A Restrictive Blind Signature Scheme with Applications to Electronic Cash

  • C. Radis
  • R. Govaerts
  • J. Vandewalle
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT)


A restrictive blind signature scheme is a cryptographic primitive used in the design of untraceable off-line electronic payment systems. The security of this primitive determines both the integrity of the bank and the anonymity of the payers. Brands proved that a restrictive blind issuing protocol for secret-key certificates can be derived from any signature scheme of Fiat-Shamir type, provided the latter admits ordinary blinding. No similar result exists for the restrictive blind issuing of public-key certificates: only one such primitive is known, and it is derived from Schnorr’s identification protocol. Our paper presents another restrictive blind signature scheme that can be used for public-key certificates. This solution is developed from the Identification Scheme type 1 and the corresponding signature scheme introduced by Okamoto. Using this blind signature protocol, we design an efficient untraceable electronic cash system.


Blind signature schemes, public-key certificates, anonymity, electronic cash


  1. Brands, S. (1993) Untraceable off-line cash in wallet with observers. Advances in Cryptology — CRYPTO’93, volume 773 of Lecture Notes in Computer Science, 302–318, Berlin, 1993. Springer-Verlag.
  2. Brands, S. (1995) Restrictive blinding of secret-key certificates. Advances in Cryptology — EUROCRYPT’95, volume 921 of Lecture Notes in Computer Science, 231–247, Berlin, 1995. Springer-Verlag.
  3. Brickell, E.F. and McCurley, K.S. (1992) An interactive identification scheme based on discrete logarithms and factoring. Journal of Cryptology, 5 (1), 29–39.
  4. Chaum, D. and Pedersen, T.P. (1993) Wallet databases with observers. Advances in Cryptology — CRYPTO’92, volume 740 of Lecture Notes in Computer Science, 89–105, Berlin, 1993. Springer-Verlag.
  5. Feige, U., Fiat, A. and Shamir, A. (1988) Zero-knowledge proofs of identity. Journal of Cryptology, 1 (2), 77–94.
  6. Fiat, A. and Shamir, A. (1987) How to prove yourself: Practical solutions to identification and signature problems. Advances in Cryptology — CRYPTO’86, volume 263 of Lecture Notes in Computer Science, 186–194, New York, 1987. Springer-Verlag.
  7. Goldwasser, S., Micali, S. and Rivest, R. (1988) A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17 (2), 281–308.
  8. Okamoto, T. (1993) Provably secure and practical identification schemes and corresponding signature schemes. Advances in Cryptology — CRYPTO’92, volume 740 of Lecture Notes in Computer Science, 31–53, Berlin, 1993. Springer-Verlag.
  9. Okamoto, T. and Ohta, K. (1990) Divertible zero-knowledge interactive proofs and commutative random self-reducibility. Advances in Cryptology — EUROCRYPT’89, volume 434 of Lecture Notes in Computer Science, 134–149, Heidelberg, 1990. Springer-Verlag.
  10. Ong, T. and Okamoto, T. (1994) Single-term divisible electronic coins. Advances in Cryptology — EUROCRYPT’94, volume 950 of Lecture Notes in Computer Science, 306–319, Berlin, 1994. Springer-Verlag.
  11. Schnorr, C.P. (1991) Efficient signature generation by smart cards. Journal of Cryptology, 4 (3), 161–174.

Copyright information

© IFIP International Federation for Information Processing 1996

Authors and Affiliations

  • C. Radis (1)
  • R. Govaerts (1)
  • J. Vandewalle (1)
  1. Katholieke Universiteit Leuven, Laboratorium ESAT-COSIC, Heverlee, Belgium
