WO2011144247A1 - Digital signature method and apparatus - Google Patents


Publication number
WO2011144247A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
signer
signature
msgo
msg1
Application number
PCT/EP2010/057002
Other languages
French (fr)
Inventor
Liqun Chen
Original Assignee
Hewlett-Packard Development Company, L.P.
Application filed by Hewlett-Packard Development Company, L.P.
Priority to PCT/EP2010/057002
Publication of WO2011144247A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms

Definitions

  • implementations can be used with any form of digital signature technique, and with any of the anonymity schemes described above.
  • a digital signature method uses a digital signature generated using a temporary or ephemeral base value and a corresponding public key in conjunction with a DAA signature or a group signature as described above.
  • a signature of this type can be a Schnorr-type digital signature, although it will be appreciated to those skilled in the art that other such digital signature schemes can be similarly employed.
  • a suitable digital signature scheme is described in, for example, "Efficient signature generation by smart cards", C. Schnorr, in the Journal of Cryptology, 4(3):161-174, 1991, the contents of which are incorporated herein in their entirety by reference.
  • the signer chooses a random number $r \in \mathbb{Z}_q$;
  • the signer computes the challenge c and signature
  • Verification that the signature is from the sender and is on message m is effected by a verifier (who knows the public key of the signer $y$, i.e. $g^x$) by seeking to generate a value c' that should match the value of c in the signature.
  • the verifier does this as follows:
  • FIG. 3 illustrates an example of the steps that may be performed in a signer computing entity according to one implementation.
  • Each signer also has a group member credential "cre" to achieve signer anonymity, since with the values of x and cre, the signer can create a DAA signature or group signature, which can be verified without the value PK.
  • a challenge value c = H1(g, h0, h1, Y, T, Z) and where Z denotes some other part of the signature used in either the DAA signature or the group signature.
  • the final signature includes the values (Y, c, s, Z) on the message m which is comprised of a first message part MSG0 and a second message part MSG1.
  • the values (c, s) are also part of the DAA signature or group signature.
  • the following steps may be performed in an implementation of the verification method by a verifier computing entity.
  • step 409 it is determined whether the following equation holds true.
  • c = H1(g, h0, h1, Y, T, Z)
  • the verifier can first perform the validation procedure described above with reference to Figure 4, in order to verify the validation of each signature. Otherwise, if either of the two signatures being compared were invalid, then finding the linkage or the identity of the signer would not
  • this shows an implementation of a method that is first able to determine that two received messages relate to the same subject or topic, i.e. that the first message part MSG0 of the first received message m1 is the same as the first message part MSG0 of the second received message m2.
  • the verifier computing entity receives a first message m1 in step 501, and a second message m2 in step 503.
  • the verifier computing entity may (or may not) have already processed these messages as shown in the implementation of Figure 4 (i.e. to first determine that each signature is valid).
  • in step 505 the verifier computing entity uses the temporary base value b of the first received message m1 and the temporary base value b of the second received message m2 to determine whether the first message part MSG0 of the first received message m1 is the same as the first message part MSG0 of the second received message m2.
  • the verifier computing entity is able to determine using the temporary base values b whether or not two messages relate to the same subject or topic. In some applications this procedure alone can be used to provide useful information, such as how many votes have been received on a certain ballot, or how many reviews have been received against a certain book.
  • Figure 5b shows an implementation of a method that is able to determine that two received messages have been signed by the same signer computing entity.
  • the verifier computing entity receives a first message m1 in step 511, and a second message m2 in step 513.
  • the verifier computing entity may (or may not) have already processed these messages as shown in the implementation of Figure 4 (i.e. to first determine that each signature is valid).
  • the verifier computing entity determines whether the first and second received messages m1, m2 have been signed by the same computer signing entity, based on the temporary base value b and the temporary public key Y of the first received message m1 and the temporary base value b and the temporary public key Y of the second received message m2.
  • the verifier computing entity compares the values b and Y of message m1 with the values b and Y of message m2, step 515.
  • the verifier determines whether the values b and Y of message m1 match the values b and Y of message m2. If the signatures of messages m1 and m2 have the same values of b and Y, i.e. the temporary base values and temporary public keys match, this provides an indication that messages m1 and m2 have been signed by the same signer, step 519, such that the verifier computing entity can then take appropriate action.
  • the action taken by a verifier computing entity can vary depending on a particular application.
  • the verifier computing entity may decide to ignore any messages that have been received from a signer that has signed twice, or the verifier computing entity may decide to only take one signature into account and ignore the remaining one (or remaining ones if multiple messages have been signed by the same signer).
  • the temporary base values b of the first and second messages m1, m2 enable the verifier computing entity to determine that the first and second messages m1, m2 relate to the same subject or topic, while the temporary public keys Y of the first and second messages m1, m2 enable the verifier computing entity to determine that the messages m1, m2 have been signed by the same signer computing entity.
  • if the two signatures have the same value of b and Y, the verifier computing entity is able to determine that these two signatures are signed by the same signer, but cannot determine the identity of the signer.
  • a signer computing entity signs first and second messages m1, m2, such that the first and second messages m1, m2 each have the same first message part MSG0 but have different second message parts MSG1, (for example the first message m1 having a second message part MSG1 a and the second message m2 having a second message part MSG ), there will be one digest value h0, two digest values h1, two temporary base values b and two temporary public key values Y.
  • Y b R x .
  • the value of the public key PK of the signer can be computed in step 615 as follows:
  • the first message part MSG0_1 of the first message m1 will differ from the first message part MSG0_2 of the second message m2 (i.e. MSG0_1 relating to "review on Handbook of Applied Cryptography" and MSG0_2 relating to "review on Digital Signature Techniques"). It will be appreciated that such a scenario is a legitimate signature procedure by the signer, and as such the unlinkability of the two signatures is a desirable result.
  • the implementations described above have the advantage of enabling a malicious signing behaviour by a signer to be detected, and where necessary the identity of the malicious signer to be determined.
  • the digital signature scheme described in the implementations above can form part of an anonymous digital signature scheme, such as a group signature scheme or a direct anonymous attestation (DAA) scheme.
  • the first and second message parts MSG0, MSG1 may be used as a replacement to the basenames used in DAA (i.e. in place of the basenames of DAA).
  • Such an implementation involves the computing of a challenge c as described in further detail later in the application.
  • the first message part and the second message part MSG0, MSG1 may be used alongside, or in parallel to the basenames, i.e. rather than being a replacement of the basename.
  • Such an implementation may be used when the basename might still need to play its own role of the user-controlled linkability.
  • Such an implementation involves the computing of a challenge c as described in further detail later in the application.
  • the following is an example of an implementation where the first and second message parts MSG0, MSG1 are used as replacements to the basenames in DAA.
  • FIG. 7 shows the steps performed by a signing computing entity during a signing procedure in such an implementation, where BSN is a basename of a DAA scheme.
  • a value X is computed, where:
  • $X = h^x$, where x is the private key SK of the signer.
  • a value R is computed, where:
  • $R = h^r$, where r is a random number.
  • Figure 8 shows the steps performed during verification by a verifier computing entity in relation to a message signed by a signer computing entity as described in Figure 7.
  • If the equation does not hold, the signature is deemed invalid, step 809.
  • an implementation can have either or both of the basename and MSG0/MSG1.
  • This implementation enables a flexible threshold signature verification to be built. For example, an arbitrary verifier can find out how many signers have signed a certain event MSG0 without revealing who they are. Based on the total number of second message parts MSG1s or the number of positive or negative second message parts MSG1s, the verifier can decide whether the result passes a threshold or not.
  • the implementations described above differ from a basename of a verifier in the DAA scheme in that the implementations provide a message specific signature, instead of a signature specific to a verifier's input.
  • the implementations described above therefore break the anonymity of a malicious signer, which is not otherwise possible in DAA.
  • Figure 9 shows an implementation of digital signature apparatus, and in particular a signer computing entity apparatus 901.
  • the signer computing entity apparatus 901 is adapted to provide a digital signature by which the signer computing entity is able to perform a one-time anonymous signature on a message m.
  • the signer computing entity apparatus 901 comprises a partitioning unit 903 adapted to partition the message m into a first message part MSG0 and a second message part MSG1.
  • a mapping unit 905 is adapted to map the first message part MSG0 with a first hash function H0 to form a first digest h0, and map the second message part MSG1 with a second hash function H1 to form a second digest h1.
  • a combining unit 907 is adapted to combine the first digest h0 and the second digest h1 to form a temporary base value b.
  • a forming unit 909 is adapted to form a temporary public key Y.
  • the public key Y may be formed from the temporary base value b and the secret key SK.
  • a signing unit 911 is adapted to sign the message m using the temporary base value b and the temporary public key Y (which is based on the secret key SK).
  • Figure 10 shows an implementation of digital signature apparatus, and in particular a verifier computing entity apparatus 1001.
  • the verifier computing entity apparatus 1001 is adapted to determine whether first and second messages have the same first message part MSG0, and comprises a receiving unit 1003 adapted to receive a first message m1 and a second message m2 which have been signed using a signer computing entity apparatus, for example an apparatus as described in Figure 9 above.
  • the verifier computing entity apparatus 1001 comprises a processing unit 1005 adapted to determine whether the first message part MSG0 of the first received message m1 is the same as the first message part MSG0 of the second received message m2, based on the temporary base value b of the first received message m1 and the temporary base b of the second received message m2.
  • the verifier computing entity apparatus 1001 may be further configured such that the processing unit 1005 is adapted to determine whether the first and second received messages m1, m2 have been signed by the same computer signing entity, based on the temporary public key Y of the first received message m1 and the temporary public key Y of the second received message m2.
  • the verifier computing entity apparatus 1001 may be further configured such that the processing unit 1005 is adapted to determine the public key PK of the signer computing entity if a second message part MSG1 a of the first received message m1 differs from a second message part MSG1R of the second received message m2.
  • the processing unit 1005 may be adapted to determine the public key PK of the signer computer entity by computing:
  • the implementations described above also have the advantage of enabling a flexible threshold signature scheme to be provided for free, for example without a trusted threshold share distributor.

Abstract

The digital signature method and apparatus enable a message to be signed anonymously but only once. The examples described in the various implementations offer a digital signature scheme that allows a verifier to detect that two signatures are from the same signer. The implementations offer a digital signature scheme that allows the verifier to determine the identity of the signer where two signatures are from the same signer, such that if any signer acts maliciously, i.e. submits two signatures on the same subject, the anonymity of the signer will be broken because the public key of the signer can be computed from the two signatures.

Description

DIGITAL SIGNATURE METHOD AND APPARATUS
Background
Electronic transactions frequently involve the use of digital signatures. One feature of such digital signatures is the privacy of the signer.
The privacy of a signer in a digital signature scheme usually includes two properties. One is signer anonymity, which means that a digital signature does not reveal the identity of the signer. The other is signature unlinkability, which means that it is not possible to tell whether two signatures have been signed by the same signer or not.
There are several known methods of providing user privacy. These include ring signatures, group signatures and a scheme known as Direct Anonymous Attestation (DAA). Figure 1 shows how the degree of user privacy for each of these schemes compares to a standard public key, i.e. which has no user privacy. As can be seen DAA provides a more robust version of user privacy compared to the others, since it provides both an anonymous and unlinkable digital signature scheme in which the anonymity and unlinkability properties do not rely on a fully trusted third party.
Sometimes, however, this signer privacy feature can be too strong, because a malicious but still legitimate signer can abuse the system by creating multiple signatures in the way that a verifier would think that the signatures might have been created by multiple signers.
This can be a problem in applications whereby a legitimate user is asked to make a signature on a certain message anonymously, but once only. The following are examples of such applications:
In an e-commerce system, each customer may be asked to provide a single set of comments on particular goods or a particular buyer/seller, for example when recommending certain goods or a certain buyer/seller in eBay or Amazon.
In an e-voting system, each voter is allowed to make a single vote to an arbitrary voting result according to his own choice.
In an e-review system, each reviewer is required to make a single review report in relation to a certain item (for example a paper or a book).
It will be appreciated that user privacy can cause problems in such applications, because if a signer is malicious but still legitimate, the signer can successfully submit multiple signatures and pretend they have come from multiple users.
It follows that anonymity/unlinkability and the provision of multiple signing controls are conflicting properties.
Brief description of the drawings
For a better understanding of the present invention, and to show more clearly how it may be carried into effect, reference will now be made, by way of example only, to the following drawings in which:
Figure 1 illustrates how the degree of user privacy varies for different signature schemes;
Figure 2a illustrates an example of an implementation of a signed message;
Figure 2b illustrates the steps performed by a signer computing entity according to an example of an implementation;
Figure 3 illustrates the steps performed by a signer computing entity according to an example of an implementation;
Figure 4 illustrates the steps performed by a verifier computing entity according to an example of an implementation of validating a single signature;
Figure 5a illustrates the steps performed by a verifier computing entity according to an implementation of validating two signatures;
Figure 5b illustrates the steps performed by a verifier computing entity according to another implementation of validating two signatures;
Figure 6 illustrates the steps performed in an implementation for deriving the public key of a signer;
Figure 7 illustrates the steps performed by a signer computing entity according to an example of another implementation;
Figure 8 illustrates the steps performed by a verifier computing entity according to an example of another implementation of validating a single signature;
Figure 9 illustrates an example of an implementation of a signer computing entity apparatus; and
Figure 10 illustrates an example of an implementation of a verifier computing entity apparatus.
Detailed description
The implementations described below relate to a digital signature method and apparatus and in particular, but not exclusively, to a digital signature method and apparatus that enables a message to be signed anonymously but only once. The examples described in the various implementations offer a digital signature scheme that allows a verifier to detect that two messages relate to the same subject or topic, and that two signatures are from the same signer. The implementations described below also offer a digital signature scheme that allows the verifier to determine the identity of the signer where two signatures are from the same signer. As such, if a signer acts maliciously, i.e. submits two signatures on the same subject, the anonymity of the signer will be broken because the public key of the signer can be computed from the two signatures. However, in circumstances where a signer has not acted maliciously, the anonymity of the signer remains intact.
Before discussing the different examples of the implementations, an explanation will first be given of three types of anonymous signature schemes as follows:
1. Ring signatures. A ring signature convinces an external verifier that a message has been signed by one of a number of possible independent signers without allowing the verifier to identify the signer. Thus, if a single signer creates two signatures, from the point of view of a verifier these two signatures could have been signed by any one or two signers within the signer ring. As such, it is not possible to determine whether a malicious signer has anonymously signed a message more than once.
2. Group signatures. If a single group member creates two signatures, a group manager could in theory determine that this has occurred, since the group manager has authorisation rights to identify any signer from his signature.
However, in many applications, potential problems can arise as follows. For example, a super manager can be a bottleneck because the super manager can break signer privacy. Also, such a super manager is most likely to be operating "offline", and therefore only available when an actual dispute occurs. However, since multiple signing is not detectable, nobody will ever report such a "dispute" for the super manager to investigate.
3. Direct Anonymous Attestation (DAA). DAA provides a stronger scheme of user privacy compared to the ring signature scheme and group signature scheme described above, but as a consequence also has the largest problem with respect to multiple signing controls. If a single signer creates two signatures by using two different basenames, from the point of view of any third party (including the DAA issuer) these two signatures could have been signed by any one or two signers within the whole set of DAA signers associated with the same DAA issuer.
A conventional signature scheme based on a public key operates as follows:
Let the private key of a signer be x.
Let the public key of the signer be y,
From the point of view of a verifier who receives a message m signed by a public key y, the signature s equals: s = Sign(x, m).
The verifier can determine whether the signature is valid with respect to y by checking:
1/0 = Verify(y, m, s), where "1" indicates accept and "0" reject.
Now consider that the signer is part of a group, the group having a group public key Gy and the signer, say i, within that group having a group membership private key x_i. If a verifier receives a message signed by a signer from that group, i.e. (m, s, Gy), where: s = GSign(x_i, m), and
1/0 = GVerify(Gy, m, s), then the message is anonymously signed to the extent that a verifier cannot tell who signed the message, only that someone from that group signed the message.
Figure 2a shows an example of an implementation for providing signing controls on a message m, such as multiple signing controls. For certain applications, for example where each signer is asked to make a single signature on a message m, the signed message m is partitioned into first and second parts. A first part MSG0 relates to a message title (or message identifier) and the second part MSG1 relates to the message body.
For example, in an e-commerce application, the first message part MSG0 could relate to a subject such as "review on Handbook of Applied Cryptography", while the second message part MSG1 could relate to a response randomly created by a particular signer. In another e-commerce application, the first message part MSG0 could relate to a subject such as "comment on GOODS 1234", while the second message part MSG1 could relate to a comment generated by a particular customer. In an electronic voting system the first message part MSG0 could relate to a subject such as "Gloucestershire Council Vote 2010", while the second message part MSG1 could be the vote listed by a particular signer. It will be appreciated that these are merely examples, and that the implementations described herein can be used with any application whereby it is desirable to be able to determine whether a message has been signed by the same party two or more times, and/or to identify the signer in a situation where a particular message has been signed by the same signer two or more times.
The first message part MSG0 can be used as a form of index to a particular message subject, while the second message part MSG1 can be used as a distinguishing symbol of a signature.
Referring to Figure 2b, step 201 shows how a message m to be signed is partitioned into a first message part MSG0 and a second message part MSG1. The first message part MSG0 is mapped using a first hash function H0 to form a first digest h0, step 203, and the second message part MSG1 is mapped using a second hash function H1 to form a second digest h1. The first digest h0 and second digest h1 are combined in step 207 to form a temporary base value b (the temporary base value b being a form of ephemeral base value or session base value). In step 209 a temporary public key PK is formed. The message m is signed using the temporary base value b and the temporary public key Y, step 211.
Further details of this implementation will be described below, together with details of how a verifier computing entity is able to determine that a message has been signed twice by the same signer, and how the identity of a signer may be identified.
It is noted that the implementations can be used with any form of digital signature technique, and with any of the anonymity schemes described above.
According to an embodiment, a digital signature method uses a digital signature generated using a temporary or ephemeral base value and a corresponding public key in conjunction with a DAA signature or a group signature as described above. A signature of this type can be a Schnorr-type digital signature, although it will be appreciated by those skilled in the art that other such digital signature schemes can be similarly employed. A suitable digital signature scheme is described in, for example, "Efficient signature generation by smart cards", C. Schnorr, in the Journal of Cryptology, 4(3):161-174, 1991, the contents of which are incorporated herein in their entirety by reference.
According to this signature scheme, there are two large primes p and q selected such that q | p-1 (whereby q | p-1 means that q is a factor of p-1, i.e. for an integer k, the equation kq = p-1 holds), which are published with an element g of (Z/pZ)* of order q. A signer with private key x and public key y = g^x signs a message m as follows:
• The signer chooses a random number r ∈ Z_q;
• The signer computes the challenge c and signature s:
c = Hash(g^r, m)
s = r + xc
• The signer outputs (c, s) as its signature on message m.
Verification that the signature is from the sender and is on message m is effected by a verifier (who knows the public key of the signer y, i.e. g^x) by seeking to generate a value c' that should match the value of c in the signature.
The verifier does this as follows:
• The verifier first computes:
Figure imgf000010_0001
c' = Hash(g^r, m)
where m is the received message
• The verifier then compares c' and c which, if equal, proves that the message m was signed by the party having the public key mod p.
Figure 3 illustrates an example of the steps that may be performed in a signer computing entity according to one implementation. Let G = <g> be a group of large prime order q, wherein each signer has a public key PK = g^x in G and the corresponding private key SK is the integer x such that 1 < x < q. Each signer also has a group member credential "cre" to achieve signer anonymity, since with the values of x and cre, the signer can create a DAA signature or group signature, which can be verified without the value PK.
In step 301 the first message part is mapped using a first hash function H0 to compute a first digest h0, where: h0 = H0(MSG0) and where H0: {0, 1}* -> G.
In step 303 the second message part is mapped using a second hash function H1 to compute a second digest h1, where: h1 = H1(MSG1) and where H1: {0, 1}* -> {0, 1}^{|q|} (where the value |q| is the bit length of q).
In step 305, an element b of G is computed (b being a temporary or ephemeral base value) as: b = g^{h1} · h0
In step 307, a temporary public key Y is computed, where: Y = b^x = (PK)^{h1} · (h0)^x and where x is the private key SK of the signer.
In step 309, a commitment value T is computed, where: T = b^r and where r is a random number.
In step 311, a challenge value c is computed, where: c = H1(g, h0, h1, Y, T, Z) and where Z denotes some other part of the signature used in either the DAA signature or the group signature.
Then, in step 313 the signature s is computed as: s = r + cx
In the implementation of the signing method described above, the final signature includes the values (Y, c, s, Z) on the message m which is comprised of a first message part MSG0 and a second message part MSG1. The values (c, s) are also part of the DAA signature or group signature.
Using the signature that has been generated according to the implementation shown in Figure 3, the following steps may be performed in an implementation of the verification method by a verifier computing entity.
Referring to Figure 4, the method steps describe an implementation of a procedure for verifying whether or not the signature of a signer is valid.
In step 401 the first part of the received message is mapped using a first hash function H0 to compute a first digest h0, where: h0 = H0(MSG0)
In step 403, the second part of the received message is mapped using a second hash function H1 to compute a second digest h1, where: h1 = H1(MSG1)
In step 405, an element b of G is computed (b being a temporary or ephemeral base value), where: b = g^{h1} · h0
In step 407, a commitment value T is computed, where: T = b^s · Y^{-c}
Then in step 409, it is determined whether the following equation holds true: c = H1(g, h0, h1, Y, T, Z)
If the equation holds, then the signature s is deemed to be valid, step 411. Otherwise, if the equation does not hold, the signature s is deemed to be invalid, step 413. Thus, in order to determine whether two signatures were signed by the same signer or not, and/or to find the identity of the signer if they were (as will be described below), the verifier can first perform the validation procedure described above with reference to Figure 4, in order to verify the validity of each signature. Otherwise, if either of the two signatures being compared were invalid, then finding the linkage or the identity of the signer would not necessarily be accurate, since any invalid signature could have been forged.
There are four possible cases regarding the message to be signed:
1. If a signer signs first and second messages m1, m2, whereby the first message part MSG0 and the second message part MSG1 are the same in both messages m1, m2, the values b and Y will appear in both the signatures. This means that any receiving party, i.e. verifier computing entity, can detect that the two signatures are in fact the same signature.
For example, referring to Figure 5a, this shows an implementation of a method that is first able to determine that two received messages relate to the same subject or topic, i.e. that the first message part MSG0 of the first received message m1 is the same as the first message part MSG0 of the second received message m2. The verifier computing entity receives a first message m1 in step 501, and a second message m2 in step 503. The verifier computing entity may (or may not) have already processed these messages as shown in the implementation of Figure 4 (i.e. to first determine that each signature is valid). In step 505 the verifier computing entity uses the temporary base value b of the first received message m1 and the temporary base value b of the second received message m2 to determine whether the first message part MSG0 of the first received message m1 is the same as the first message part MSG0 of the second received message m2. As such, the verifier computing entity is able to determine using the temporary base values b whether or not two messages relate to the same subject or topic. In some applications this procedure alone can be used to provide useful information, such as how many votes have been received on a certain ballot, or how many reviews have been received against a certain book.
Figure 5b shows an implementation of a method that is able to determine that two received messages have been signed by the same signer computing entity. The verifier computing entity receives a first message m1 in step 511, and a second message m2 in step 513. The verifier computing entity may (or may not) have already processed these messages as shown in the implementation of Figure 4 (i.e. to first determine that each signature is valid). The verifier computing entity determines whether the first and second received messages m1, m2 have been signed by the same computer signing entity, based on the temporary base value b and the temporary public key Y of the first received message m1 and the temporary base value b and the temporary public key Y of the second received message m2. For example, in the example of the implementation shown in Figure 5b, the verifier computing entity compares the values b and Y of message m1 with the values b and Y of message m2, step 515. In step 517 the verifier determines whether the values b and Y of message m1 match the values b and Y of message m2. If the signatures of messages m1 and m2 have the same values of b and Y, i.e. the temporary base values and temporary public keys match, this provides an indication that messages m1 and m2 have been signed by the same signer, step 519, such that the verifier computing entity can then take appropriate action. The action taken by a verifier computing entity can vary depending on a particular application. For example, the verifier computing entity may decide to ignore any messages that have been received from a signer that has signed twice, or the verifier computing entity may decide to only take one signature into account and ignore the remaining one (or remaining ones if multiple messages have been signed by the same signer).
From the above it will be appreciated that the temporary base values b of the first and second messages m1, m2 enable the verifier computing entity to determine that the first and second messages m1, m2 relate to the same subject or topic, while the temporary public keys Y of the first and second messages m1, m2 enable the verifier computing entity to determine that the messages m1, m2 have been signed by the same signer computing entity.
In the implementation above, if the two signatures have the same value of b and Y the verifier computing entity is able to determine that these two signatures are signed by the same signer, but cannot determine the identity of the signer. However, in certain applications where one wants to prevent this from happening, the signer computing entity and verifier computing entity can agree to introduce some randomness into the second message part MSG1 during the original signing procedure. For example, let MSG1 = MSG1 || Z (i.e. let MSG1 be the concatenation of the original MSG1 and other part of the DAA or group signature). As a result the values "b" and "Y" do not have the same value in any two signatures. Such a modification provides the same result as in the next case, in which the identity of the signer can be discovered from any two signatures with the same MSG0 and different MSG1s signed by the same signer. In other words, this means that the identity of a malicious signer computing entity can be determined (for example as described below in the implementation where it is assumed that the second message parts MSG1 of the first and second messages are purposely made different by the signer computing entity).
2. If a signer computing entity signs first and second messages m1, m2, such that the first and second messages m1, m2 each have the same first message part MSG0 but have different second message parts MSG1 (for example the first message m1 having a second message part MSG1_α and the second message m2 having a second message part MSG1_β), there will be one digest value h0, two digest values h1, two temporary base values b and two temporary public key values Y. These are shown in steps 601 to 613 of Figure 6, whereby:
h0 = H0(MSG0), h1_α = H1(MSG1_α), h1_β = H1(MSG1_β), b_α = g^{h1_α} · h0, b_β = g^{h1_β} · h0, Y_α = b_α^x, Y_β = b_β^x.
In this implementation the value of the public key PK of the signer can be computed in step 615 as follows:
Figure imgf000017_0001
From the above, it can be seen that the implementation enables the identity of the signer to be determined. It is noted that, if two signatures with the same MSG0 are signed by two different signer computing entities, since these two signers have different x values, say x1 and x2, then h0^{x1} will not be equal to h0^{x2}, and hence (Y_α/Y_β)^{1/(h1_α - h1_β)} will not be equal to either PK1 or PK2 but a random value with a very high probability. As such, it is not possible to determine the public key of a signer when two signatures with the same MSG0 are signed by two different signers, hence keeping the anonymity of a signer in a legitimate scenario.
3. If a signer computing entity creates two signatures with different first message parts MSG0 but the same second message part MSG1, these two signatures are unlinkable, since H0(MSG0_α)^x and H0(MSG0_β)^x do not show the fact that the same x was used. As such, the anonymity and unlinkability of the signer is maintained. This is a desired result, because the signer will not have been behaving maliciously, but merely providing comments on two different subjects (i.e. two different first message parts MSG0s).
For example, in an e-commerce application, a signer may wish to give a comment such as "Good Book" on two separate books, one book being "Handbook of Applied Cryptography" and the other book being "Digital Signature Techniques". In such a scenario, although the second message part MSG1_1 of the first message m1 is the same as the second message part MSG1_2 of the second message m2 (i.e. both relating to "Good Book"), the first message part MSG0_1 of the first message m1 will differ from the first message part MSG0_2 of the second message m2 (i.e. MSG0_1 relating to "review on Handbook of Applied Cryptography" and MSG0_2 relating to "review on Digital Signature Techniques"). It will be appreciated that such a scenario is a legitimate signature procedure by the signer, and as such the unlinkability of the two signatures is a desirable result.
4. If a signer computing entity creates two signatures with different first message parts MSG0 and different second message parts MSG1, these two signatures are unlinkable. As in the third scenario described above, this is a desirable result since this is a legitimate signing procedure by the signer.
The implementations described above have the advantage of enabling a malicious signing behaviour by a signer to be detected, and where necessary the identity of the malicious signer to be determined.
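The signing steps 301 to 313, the Figure 4 verification and the first two cases above, as an added Python example (not code from the patent). It assumes a demonstration-sized subgroup found at import time, which is far too small for real use; the group parameters, the SHA-256 constructions for H0 and H1, the subgroup check on Y and the opaque byte string standing in for Z are assumptions of the example, and no DAA or group credential is modelled.

```python
import hashlib
import secrets

def is_prime(n):
    """Miller-Rabin; these 13 bases are deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for a in bases:
        if n % a == 0:
            return n == a
    d, k = n - 1, 0
    while d % 2 == 0:
        d, k = d // 2, k + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(k - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=62):
    """Assumed demo parameters: safe prime p = 2q + 1, g = 4 of order q."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_group()   # about 63 bits: for illustration only, not secure

def H0(msg):
    """H0: {0,1}* -> G. Squaring maps the hash into the order-q subgroup."""
    t = int.from_bytes(hashlib.sha256(b"H0" + msg).digest(), "big") % P
    return pow(t, 2, P)

def H1(*parts):
    """H1: {0,1}* -> Z_q over length-prefixed parts (assumed encoding)."""
    h = hashlib.sha256(b"H1")
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

def base(msg0, msg1):
    """Temporary base value b = g^h1 * h0 (steps 301 to 305)."""
    return pow(G, H1(msg1), P) * H0(msg0) % P

def keygen():
    x = secrets.randbelow(Q - 2) + 2          # private key SK, 1 < x < q
    return x, pow(G, x, P)                    # (SK, PK = g^x)

def sign(x, msg0, msg1, Z=b"placeholder-for-DAA-part"):
    h0, h1, b = H0(msg0), H1(msg1), base(msg0, msg1)
    Y = pow(b, x, P)                          # step 307: temporary public key
    r = secrets.randbelow(Q - 1) + 1
    T = pow(b, r, P)                          # step 309: commitment
    c = H1(G, h0, h1, Y, T, Z)                # step 311: challenge
    return Y, c, (r + c * x) % Q, Z           # step 313: s = r + cx mod q

def verify(msg0, msg1, sig):
    Y, c, s, Z = sig
    if not (1 < Y < P and pow(Y, Q, P) == 1): # added check: Y is in the subgroup
        return False
    b = base(msg0, msg1)
    T = pow(b, s, P) * pow(Y, Q - c, P) % P   # step 407: T = b^s * Y^-c
    return c == H1(G, H0(msg0), H1(msg1), Y, T, Z)

def same_signer_same_message(msg_a, sig_a, msg_b, sig_b):
    """Case 1 / Figure 5b: equal b and equal Y."""
    return base(*msg_a) == base(*msg_b) and sig_a[0] == sig_b[0]

def recover_pk(msg1_a, sig_a, msg1_b, sig_b):
    """Case 2: PK = (Y_a / Y_b)^(1 / (h1_a - h1_b)) for one shared MSG0."""
    d = (H1(msg1_a) - H1(msg1_b)) % Q
    if d == 0:
        raise ValueError("second message parts give the same digest h1")
    ratio = sig_a[0] * pow(sig_b[0], -1, P) % P
    return pow(ratio, pow(d, -1, Q), P)

if __name__ == "__main__":
    # Constructed sample messages, reusing the page's e-commerce subject line.
    topic = b"comment on GOODS 1234"
    x, pk = keygen()
    first, second = sign(x, topic, b"5 stars"), sign(x, topic, b"1 star")
    assert verify(topic, b"5 stars", first) and verify(topic, b"1 star", second)
    recovered = recover_pk(b"5 stars", first, b"1 star", second)
    print("double signer exposed:", recovered == pk)
```

When the two signatures come from different signers, `recover_pk` returns a value matching neither public key, which is the property the second case relies on to keep honest signers anonymous.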
The digital signature scheme described in the implementations above can form part of an anonymous digital signature scheme, such as a group signature scheme or a direct anonymous attestation (DAA) scheme. For example, in one implementation, when used in the DAA scheme, the first and second message parts MSG0, MSG1 may be used as a replacement to the basenames used in DAA (i.e. in place of the basenames of DAA). Such an implementation involves the computing of a challenge c as described in further detail later in the application.
According to another implementation, when used in the DAA scheme, the first message part and the second message part MSG0, MSG1 may be used alongside, or in parallel to the basenames, i.e. rather than being a replacement of the basename. Such an implementation may be used when the basename might still need to play its own role of the user-controlled linkability. Such an implementation involves the computing of a challenge c as described in further detail later in the application.
The following is an example of an implementation where the first and second message parts MSG0, MSG1 are used as replacements to the basenames in DAA.
Figure 7 shows the steps performed by a signing computing entity during a signing procedure in such an implementation, where BSN is a basename of a DAA scheme.
In step 701 a digest value h is computed, where: h = H0(BSN)
In step 703 a value X is computed, where: X = h^x where x is the private key SK of the signer.
In step 705 a value R is computed, where: R = h^r where r is a random number.
In step 707 the challenge c is computed as: c = H1(h, X, R, Z) where Z denotes some other part of the signature used in the DAA signature.
Then, in step 709 the signature s is computed as: s = r + cx
Figure 8 shows the steps performed during verification by a verifier computing entity in relation to a message signed by a signer computing entity as described in Figure 7.
In step 801 a digest value h is computed, where: h = H0(BSN)
In step 803 a value R is computed, where: R = h^s · X^{-c}
In step 805 it is determined whether the following equation holds true: c = H1(h, X, R, Z)
If the equation holds, then the signature is deemed to be valid, step 807. Otherwise, if the equation does not hold, the signature is deemed invalid, step 809.
It is noted that in an implementation where the first and second message parts MSG0, MSG1 are used in place of the basenames in DAA, the values Y, T, b, h0, h1 are used in place of the values X, R, h shown above. In an implementation where the first and second message parts MSG0, MSG1 are used in parallel with the basenames, all of the values are kept (i.e. all of h, h0, h1, X, Y, R, T), in which case the challenge is written as: c = H1(h, h0, h1, b, X, Y, R, T, Z) where Z denotes some other part of the signature used in the DAA signature.
Other parts of the implementations described above for determining whether or not two messages have been signed by the same signer, or determining the identity of the signer, are performed the same regardless of whether the first and second message parts MSG0, MSG1 are used in place of, or in parallel with the basenames in a DAA scheme.
It is therefore noted that in any group signature scheme or direct anonymous attestation schemes, an implementation can have either or both of the basename and MSG0/MSG1. This implementation enables a flexible threshold signature verification to be built. For example, an arbitrary verifier can find out how many signers have signed a certain event MSG0 without revealing who they are. Based on the total number of second message parts MSG1s or the number of positive or negative second message parts MSG1s, the verifier can decide whether the result passes a threshold or not.
The implementations described above differ from a basename of a verifier in the DAA scheme in that the implementations provide a message specific signature, instead of a signature specific to a verifier's input. The implementations described above therefore break the anonymity of a malicious signer, which is not otherwise possible in DAA.
Figure 9 shows an implementation of digital signature apparatus, and in particular a signer computing entity apparatus 901. The signer computing entity apparatus 901 is adapted to provide a digital signature by which the signer computing entity is able to perform a one-time anonymous signature on a message m. The signer computing entity apparatus 901 comprises a partitioning unit 903 adapted to partition the message m into a first message part MSG0 and a second message part MSG1. A mapping unit 905 is adapted to map the first message part MSG0 with a first hash function H0 to form a first digest h0, and map the second message part MSG1 with a second hash function H1 to form a second digest h1. A combining unit 907 is adapted to combine the first digest h0 and the second digest h1 to form a temporary base value b. A forming unit 909 is adapted to form a temporary public key Y. The public key Y may be formed from the temporary base value b and the secret key SK. A signing unit 911 is adapted to sign the message m using the temporary base value b and the temporary public key Y (which is based on the secret key SK).
Figure 10 shows an implementation of digital signature apparatus, and in particular a verifier computing entity apparatus 1001. The verifier computing entity apparatus 1001 is adapted to determine whether first and second messages have the same first message part MSG0, and comprises a receiving unit 1003 adapted to receive a first message m1 and a second message m2 which have been signed using a signer computing entity apparatus, for example an apparatus as described in Figure 9 above. The verifier computing entity apparatus 1001 comprises a processing unit 1005 adapted to determine whether the first message part MSG0 of the first received message m1 is the same as the first message part MSG0 of the second received message m2, based on the temporary base value b of the first received message m1 and the temporary base b of the second received message m2.
The verifier computing entity apparatus 1001 may be further configured such that the processing unit 1005 is adapted to determine whether the first and second received messages m1, m2 have been signed by the same computer signing entity, based on the temporary public key Y of the first received message m1 and the temporary public key Y of the second received message m2.
The verifier computing entity apparatus 1001 may be further configured such that the processing unit 1005 is adapted to determine the public key PK of the signer computing entity if a second message part MSG1_α of the first received message m1 differs from a second message part MSG1_β of the second received message m2.
The processing unit 1005 may be adapted to determine the public key PK of the signer computer entity by computing:
PK = (Y_α/Y_β)^{1/(h1_α - h1_β)}, where:
Figure imgf000023_0001
h1_β = H1(MSG1_β), b_α = g^{h1_α} · h0, b_β = g^{h1_β} · h0,
Y_α = b_α^x, and
Figure imgf000023_0002
The implementations described above have the advantage of being easily incorporated into any group signature scheme or DAA signature scheme.
The implementations described above also have the advantage of enabling a flexible threshold signature scheme to be provided for free, for example without a trusted threshold share distributor.
The implementations described above are also efficient in terms of computational complexity.
It will be appreciated that the security of the implementations in the examples described above is based on the security of the Schnorr signature scheme, which holds a known provable security. It is noted, however, that other signature schemes, i.e. other than the Schnorr signature scheme, may be used.
The implementations described above have the advantage of holding the nature of user-controlled privacy, and offer a good balance between strong privacy and robust security.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim, "a" or "an" does not exclude a plurality, and a single processor or other unit may fulfil the functions of several units recited in the claims. Any reference signs in the claims shall not be construed so as to limit their scope.

Claims

1. A digital signature method by which a signer computing entity is able to perform a one-time anonymous signature on a message m, the method comprising the signer computing entity:
partitioning the message m into a first message part MSG0 and a second message part MSG1;
mapping the first message part MSG0 with a first hash function H0 to form a first digest h0;
mapping the second message part MSG1 with a second hash function H1 to form a second digest h1;
combining the first digest and second digest to form a temporary base value b;
forming a temporary public key Y; and
signing the message m using the temporary base value b and the temporary public key Y.
2. A method as claimed in claim 1 wherein:
the step of forming the temporary base value b comprises computing b = g^{h1} · h0 in G,
whereby G = <g>, a group of a large prime order q, wherein each signer computing entity has a public key PK, wherein PK = g^x in G, wherein x is an integer corresponding to a private key SK of the signer computing entity, and wherein x is greater than one and less than q; and
the step of forming the temporary public key comprises computing Y = b^x = (PK)^{h1} · (h0)^x in G.
3. A method as claimed in claim 2, wherein:
the first digest h0 = H0(MSG0),
the first hash function H0 relates to the function {0, 1}* -> G
the second digest h1 = H1(MSG1);
the second hash function H1 relates to the function {0, 1}* - and wherein the method further comprises the steps of:
computing a commitment value T, wherein T = b^r in G, and wherein r is a random number;
computing a challenge value c, wherein c = H1(g, h0, h1, Y, T, Z), and wherein Z denotes some other part of the signature used in either a direct anonymous attestation (DAA) signature or a group signature; and
wherein the signature s of the message m is computed as
s = r + cx mod q.
4. A digital signature method in a verifier computing entity, the method comprising the steps of:
receiving a first message m1 which has been signed according to the method defined in claim 1,
receiving a second message m2 which has been signed according to the method defined in claim 1; and
determining whether the first message part MSG0 of the first received message m1 is the same as the first message part MSG0 of the second received message m2, based on the temporary base value b of the first received message m1 and the temporary base value b of the second received message m2.
5. A method as claimed in claim 4, wherein the verifier computing entity further performs the steps of:
determining whether the first and second received messages m1, m2 have been signed by the same computer signing entity, based on the temporary public key Y of the first received message m1 and the temporary public key Y of the second received message m2.
6. A method as claimed in claim 5 wherein, if a second message part MSG1_α of the first received message m1 differs from a second message part MSG1_β of the second received message m2, the verifier computing entity further performs the step of determining the public key PK of the signer computing entity.
7. A method as claimed in claim 6, wherein the step of determining the public key PK of the signer computer entity comprises computing:
PK = (Y_α/Y_β)^{1/(h1_α - h1_β)}, where: h1_α = H1(MSG1_α), h1_β = H1(MSG1_β), b_α = g^{h1_α} · h0, b_β = g^{h1_β} · h0, Y_α = b_α^x, and
Figure imgf000027_0001
8. A method as claimed in claim 1, wherein the digital signature scheme forms part of an anonymous digital signature scheme, a group signature scheme or a direct anonymous attestation (DAA) scheme.
9. A method as claimed in claim 8, wherein the step of signing a message comprises the steps of computing a challenge value c, where c = H1(g, h0, h1, Y, T, Z), and where:
Z denotes some other part of the signature used in an anonymous signature, a direct anonymous attestation (DAA) scheme or a group signature;
h0 = H0(MSG0);
h1 = H1(MSG1);
b = g^{h1} · h0 in G;
T = b^s · Y^{-c} in G, where T is a commitment value; and
Y = b^x = (PK)^{h1} · (h0)^x.
10. A method as claimed in claim 8, wherein the first message part MSG0 and second message part MSG1 are used in place of the base names of a direct anonymous attestation (DAA) signature scheme.
11. A method as claimed in claim 10, further comprising the steps of computing a challenge c, where: c = H1(g, h0, h1, Y, T, Z), and where:
Z denotes some other part of the signature used in a direct anonymous attestation (DAA) scheme other than the basename;
h0 = H0(MSG0);
h1 = H1(MSG1);
b = g^{h1} · h0;
T = b^s · Y^{-c}, where T is a commitment value; and
Y = b^x = (PK)^{h1} · (h0)^x.
12. A method as claimed in claim 8, wherein the first message part (MSG0) and second message part (MSG1) are used in parallel with base names of a direct anonymous attestation (DAA) signature scheme.
13. A method as claimed in claim 12, further comprising the step of computing a challenge c, where: c = H1(h, h0, h1, b, X, Y, R, T, Z), and where:
h = H0(BSN);
h0 = H0(MSG0);
h1 = H1(MSG1);
b = g^{h1} · h0;
X = h^x;
Y = b^x = (PK)^{h1} · (h0)^x;
R = h^s · X^{-c};
T = b^s · Y^{-c}, where T is a commitment value; and
Z denotes some other part of the signature used in a direct anonymous attestation (DAA) signature.
14. A signer computing entity apparatus adapted to provide a digital signature by which the signer computing entity is able to perform a one-time anonymous signature on a message m, the apparatus comprising:
a partitioning unit adapted to partition the message m into a first message part MSG0 and a second message part MSG1;
a mapping unit adapted to map the first message part MSG0 with a first hash function H0 to form a first digest h0, and map the second message part MSG1 with a second hash function H1 to form a second digest h1;
a combining unit adapted to combine the first digest h0 and the second digest h1 to form a temporary base value b;
a forming unit adapted to form a temporary public key Y; and
a signing unit adapted to sign the message m using the temporary base value b and the temporary public key Y.
15. A verifier computing entity apparatus adapted to determine whether first and second messages have the same first message part MSG0, the apparatus comprising:
a receiving unit adapted to receive a first message m1 and a second message m2 which have been signed using an apparatus as defined in claim 14;
a processing unit adapted to determine whether the first message part MSG0 of the first received message m1 is the same as the first message part MSG0 of the second received message m2, based on the temporary base value b of the first received message m1 and the temporary base b of the second received message m2.
16. An apparatus as claimed in claim 15, wherein the processing unit is further adapted to determine whether the first and second received messages m1, m2 have been signed by the same computer signing entity, based on the temporary public key Y of the first received message m1 and the temporary public key Y of the second received message m2.
17. An apparatus as claimed in claim 16, wherein the processing unit is further adapted to determine the public key PK of the signer computing entity if a second message part MSG1_α of the first received message m1 differs from a second message part MSG1_β of the second received message m2.
18. An apparatus as claimed in claim 17, wherein the processing unit is adapted to determine the public key PK of the signer computer entity by computing: PK = (Y_α/Y_β)^{1/(h1_α - h1_β)}, where:
Figure imgf000031_0001
gh1a hO,
Y_α = b_α^x, and
Y_β = b_β^x
PCT/EP2010/057002 2010-05-20 2010-05-20 Digital signature method and apparatus WO2011144247A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2010/057002 WO2011144247A1 (en) 2010-05-20 2010-05-20 Digital signature method and apparatus

Publications (1)

Publication Number Publication Date
WO2011144247A1 true WO2011144247A1 (en) 2011-11-24

Family

ID=43569363

Country Status (1)

Country Link
WO (1) WO2011144247A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010011351A1 (en) * 2000-01-21 2001-08-02 Nec Corporation Anonymous participation authority management system

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
"Chapter 11: Digital Signatures ED - Menezes A J; Van Oorschot P C; Vanstone S A", 1 October 1996, HANDBOOK OF APPLIED CRYPTOGRAPHY; [CRC PRESS SERIES ON DISCRETE MATHEMATICES AND ITS APPLICATIONS], CRC PRESS, BOCA RATON, FL, US, PAGE(S) 425 - 488, ISBN: 978-0-8493-8523-0, XP001525011 *
C. SCHNORR.: "Efficient signature generation by smart cards", JOURNAL OF CRYPTOLOGY, vol. 4, no. 3, 1991, pages 161 - 174
CAMENISCH J ET AL: "A signature Scheme with Efficient Protocols", 20030101, vol. 2576, 1 January 2003 (2003-01-01), pages 268 - 289, XP002456613, ISBN: 978-3-540-24128-7, DOI: DOI:10.1007/3-540-36413-7_20 *
CAMENISCH J ET AL: "EFFICIENT GROUP SIGNATURE SCHEMES FOR LARGE GROUPS", ADVANCES IN CRYPTOLOGY - CRYPTO '97. SANTA BARBARA, AUG. 17 - 21, 1997; [PROCEEDINGS OF THE ANNUAL INTERNATIONAL CRYPTOLOGY CONFERENCE (CRYPTO)], BERLIN, SPRINGER, DE, vol. CONF. 17, 17 August 1997 (1997-08-17), pages 410 - 424, XP000767547, ISBN: 978-3-540-63384-6 *
ERNIE BRICKELL ET AL: "Direct Anonymous Attestation", PROCEEDINGS OF THE 11TH ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY : WASHINGTON, DC, USA, OCTOBER 25 - 29, 2004; [ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY], NEW YORK, NY : ACM PRESS, 25 October 2004 (2004-10-25), pages 132 - 145, XP007917346, ISBN: 978-1-58113-961-7, DOI: DOI:10.1145/1030083.1030103 *
RONALD L RIVEST ET AL: "How to Leak a Secret: Theory and Applications of Ring Signatures", 1 January 2006, THEORETICAL COMPUTER SCIENCE LECTURE NOTES IN COMPUTER SCIENCE;;LNCS, SPRINGER, BERLIN, DE, PAGE(S) 164 - 186, ISBN: 978-3-540-32880-3, XP019029104 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017071581A1 (en) * 2015-10-30 2017-05-04 中国银联股份有限公司 Electronic signature generation method and system
TWI624795B (en) * 2015-10-30 2018-05-21 Electronic signature generation method and system
CN107743066A (en) * 2017-11-07 2018-02-27 中证技术股份有限公司 A kind of anonymity signature method and system supervised
WO2021081493A1 (en) * 2019-10-24 2021-04-29 Qualcomm Incorporated User equipment messaging techniques and applications
WO2021183441A1 (en) * 2020-03-09 2021-09-16 Sony Group Corporation Privacy-preserving signature
WO2022174933A1 (en) * 2021-02-19 2022-08-25 NEC Laboratories Europe GmbH User-controlled linkability of anonymous signature schemes
WO2022193789A1 (en) * 2021-03-19 2022-09-22 杭州复杂美科技有限公司 Anonymous multi-signature method, computer device, and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10726921

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10726921

Country of ref document: EP

Kind code of ref document: A1