" Untraceability " Analysis of Two Id-based Proxy Blind Signature from Bilinear Pairings

" Untraceability " is an important property of Proxy blind signature. Zhang proposed some new untraceable blind signatures in order to enhance the security of Cai et al. (2007) and Hu et al. (2007)'s schemes. However, this study shows there are three important conclusions: 1. By reduction, we prove that the cryptanalysis method proposed by Zhang is improper and Cai et al. (2007)'s schemes does satisfy the property of untraceability; 2. On that basis, we pinpoints a new analysis method of untraceability which has effectively proved that Hu et al. (2007)'s scheme doesn't satisfy the property of untraceability. Furthermore, the method can be used as a standard method which could analyze other schemes related with blind signature; 3. Zhang's scheme is unpractical since the cost of the scheme is higher compared with Cai et al. (2007)'s scheme.


INTRODUCTION
Chaum (1982) first proposed the concept of blind signature. It is a particular digital signature which needs to satisfy two additional properties:
• Blindness: The signer does not see the content of the message.
• Untraceability: The signer is unable to link the message-signature pair with the corresponding view after the blind signature has been revealed to the public by the requester.
The proxy signature scheme was first presented by Mambo et al. (1996); it enables a proxy signer to sign messages on behalf of an original signer. Recently, many proxy blind signatures have been proposed. A proxy blind signature is a digital signature scheme which combines the properties of proxy signature and blind signature schemes. Furthermore, it produces some new properties, so it is very useful in some special applications.
Cai et al. (2007) pointed out that Li et al.'s proxy blind signature was insecure and proposed an improved scheme which had been proved secure (Cai et al., 2007). Hu et al. (2007) presented a new ID-based strong proxy blind signature scheme from bilinear pairings (Hu et al., 2007). However, the authors simply claimed that the scheme met the property of untraceability and didn't give a proof. Recently, Zhang (2009) showed that Cai et al. (2007)'s scheme and Hu et al. (2007)'s scheme couldn't satisfy the property of untraceability and proposed two corresponding improved schemes (Zhang, 2009). Chen et al. (2010) studied the cryptanalysis of a new blind signature based on the DLP. Unfortunately, in this manuscript, we point out that Zhang's analysis method is improper and reach three important conclusions.

CAI ET AL.'S SCHEME AND SECURITY ANALYSIS
Cai et al.'s scheme: Here, we will briefly recall Cai et al. (2007)'s scheme.
is the corresponding public key. Publish the system parameter: G G e q P Q H H
Proxy delegation phase:
• The original signer A picks , computes: where $m_w$ is proxy delegation certification and then sends $(U_A, V_A, r_A, m_w)$ to proxy signer B.
• B checks whether the equation:
The blind signature of the message m is (U, r, V).
Verification phase: Anyone can verify the validness of the proxy blind signature (U, r, V) by checking whether:
Zhang's cryptanalysis: In Zhang's cryptanalysis (Zhang, 2009)

=
. If the checking equation holds, the scheme will satisfy the property of untraceability. Otherwise, it will not meet the property.

DISCUSSION
In this section, we will prove Zhang's cryptanalysis is unfortunately incorrect. Let: ) , , ( be the two arbitrary message-signatures of the scheme and their corresponding views are ) , , respectively, so the following equations hold: When the message-signature pair $(U_j, r_j, V_j)$ is revealed to the public, the proxy signer searches all the views stored. Obviously, from its corresponding view stored, ) , , For the revealed message-signature pair $(U_j, r_j, V_j)$ and any view ) , , (3) The proxy signer computes factors {k, p 3 } from Eq. (4) and (5): where, Then, by use of Eq. (1) and (2), we can see that Eq. (3) always holds: always holds. Therefore, the signer is still unable to link the message-signature pair with the corresponding view by using Zhang's method.

Result I: The cryptanalysis method proposed by Zhang is improper and Cai et al. (2007)'s scheme does meet the property of untraceability, which has been proved in Cai et al. (2007).
Result II: The analysis and proof process above can be used as a new method to analyze the property of "untraceability" of other schemes related to blind signatures.
Result III: The equations: in Zhang's scheme. Obviously, Zhang's scheme is impractical since its cost is higher than that of Cai et al. (2007)'s scheme.

Our new proof method of "untraceability" analysis:
From the discussion in the section above, we propose a new method of "untraceability" analysis of blind signatures. The new method can be described briefly as follows:
Theorem: During the execution of the blind signature issuing protocol ∑, consider the revealed message-signature pair S and any view V stored by the signer (whether they are corresponding or not). Suppose they have n corresponding "blindness" equations. The signer can compute n-1 factors from n-1 of the "blindness" equations and then check the nth "blindness" equation by use of the given equations in the blind signature issuing protocol ∑. If the nth "blindness" equation holds, the protocol ∑ satisfies the property of "untraceability". Otherwise, it doesn't meet the property.
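The theorem's test, worked through as an added example that is not from the paper: it uses a blind Schnorr signature as a stand-in, because the pairing-based equations of the schemes discussed here are not reproduced on this page. The toy group, the function names and the `tie_factors` flawed variant (one blinding factor reused for both) are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group: P is the Mersenne prime 2^127 - 1 and exponents are
# reduced mod N = P - 1, which keeps the algebra exact. Not a secure choice.
P = (1 << 127) - 1
N = P - 1
G = 3

def h(m, r):
    return int.from_bytes(hashlib.sha256(f"{m}|{r}".encode()).digest(), "big") % N

def issue(x, m, tie_factors=False):
    """One blind Schnorr session; returns (signer's view, unblinded signature)."""
    y = pow(G, x, P)
    k = secrets.randbelow(N)
    R = pow(G, k, P)                                 # signer -> requester
    a = secrets.randbelow(N)
    b = a if tie_factors else secrets.randbelow(N)   # hypothetical flaw: b reuses a
    R2 = R * pow(G, a, P) * pow(y, b, P) % P         # blindness eq.: R' = R g^a y^b
    c2 = h(m, R2)
    c = (c2 + b) % N                                 # blindness eq.: c = c' + b
    s = (k + c * x) % N                              # signer's response
    return (R, c, s), (c2, (s + a) % N)              # blindness eq.: s' = s + a

def verify(y, m, sig):
    c2, s2 = sig
    return h(m, pow(G, s2, P) * pow(y, N - c2, P) % P) == c2

def nth_equation_holds(y, view, sig, tie_factors=False):
    """Solve blindness equations for the factors, then test a remaining one."""
    (R, c, s), (c2, s2) = view, sig
    b = (c - c2) % N                                 # factor from c = c' + b
    if tie_factors:                                  # single factor a = b
        return (s2 - s) % N == b                     # test: s' = s + a
    a = (s2 - s) % N                                 # factor from s' = s + a
    R2 = pow(G, s2, P) * pow(y, N - c2, P) % P       # R' implied by the signature
    return R * pow(G, a, P) * pow(y, b, P) % P == R2 # test: R' = R g^a y^b

def analyse(tie_factors, sessions=3):
    """Rows are stored views, columns are revealed signatures."""
    x = secrets.randbelow(N)
    y = pow(G, x, P)
    runs = [issue(x, f"msg-{i}", tie_factors) for i in range(sessions)]
    valid = all(verify(y, f"msg-{i}", sig) for i, (_, sig) in enumerate(runs))
    table = [[nth_equation_holds(y, v, sig, tie_factors) for _, sig in runs]
             for v, _ in runs]
    return valid, table
```

An all-True table means every stored view is consistent with every revealed signature, so the check tells the signer nothing. A table that is True only on the diagonal is the "holds if and only if i = j" outcome, which lets the signer link a signature to its session.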

HU ET AL.'S SCHEME AND SECURITY ANALYSIS
Hu et al.'s scheme: Here, we will briefly recall Hu et al. (2007)'s scheme (Zhang, 2009).
Setup: Let $G_1$, $G_2$ be an additive cyclic group and a multiplicative cyclic group, respectively, with prime order q. A bilinear pairing : . Pick , as system master key. Set pk = xP as system public key, where P is the generator of $G_1$. Let h, H be two hash functions where, private key of proxy signer and the corresponding public key is .
Signing phase: Then, the blind signature of the message m is (U, r).
Verification phase: Anyone can verify the validness of the proxy blind signature (U, r) by checking whether $r = e(P, U)\, e(H(m_w), tP)^{-V}\, e(Q', xP)^{-V}$ holds.
Proof: During the execution of Hu et al. (2007)'s blind signature issuing protocol, let $(U_i, r_i)$, $(U_j, r_j)$ be the two arbitrary message-signatures of the scheme and their corresponding view are ) , , Hu et al. (2007)'s scheme, the following equations hold:

Untraceability analysis of
When the message-signature pair $(U_j, r_j)$ is revealed to the public, the proxy signer searches all the views stored. For the revealed message-signature pair $(U_j, r_j)$ and any view ) , , stored (whether they are corresponding or not), obviously, they have two corresponding "blindness" equations as follows: (6) and (7). Unfortunately, we find that Eq. (8) holds if and only if i = j. In other words, Eq. (8) holds if and only if the view and the revealed message-signature are corresponding. By the theorem, Hu et al. (2007)'s scheme doesn't satisfy the property of untraceability.

CONCLUSION
In this manuscript, we point out that Zhang's cryptanalysis method of untraceability is improper. Furthermore, we present a new analysis method of untraceability which can be used to analyze other schemes related to blind signatures.
, he claimed that Cai et al. (2007)'s blind signature could be traced by the proxy signer. The proxy signer will keep a set of record ) for all blinding signed messages. After revealing the message-signature pair (U, r, V) to the public by the requester, the proxy signer can compute factors Zhang's checking equation always hold. The proof is listed as follows: -signature pair $(U_j, r_j, V_j)$ are corresponding or not, the checking equation ) et al. (2007)'s scheme are replaced respectively by the equations: is the private key of original signer O, where $H(ID_O)$ is the corresponding public key. $S_{ID_P} = xH(ID_P)$ is the private key of proxy signer P, where $H(ID_P)$ is the corresponding public key. whether the equation: $e(S, P) = e(H(m_w), tP)\, e(H(ID_O), xP)$ holds. If it holds, P computes