EP3899845A1 - Procédé pour obtenir une signature aveugle - Google Patents
Procédé pour obtenir une signature aveugleInfo
- Publication number
- EP3899845A1 EP3899845A1 EP19824236.4A EP19824236A EP3899845A1 EP 3899845 A1 EP3899845 A1 EP 3899845A1 EP 19824236 A EP19824236 A EP 19824236A EP 3899845 A1 EP3899845 A1 EP 3899845A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- emd
- subscriber
- signature
- generated
- public key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/04—Payment circuits
- G06Q20/06—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
- G06Q20/065—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
- G06Q20/0658—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash e-cash managed locally
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/22—Payment schemes or models
- G06Q20/29—Payment schemes or models characterised by micropayments
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
- G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
- G06Q20/3678—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes e-cash details, e.g. blinded, divisible or detecting double spending
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3821—Electronic credentials
- G06Q20/38215—Use of certificates or encrypted proofs of transaction rights
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3823—Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3825—Use of electronic signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/383—Anonymous user system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3257—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using blind signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
Definitions
- the invention relates to a method for generating a blind signature for an electronic coin data record, eMD.
- the invention also relates to a method for obtaining a blind signature in a subscriber.
- the invention also relates to a method for deriving a partial monetary amount from an already blindly signed eMD by a subscriber.
- the invention also relates to several methods for checking the blind signature generated / obtained.
- the invention relates to a payment system for transmitting an electronic coin data record between at least two participants.
- the "DigiCash” process is available for the anonymous exchange of electronic coin data records based on so-called blind signatures.
- a principle that is similar to the "DigiCash” process with blind signatures is shown in Fig.l.
- Blind digital signatures can be generated, for example, using an elliptic curve digital signature algorithm, ECDSA, a variant of the digital signature algorithm, DSA, in which elliptic curve cryptography is used.
- ECDSA is shown for example in Fig.2.
- None of the known concepts enables a duplication of the monetary amount (coin denomination) of the signed digital coin. This means that, for example, if a coin data record has a monetary amount of € 1, then for payment of a monetary amount of € 100, one is forced to send and have one hundred generated electronic coin data records verified. This makes verification more difficult and increases the amount of data for transferring large amounts of money.
- the known concepts are non-transparent for an inspection body and only the authenticity of a signature can be checked without being sure whether a participant has manipulated the eMD. In fact, blind signatures are not accepted in many sales outlets due to this lack of transparency.
- the monetary amount (coin value) of a signed eMD should be easy to divide without a blind signature losing its invalidity.
- the aim is to create a direct exchange between participants and the corresponding end devices, which is uncomplicated and fast.
- a participant should also be able to return appropriate change (change) in the form of an eMD shared by the received eMD.
- the procedure is intended to remain non-transparent for a third party in order to guarantee anonymous payment.
- the object is achieved in particular by a method for generating a blind signature for an electronic coin data record, eMD.
- the method comprises the following steps: Receiving an unsigned, blinded eMD from a subscriber at a signature issuer; Expanding the unsigned, blinded eMD with a publisher information by the signature publisher to obtain an expanded unsigned eMD; Signing the expanded unsigned eMD using a publisher-generated random number and a secret key of the signature publisher to obtain an expanded signed veneered eMD; and sending the extended signed fade- the eMD and the publisher information to the subscriber, the publisher information sent being part of the blind signature.
- the publisher adds information to the signature, also referred to as a release message.
- this publisher information becomes an unchangeable part of the blind signature of the eMD.
- This publisher information - as well as the signed, blinded eMD - is made available to the participant, for example in plain text. Any unmanipulable information from a publisher is regarded as publisher information.
- the publisher information is independent and therefore not dependent on the eMD or the participant. Independent information is therefore independent information that is not dependent on other entities.
- the blind signature generated with this method enables every participant in the payment system to verify the authorship of the signature via a blinded eMD.
- the publisher information thus serves in a checking step to verify the part of the signature that was formed by the publisher information more thoroughly.
- the publisher information is not secret and can be transmitted as plain text information in the sending step, for example.
- the publisher information is preferably provided as independent information, regardless of the signed hidden eMD. This independent provision ensures that the publisher information and the eMD are completely separate information and are originally different Instances were generated.
- the publisher information has been generated by the (trustworthy) signature publisher. In this way, anonymity in the payment system is preserved, on the one hand, and additional information independent of eMD is also signed by this publisher information. It is also conceivable that the publisher information is made available directly to a test body in an examination procedure.
- the publisher information used to expand the unsigned, blinded eMD is preferably the result of a scatter value function (hash function) with a publisher value, the publisher value being sent as the publisher information.
- a scatter value function (also hash function) is a mapping that maps a large input quantity (for example the publisher value or secret key) to a smaller target quantity (the hash values, for example the publisher information).
- a hash function is therefore generally not injective.
- the input quantity can contain elements of different lengths, whereas the elements of the target quantity usually have a fixed length. In this way, the signature can be reduced in size without reducing the level of security.
- the scatter value function is preferably a scatter value function that is fundamentally agreed in the signing method, for example when using an ECDSA, in which, in addition to the curve parameters, the scatter value function to be selected is also specified.
- a scatter value function that is fundamentally agreed in the signing method, for example when using an ECDSA, in which, in addition to the curve parameters, the scatter value function to be selected is also specified.
- the publisher value can be at least one of the following values: a time value, for example a time stamp or a date; identification of the publisher, for example an ID, serial number, contract number; and / or an identifier of the publisher in the signing process; and / or a publisher-generated value, for example a random number or some other generated date.
- the publisher's value is preferably transmitted in plain text and placed as a hash value in the blind signature. Are you in possession of the publisher information tion can be checked again by calculating the value of the scatter, whether the blind signature is correct and so, the authenticity of the blind signature improved.
- the generation of the blind signature is preferably based on a standard for digital signatures, for example the digital signature algorithm, or DSA for short.
- the DSA is based on the discrete logarithm in finite fields.
- the security depends essentially on the properties of the random number used by the signature issuer.
- a random value must be generated by the signature publisher for each signature. This must have sufficient entropy, be kept secret and may only be used once in the system. These requirements are critical, because if the random number is known, the secret of the signature issuer can be calculated from the signature. If the random number has a low entropy, an attacker can calculate a secret key for every possible random number and then use the public verification key to test which one is the right one.
- the eMD is preferably the result of a scatter value function from a subscriber-generated serial number and a subscriber-calculated point of an elliptic curve.
- a variant of a digital signature algorithm, or DSA for short, namely an elliptic curve cryptography, ECDSA is therefore used.
- the transmission of the DSA on elliptic curves is standardized in ANSI X9.62. This enables a high level of security with a minimal key length.
- the principle of the ECDSA is explained in Fig.2.
- the DSA is an exemplary standard for digital signatures.
- Other algorithms for example an asymmetric cryptographic method, RSA, can also be used for digital signing.
- RSA uses a key pair consisting of a private key (the secret), which is used to decrypt or sign data, and a public key, which is used to encrypt or check signatures.
- the private key is kept secret and can only be calculated from the public key with a great deal of computing effort.
- the eMD is preferably the result of a scatter value function consisting of a subscriber-generated public key and a subscriber-calculated point one elliptical curve, the subscriber-generated public key being derived from the subscriber-generated serial number.
- the parties involved agreed on the respective curve parameters in advance of the signing process.
- the subscriber-generated serial number remains with the subscriber as a secret (i.e. a private key) and the signature issuer is provided with a public key derived from the serial number.
- this public key is generated on the subscriber side by linking the serial number to a base point of the elliptic curve, for example a logical link or a simple mathematical operation, for example multiplication.
- parts of a monetary amount of an eMD can also be transferred from one subscriber to another subscriber, which will be explained later.
- the signature is created over the entire monetary amount of the eMD; a second participant does not automatically have the right to own the entire amount after transmitting the eMD, since knowledge of the participant-generated serial number remains hidden if only partial amounts are to be transferred.
- a method for checking a blind signature of an eMD is now also provided, the blind signature being generated in accordance with the previous method.
- the unsigned, unblended (unblended) eMD and a serial number used to generate the eMD and a signed unblended (unblended) eMD and the issuer information are obtained.
- the eMD is now calculated using the received serial number, the signed unblended eMD, the publisher information and a public key of the signature publisher.
- the blind signature can now be checked for correctness of the publisher information by receiving the (plain text) publisher information.
- the calculated eMD is compared with the received eMD and the authenticity of the blind signature is verified if the calculated eMD matches the received eMD.
- the eMD obtained is preferably the result of a scatter value function from a link between a subscriber-generated serial number and a base point and a subscriber-calculated point of an elliptic curve, a subscriber-generated public key being derived from the subscriber-generated serial number before the eMD is calculated.
- the blind signature of the eMD was created with the subscriber-generated public key instead of the subscriber-generated serial number.
- this public key is generated on the subscriber side in that the serial number is linked to a base point of the elliptic curve, for example by a logical link or a simple mathematical operation, for example by multiplication.
- parts of a monetary amount of an eMD can also be transferred from one subscriber to another subscriber, which will be explained later.
- the blind signature is nevertheless created over the entire monetary amount of the eMD.
- the subscriber-generated public key must then be provided to verify the authenticity of the eMD.
- the verification also transmits the serial number (the secret) of the eMD and if it is successfully verified, the secret is vented and the monetary amount can be redeemed - similar to DigiCash. Now it is often desirable to share the eMD and only hand over partial amounts of the signed eMD.
- a method for checking a blind signature of an eMD is now provided for this purpose, the blind signature also being generated according to the previously described method.
- the eMD is received; a subscriber-generated public key used to generate the eMD; a signed unblended eMD; a monetary portion of the eMD; a (real) signature via a link between the monetary component and another participant-generated public key; the subscriber-generated secret; and the publisher information.
- the monetary amount is a fraction of the total monetary amount associated with the eMD. This monetary partial amount can take on any value, it can be out of round and / or it can be the change in a payment process.
- the subscriber-generated serial number is now intentionally used (the secret) should not be transferred for review to prevent the entire amount of the eMD from being redeemed.
- a new (further) secret is generated on the subscriber side, which is different from the subscriber-generated serial number.
- This subscriber-generated secret is transmitted for checking instead of the subscriber-generated serial number.
- another public key on the subscriber side is derived from this secret. This derivation is, for example, a mathematical operation or a logical combination of the subscriber-generated secret with a base point (generator point) or an alternative agreed value.
- the further public key is calculated from the subscriber-generated secret received.
- the agreed value for example a base point, is used for this.
- the signature is calculated from the combination of the monetary partial amount and the calculated further public key.
- the (real) Sig can be calculated naturally and can be compared with the (real) signature received.
- the partial amount is authentically signed here, that is, without additional blinding, since otherwise a recipient of the partial amount cannot verify the authenticity and the correct derivation.
- the eMD is calculated using the subscriber-generated public key, the signed uncovered eMD, the publisher information and a public key of the signature publisher. Finally, the calculated eMD is compared with the received eMD and the authenticity of the blind signature is verified if the calculated eMD matches the received eMD. During this calculation and verification, the participant-generated serial number of the eMD cannot be concluded, so that the blind signature can be checked, but the full monetary amount of the eMD cannot be decrypted. Only the one with the real signature The confirmed partial amount can be transferred and used by the recipient (participant, test body).
- the verification is preferably carried out by the signature publisher or by a test body different from the signature issuer. This can be seen as a significant advantage of the procedure, because the participant is not forced to have his eMD checked by the signature issuer, which means that less conclusions can be drawn about the payment behavior of a participant and anonymity is increased.
- the publisher information is preferably also verified during the checking. In this way it can be determined whether the publisher information in the eMD has been changed and whether an attempt at manipulation has been made.
- the blind signature was preferably generated with an ECDSA, with the curve parameters of the elliptical curve agreed in the ECDSA being provided for checking the blind signature.
- a payment system for transmitting an electronic coin data record between at least two participants comprises a first participant for generating an unsigned, blinded eMD; a signature issuer for generating a blind signature according to the previously described method and a second participant for receiving the generated eMD, a signed unblended eMD and a serial number used for generating the eMD.
- the second participant checks the received generated eMD, the signed unblended eMD and the serial number used to generate the eMD using the previously described checking method.
- the eMD is preferably the result of a scatter value function from a link between a subscriber-generated public key and a subscriber-calculated point.
- the subscriber-generated public key is derived from the subscriber-generated serial number. In this way, the participant-generated serial number is not sent, but a public key derived from it, which enables an eMD to be split.
- the object is achieved by a method for obtaining a blind signature for an electronic coin data record, eMD, in a subscriber.
- This procedure comprises the steps of: generating a public key from a subscriber-generated serial number by the subscriber; Generating an eMD using the generated public key by the subscriber; Blending the generated eMD to obtain a blended unsigned eMD by the participant; Sending the blinded unsigned eMD from the subscriber to a signature publisher; The subscriber receiving a signed, blinded eMD from the signature publisher; and removing the bezel to obtain a signed unblanked eMD by the subscriber.
- the subscriber-side generation of the public key from a subscriber-generated serial number by the subscriber has already been explained several times.
- a value already agreed in the procedure between the participants, the signature issuer and / or the testing authority is used.
- the value is a base point of the elliptic curve.
- This agreed value is logically linked to the subscriber-generated serial number, for example via a logical link, such as AND; OR; XOR; NAND; NOR, or via a simple mathematical operation, for example a multiplication or an addition.
- the step of generating the eMD preferably comprises the steps of: calculating a point of an elliptical curve using agreed curve parameters; Linking the calculated point with the generated public key; Calculate a scatter value function from the combination of the calculated point and the generated public key, the result of the scatter value function being the eMD.
- the derived public key is now used to obtain the blind signature instead of the subscriber-generated serial number. This subscriber-generated serial number is therefore secret for the signature publisher and remains secret. This method makes it possible that the eMD does not have to be transferred between participants with its full monetary amount (maximum amount of the eMD), but that any partial amounts can also be derived and transferred from the full monetary amount.
- the signed, blinded eMD obtained is a signed, blinded eMD that is expanded with a publisher's information.
- the publisher information used to expand the unsigned, blinded eMD is the result of a scatter value function with a publisher, the publisher value being sent as the publisher information and being part of the blind signature.
- the publisher value is preferably worth a time, an identification of the publisher and / or a publisher-generated value.
- the publisher information is obtained together with the expanded, signed, blinded eMD, the publisher information preferably being provided as independent information, independently of the signed, blinded eMD.
- This publisher information and the corresponding expansion of the signed, blended eMD have already been described in detail above. Reference is expressly made to this description.
- the publisher information thus serves to make blind signing more transparent, since (non-manipulable) non-manipulable, non-secret publisher information becomes part of the blind signature (and can be checked).
- a method for deriving a monetary partial amount of a signed, blinded eMD in a subscriber.
- the eMD is preserved according to the procedure described above.
- This deriving method comprises the steps: generation by the subscriber of a subscriber-generated secret and a further public key from the subscriber-generated secret; Determination of a partial monetary amount of the eMD; and calculating a signature via a link from the monetary partial amount and the further public key.
- the partial amount can be determined arbitrarily. It can be the change in a payment transaction or it can be any value.
- the subscriber-generated secret is different from the subscriber-generated serial number and is used instead of the serial number in order to transfer monetary amounts between participants.
- only a partial amount can advantageously be transferred instead of the full monetary amount of the eMD.
- an already blindly signed eMD is set up for the transfer of monetary partial amounts.
- the generation of the participant-generated secret can either be done by a first participant if he wishes to divide a partial amount from the total amount. This generation is preferably carried out by a further subscriber who has not generated the subscriber-generated serial number. This means that a partial amount can also be divided by any other participant who has legitimately acquired the eMD. In this way, eMDs can be shared, but the blind signature of the eMD remains valid. In addition, payment processes using eMD can now be enabled, in which the eMD recipient (paid) can send back a separate eMD, for example comparable to change or change in cash transactions or as part of a discount campaign.
- the further public key is preferably a link between a base point of the elliptic curve and the subscriber-generated secret. This linkage is, for example, a logical linkage or a simple mathematical operation, as a result of which the computation effort is minimized without endangering the security and manipulation resistance of the method. As an alternative to the base point, another agreed value can be used.
- the derivation further comprises generating a second subscriber-generated secret and a second further public key from the second subscriber-generated secret by the subscriber or another subscriber; Determination of a second monetary partial amount of the eMD, the second monetary partial amount being smaller than the monetary partial amount and calculation of a second signature by linking the monetary partial amount and the second further public key.
- the second subscriber-generated secret can be generated by the first subscriber if he would like to further split a partial amount. This generation is preferably carried out by a participant who has not generated the (first) participant-generated secret. This means that the partial amount can also be shared by any other participant. In this way, eMDs can be shared several times, although the blind signature remains valid.
- the second partial amount can be set as desired, i.e. it can be any value less than the (first) partial amount.
- the second further public key is preferably a link between a base point of the elliptic curve and the second subscriber-generated secret.
- This link is, for example, a logical link or a simple mathematical operation, as a result of which the computation effort is minimized without endangering the security and manipulation resistance of the method.
- another agreed value can be used as an alternative to the base point.
- a method for checking a blind signature of an eMD is provided, the blind signature being obtained in accordance with the method described above. Verification includes the following steps: Obtaining the eMD, a serial number used to generate the eMD, and a signed uncovered eMD. Since the serial number and not the public key derived from it is received, the entire monetary amount of the eMD can now be checked, decrypted and transmitted. The transfer of the serial number generally enables the disposal of the entire monetary amount.
- the public key is calculated from the subscriber-generated serial number.
- the eMD is calculated using the calculated public key, the signed uncovered eMD and a public key of the signature issuer. It should be noted that the calculated public key is used for verification instead of the serial number, because in this aspect of the invention the serial number remains hidden from the signature issuer and the blind signature is created via the public key. The calculated public key must then be used to check the signature.
- the calculated eMD is compared with the received eMD and the authenticity of the blind signature is verified if the calculated eMD matches the received eMD.
- a further method for checking a blind signature of an eMD in which the blind signature was also generated / obtained according to a previously described method.
- the further method comprises: obtaining the eMD, the subscriber-generated public key, a signed uncovered eMD, a monetary partial amount of the eMD, a signature via a link from the monetary partial amount and another subscriber-generated public key; and a participant generated secret.
- the partial amount is preferably the above-mentioned (first) partial amount of the total monetary amount.
- the further public key is calculated from the subscriber-generated secret; calculating the signature via the link from the monetary partial amount and the calculated further subscriber-generated public key; comparing the calculated signature with the received signature and verifying the authenticity of the monetary partial amount; and the calculation of the eMD already described above using the received public key, the signed unblended eMD and a public key of the signature issuer, so that - as already mentioned - the calculated eMD can be compared with the received eMD and the authenticity of the blind signature is compared if the calculated eMD matches the received eMD.
- the further method thus enables the authenticity of the eMD to be verified using the entire amount of money, as it was (blindly) signed by the signature issuer.
- the partial amount can also be verified and used for other payment transactions.
- the subscriber-generated secret need not have been generated by the subscriber who generated the serial number, as a result of which a transmitted eMD can be further divided without having to be re-signed.
- a further method for checking a blind signature of an eMD in which the blind signature was also generated / obtained according to a previously described method.
- the still further method comprises the procedural steps: obtaining the eMD, the subscriber-generated public key, a signed unblended eMD, a monetary partial amount of the eMD, a signature via a link from the monetary partial amount and another subscriber-generated public key, the further subscriber-generated public key ; a second partial monetary amount of the eMD; a second signature via a combination of the second monetary partial amount and a second further subscriber-generated public key; and a second subscriber-generated secret.
- the second partial amount is preferably the above-mentioned second partial amount of the total monetary amount, which is smaller than the (first) partial amount.
- the second further public key is calculated from the second subscriber-generated secret; calculating the second signature via the link from the monetary partial amount and the calculated second further subscriber-generated public key; comparing the calculated second signature with the received second signature and verifying the authenticity of the second monetary partial amount.
- the aforementioned calculation of the signature takes place via the link from the monetary partial amount and the calculated further subscriber-generated public key; comparing the calculated signature with the received signature and verifying the authenticity of the monetary partial amount; computing the eMD using the received public key, the signed uncovered eMD and a public key of the signature issuer; comparing the calculated eMD with the received eMD and verifying the authenticity of the blind signature if the calculated eMD matches the received eMD.
- the (first) monetary partial amount and the (first) signature are created by a subscriber using a combination of the monetary partial amount and a further subscriber-generated public key in accordance with the derivation method described above.
- the participant does not have to be the participant who generated the serial number. This enables the eMD to be shared with the blind signature fully valid.
- the second monetary partial amount and the second signature are preferably created by a subscriber by linking the second monetary partial amount and a second further subscriber-generated public key in accordance with the derivation method described above.
- the publisher information is preferably also obtained in the receive step and this is also used in the calculate step for calculating the eMD.
- the verification is preferably carried out by the signature issuer or a testing entity other than the signature issuer, for example also another participant.
- the publisher information is preferably also verified during the checking.
- the blind signature is preferably generated with an elliptical curve signing algorithm, ECDSA, and agreed curve parameters of the elliptical curve are provided for checking the blind signature.
- a payment system for transmitting an electronic coin data record, eMD is provided between at least two participants.
- the payment system comprises a first participant for obtaining a blind signature for an eMD according to the described receiving method; a signature editor to generate the blind signature and a second participant to receive the generated eMD, a signed unblended eMD and a serial number used to generate the eMD.
- the payment system also includes the second participant checking the received generated eMD, the signed unblended eMD and the serial number used to generate the eMD. It is provided that the second participant generates the secret and derives the partial amount and the one belonging to the partial amount. This partial amount is used in a payment process where the blind signature via the eMD remains valid.
- An eMD is in particular an electronic data record that represents a monetary amount and is also colloquially referred to as a “digital coin” or “electronic coin”.
- the right to this monetary amount changes in the process from a first account to another account.
- a monetary amount is understood to be a digital amount that can be credited to an account of a financial institution.
- the eMD therefore represents cash in electronic form.
- the eMD differ significantly from electronic data records for data exchange or data transfer because, for example, a classic data transaction takes place on the basis of a question-answer principle or on intercommunication between the data transfer partners.
- EMD are characterized by uniqueness, uniqueness and security features (signatures, encryption).
- an eMD contains all the data required for a receiving entity with regard to verification, authentication and forwarding to other entities. Intercommunication is therefore generally not necessary with this type of data record. Exceptions are the change payment transactions.
- a security element can be provided in a subscriber's terminal for transmission.
- a security element is preferably a special software, in particular in the form of a secure runtime environment within an operating system of a terminal device, English Trusted Execution Environments, TEE.
- the security element is designed, for example, as special hardware, in particular in the form of a secured hardware platform module, English Trusted Platform Module, TPM or as an embedded security module, eUICC, eSIM.
- TPM English Trusted Platform Module
- eUICC embedded security module
- eSIM embedded security module
- the security element provides a trustworthy environment and, for example, also secures a machine-2-machine, M2M application.
- the communication between two end devices or security element can take place contactlessly or with contacts and can be designed as a secure channel.
- This is the exchange of the eMD with cryptographic keys, for example a session key negotiated for an exchange of coin data sets or a symmetrical or asymmetrical pair of keys.
- Any terminal processing a program code with user input output is disregarded as a terminal, for example a PC, a smartphone, a tablet.
- the terminal can also be part of an M2M environment, for example a machine, tool, machine or container and vehicle understood.
- a terminal device according to the invention is thus either stationary or mobile.
- M2M stands for the (fully) automated exchange of information between these end devices, for example using the Internet and the corresponding access networks, such as the mobile network.
- Fig.l principle of the Digi-Cash method with blind signatures 2 shows a known example for creating and checking a signature using ECDSA;
- FIG. 3 shows an exemplary embodiment of a process flow diagram of a signature generating method according to the invention
- FIG. 4 shows an exemplary embodiment of a method sequence for generating and checking a blind signature for an eMD according to the invention
- 5 shows an embodiment of a process flow diagram of a method according to the invention
- FIG. 6 shows an exemplary embodiment of a method sequence for generating and checking a blind signature for an eMD with an entire monetary amount and monetary partial amounts divided therefrom according to the invention.
- FIG. 7 shows an exemplary embodiment of a method sequence for generating and checking a blind signature for an eMD with an entire monetary amount and monetary partial amounts divided therefrom according to the invention.
- Fig. 1 shows the principle of the "DigiCash" method with blind signatures.
- a first participant (buyer) TI, a second participant (seller) T2 transmits a coin signed by the signature issuer H.
- the first participant TI exchanges a monetary amount with a digital coin, the unique identifier, for example a serial number, of which he generates himself in step 1.
- the unique identifier is encrypted in step 2 and transmitted to the signature issuer H together with the value of the digital coin in step 3.
- the signature publisher H confirms the validity of the digital coin by signing the encrypted unique identifier in step 4 and sends the digital coin thus signed back to the first subscriber TI in step 5.
- step 6 the first participant TI decrypts the signature and in step 7 transmits (pays) the digital coin consisting of the unique identifier and the decrypted signature to the second participant T2.
- the second subscriber T2 requests the signature issuer H to redeem the digital coin in step 8.
- the signature issuer H verifies the authenticity of the digital coin using the signature in step 9 and thus enables the monetary amount of the digital coin to be redeemed in step 10.
- 2 shows a method sequence 100 consisting of a method S for providing a signature between a first subscriber TI or its first end device M1 and a publisher H and a method P for checking the created signature between a first subscriber TI and a PI is shown.
- step 101 all involved instances TI, H and P agree on the curve parameters, f, p, a, b, G, n, h of an elliptical curve.
- These curve parameters describe a curve used, where f is the order of the body on which the curve is defined; p is the specification of the basis used; a, b two body elements that describe the equation of the curve; G is the generator point (generator point, base point) of the curve; n, is the order of point G; and h is the cofactor.
- H () to be used, also referred to as a hash function, for example a SHA-2 algorithm.
- step 102 the publisher H generates a cryptographic key pair d, D based on the base point G and communicates the public part D to the first participant TI and the testing entity PI in steps 103, 103 '.
- the public key part D is also referred to as a verification key D.
- the private key part d is not given out as a secret.
- step 104 the first subscriber TI generates a serial number m and links it to a monetary amount for the electronic coin data record, eMD.
- the first subscriber TI generates two integer random numbers g, i.
- step 105 the publisher H generates a random number r and calculates a point R of the curve which is transmitted to the first subscriber TI.
- step 106 the first participant TI calculates a point on the curve using equation (1):
- Point A is represented by an x coordinate A x and a y coordinate A y .
- the blind signature is regarded as confirmed and the eMD as genuine.
- FIG. 3 shows an exemplary embodiment of a process flow diagram of a signature-generating method 100 according to the invention.
- FIG. 4 shows an exemplary embodiment of a process flow for generating and checking a blind signature for an eMD according to the invention. The method in Figure 3 is explained in conjunction with Figure 4.
- the method 100 for creating a blind signature according to FIG. 3 and FIG. 4 is based on the creation of a blind signature with a corresponding check by a testing entity PI according to FIG. 2 and reflects a process sequence in an ECDSA method.
- the checking with steps 111 and 112 can also be carried out by another subscriber T2, T3, for example in order to verify the monetary amount or partial amount.
- checking PR with steps 111 and 112 can also take place between two participants T2, T3 who have not generated the serial number m of the eMD c. These participants then want to verify and transmit, for example, a total monetary amount or a partial amount derived therefrom or a second partial amount derived therefrom.
- ECDSA is only exemplary and any method for generating a blind signature, for example DAS or RSA based, can be operated with the basic idea of the invention, namely the addition of issuer information, possibly in conjunction with the derivation of monetary partial amounts.
- This is indicated by the dashed lines of steps 101 to 105 in FIG. 4, which are therefore to be regarded as optional steps.
- the repetition of the explanation of these steps 101 to 105 of FIG. 2 is therefore dispensed with, even though they are part of the inventive method when using an ECDSA method.
- step 107 the unsigned, blinded eMD c 'described with equation (3) is sent to the publisher H.
- a publisher value w is generated there in step 113.
- the publisher value w is, for example, a time stamp or a random value.
- This publisher value w is converted into publisher information u by means of a scatter value function H ().
- This scatter value function H () is preferably the scatter value function that was agreed in step 101. This simplifies the procedure with regard to compatibility and agreement of the cryptographic functions to be used.
- step 109 the extended, signed, blinded eMD s “is transmitted to the first subscriber TI together with the editor value w.
- the subscriber TI generates the eMD c and blinds it in c 'with the random number g, so that the eMD c is not known to the publisher H.
- the eMD c is also assigned a monetary maximum amount.
- the publisher H signs the blinded unsigned eMD c 'without knowing the eMD c or the serial number m. This is called blind signing.
- the publisher H adds a publisher-generated value w in the form of publisher information u.
- This publisher information u becomes an unchangeable part of the signed, blinded eMD s ”and, according to equation (13) as the publisher value w, also part of the signed, unblended eMD s.
- step 111 the unsigned unblended eMD c, the signed unblended eMD s, the subscriber-generated serial number m and the publisher value w are transmitted from the subscriber TI to the testing entity PI, T2, T3.
- the blind signature is considered to be genuine.
- FIG. 5 shows an embodiment of a process flow diagram of a signature-obtaining method according to the invention.
- FIG. 6 shows an exemplary embodiment of a method sequence for obtaining S a blind signature and also for checking PR for a blind signature for an eMD according to the invention.
- the checking method PR has three different scenarios PR1, PR2, PR3.
- the method in Figure 5 is explained in connection with Figure 6.
- the method for obtaining a blind signature according to FIG. 5 and FIG. 6 is based on the creation of a blind signature with a corresponding check by a testing body PI, T2, T3 according to FIG. 2 and reflects a procedure in an ECDSA method.
- checking PR1, PR2, PR3 with steps 111, 111 ', 111 "and 112, 112% 112" can also be carried out by another participant T2, T3, for example to verify the monetary amount or partial amount .
- checking PR1, PR2, PR3 with steps 111, 111% 111 "and 112, 112% 112" can also take place between two participants T2, T3 who have not generated the serial number m of the eMD c, for example, to verify and transfer a monetary total amount or a partial amount u derived therefrom or a second partial amount e derived therefrom. Subsequently, the testing entity PI is equated to another participant T2, T3.
- ECDSA is only an example, and any method for generating / receiving a blind signature, for example DAS or RSA-based, can be carried out with the basic idea of the invention, namely the derivation of partial monetary amounts, possibly using publisher information from the signature publisher H done. Repetition of steps 101 to 105 of FIG. 2 is therefore dispensed with, although when using an ECDSA method they are part of the method according to the invention.
- the method steps 101 to 105 of FIG. 5 and FIG. 6 are the same as the method steps 101 to 105 of FIG. 2 and reference is made to this FIG. 2 for further explanations.
- step 114 a public key M described in equation (18) is generated in the subscriber TI:
- the subscriber-generated serial number m is to be regarded as a secret and the public key G is derived using the (agreed) base point G of the elliptical curve. Alternatively, other agreed values can be used to generate the public key M.
- the first subscriber TI calculates a point on the curve using equation (1).
- the point A is represented by an x coordinate A x and a y coordinate A y .
- step 107 the unsigned, blinded eMD c ′ (M) described with equation (20) is sent to the publisher H.
- step 110 the signed, blinded eMD s' is obtained by means of equation (5).
- the subscriber TI generates the eMD c using a public key M instead of the serial number m.
- This serial number m is secret to the signature publisher H.
- FIG. 6 now shows three scenarios with which an eMD which can be divided using the signature method S obtained in FIG. 6 can be transmitted, the blind signature nevertheless remaining valid.
- non-circular amounts can now be transferred very precisely or corresponding change (change) can be generated.
- the maximum monetary amount of an eMD c could be sent from a first participant TI to a second participant T2 in the test procedure PR1.
- a partial amount u is then returned as change to the first participant TI by the second participant T2.
- the first participant TI can now further split the partial amount u and transfer the second partial amount e to the third participant T3 in the test procedure PR3: In the test procedure PR1 in FIG a second participant T2, T3 is to be redeemed.
- step 111 the unsigned, unblended eMD c, the signed, unblended eMD s and the subscriber-generated serial number m are transmitted from the subscriber TI to the testing entity PI. There, the blind signature is verified in step 112.
- the subscriber-generated public key M is first calculated using equation (23).
- the blind signature is valid and the eMD c can be used by the testing body PI, or also by the other participants T2, T3, for further payment processes.
- the eMD c obtained in equation (24) corresponds to the eMD c sent in step 111, the blind signature is considered confirmed and the eMD is genuine.
- the derivation of a partial amount u from the monetary total amount is shown first with step 115.
- the subscriber TI or another subscriber who is in possession of the eMD c
- the subscriber TI generates a secret p and a further public key P using the subscriber-generated secret p.
- the secret p is different from the serial number m.
- the further subscriber-generated key P is different from the subscriber-generated public key M.
- the subscriber-generated public key P can be obtained by multiplying it by the base point G, see equation (25):
- U is the partial amount to be derived, which is smaller than the total monetary amount of the eMD c.
- the real signature s hi is a logical OR combination of the public key P and the partial amount u. Other logical links or mathematical operations are also conceivable for creating the real signature s hi .
- step 111 the following variables are now exchanged between two participants TI, T2, T3:
- step 112 ' the authenticity of the blind signature and the authenticity of the real signature s hi can now be checked, as a result of which the partial amount u is considered to be - transmitted between the participants TI, T2, T3.
- the further public key P is first calculated using the participant-generated secret p and the agreed base point G, see equation (25).
- the blind signature is checked according to equations (7) to (9) and (24).
- the real signature is hi the calculated further subscriber-generated public key P and the partial amount u obtained, and if equation (27) matches
- the partial amount u is considered to be verified and is also transmitted by transmitting the secret p.
- the test body PI, T2, T3 is not in possession of the subscriber-generated serial number m and can therefore verify the blind signature (using the key M) but does not have the total monetary value.
- the derivation of a second partial amount e from the partial amount u is shown in step 116.
- the subscriber TI or another subscriber who is in possession of the eMD c
- the second secret q is different from the serial number m and from the secret p.
- the second further subscriber-generated key Q is different from the subscriber-generated public key M and the further ren subscriber-generated key P.
- the second further subscriber-generated public key Q can be obtained by multiplication by the base point G, see equation (28):
- Equation (28) also creates a second real signature s r for derivation 116:
- e is the second partial amount to be derived, which is smaller than the total monetary amount and which is also smaller than the partial amount u of the eMD c.
- the real signature s r here is a logical OR combination of the public key Q and the partial amount e. Other logical links or mathematical operations are also conceivable for creating the real signature s r .
- step 111 “the following variables are now exchanged between two participants TI, T2, T3:
- step 112 “ the authenticity of the blind signature, the authenticity of the real signature s hi and also the authenticity of the second real signature s r can now be checked, as a result of which the second partial amount e is considered to be - between the participants TI, T2, T3 .
- the second further subscriber-generated public key Q is first calculated using the second subscriber-generated secret q and the agreed base point G, see equation (28).
- the blind signature is checked in accordance with equations (7) to (9) and (24).
- the test body PI, T2, T3 does not have the subscriber-generated serial number m or the subscriber-generated secret p.
- the blind signature and the real signature s hi can be verified (by the subscriber-generated public keys M and P), but the test body PI, T2, T3 does not get the monetary total amount or the (first) partial amount u.
- any monetary (partial) amounts u, e can now be transferred between any participants, whereby the authenticity of the blind signature and that with the respective partial amounts u, e e connected real signatures s hi and s r can be checked.
- the receiving entity PI, T2, T3 receives full access rights to the respective partial amounts, whereby the eMD is considered to be transmitted.
- 7 shows a further exemplary embodiment of a method sequence for generating and checking a blind signature for an eMD with an entire monetary amount and monetary partial amounts divided therefrom according to the invention.
- the process sequences in FIGS. 4 and 6 were combined with one another.
- the sharing of monetary amounts according to the invention is now also possible.
- the checking process PR has three different scenarios PR1, PR2, PR3.
- the method for obtaining a blind signature according to FIG. 7 is based on the creation of a blind signature with a corresponding check by a testing entity PI according to FIG. 2 and reflects a process sequence in an ECDSA method. It should be noted that checking PR1, PR2, PR3 with steps 111, 111 ', 111 "and 112, 112% 112" can also be carried out by another participant T2, T3, for example by adding the monetary amount or partial amount to verify.
- checking PR1, PR2, PR3 with steps 111, 111% 111 "and 112, 112% 112" can also take place between two participants T2, T3 who have not generated the serial number m of the eMD c, for example to verify a monetary total amount or a portion derived therefrom or a second portion e derived therefrom and to receive it. Subsequently, the testing entity PI is equated to another participant T2, T3.
- ECDSA is only exemplary and any method for generating / obtaining a blind signature, for example DAS or RSA-based, can be carried out with the basic idea of the invention, namely the derivation of monetary partial amounts using publisher information u, w of the signature publisher H done.
- Repetition of steps 101 to 105 in FIG. 2 is dispensed with, although they are part of the method according to the invention when using an ECDSA method.
- the method steps 101 to 105 of FIG. 7 are the same as method steps 101 to 105 of FIG. 2 and reference is made to this FIG. 2 for further explanations.
- step 114 the generation of a public key M described in equation (18) in the subscriber TI is described.
- the first subscriber TI calculates a point on the curve using equation (1).
- the point A is represented by an x coordinate A x and a y coordinate A y .
- the x coordinate A x is used with the public key M as the input parameter of the hash function H () in equation (19) in order to obtain an unsigned, unblended eMD c.
- the unsigned, unblended eMD c is converted into an unsigned, blended eMD c '(M) using equation (20).
- step 107 the unsigned, blinded eMD c ′ (M) obtained with equation (20) is sent to the publisher H.
- a publisher worth w is generated there in step 113.
- the publisher value w is, for example, a time stamp or a random value.
- This publisher value w is converted into publisher information u by means of a scatter value function H ().
- This scatter value function H () is preferably the scatter value function that was agreed in step 101. This simplifies the procedure with regard to compatibility and agreement of cryptographic functions to be used.
- the unsigned, blinded eMD c ' is then expanded in accordance with equation (11) with this publisher information u in step 113.
- step 109 the extended, signed, blinded eMD s “is transmitted to the first subscriber TI together with the editor value w.
- step 110 the signed, blinded eMD s “is not blinded using equation (13).
- the subscriber TI generates the eMD c using a public key M instead of the serial number m.
- This serial number m is secret to the signature publisher H.
- the signature publisher also generates H the publisher information u, w and adds this as an integral part of the blind signature.
- eMD c simplifies the administrative work for the signature issuer H and enables a payment system with eMD c for which change can be paid or in which non-circular amounts of money can be electronically transferred.
- Fig. 7 three scenarios are now shown, by means of which a divisible eMD obtained with the signing method S shown in Fig. 7 is transmitted and the blind signature nevertheless remains valid.
- non-circular amounts can now be transferred very precisely or corresponding change (change) can be generated.
- the maximum monetary amount of an eMD c could be sent from a first participant TI to a second participant T2 in the test procedure PR1.
- a partial amount u is then returned as change to the first participant TI by the second participant T2.
- the first participant TI can now further split the partial amount u and transfer the second partial amount e to the third participant T3 in the test procedure PR3:
- test procedure PR1 of FIG. 7 it is initially shown that the entire monetary amount of an eMD c is to be checked and, if necessary, to be redeemed by a second subscriber T2, T3.
- Curve parameters and the verification key D is to check the blind signature of the eMD c, which is done, for example, by means of a test entity PI, which is not necessarily the publisher H.
- step 111 the unsigned, unblended eMD c, the signed, unblended eMD s, the subscriber-generated serial number m and the publisher information w are transmitted from the subscriber TI to the testing entity PI.
- Ren PR1 of Figure 7 is then checked whether the public key M has been changed and whether w has been changed, which is described below.
- step 112 the blind signature is verified.
- the subscriber-generated public key M is first calculated using equation (23).
- the publisher information u is obtained with equation (15) and with equation (33)
- A s G + (c ’(M) + u) D (33) it is checked whether the condition of the equations (24) are met. If the calculated eMD c matches the received eMD c, the blind signature is valid and the eMD c can be used by the testing body PI, or for example also by the other participants T2, T3, for further payment processes.
- step 115 the participant TI (or another participant T2, T3 who is in possession of the eMD c) generates a secret p and a further public key P using the participant-generated secret p.
- the secret p is different from the serial number m.
- the further subscriber-generated key P is different from the subscriber-generated public key M.
- the further public key P generated by the subscriber can be obtained by multiplying by the base point G, see equation (25).
- a real signature s hi is also created using equation (26).
- U is the partial amount to be derived, which is smaller than the total monetary amount of the eMD c.
- the real signature s hi is a logical OR combination of the public key P and the partial amount u. Other logical links or mathematical operations for creating the real signature s hi are also conceivable.
- step 111 ' the following variables are now exchanged between two participants TI, T2, T3:
- step 112 ' the authenticity of the blind signature and the authenticity of the real signature s hi can now be checked, as a result of which the partial amount u is considered to be - transferred between the participants PI, TI, T2, T3.
- the further public key P is first calculated using the subscriber generated secret p and the agreed base point G, see equation (25).
- the blind signature is checked according to equations (15), (33) and (24).
- the real signature G m is calculated from the calculated further subscriber-generated public key P and the partial amount u obtained, and if equation (26) matches, the partial amount u is considered to be verified and is transmitted by the secret p.
- test body PI, T2, T3 is not in possession of the subscriber-generated serial number m and can therefore verify the blind signature (using the key M) but does not have the total monetary amount of the eMD c.
- a check is therefore carried out to determine whether the public key M has been changed, whether w has been changed and whether the real signature G m has been changed.
- step 116 the derivation of a second partial amount e from the partial amount u is shown in step 116.
- the subscriber TI (or another subscriber who is in possession of the eMD c) generates a second secret q and a second further public key Q using the second subscriber-generated secret q.
- the second secret q is different from the serial number m and from the secret p.
- the second further subscriber-generated key Q is different from the subscriber-generated public key M and the further subscriber-generated key P.
- the second further subscriber-generated public key Q can be obtained by multiplication by the base point G, see equation (28). Equation (29) also creates a second real signature s r for derivation 116.
- e is the second partial amount to be derived, which is smaller than the total monetary amount and which is also smaller than the partial amount u of the eMD c.
- the real signature s r here is a logical OR combination of the public key Q and the partial amount e. Other logical links or mathematical operations are also conceivable for creating the real signature s r .
- step 111 “the following variables are now exchanged between two participants TI, T2, T3: the eMD c
- step 112 “ the authenticity of the blind signature, the authenticity of the real signature s hi and also the authenticity of the second real signature s r can now be checked, as a result of which the second partial amount e is considered to be - between the participants TI, T2, T3 .
- the second further public key Q is first calculated using the second subscriber-generated secret q and the agreed base point G, see equation (28).
- the blind signature is checked according to equations (15), (33) and (24).
- the second real signature s r is calculated from the calculated second further subscriber-generated public key Q and the received second partial amount e and, if equation (30) matches, the partial amount e is verified and is also transmitted by the transmission of the second secret q .
- test body PI, T2, T3 does not have the participant-generated serial number m or the participant-generated secret p.
- the blind signature and the real signature s hi can be verified (by the subscriber-generated public keys M and P), but the verifier does not get the total monetary amount or the (first) partial amount u.
Landscapes
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Accounting & Taxation (AREA)
- Physics & Mathematics (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102018009950.5A DE102018009950A1 (de) | 2018-12-18 | 2018-12-18 | Verfahren zum Erhalten einer blinden Signatur |
PCT/EP2019/025439 WO2020126079A1 (fr) | 2018-12-18 | 2019-12-09 | Procédé pour obtenir une signature aveugle |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3899845A1 true EP3899845A1 (fr) | 2021-10-27 |
Family
ID=68987653
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP19824236.4A Pending EP3899845A1 (fr) | 2018-12-18 | 2019-12-09 | Procédé pour obtenir une signature aveugle |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP3899845A1 (fr) |
DE (1) | DE102018009950A1 (fr) |
WO (1) | WO2020126079A1 (fr) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112926959A (zh) * | 2021-03-26 | 2021-06-08 | 陈丽燕 | Hash-RSA盲签名的数字货币方案 |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5901229A (en) * | 1995-11-06 | 1999-05-04 | Nippon Telegraph And Telephone Corp. | Electronic cash implementing method using a trustee |
WO2006024042A2 (fr) * | 2004-08-27 | 2006-03-02 | Ntt Docomo, Inc. | Schemas de signature provisoires |
WO2006070682A1 (fr) * | 2004-12-27 | 2006-07-06 | Nec Corporation | Système de signature aveugle limitée |
-
2018
- 2018-12-18 DE DE102018009950.5A patent/DE102018009950A1/de not_active Withdrawn
-
2019
- 2019-12-09 EP EP19824236.4A patent/EP3899845A1/fr active Pending
- 2019-12-09 WO PCT/EP2019/025439 patent/WO2020126079A1/fr unknown
Also Published As
Publication number | Publication date |
---|---|
DE102018009950A1 (de) | 2020-06-18 |
WO2020126079A1 (fr) | 2020-06-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102017204536B3 (de) | Ausstellen virtueller Dokumente in einer Blockchain | |
EP3899844A1 (fr) | Procédé de génération d'une signature aveugle | |
DE102012206341B4 (de) | Gemeinsame Verschlüsselung von Daten | |
DE19804054B4 (de) | System zur Verifizierung von Datenkarten | |
DE3485804T2 (de) | Systeme zur blindunterschrift. | |
DE602005002652T2 (de) | System und Verfahren für das Erneuern von Schlüsseln, welche in Public-Key Kryptographie genutzt werden | |
DE69801668T2 (de) | Verfahren und system zum bezahlen mit elektronischem scheck | |
DE112011100182B4 (de) | Datensicherheitsvorrichtung, Rechenprogramm, Endgerät und System für Transaktionsprüfung | |
DE60104411T2 (de) | Verfahren zur übertragung einer zahlungsinformation zwischen einem endgerät und einer dritten vorrichtung | |
DE19781841C2 (de) | Verfahren zum automatischen Entscheiden der Gültigkeit eines digitalen Dokuments von einer entfernten Stelle aus | |
DE60031304T2 (de) | Verfahren zur authentifizierung von softwarebenutzern | |
EP2962439B1 (fr) | Lecture d'un attribut enregistré dans un jeton id | |
DE102017000768A1 (de) | Verfahren zum Durchführen einer Zweifaktorauthentifizierung | |
EP0383985A1 (fr) | Procédé d'identification d'abonnées ainsi que de génération et de vérification de signatures électroniques dans un système d'échange de données | |
DE60209809T2 (de) | Verfahren zur digitalen unterschrift | |
DE10143728B4 (de) | Vorrichtung und Verfahren zum Berechnen eines Ergebnisses einer modularen Exponentiation | |
EP1368929B1 (fr) | Procédé d'authentification | |
DE60212248T2 (de) | Informationssicherheitsvorrichtung, Vorrichtung und Verfahren zur Erzeugung einer Primzahl | |
DE60202149T2 (de) | Verfahren zur kryptographischen authentifizierung | |
EP2893668B1 (fr) | Procede de creation d'une instance derivee d'un support de donnees d'origine | |
EP3899845A1 (fr) | Procédé pour obtenir une signature aveugle | |
EP2730050B1 (fr) | Procédé de création et de vérification d'une signature électronique par pseudonyme | |
DE102007046102B4 (de) | Verfahren zum Schutz vor Veränderung von Daten und zur Authentifizierung des Datensenders bei der Datenübertragung durch Verwendung von Verschlüsselungsverfahren, bei denen mit Kenntnis von verschlüsselten und unverschlüsselten Daten andere Daten nicht mehr als zufällig richtig verschlüsselt werden können. | |
DE102007014971B4 (de) | Versteckte Sicherheitsmerkmale in digitalen Signaturen | |
DE102020105668A1 (de) | Verfahren und System zur elektronischen Fernsignatur |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: UNKNOWN |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20210719 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: GIESECKE+DEVRIENT ADVANCE52 GMBH |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
P01 | Opt-out of the competence of the unified patent court (upc) registered |
Effective date: 20230519 |