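Title: A Study on Partially Blind ECDSA and Its Application on Bitcoin (基於ECDSA之部分盲簽章及其在比特幣上應用之研究)
Author: Huang, Hong-Xun (黃泓遜)
Contributors: Tso, Ray-Lin (左瑞麟); Huang, Hong-Xun (黃泓遜)
Keywords: ECDSA; Partially Blind Signature; Bitcoin
Date: 2021
Upload time: 2-Mar-2021 14:34:04 (UTC+8)
Abstract (translated from the Chinese): A blind signature is a digital signature that keeps the signer from learning the message being signed. In practical applications, however, the signer often needs to record some additional information related to the signature. The concept of the partially blind signature was proposed to solve this problem. Besides having the properties of a blind signature, a partially blind signature lets the signer obtain the relevant information it needs from the signed message. Many results on partially blind signatures have been proposed since the concept was introduced, but they either require considerable computation time or are hard to apply in practice. In addition, with the rise of digital currencies (such as Bitcoin), more and more consumers buy digital currency. However, current purchasing methods cannot hide the location (address) of the consumer's electronic wallet, so some research has focused on blind signatures based on the Elliptic Curve Digital Signature Algorithm (ECDSA). Yet because the signer in a blind signature knows nothing at all about the signed message, these ECDSA-based blind signatures are difficult to apply flexibly in digital currency systems. We therefore propose three partially blind signatures. Our first signature is the most efficient partially blind signature in the research to date. In addition, to fit the Bitcoin system better, we propose two modified versions of ECDSA together with their security proofs in the Generic Group Model, and based on them we propose two ECDSA partially blind signatures that are the first to be compatible with the current Bitcoin system. We provide security proofs and efficiency analyses for all of the above partially blind signatures. Finally, we present how our partially blind signatures can be applied when purchasing Bitcoin.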
Abstract (English): Blind signatures allow a user to obtain a signature without revealing message information to the signer. However, in many cases, the signer must record additional information relevant to the signature. Therefore, a partially blind signature was proposed to enable the signer to obtain some information from the signed message. Although many partially blind signature schemes have been proposed, they are time intensive and impractical. Additionally, with the development of blockchain technology, users increasingly use Bitcoin for purchasing and trading with coin providers. Some studies have indicated that elliptic curve digital signature algorithm (ECDSA)-based blind signatures are compatible with Bitcoin because they prevent the linking of sensitive information due to the untamability of Bitcoin. However, these approaches are not sufficiently flexible because blind signatures do not allow the signer to obtain any information. In this thesis, we proposed three partially blind signature schemes. To the best of our knowledge, compared with other state-of-the-art schemes, our first scheme is the most practical partially blind signature. Additionally, to be more compatible with the current Bitcoin protocol, we introduced two variants of ECDSA with their security proofs under the generic group model. Based on these two variants of ECDSA, we proposed two partially blind signature schemes. Security proofs are provided to demonstrate that all proposed schemes have satisfactory unforgeability and blindness. At last, we describe an application of Bitcoin purchasing based on the proposed schemes.
Description: Master's
National Chengchi University
Department of Computer Science
107753047
Source: http://thesis.lib.nccu.edu.tw/record/#G0107753047
Type: thesis
Advisor: Tso, Ray-Lin (左瑞麟)
Other identifier: G0107753047
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/134089
Format: application/pdf, 683443 bytes
DOI: 10.6814/NCCU202100361
Table of contents:
Acknowledgements
Abstract (Chinese)
Abstract
1 Introduction
  1.1 Background
  1.2 Motivation
  1.3 Contributions
  1.4 Organization
2 Related Work
3 Background
  3.1 Digital Signature
  3.2 Schnorr Blind Signature
  3.3 Elliptic Curve Discrete Logarithm Problem
  3.4 ECDSA
  3.5 Yi’s Blind ECDSA
4 Preliminary
  4.1 Unforgeability
    4.1.1 Existential Forger
    4.1.2 Selective Forger
  4.2 Property of Hash Function
    4.2.1 One-Wayness (Preimage-Resistance)
    4.2.2 Second-Preimage-Resistance
    4.2.3 Zero-Finder-Resistance
5 Generic Group Model
6 VariantECDSA
  6.1 Definition of VariantECDSA
  6.2 Unforgeability of variantECDSA
    6.2.1 Existential Unforgeability Against No-Message Attacks
    6.2.2 Selective Unforgeability Against Adaptive Chosen-Message Attacks
7 VariantECDSA1
  7.1 Scheme of VariantECDSA1
  7.2 Generic Group Oracle for VariantECDSA1
  7.3 Security Proof of VariantECDSA1
8 VariantECDSA2
  8.1 Scheme of VariantECDSA2
  8.2 Generic Group Oracle for VariantECDSA2
  8.3 Security Proof of VariantECDSA2
9 Partially Blind Signature
  9.1 Definition of Partially Blind Signature
  9.2 Security Definitions of Partially Blind Signature
    9.2.1 Unforgeability
    9.2.2 Partial Blindness
10 The Proposed Scheme 1
11 The Proposed Scheme 2
12 The Proposed Scheme 3
13 Security Analysis
14 Efficiency Analysis
15 Performance
16 Discussion
17 Application of the Proposed Schemes
  17.1 Application on Bitcoin
  17.2 Further Discussion
    17.2.1 Fixed Denominations
    17.2.2 Different Address
    17.2.3 Amount of Daily Trades
    17.2.4 The Tradeoff
  17.3 Applications beyond Bitcoin
18 Conclusion
Bibliography