys, for example a session key negotiated for an exchange of coin data sets or a symmetrical or asymmetrical pair of keys.
  • Any device that processes program code and has user input and output is regarded as a terminal, for example a PC, a smartphone or a tablet.
  • the terminal can also be part of an M2M environment; a machine, a tool, a container or a vehicle is then also understood to be a terminal.
  • a terminal device according to the invention is thus either stationary or mobile.
  • M2M stands for the (fully) automated exchange of information between these end devices, for example using the Internet and the corresponding access networks, such as the mobile network.
  • Fig. 1 shows the principle of the DigiCash method with blind signatures;
  • Fig. 2 shows a known example for creating and checking a signature using ECDSA;
  • FIG. 3 shows an exemplary embodiment of a process flow diagram of a signature generating method according to the invention
  • FIG. 4 shows an exemplary embodiment of a method sequence for generating and checking a blind signature for an eMD according to the invention
  • FIG. 5 shows an embodiment of a process flow diagram of a method according to the invention
  • FIG. 6 shows an exemplary embodiment of a method sequence for generating and checking a blind signature for an eMD with an entire monetary amount and monetary partial amounts divided therefrom according to the invention.
  • FIG. 7 shows an exemplary embodiment of a method sequence for generating and checking a blind signature for an eMD with an entire monetary amount and monetary partial amounts divided therefrom according to the invention.
  • Fig. 1 shows the principle of the "DigiCash" method with blind signatures.
  • a first participant (buyer) TI transmits to a second participant (seller) T2 a coin signed by the signature issuer H.
  • the first participant TI exchanges a monetary amount with a digital coin, the unique identifier, for example a serial number, of which he generates himself in step 1.
  • the unique identifier is encrypted in step 2 and transmitted to the signature issuer H together with the value of the digital coin in step 3.
  • the signature publisher H confirms the validity of the digital coin by signing the encrypted unique identifier in step 4 and sends the digital coin thus signed back to the first subscriber TI in step 5.
  • step 6 the first participant TI decrypts the signature and in step 7 transmits (pays) the digital coin consisting of the unique identifier and the decrypted signature to the second participant T2.
  • the second subscriber T2 requests the signature issuer H to redeem the digital coin in step 8.
  • the signature issuer H verifies the authenticity of the digital coin using the signature in step 9 and thus enables the monetary amount of the digital coin to be redeemed in step 10.
  • FIG. 2 shows a method sequence 100 consisting of a method S for providing a signature between a first subscriber TI (or its first terminal M1) and a publisher H, and a method P for checking the created signature between the first subscriber TI and a testing entity PI.
  • step 101 all involved instances TI, H and P agree on the curve parameters, f, p, a, b, G, n, h of an elliptical curve.
  • These curve parameters describe the curve used, where f is the order of the field over which the curve is defined; p is the specification of the basis used; a, b are two field elements that describe the equation of the curve; G is the generator point (base point) of the curve; n is the order of point G; and h is the cofactor.
  • H () to be used, also referred to as a hash function, for example a SHA-2 algorithm.
  • step 102 the publisher H generates a cryptographic key pair d, D based on the base point G and communicates the public part D to the first participant TI and the testing entity PI in steps 103, 103 '.
  • the public key part D is also referred to as a verification key D.
  • the private key part d is kept secret and is not given out.
  • step 104 the first subscriber TI generates a serial number m and links it to a monetary amount for the electronic coin data record, eMD.
  • the first subscriber TI generates two integer random numbers g, i.
  • step 105 the publisher H generates a random number r and calculates a point R of the curve which is transmitted to the first subscriber TI.
  • step 106 the first participant TI calculates a point on the curve using equation (1):
  • Point A is represented by an x coordinate A x and a y coordinate A y .
  • the blind signature is regarded as confirmed and the eMD as genuine.
  • FIG. 3 shows an exemplary embodiment of a process flow diagram of a signature-generating method 100 according to the invention.
  • FIG. 4 shows an exemplary embodiment of a process flow for generating and checking a blind signature for an eMD according to the invention. The method in Figure 3 is explained in conjunction with Figure 4.
  • the method 100 for creating a blind signature according to FIG. 3 and FIG. 4 is based on the creation of a blind signature with a corresponding check by a testing entity PI according to FIG. 2 and reflects a process sequence in an ECDSA method.
  • the checking with steps 111 and 112 can also be carried out by another subscriber T2, T3, for example in order to verify the monetary amount or partial amount.
  • checking PR with steps 111 and 112 can also take place between two participants T2, T3 who have not generated the serial number m of the eMD c. These participants then want to verify and transmit, for example, a total monetary amount or a partial amount derived therefrom or a second partial amount derived therefrom.
  • ECDSA is only exemplary; any method for generating a blind signature, for example DSA- or RSA-based, can be operated with the basic idea of the invention, namely the addition of issuer information, possibly in conjunction with the derivation of monetary partial amounts.
  • This is indicated by the dashed lines of steps 101 to 105 in FIG. 4, which are therefore to be regarded as optional steps.
  • the repetition of the explanation of these steps 101 to 105 of FIG. 2 is therefore dispensed with, even though they are part of the inventive method when using an ECDSA method.
  • step 107 the unsigned, blinded eMD c 'described with equation (3) is sent to the publisher H.
  • a publisher value w is generated there in step 113.
  • the publisher value w is, for example, a time stamp or a random value.
  • This publisher value w is converted into publisher information u by means of a scatter value function H ().
  • This scatter value function H () is preferably the scatter value function that was agreed in step 101. This simplifies the procedure with regard to compatibility and agreement of the cryptographic functions to be used.
  • in step 109 the extended, signed, blinded eMD s" is transmitted to the first subscriber TI together with the publisher value w.
  • the subscriber TI generates the eMD c and blinds it in c 'with the random number g, so that the eMD c is not known to the publisher H.
  • the eMD c is also assigned a monetary maximum amount.
  • the publisher H signs the blinded unsigned eMD c 'without knowing the eMD c or the serial number m. This is called blind signing.
  • the publisher H adds a publisher-generated value w in the form of publisher information u.
  • This publisher information u becomes an unchangeable part of the signed, blinded eMD s ”and, according to equation (13) as the publisher value w, also part of the signed, unblended eMD s.
  • step 111 the unsigned unblended eMD c, the signed unblended eMD s, the subscriber-generated serial number m and the publisher value w are transmitted from the subscriber TI to the testing entity PI, T2, T3.
  • the blind signature is considered to be genuine.
  • FIG. 5 shows an embodiment of a process flow diagram of a signature-obtaining method according to the invention.
  • FIG. 6 shows an exemplary embodiment of a method sequence for obtaining S a blind signature and also for checking PR for a blind signature for an eMD according to the invention.
  • the checking method PR has three different scenarios PR1, PR2, PR3.
  • the method in Figure 5 is explained in connection with Figure 6.
  • the method for obtaining a blind signature according to FIG. 5 and FIG. 6 is based on the creation of a blind signature with a corresponding check by a testing body PI, T2, T3 according to FIG. 2 and reflects a procedure in an ECDSA method.
  • checking PR1, PR2, PR3 with steps 111, 111', 111" and 112, 112', 112" can also be carried out by another participant T2, T3, for example to verify the monetary amount or partial amount.
  • checking PR1, PR2, PR3 with steps 111, 111', 111" and 112, 112', 112" can also take place between two participants T2, T3 who have not generated the serial number m of the eMD c, for example to verify and transfer a monetary total amount or a partial amount u derived therefrom or a second partial amount e derived therefrom. In the following, the testing entity PI is equated with another participant T2, T3.
  • ECDSA is only an example; any method for generating / receiving a blind signature, for example DSA- or RSA-based, can be carried out with the basic idea of the invention, namely the derivation of partial monetary amounts, possibly using publisher information from the signature publisher H. Repetition of steps 101 to 105 of FIG. 2 is therefore dispensed with, although when using an ECDSA method they are part of the method according to the invention.
  • the method steps 101 to 105 of FIG. 5 and FIG. 6 are the same as the method steps 101 to 105 of FIG. 2 and reference is made to this FIG. 2 for further explanations.
  • step 114 a public key M described in equation (18) is generated in the subscriber TI:
  • the subscriber-generated serial number m is to be regarded as a secret, and the public key M is derived from it using the (agreed) base point G of the elliptic curve. Alternatively, other agreed values can be used to generate the public key M.
  • the first subscriber TI calculates a point on the curve using equation (1).
  • the point A is represented by an x coordinate A x and a y coordinate A y .
  • step 107 the unsigned, blinded eMD c ′ (M) described with equation (20) is sent to the publisher H.
  • step 110 the signed, blinded eMD s' is obtained by means of equation (5).
  • the subscriber TI generates the eMD c using a public key M instead of the serial number m.
  • This serial number m is secret to the signature publisher H.
  • FIG. 6 now shows three scenarios with which an eMD which can be divided using the signature method S obtained in FIG. 6 can be transmitted, the blind signature nevertheless remaining valid.
  • non-round amounts can now be transferred very precisely, or corresponding change can be generated.
  • the maximum monetary amount of an eMD c could be sent from a first participant TI to a second participant T2 in the test procedure PR1.
  • a partial amount u is then returned as change to the first participant TI by the second participant T2.
  • the first participant TI can now further split the partial amount u and transfer the second partial amount e to the third participant T3 in the test procedure PR3: In the test procedure PR1 in FIG a second participant T2, T3 is to be redeemed.
  • step 111 the unsigned, unblended eMD c, the signed, unblended eMD s and the subscriber-generated serial number m are transmitted from the subscriber TI to the testing entity PI. There, the blind signature is verified in step 112.
  • the subscriber-generated public key M is first calculated using equation (23).
  • the blind signature is valid and the eMD c can be used by the testing body PI, or also by the other participants T2, T3, for further payment processes.
  • the eMD c obtained in equation (24) corresponds to the eMD c sent in step 111, the blind signature is considered confirmed and the eMD is genuine.
  • the derivation of a partial amount u from the monetary total amount is shown first with step 115.
  • the subscriber TI or another subscriber who is in possession of the eMD c
  • the subscriber TI generates a secret p and a further public key P using the subscriber-generated secret p.
  • the secret p is different from the serial number m.
  • the further subscriber-generated key P is different from the subscriber-generated public key M.
  • the subscriber-generated public key P can be obtained by multiplying it by the base point G, see equation (25):
  • U is the partial amount to be derived, which is smaller than the total monetary amount of the eMD c.
  • the real signature s hi is a logical OR combination of the public key P and the partial amount u. Other logical links or mathematical operations are also conceivable for creating the real signature s hi .
  • step 111 the following variables are now exchanged between two participants TI, T2, T3:
  • step 112 ' the authenticity of the blind signature and the authenticity of the real signature s hi can now be checked, as a result of which the partial amount u is considered to be - transmitted between the participants TI, T2, T3.
  • the further public key P is first calculated using the participant-generated secret p and the agreed base point G, see equation (25).
  • the blind signature is checked according to equations (7) to (9) and (24).
  • the real signature is hi the calculated further subscriber-generated public key P and the partial amount u obtained, and if equation (27) matches
  • the partial amount u is considered to be verified and is also transmitted by transmitting the secret p.
  • the test body PI, T2, T3 is not in possession of the subscriber-generated serial number m and can therefore verify the blind signature (using the key M) but does not have the total monetary value.
  • the derivation of a second partial amount e from the partial amount u is shown in step 116.
  • the subscriber TI or another subscriber who is in possession of the eMD c
  • the second secret q is different from the serial number m and from the secret p.
  • the second further subscriber-generated key Q is different from the subscriber-generated public key M and the further subscriber-generated key P.
  • the second further subscriber-generated public key Q can be obtained by multiplication by the base point G, see equation (28):
  • Equation (28) also creates a second real signature s r for derivation 116:
  • e is the second partial amount to be derived, which is smaller than the total monetary amount and which is also smaller than the partial amount u of the eMD c.
  • the real signature s r here is a logical OR combination of the public key Q and the partial amount e. Other logical links or mathematical operations are also conceivable for creating the real signature s r .
  • step 111 “the following variables are now exchanged between two participants TI, T2, T3:
  • step 112 “ the authenticity of the blind signature, the authenticity of the real signature s hi and also the authenticity of the second real signature s r can now be checked, as a result of which the second partial amount e is considered to be - between the participants TI, T2, T3 .
  • the second further subscriber-generated public key Q is first calculated using the second subscriber-generated secret q and the agreed base point G, see equation (28).
  • the blind signature is checked in accordance with equations (7) to (9) and (24).
  • the test body PI, T2, T3 does not have the subscriber-generated serial number m or the subscriber-generated secret p.
  • the blind signature and the real signature s hi can be verified (by the subscriber-generated public keys M and P), but the test body PI, T2, T3 does not get the monetary total amount or the (first) partial amount u.
  • any monetary (partial) amounts u, e can now be transferred between any participants, whereby the authenticity of the blind signature and of the real signatures s hi and s r connected with the respective partial amounts u, e can be checked.
  • the receiving entity PI, T2, T3 receives full access rights to the respective partial amounts, whereby the eMD is considered to be transmitted.
  • 7 shows a further exemplary embodiment of a method sequence for generating and checking a blind signature for an eMD with an entire monetary amount and monetary partial amounts divided therefrom according to the invention.
  • the process sequences in FIGS. 4 and 6 were combined with one another.
  • the sharing of monetary amounts according to the invention is now also possible.
  • the checking process PR has three different scenarios PR1, PR2, PR3.
  • the method for obtaining a blind signature according to FIG. 7 is based on the creation of a blind signature with a corresponding check by a testing entity PI according to FIG. 2 and reflects a process sequence in an ECDSA method. It should be noted that checking PR1, PR2, PR3 with steps 111, 111', 111" and 112, 112', 112" can also be carried out by another participant T2, T3, for example in order to verify the monetary amount or partial amount.
  • checking PR1, PR2, PR3 with steps 111, 111', 111" and 112, 112', 112" can also take place between two participants T2, T3 who have not generated the serial number m of the eMD c, for example to verify a monetary total amount or a portion derived therefrom or a second portion e derived therefrom and to receive it. In the following, the testing entity PI is equated with another participant T2, T3.
  • ECDSA is only exemplary; any method for generating / obtaining a blind signature, for example DSA- or RSA-based, can be carried out with the basic idea of the invention, namely the derivation of monetary partial amounts using publisher information u, w of the signature publisher H.
  • Repetition of steps 101 to 105 in FIG. 2 is dispensed with, although they are part of the method according to the invention when using an ECDSA method.
  • the method steps 101 to 105 of FIG. 7 are the same as method steps 101 to 105 of FIG. 2 and reference is made to this FIG. 2 for further explanations.
  • step 114 the generation of a public key M described in equation (18) in the subscriber TI is described.
  • the first subscriber TI calculates a point on the curve using equation (1).
  • the point A is represented by an x coordinate A x and a y coordinate A y .
  • the x coordinate A x is used with the public key M as the input parameter of the hash function H () in equation (19) in order to obtain an unsigned, unblended eMD c.
  • the unsigned, unblended eMD c is converted into an unsigned, blended eMD c '(M) using equation (20).
  • step 107 the unsigned, blinded eMD c ′ (M) obtained with equation (20) is sent to the publisher H.
  • a publisher value w is generated there in step 113.
  • the publisher value w is, for example, a time stamp or a random value.
  • This publisher value w is converted into publisher information u by means of a scatter value function H ().
  • This scatter value function H () is preferably the scatter value function that was agreed in step 101. This simplifies the procedure with regard to compatibility and agreement of cryptographic functions to be used.
  • the unsigned, blinded eMD c ' is then expanded in accordance with equation (11) with this publisher information u in step 113.
  • in step 109 the extended, signed, blinded eMD s" is transmitted to the first subscriber TI together with the publisher value w.
  • in step 110 the signed, blinded eMD s" is unblinded using equation (13).
  • the subscriber TI generates the eMD c using a public key M instead of the serial number m.
  • This serial number m is secret to the signature publisher H.
  • the signature publisher H also generates the publisher information u, w and adds this as an integral part of the blind signature.
  • eMD c simplifies the administrative work for the signature issuer H and enables a payment system with eMD c for which change can be paid or in which non-circular amounts of money can be electronically transferred.
  • Fig. 7 three scenarios are now shown, by means of which a divisible eMD obtained with the signing method S shown in Fig. 7 is transmitted and the blind signature nevertheless remains valid.
  • non-round amounts can now be transferred very precisely, or corresponding change can be generated.
  • the maximum monetary amount of an eMD c could be sent from a first participant TI to a second participant T2 in the test procedure PR1.
  • a partial amount u is then returned as change to the first participant TI by the second participant T2.
  • the first participant TI can now further split the partial amount u and transfer the second partial amount e to the third participant T3 in the test procedure PR3:
  • In test procedure PR1 of FIG. 7, it is initially shown that the entire monetary amount of an eMD c is to be checked and, if necessary, redeemed by a second subscriber T2, T3.
  • Curve parameters and the verification key D is to check the blind signature of the eMD c, which is done, for example, by means of a test entity PI, which is not necessarily the publisher H.
  • In step 111, the unsigned, unblinded eMD c, the signed, unblinded eMD s, the subscriber-generated serial number m and the publisher information w are transmitted from the subscriber TI to the testing entity PI.
  • In test procedure PR1 of Figure 7, it is then checked whether the public key M has been changed and whether w has been changed, which is described below.
  • In step 112, the blind signature is verified.
  • the subscriber-generated public key M is first calculated using equation (23).
  • the publisher information u is obtained with equation (15) and with equation (33)
  • A s G + (c ’(M) + u) D (33) it is checked whether the condition of equations (24) is fulfilled. If the calculated eMD c matches the received eMD c, the blind signature is valid and the eMD c can be used by the testing body PI, or for example also by the other participants T2, T3, for further payment processes.
  • In step 115, the participant TI (or another participant T2, T3 who is in possession of the eMD c) generates a secret p and a further public key P using the participant-generated secret p.
  • the secret p is different from the serial number m.
  • the further subscriber-generated key P is different from the subscriber-generated public key M.
  • the further public key P generated by the subscriber can be obtained by multiplying by the base point G, see equation (25).
  • a real signature s hi is also created using equation (26).
  • u is the partial amount to be derived, which is smaller than the total monetary amount of the eMD c.
  • the real signature s hi is a logical OR combination of the public key P and the partial amount u. Other logical links or mathematical operations for creating the real signature s hi are also conceivable.
  • In step 111', the following variables are now exchanged between two participants TI, T2, T3:
  • In step 112', the authenticity of the blind signature and the authenticity of the real signature s hi can now be checked, as a result of which the partial amount u is considered to be transferred between the participants PI, TI, T2, T3.
  • the further public key P is first calculated using the subscriber generated secret p and the agreed base point G, see equation (25).
  • the blind signature is checked according to equations (15), (33) and (24).
  • the real signature G m is calculated from the calculated further subscriber-generated public key P and the partial amount u obtained, and if equation (26) matches, the partial amount u is considered to be verified and is transmitted by the secret p.
  • the test body PI, T2, T3 is not in possession of the subscriber-generated serial number m and can therefore verify the blind signature (using the key M) but does not have the total monetary amount of the eMD c.
  • a check is therefore carried out to determine whether the public key M has been changed, whether w has been changed and whether the real signature G m has been changed.
  • In step 116, the derivation of a second partial amount e from the partial amount u is shown.
  • the subscriber TI (or another subscriber who is in possession of the eMD c) generates a second secret q and a second further public key Q using the second subscriber-generated secret q.
  • the second secret q is different from the serial number m and from the secret p.
  • the second further subscriber-generated key Q is different from the subscriber-generated public key M and the further subscriber-generated key P.
  • the second further subscriber-generated public key Q can be obtained by multiplication by the base point G, see equation (28). Equation (29) also creates a second real signature s r for derivation 116.
  • e is the second partial amount to be derived, which is smaller than the total monetary amount and which is also smaller than the partial amount u of the eMD c.
  • the real signature s r here is a logical OR combination of the public key Q and the partial amount e. Other logical links or mathematical operations are also conceivable for creating the real signature s r .
  • In step 111'', the following variables are now exchanged between two participants TI, T2, T3: the eMD c
  • In step 112'', the authenticity of the blind signature, the authenticity of the real signature s hi and also the authenticity of the second real signature s r can now be checked, as a result of which the second partial amount e is considered to be transferred between the participants TI, T2, T3.
  • the second further public key Q is first calculated using the second subscriber-generated secret q and the agreed base point G, see equation (28).
  • the blind signature is checked according to equations (15), (33) and (24).
  • the second real signature s r is calculated from the calculated second further subscriber-generated public key Q and the received second partial amount e and, if equation (30) matches, the partial amount e is verified and is also transmitted by the transmission of the second secret q.
  • the test body PI, T2, T3 does not have the participant-generated serial number m or the participant-generated secret p.
  • the blind signature and the real signature s hi can be verified (by the subscriber-generated public keys M and P), but the verifier does not get the total monetary amount or the (first) partial amount u.
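
The issuing and checking flow described in the steps above (blinding of c, extension with publisher information u = H(w), unblinding, and the check in test procedure PR1), as an added example that is not code from the patent. Equations (11), (13), (19) and (20) are only referenced by number here, so the concrete formulas are assumptions: a Schnorr-type scheme on secp256k1 with SHA-256, commitment A = R + a·G + b·D, blinded value c' = c - b, blinded signature s' = k - (c' + u)·d and unblinded signature s = s' + a. The names `publisher_sign`, `verify` and `run` are hypothetical.

```python
import hashlib, secrets

# secp256k1 domain parameters (an assumed curve; the page names none)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add (not constant time; illustration only)
    acc, k = None, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(*parts):  # hash function H(): SHA-256 reduced to a scalar mod N
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def rand(): return secrets.randbelow(N - 1) + 1

def publisher_sign(d, k, c_blind, w):
    # publisher H extends the blinded eMD with u = H(w) before signing
    return (k - (c_blind + H(w)) * d) % N

def verify(D, c, s, m, w):
    M = mul(m, G)                                # recompute public key M from m
    A = add(mul(s, G), mul((c + H(w)) % N, D))   # A = s*G + (c + u)*D
    return A is not None and H(A[0], *M) == c    # recomputed eMD c must match

def run(w="2019-12-09T12:00:00Z"):               # constructed publisher value w
    d, k, m, a, b = (rand() for _ in range(5))   # d, k: publisher; m, a, b: subscriber
    D, R, M = mul(d, G), mul(k, G), mul(m, G)
    A = add(add(R, mul(a, G)), mul(b, D))        # subscriber blinds the commitment R
    c = H(A[0], *M)                              # unsigned, unblinded eMD c
    c_blind = (c - b) % N                        # unsigned, blinded eMD c'
    s = (publisher_sign(d, k, c_blind, w) + a) % N   # unblind the returned signature
    return D, c, s, m, w
```

Because u enters the signed value, a verifier that is handed a modified w, a different serial number m or an altered s recomputes a different point A and the comparison with c fails.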

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • General Business, Economics & Management (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention relates to a method for generating a blind signature for an electronic coin data set, eMD, the method comprising the following steps: receiving, at a signature publisher, an unsigned blinded eMD from a user device; extending, by the signature publisher, the unsigned blinded eMD with publisher information so as to obtain an extended unsigned eMD; signing the extended unsigned eMD using a random number generated by the publisher and a secret key of the signature publisher to obtain an extended signed blinded eMD; and sending the extended signed blinded eMD and the publisher information to the user device. The invention also relates to methods for verifying the generated and/or received blind signature. The invention further relates to a payment system for transmitting an electronic coin data set between at least two user devices.
EP19824235.6A 2018-12-18 2019-12-09 Procédé de génération d'une signature aveugle Pending EP3899844A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102018009943.2A DE102018009943A1 (de) 2018-12-18 2018-12-18 Verfahren zum Erzeugen einer blinden Signatur
PCT/EP2019/025438 WO2020126078A1 (fr) 2018-12-18 2019-12-09 Procédé de génération d'une signature aveugle

Publications (1)

Publication Number Publication Date
EP3899844A1 true EP3899844A1 (fr) 2021-10-27

Family

ID=68987652

Family Applications (1)

Application Number Title Priority Date Filing Date
EP19824235.6A Pending EP3899844A1 (fr) 2018-12-18 2019-12-09 Procédé de génération d'une signature aveugle

Country Status (3)

Country Link
EP (1) EP3899844A1 (fr)
DE (1) DE102018009943A1 (fr)
WO (1) WO2020126078A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11651354B2 (en) * 2019-09-11 2023-05-16 Nxp B.V. Efficient partially spendable e-cash
DE102021000570A1 (de) 2021-02-04 2022-08-04 Giesecke+Devrient Advance52 Gmbh Verfahren zum bereitstellen eines nachweisdatensatzes; verfahren zum prüfen eines nachweisdatensatzes; ein münzregister; eine teilnehmereinheit und ein computerprogrammprodukt
DE102021000572A1 (de) 2021-02-04 2022-08-04 Giesecke+Devrient Advance52 Gmbh Verfahren zum erstellen einer münzdatensatz-zusammensetzung, teilnehmereinheit und bezahlsystem
US20220284129A1 (en) * 2021-03-07 2022-09-08 Guardtime Sa Verifiable Splitting of Single-Instance Data Using Sharded Blockchain

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4977595A (en) * 1989-04-03 1990-12-11 Nippon Telegraph And Telephone Corporation Method and apparatus for implementing electronic cash
US5901229A (en) * 1995-11-06 1999-05-04 Nippon Telegraph And Telephone Corp. Electronic cash implementing method using a trustee
EP1838031A4 (fr) * 2004-12-27 2013-08-14 Nec Corp Système de signature aveugle limitée

Also Published As

Publication number Publication date
WO2020126078A1 (fr) 2020-06-25
DE102018009943A1 (de) 2020-06-18

Similar Documents

Publication Publication Date Title
DE102017204536B3 (de) Ausstellen virtueller Dokumente in einer Blockchain
DE102012206341B4 (de) Gemeinsame Verschlüsselung von Daten
WO2020126078A1 (fr) Procédé de génération d'une signature aveugle
DE112011100182B4 (de) Datensicherheitsvorrichtung, Rechenprogramm, Endgerät und System für Transaktionsprüfung
DE19804054B4 (de) System zur Verifizierung von Datenkarten
DE602005002652T2 (de) System und Verfahren für das Erneuern von Schlüsseln, welche in Public-Key Kryptographie genutzt werden
DE60104411T2 (de) Verfahren zur übertragung einer zahlungsinformation zwischen einem endgerät und einer dritten vorrichtung
DE19781841C2 (de) Verfahren zum automatischen Entscheiden der Gültigkeit eines digitalen Dokuments von einer entfernten Stelle aus
DE60031304T2 (de) Verfahren zur authentifizierung von softwarebenutzern
DE69838003T2 (de) Verfahren zum etablieren des vertrauenswürdigkeitgrades eines teilnehmers während einer kommunikationsverbindung
EP0383985A1 (fr) Procédé d'identification d'abonnées ainsi que de génération et de vérification de signatures électroniques dans un système d'échange de données
DE60209809T2 (de) Verfahren zur digitalen unterschrift
WO2020212337A1 (fr) Procédé pour le transfert direct de jeux de données électroniques de monnaie entre des terminaux ainsi que système de paiement
WO2021170645A1 (fr) Procédé de transmission directe de jeux de données de pièces de monnaie électroniques entre terminaux, système de paiement, système de protection et unité de surveillance
DE10143728A1 (de) Vorrichtung und Verfahren zum Berechnen eines Ergebnisses einer modularen Exponentiation
DE19829643A1 (de) Verfahren und Vorrichtung zur Block-Verifikation mehrerer digitaler Signaturen und Speichermedium, auf dem das Verfahren gespeichert ist
DE60212248T2 (de) Informationssicherheitsvorrichtung, Vorrichtung und Verfahren zur Erzeugung einer Primzahl
DE60202149T2 (de) Verfahren zur kryptographischen authentifizierung
EP2893668B1 (fr) Procede de creation d'une instance derivee d'un support de donnees d'origine
WO2020126079A1 (fr) Procédé pour obtenir une signature aveugle
DE102005008610A1 (de) Verfahren zum Bezahlen in Rechnernetzen
EP4111399B1 (fr) Procédé, terminal, entité de surveillance et système de paiement pour gérer des ensembles de données électroniques de pièces de monnaie
WO2023036458A1 (fr) Procédé et système de transaction pour transmettre des jetons dans un système de transaction électronique
DE102022000857B3 (de) Verfahren zur sicheren Identifizierung einer Person durch eine Verifikationsinstanz
DE102021000570A1 (de) Verfahren zum bereitstellen eines nachweisdatensatzes; verfahren zum prüfen eines nachweisdatensatzes; ein münzregister; eine teilnehmereinheit und ein computerprogrammprodukt

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20210719

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GIESECKE+DEVRIENT ADVANCE52 GMBH

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230519