This chapter discusses schemes to confirm that data owned by anonymous entities are legitimate ones, in other words, to protect data owned by anonymous entities from their illegitimate modifications, forgeries, additions, and deletions. Blind Signature schemes enable entity P to obtain the signature of other entity on its data M without disclosing M, therefore later on P can prove the authenticity of M without disclosing its identity. Unlinkable signatures on data ensure that signers had honestly signed on only and all eligible data while disabling anyone including data owners and signers to know correspondences between the data and their signed forms, and implicit transaction links (ITLs) can be used to force entities not to delete their maintaining data without knowing the data themselves. These schemes enable developments of homomorphic anonymous tokens and anonymous credentials, where entities can prove their eligibilities while maintaining their anonymities by showing tokens or credentials. They also enable the identifications of dishonest entities, while preserving privacies of honest entities.
TopBlind Signatures
In anonymous systems, frequently signers are required to sign on bit strings without knowing their values. Let us consider tokens that are used to show that their owners are the eligible entities to receive some services. Here, tokens are unique bit strings, on which an authority signs to convince itself that the token owners are the authorized entities, i.e. only authorized entities can have signatures of the authority on their tokens. However, if the authority memorizes tokens and entities to which it had given the tokens, the authority can easily identify entities that show their tokens to receive services. To maintain anonymity of entities, mechanisms that enable the entities to obtain the signatures of the authority on their tokens without disclosing their values are necessary, and schemes of blind signatures enable this.
Blind signature schemes can be developed based on commutative encryption functions, namely, entity P that requires the signature of signer S on its bit string M encrypts M to E(a, M) by its secret encryption key a, and S signs on E(a, M), i.e. S calculates S(d, E(a, M)) by using its signing key d. Then, finally while exploiting the commutative property of the encryption and the signing functions, P decrypts S(d, E(a, M)) to S(d, M) by its decryption key a-1. Here, S(d, M) is the signature of S on M, however, S cannot know the entity that shows S(d, M) because S had signed on E(a, M). There are 2 different ways to implement this scheme, the one is the public key based and the other is the secret key based implementations. In the former implementation, verification keys of signers are disclosed to relevant entities, on the other hand in the latter implementation, verification keys are known only to signers. In anonymous systems there are cases where verification keys are required to be secrets of signers at least during certain periods.