1. Field of the Invention
This invention relates to transaction systems, and more specifically to improved cryptographic techniques involving public-key digital blind signatures.
2. Description of Prior Art
Blind signature techniques were first disclosed in U.S. Pat. No. 4,759,063, titled "Blind Signature Systems," issued to the present applicant, also appearing as European Patent Publication No. 0139313 dated 2/5/85, and which is incorporated herein by reference.
One possible criticism of the particular exemplary embodiment disclosed there is that it requires the underlying signature system to be secure against a "chosen message" attack. In such an attack, the provider party P chooses a specially crafted, dangerous message, obtains a signature on it, and is then able to use that signature to break the whole signature scheme; because the signer B sees only the blinded form of what it signs, B cannot inspect the message and refuse it. Of course it is not presently known whether such dangerous messages can be found for the well known RSA system.
In any case, ways to prevent such release of chosen roots are known, such as, for example, the techniques disclosed in a co-pending application of the present applicant, titled "One-Show Blind Signature Systems," filed 3/3/88, with U.S. Ser. No. 168802, now U.S. Pat. No. 4,914,698, and which is also incorporated herein by reference. These systems use a plurality of "candidate" messages, some subset of which appear in the final signature. The candidates that do not appear in the final signature are opened and inspected by B before the signature is issued, and since P must commit to all candidates before learning which ones B will open, B obtains (with high probability) control over the content of the candidates that do appear in the signature. Consequently, a chosen message attack against these systems has a low chance of success.
Multiple candidate systems proposed so far, though, do suffer from some shortcomings. One is that the number of candidates needed to offer the desired low probability of success for chosen message attacks may be a larger number than is required for the other properties of the signatures. Thus, some economy could be obtained by reducing the number of candidates, while still offering protection against the conceivable danger of chosen message attacks.
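The following is an added illustration and is not part of the patent text or of the referenced applications. It is a toy Python implementation of the multiple-candidate technique described above, with constructed parameters: a small RSA modulus built from the two primes just above one million, SHA-256 over the message and a per-candidate nonce as the agreed form that B checks, and the constant 12345 standing in for a "dangerous" value chosen by P. It shows P blinding k candidates, B opening u of them and checking their form before signing the product of the rest, P unblinding and verifying, and a simplified model (an assumption of the example) in which a cheating P succeeds only when B happens to open exactly the honest candidates, giving success probability 1/C(k, u), which is the trade-off between candidate count and protection discussed in the preceding paragraph.

```python
"""Cut-and-choose ("multiple candidate") RSA blind signature, as a toy.

Added illustration, not code from the patent.  Toy parameters (~40-bit
modulus) are for demonstration only and are not secure.
Roles follow the text: P obtains the signature, B is the signer.
"""
import hashlib
import random
from fractions import Fraction
from math import comb, gcd


def _next_prime(n):
    """Smallest prime >= n, by trial division (fine for toy sizes)."""
    while True:
        if n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def keygen():
    """Toy RSA key: returns ((n, e), d)."""
    p = _next_prime(10 ** 6)
    q = _next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)


def candidate(n, message, nonce):
    """Agreed candidate form: H(message || nonce) mod n.  B recomputes this."""
    h = hashlib.sha256(message + b"|" + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") % n


def provider_prepare(pk, message, k, rng, bad_slots=()):
    """P builds k blinded candidates.  Slots listed in bad_slots carry an
    attacker-chosen value (constructed: 12345) instead of the agreed form."""
    n, e = pk
    nonces = [rng.getrandbits(64) for _ in range(k)]
    blinders = []
    while len(blinders) < k:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            blinders.append(r)
    cands = [candidate(n, message, nc) for nc in nonces]
    for i in bad_slots:
        cands[i] = 12345  # the "dangerous" message P wants a root of
    blinded = [c * pow(r, e, n) % n for c, r in zip(cands, blinders)]
    return {"nonces": nonces, "blinders": blinders, "cands": cands, "blinded": blinded}


def signer_check_and_sign(pk, d, message, blinded, opened, reveal):
    """B checks every opened candidate against the agreed form; if all pass,
    B signs the product of the unopened blinded candidates."""
    n, e = pk
    for i, (nonce, r) in zip(opened, reveal):
        if blinded[i] != candidate(n, message, nonce) * pow(r, e, n) % n:
            return None  # cheating detected: refuse to sign
    prod = 1
    for i, b in enumerate(blinded):
        if i not in opened:
            prod = prod * b % n
    return pow(prod, d, n)


def provider_unblind(pk, prep, opened, s_blind):
    """P strips the blinding factors of the unopened candidates."""
    n, _ = pk
    s = s_blind
    for i, r in enumerate(prep["blinders"]):
        if i not in opened:
            s = s * pow(r, -1, n) % n
    unopened = [c for i, c in enumerate(prep["cands"]) if i not in opened]
    return unopened, s


def verify(pk, cands, s):
    """s is a valid signature iff s^e equals the product of the candidates."""
    n, e = pk
    prod = 1
    for c in cands:
        prod = prod * c % n
    return pow(s, e, n) == prod


def run(pk, d, message, k, u, seed, bad_slots=()):
    """One full exchange; P and B use independent seeded randomness."""
    rng_p, rng_b = random.Random(seed), random.Random(seed * 7919 + 1)
    prep = provider_prepare(pk, message, k, rng_p, bad_slots)
    opened = sorted(rng_b.sample(range(k), u))  # B's choice, unknown to P beforehand
    reveal = [(prep["nonces"][i], prep["blinders"][i]) for i in opened]
    s_blind = signer_check_and_sign(pk, d, message, prep["blinded"], opened, reveal)
    if s_blind is None:
        return {"accepted": False, "valid": False, "unopened": []}
    cands, s = provider_unblind(pk, prep, opened, s_blind)
    return {"accepted": True, "valid": verify(pk, cands, s), "unopened": cands}


def cheat_success_probability(k, u):
    """Simplified model (assumption): a cheating P wins only if B opens
    exactly the honest candidates, i.e. one subset out of C(k, u)."""
    return Fraction(1, comb(k, u))
```

With k = 2 candidates and one opened, the model gives a cheating probability of 1/2; with k = 8 and four opened it is 1/70, which is the sense in which more candidates buy protection at the cost of more blinding and checking work.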
Another area for improvement is in the "marking" of the candidates when they appear in the final signatures; each such candidate may be forced to appear under a different mark (or type indication) chosen for it by B. But such marking techniques known so far require a different root (that is, a different signing exponent) for each kind of mark, which in turn substantially increases the number of modular multiplications needed in applying the systems.
A third deficiency of known multiple candidate systems is that, in the signature, the exponents on each candidate are chosen by P. Increased security against some attacks can be achieved if P is unable to choose these exponents.