Blind multi-signature scheme based on factoring and discrete logarithm problem

One of the important objectives of information security systems is providing authentication of the electronic documents and messages. In that, blind signature schemes are an important solution to protect the privacy of users in security electronic transactions by highlighting the anonymity of participating parties. Many studies have focused on blind signature schemes, however, most of the studied schemes are based on single computationally difficult problem. Also, digital signature schemes from two difficult problems were proposed but the fact is that only finding solution to single hard problem then these digital signature schemes are breakable. In this paper, we propose a new signature schemes base on the combination of the RSA and Schnorr signature schemes which are based on two hard problems: IFP and DLP. Then expanding to propose a single blind signature scheme, a blind multi-signature scheme, which are based on new baseline schemes.

In 1999, Popescu [13] presented blind multi-signatures based on elliptic curves. In 2005, Chow et al. proposed two blind signature schemes partially based on Bilinear Pairings [14]. In 2011, Moldovyan [15] presented a blind signature scheme based on the GOST R34.10-2001 signature standard. In 2012, Nguyen and Dang [16] provided enhanced security for voting protocols on the Internet using blind signatures; Swati Verma et al. also presented New Proxy Blind Multi Signature based on Integer Factorization and Discrete-Logarithm Problems [17]. In 2013, Panda et al. researched blind signing authorizations in electronic voting processes [18]. In 2014, Hua Sun et al. proposed New Certificateless Blind Ring Signature Scheme [19]. In 2016, Shilbayeh et al. proposed security schemes for electronic voting processes [20]. In 2017, Minh et al. proposed New Blind Signature Protocols Based on a New Hard Problem [21]; Salome James et al. proposed Identity-Based Blind Signature Scheme with Message Recovery [22].
In this paper, we propose a new digital signature scheme from two difficult problems based on the RSA digital signature scheme [23] and the Schnorr digital signature scheme [24]. We expand our functionality to construct the blind signature scheme and the blind multi-signature scheme. This helps new blind digital signature schemes inherit some advantages of the security of the signature schemes that had been proven in practice. The organization of the paper is as follows: section 2 provides the related theories and schemes. In section 3, we shall design a new signature scheme, which requires the simultaneous breaking of the factorization and discrete logarithm. We expand our functionality to construct a new blind signature scheme and a new blind multi-signature scheme. In the last section, the conclusion of our research work will be presented.

Related Theories and Schemes
The following notations are used: -p is a prime number, with structure p=2n+1, n q q = with , qq  are the strong prime numbers [25] -H is a collision-resistant hash function - is a generator of order n over * p Z -q|p−1: q is the divisor of p-1 -() n  is the Euler function -e is the public key and d is the secret key in RSA

Integer Factorization Problem [26]
The integer factorization problem is the following: given a positive integer n, find its prime factorization, i.e., find pairwise distinct primes i p and positive integers i e such that 12 12  -Choose e such that gcd( , ( )) 1.
ne is published as the public key.
-Compute d such that 1mod ( ). de n  = The pair ( , ) nd is used as the secret key. x yp = -Let H and computed from the signed document M. The public key is ( , , ).

py 
The secret key is x .

Signature Generation Procedure
To sign a message M the signer performs the following steps: -Choose a random k such that 1 1.
. Then the pair ( , ) ES is the digital signature of M. The signer repeats these steps for every signature.

Signature Verification Procedure
A signature ( , ) ES of a message M is verified as follows: -Compute

Blind Signature Scheme based on Difficulty of Solving Simultaneously Two Difficult Problems 3.1. New Signature Scheme based on Two Difficult Problems
To design the new blind signature scheme and blind multi-signature scheme, we first propose a new digital signature scheme as a basic structure of our developing blind signature schemes. Breaking the modified signature schemes described below requires simultaneous solving two different difficult problems, computing discrete logarithm in the ground field () GF p and factoring n. In this signature scheme, p is a prime number, with structure 21 pn =+ .
The process of the basic structure is describe following: Solving the discrete logarithm problem in () GF p is not sufficient for breaking the modified scheme. Now to break the signature scheme it is required to know the factorization of n. The solution of the discrete logarithm problem leads to the computation of the secret key x and to the possibility to calculate the value * ( ) mod S k xE n =− . However, to calculate the signature S is required to extract the eth root modulo n from the value * S .
This requires factoring the modulus n.

New Blind Signature Scheme
The proposed signature scheme using two difficult problems can be used as a basic algorithm for constructing blind signature scheme which is similar to the blind signature scheme based on the RSA [23] and Schnorr signature schemes [24]. This approach will be used to develop the following blind signature scheme, which requires the simultaneous solving of these two difficult problems. There are six rounds in the blind signature scheme.

New Blind Multi-signature Scheme
Assume that user A asks the entire group B who has the authority to include n signers to sign document M; however, this user does not want this authorized group to know the content of M. First, this user blinds the document M, which becomes document Mʹ. Then, Mʹ is sent to the authorized signing group. This group signs Mʹ and sends it back to the requesting user. Then, the user unblinds Mʹ to M and checks the received signature. If the signature is valid, then the user has a valid signature on document M. A blind multisignature scheme has three participants: User A, signers B and a trusted third party (TTP). The implementation process for blind signing the message M includes three schemes:  ES  .

Signature Verification Procedure
The verification procedure described in the blind signature scheme is the same as in the previous basic digital signature scheme, i.e., using the verification equation

Unlinkability
In a blind signature scheme, the unlinkability property (or blindness property) makes it impossible for the signer to derive the link between a given signature and the instance of the signing scheme which produces the blinded form of that signature. Theorem 2: The scheme provides unlinkability property in the case when the message M and signature ( , ) ES  will be presented to the signer.

Randomization
The signer had better inject one or more randomizing factors into the blinded message such that the attackers cannot predict the exact content of the message the signer signs.

Unforgeability
It means that only the signer can generate the valid signature. The intruder may attack the proposed scheme by following way. Intruder tries to derive the signature ( , ) ES  for a given message M by letting one integer fixed and finding the other one. For example, intruder selects E and tries to figure out the value of S satisfying and only if two difficult problems is breakable.

Performance
The security of the new blind digital signature scheme has been proven to be equivalent to solving two independent difficult problems simultaneously including IFP and DLP. We investigate the performance of our schemes in the number of modular multiplication, number of hashing operation, number of random number generation, number of inverse computations, number of cube root and number of modular exponentiation. Time for computing modular addition and subtraction are ignored, since it is much smaller than time for computing modular exponentiation, modular multiplication and modular inverse. The comparisons of computation costs performed by the user, signer and verifier between the proposed blind signature scheme and the scheme of [27] are summarized in Table 1 and Table 2.   This section will compare the performance of our blind multi-signature scheme with the blind multi-signature scheme in [27] also design the blind multi-signature scheme, but the basic scheme is based on the Rabin and the Schnorr schemes and using S 3 instead S in the Signature verification procedure. Our blind multi-signature scheme is based on the RSA and the Schnorr schemes and using S e instead S in the Signature verification procedure.
From the comparison Table 1 and Table 2, we realized that the time costs of the proposed blind multi-signature scheme has more the time cost than the scheme in [27] with performed by uer and with performed by the Verifier. However, with performed by the signer, it is easier to perform because it is not required to extract the square 3 root to calculate the D value ( D is used to computing the blind signature S ). And therefore, they can be applied in practice.

Conclusion
In this paper, we proposed a new signature scheme from two difficult problems IFP and DLP. Then expanding to propose a single blind signature scheme and a blind multi-signature scheme, which requires the simultaneous breaking of two independent difficult problems, these are based on the RSA signature scheme and Schnorr signature scheme. It has been proved to be correct, blind, unforged, random and provides higher level security than schemes that based on a single hard problem. The results show that the proposed blind multi-signature signature scheme are safe and present high performance; therefore, they can be applied in practice such as the proposed schemes can be applied in election systems and digital cash schemes.