A New Partially Blind Signature Based on Factoring and Discrete Logarithms

Partially blind signatures play an important role in many electronic commerce applications. Many existing partially blind signature schemes are based on a single hard problem and are not secure. In this study, we propose a secure partially blind signature scheme based on factoring and discrete logarithms and show that the proposed scheme satisfies the partial blindness, randomization, unlinkability and unforgeability properties. We also analyse the computation cost of the proposed scheme.


INTRODUCTION
The blind signature technique was first introduced by Chaum [3] to protect an individual's right to privacy. It is a special form of digital signature. Creating a blind signature for a message involves two parties, which we call the signer and a group of signature requesters.
The requester asks the signer to sign blinded data, so the signer does not know the content of the message. The requester then unblinds the signed message from the signed blinded data. The signer's signature on the message can be verified by checking whether the corresponding public verification formula holds with the signature-message pair as its parameter. In a secure blind signature scheme, the signer is unable to link (trace) this signed message to the previous signing process instance. This property is usually referred to as the unlinkability property. Due to the unlinkability (blindness) property, blind signature techniques have been widely used in anonymous electronic cash (e-cash) and anonymous voting systems.
In the e-cash system, since e-cash can easily be duplicated, the bank has to record all spent e-cash in order to prevent double spending, checking by database search whether a given e-cash has been spent or not. However, the database kept by the bank may then grow without limit. In order to prevent the bank's database from growing without limit, the techniques of partially blind signatures were proposed in Abe and Fujisaki [1], Abe and Okamoto [2] and Fan and Lei [4].
In a partially blind signature scheme, the signer can impose common information, for example date information, on the signature, so that the verifier needs the message, the common information and the signature to check the validity of the signature. This common information has a pre-defined format negotiated and agreed by all requesters and the signer. Using RSA, Abe and Fujisaki [1] proposed a partially blind signature scheme in which the signer (the bank) is assured that the signed blind signature (e-cash) contains the agreed common information, such as the date. By embedding an expiration date into each e-cash, the bank only has to keep the unexpired cash in the database to prevent double spending; expired e-cash recorded in the database can be removed. This technique deals with the unlimited growth problem of the bank's database in the e-cash system. Partial blindness preserves the unlinkability property of the blind signature while also embedding the common information in the blind signature. However, in most blind signature schemes, several modular exponentiations and inverse computations are needed by the signature requesters and the signer. Later, based on Quadratic Residue (QR) theory, Fan and Lei [4] proposed a partially blind signature scheme in which no modular exponentiations or inverse computations are performed by the signature requesters.
Moreover, only a few modular additions and multiplications are required for a requester to obtain and verify a signature in their protocol. Compared with the blind signature schemes proposed in the literature, Fan and Lei's scheme [4] reduces the amount of computation for the signature requesters (users) by nearly 98% under a 1024-bit modulus, but it does not decrease the computation load for the signer. Their scheme is therefore especially suitable for mobile signature requesters and smart-card users. However, in 2002, Hwang, Lee and Lai [6] showed that the Fan-Lei scheme [4] could not meet the untraceability property of a blind signature. Recently, Huang and Chang [5] proposed a new design of efficient partially blind signature based on the discrete logarithm and the Chinese Remainder Theorem, but Zhang and Chen [7] showed that the Huang and Chang partially blind signature scheme is not secure. Moreover, all partially blind signature schemes developed in the literature are based on a single hard problem such as factoring, the discrete logarithm or the elliptic curve discrete logarithm problem. If in the future someone finds a solution to one of these problems, the related partially blind signature scheme will no longer be secure. Thus, in this study we propose a secure partially blind signature scheme based on the discrete logarithm and factoring problems, and our scheme maintains the amount of computation for both the signature requester and the signer.
Preliminaries: Throughout the article, we need the following tools to describe our new partially blind signature scheme and to discuss its security analysis and efficiency performance: a cryptographic hash function h(·) that maps input of arbitrary length to an output of t bits, where we assume t = 128; a large prime p, together with an integer n dividing p-1 that is the product of two safe primes (so that n contains no small prime divisors); the Euler phi function φ(n); an integer g that is a primitive element (generator) of the subgroup of Z_p^* = {1, 2, ..., p-1} of order n, satisfying g^n ≡ 1 (mod p); and gcd(a, b), the greatest common divisor of a and b.

MATERIALS AND METHODS
We now propose an efficient and secure partially blind signature scheme in which the two parties, the signer and the requester, interact to obtain a signature. There are two types of participants in a partially blind signature scheme, a signer and a signature requester A. The process of their interaction in the scheme is as follows:
• Suppose a requester would like to request a partially blind signature from the signer. In this case, the requester notifies the signer.
• Then, the requester provides the blinded data/message and the common information and sends them to the signer. At this stage, the signer decides on this common information.
• If the signer agrees on this common information, then he signs the blinded data with this common information embedded in the signature.
• For the partial blindness property, the requester derives the signature from the signed data, but he cannot remove or change the embedded common information. So the agreed common information should be genuinely shared among the requester, the signer and the verifiers.
The proposed partially blind signature scheme consists of four phases: (1) initialization, (2) requesting, (3) signing and (4) extraction. The signer publishes the necessary information in the initialization phase. In the requesting phase, a requester submits the blinded data and the common information to the signer. In the signing phase, the signer signs the blinded data with this common information imposed on it and then sends the result back to the requester. Finally, the requester extracts the signature from the signed data in the extraction phase. The details of the proposed partially blind signature scheme are described as follows.
The above process of partially blind signature is taken from Huang and Chang [5] .
Initialization: Pick at random an integer e ∈ Z_n^* = {1, 2, ..., n-1} such that gcd(e, n) = 1. Calculate an integer d satisfying the congruence ed ≡ 1 (mod φ(n)). Next, select at random an integer x from Z_p^* and compute y ≡ g^x (mod p). Finally, publish (e, y) as the public key pair and keep (d, x) as the secret key pair of the scheme.
Requesting: Suppose requester A wants to obtain a signature on the message digest h(m). Firstly, he must notify the signer, and then:
• The signer selects an integer r < n such that gcd(r, n) = 1 and computes ẑ ≡ g^r (mod p).
• Then the signer checks that gcd(ẑ, n) = 1. If this is not the case, he/she goes back and selects another integer r. Otherwise, he/she sends ẑ to the requester A.
• After receiving ẑ, requester A checks that gcd(ẑ, n) = 1 and prepares the common information a according to a pre-defined format. The value a is then a common input of both the requester A and the signer.
• The requester A also randomly selects two blinding factors u ∈ Z_n^* and v ∈ Z_n, computes z ≡ ẑ^u g^v (mod p) and checks whether gcd(z, n) = 1. If this is not the case, he/she goes back and selects other blinding factors.
Otherwise, he/she computes the blinded data. Now we show how to obtain a partially blind signature using the above setting; we describe it using Fig. 1.
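As an added example (not code from the paper), the following Python builds toy-size parameters that satisfy the preliminaries (n = p1·p2 with p1, p2 safe primes and n | p-1, and g of order exactly n in Z_p^*), runs the Initialization phase and the signer's first Requesting step with the gcd(ẑ, n) = 1 retry. The helper names, the 12-bit sizes and the seeds are assumptions for a reproducible demonstration, and the extra condition gcd(e, φ(n)) = 1 is our assumption, required for d to exist.

```python
import random
from math import gcd

def is_prime(m: int) -> bool:
    return m >= 2 and all(m % q for q in range(2, int(m ** 0.5) + 1))  # toy sizes only

def random_safe_prime(bits: int, rng: random.Random) -> int:
    while True:
        q1 = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q1) and is_prime(2 * q1 + 1):
            return 2 * q1 + 1

def setup(bits: int = 12, seed: int = 1):
    # preliminaries: n = p1*p2 (two safe primes) divides p-1, g has order exactly n
    rng = random.Random(seed)
    p1 = random_safe_prime(bits, rng)
    p2 = p1
    while p2 == p1:
        p2 = random_safe_prime(bits, rng)
    n, phi_n = p1 * p2, (p1 - 1) * (p2 - 1)
    k = 2
    while not is_prime(k * n + 1):      # smallest k giving a prime p = k*n + 1
        k += 1
    p = k * n + 1
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // n, p)   # g^n == 1 mod p
        if pow(g, p1, p) != 1 and pow(g, p2, p) != 1:      # order is n, not 1/p1/p2
            return p, n, g, phi_n

def initialization(p, n, g, phi_n, seed: int = 2):
    # Initialization phase: public key (e, y), secret key (d, x); gcd(e, phi(n)) = 1
    # is added here because d = e^-1 mod phi(n) exists only then (our assumption)
    rng = random.Random(seed)
    e = rng.randrange(2, n)
    while gcd(e, n) != 1 or gcd(e, phi_n) != 1:
        e = rng.randrange(2, n)
    d = pow(e, -1, phi_n)               # e*d == 1 (mod phi(n))
    x = rng.randrange(1, p)             # x in Z_p^*
    y = pow(g, x, p)
    return (e, y), (d, x)

def signer_commitment(p, n, g, seed: int = 3):
    # Requesting phase, signer side: r < n coprime to n, z_hat = g^r mod p,
    # retried until gcd(z_hat, n) = 1 as the scheme requires
    rng = random.Random(seed)
    while True:
        r = rng.randrange(1, n)
        z_hat = pow(g, r, p)
        if gcd(r, n) == 1 and gcd(z_hat, n) == 1:
            return r, z_hat
```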

RESULTS
In this study, we give our results in terms of security analysis and efficiency performance of our proposed partially blind signature scheme.

Security:
In this study, we discuss some security properties of our partially blind signature scheme. A secure partially blind signature scheme should satisfy the following requirements, and we show that our proposed scheme satisfies them.
a) Partial blindness: It allows a user to acquire a signature on a message without revealing anything about the message to the signer. The blindness property ensures that no one except the signature requester can derive a link between a view and a valid blind signature. A view of the signer is defined to be the set of all messages that the signer has received and generated when issuing the signature. Owing to the blindness property, blind signatures have been widely used in untraceable electronic cash systems.
b) Randomization: The signer should inject one or more randomizing factors into the blinded message so that attackers cannot predict the exact content of the message the signer signs. In a secure randomized signature scheme, a user cannot remove the signer's randomizing factor.
c) Unlinkability: In a secure blind signature scheme, it is computationally infeasible for the signer to link a signature shown for verification to the instance of the signing protocol that produced that signature. This property is usually referred to as the unlinkability property.

d) Unforgeability: It means that only the signer can generate valid signatures.

Partial blindness:
All signatures issued by the signer contain clear common information a according to the pre-defined format negotiated and agreed by all requesters and the signer, and the requester is unable to change or remove the embedded information a while keeping the signature verifiable. In the proposed scheme, the requester A has to submit the common information a and the blinded data σ to the signer, and the signer then computes ŝ ≡ (σxa + ẑr) (mod n) and sends it to the requester A. If the requester A could successfully change or remove this common information a from the corresponding signature (a, z, γ), he or she would have to compute ŝ ≡ (σxa + ẑr) (mod n) for the new value, which requires the secret key x; however, it is difficult to derive x. Also, the requester A has to submit the blinded data s to the signer, and the signer then computes γ ≡ s^d (mod n) and sends γ to the requester. The requester A cannot change or remove γ because it is difficult to derive the secret key d. Hence, in the proposed scheme, the requester A cannot change or remove a and γ from the corresponding signature (a, z, γ) of message m to forge the unblinded part of the signature.

Randomization:
In the proposed scheme, the signer randomizes the blinded data using the random factor r before signing it in the signing phase. In the requesting phase, the signer selects an integer r such that ẑ ≡ g^r (mod p) and submits ẑ to the requester. Then the requester A sends σ to the signer and the signer returns ŝ ≡ (σxa + ẑr) (mod n) to the requester A. If the requester A tries to remove r from ŝ ≡ (σxa + ẑr) (mod n), then he has to derive x from y ≡ g^x (mod p). However, it is difficult to determine x because that derivation is a discrete logarithm problem. Hence, in the proposed scheme, the requester A cannot remove the random factor r from the corresponding signature (a, z, γ) of message m.
Unlinkability: For every instance, numbered i, of the protocol under study, the signer can record the messages (σ_i, s_i) transmitted between the requester A and the signer during instance i of the protocol. The pair (σ_i, s_i) is usually referred to as the view of the signer for instance i of the protocol. Thus, we have the following theorem:
Theorem: Given a signature (a, z, γ) produced by the proposed scheme, the signer can derive blinding factors (u'_i, v'_i) consistent with the view (σ_i, s_i), for every record (σ_i, s_i). Hence, given a signature (a, z, γ) produced by the proposed scheme, the signer can always derive a pair of blinding factors (u'_i, v'_i) for every transmitted record (σ_i, s_i).
This implies that the signer is unable to find the link between the signature and its corresponding signing process instance. So, our scheme can achieve the unlinkability property.
Unforgeability: ... the intruder. Hence, x stays hard to find, because an intruder can generate infinitely many solutions of the above system of equations but cannot figure out which one is correct. In addition, an intruder who wishes to obtain the secret keys (x, d) using all the information available from the system needs to compute x from y ≡ g^x (mod p) and d ≡ e^(-1) (mod φ(n)), which is clearly infeasible given the difficulty of solving the DL and FAC problems.
Performance: Next, we investigate the performance of our scheme in terms of the number of modular multiplications, hashing operations, random number generations, inverse computations and modular exponentiations.
The computation costs of the proposed scheme are summarized in Table 1.
In the proposed scheme, no root extractions, hashing operations or inverse computations in Z_n^* are performed by the signer. There are three modular exponentiations, ten modular multiplications, two hashing operations and two random number generations performed by the requester A.
There are two modular exponentiations, three modular multiplications and one random number generation performed by the signer to issue a signature.

DISCUSSION
So far in the literature, the developed partially blind signature schemes have been based on a single problem. If an enemy can find a solution to this single problem, then he or she can break the scheme. These include the schemes of Abe and Fujisaki [1], Abe and Okamoto [2], Fan and Lei [4], Hwang, Lee and Lai [6] and Zhang and Chen [7]. This problem is avoided in our scheme, since the proposed partially blind signature is based on two hard problems, namely the factoring and discrete logarithm problems. Thus it provides longer-lasting security than partially blind signature schemes based on a single problem, because it is very unlikely for enemies to solve the two problems simultaneously. If one of the problems can be solved, the intruder still has to solve the other problem in order to break our new scheme. Next, our scheme also satisfies the four important requirements that guarantee the security of the scheme, namely partial blindness, randomization, unlinkability and unforgeability. The randomization property prevents an intruder from gaining valuable hints or ideas for breaking the scheme. The unlinkability property prevents an intruder from obtaining additional information from previous blind signatures. The last requirement, unforgeability, confirms that the intruder has no chance of obtaining any secret numbers or information.
The efficiency performance reveals that the modular multiplication operation dominates our scheme. However, this operation does not hinder the scheme, since it can always be sped up. Note that the other operations, modular exponentiation, hashing and inverse computation, are needed only minimally. Our performance analysis also matches the performance of the schemes of Abe and Fujisaki [1], Abe and Okamoto [2], Fan and Lei [4], Hwang, Lee and Lai [6] and Zhang and Chen [7]. This means that no significant difference was found in the performance analysis of our scheme (using Table 1) when compared with the other schemes.

CONCLUSIONS
In this study, we presented a new partially blind signature scheme based on two hard problems, namely factoring and discrete logarithms. A scheme based on two problems provides a higher level of security than a scheme based on a single problem. The proposed scheme requires minimal operations in signing and verifying, which makes it very efficient. Some possible attacks have also been considered, and we showed that the scheme is secure against those attacks.