An ECC-Based Blind Signcryption Scheme for Multiple...

Research ArticleAn ECC-Based Blind Signcryption Scheme forMultiple Digital Documents

Chien-Hua Tsai1 and Pin-Chang Su2

1Department of Accounting Information Chihlee University of Technology New Taipei City Taiwan2Department of Information Management National Defense University Taipei Taiwan

Correspondence should be addressed to Chien-Hua Tsai chienhuamailchihleeedutw

Received 20 October 2016 Revised 12 January 2017 Accepted 26 January 2017 Published 22 February 2017

Academic Editor Angelos Antonopoulos

Copyright copy 2017 Chien-Hua Tsai and Pin-Chang Su This is an open access article distributed under the Creative CommonsAttribution License which permits unrestricted use distribution and reproduction in any medium provided the original work isproperly cited

The popularity of the Internet has comprehensively altered the traditional way of communication and interaction patterns suchas e-contract negotiations e-payment services or digital credential processes In the field of e-form systems a number of studiesinvestigate the ability of the blind signature to fulfill the basic properties of blindness and untraceability However most literaturesexploring the blind signaturemechanisms only address research and technology pertaining to single blind signature issues Furthermost of the topics only deal with signing rather than encryptionThus we propose a new blind signature scheme formultiple digitaldocuments based on elliptic curve cryptography (ECC) Our scheme incorporates the design of signcryption paradigm into theblind signature scheme to strengthen high levels of securityThis innovative method also enhances computational efficiency duringprocessing multiple electronic documents since the ECC provides a shorter key length and higher processing speed than otherpublic-key cryptosystems on equivalent secrecy The analysis results show that the present scheme achieves better performance atlow communication overheads as well as with higher level of security By helping the design of the intrinsic properties the proposedcryptosystem can be applied to many areas to protect sensitive data in ubiquitous computing environments

1 Introduction

Information and communications technology has stronglyinfluenced the way of peoplersquos daily lives particularly thechannel we use The Internet appears to be benefitting thedevelopment of data transmission or exchange in areas ofdelivering valuable information such as e-contract nego-tiations e-voting or e-payment systems and informationmarket applications As peoplersquos activities on the unfetterednetwork and communication increase digital informationdistribution applications become more available This alsomeans that by manipulating certain data in the query it couldpossibly lead to unauthorized access and usage of privateinformation to the open Internet connection and potentiallycause data leakage and access issues For example if anagreementrsquos contents cannot be appropriately maintainedsecrecy in an electronic contract some crucial informationand sensitive business rules can easily be intercepted by unau-thorized people and the incidents involving the compromise

of such data may result in a loss of individuals or businesspartners and revenue To ensure that digital communicationcontaining sensitive information remains relatively accessibleand secure to the masses the need of proper securitymeasures should be applied for such data access A number oftechniques can be adopted when implementing privacy andunlinkability mechanisms within such an electronic docu-ment application each with its own contributions to the pro-tection of proprietary information such as public-key crypto-graphy [1] digital signatures [2 3] and blind signatures [4ndash9]

Blind signature which was first described by Chaum [1011] has been extensively employed for protecting digital infor-mation privacy and themechanismmakes sensitive data con-tents anonymous resistant to forgery and indisputable Anyblind signature scheme must satisfy two core properties thatis blindness and untraceability [10 12 13] Blindness propertyin an interactive signature protocol allows that the signedmessages are transmitted between a user and a signer and

HindawiSecurity and Communication NetworksVolume 2017 Article ID 8981606 14 pageshttpsdoiorg10115520178981606

2 Security and Communication Networks

the message contents are unknown from the signer Untrace-ability or unlinkability property ensures that the signercannot link back any message-signature pair later even if thesignature is revealed to the public Chaumrsquos blind signaturescheme is based on the integer factorization problem (IFP)and the security relies on the hardness of RSA assumptionThis scheme can be considered secure if the underlying hashfunction is chosen appropriately In order to enhance thesecurity and efficiency of blind signatures there have beenseveral constructions of various schemes since the appear-ance of the blind signature [12ndash20] Some works suggest thattechnical security requirements are based on the discretelogarithm problem (DLP) other than the IFP There are alsocombination strategies [7 9] which simultaneously involveboth solving the DLP and tackling the IFP for attaining ahigh security level As we probably know by now the DLPhardness assumption is that if a hash function is collision-resistant then it is hard In this setting the associated securityparameters must be chosen carefully so that the DLP remainshard in certain groups It is interesting to note that either theDLP or the IFP over a prime field appears to be of roughlythe same degree of difficulty [21 22] As the computing powerincreases and the algorithmic skills are constantly improvedthere is also the chance that the DLP and IFP for the underly-ing combinatorial hard problem could be solved determinis-tically in subexponential time

More recently Vanstone [23] has proved that ellipticcurve cryptosystems based on the elliptic curve discretelogarithm problem (ECDLP) provide greater efficiency thanthose cryptographic algorithms for the IFP andDLPThis factmakes solving the ECDLP in subexponential time impracti-cable Due to the strength of smaller key size operations forthe ECDLP it is expected that a secure and efficient solutioncan be achieved under the algorithmic technique assumptionSubsequently several variations of ECC-based blind signa-tures [4 8 24ndash27] are consequently proposed and they haveshown their schemes to be remarkably useful in practicalapplications between the security and the performance It isworth pointing out that a newly unveiled blind signcryptionconcept (by combining blind signature and signcryptionalgorithm) is obtained from Shamsherullah et al [28] andSadat et al [29] their research is focused on customizeddesigns on electronic payment systems and a proxy approachrespectively offering strong security requirements to facilitatethe progress of communicating and accessing information incomplex networks

From the above literature review these existing crypto-graphic protocols aremainly interesting to construct strongermodels for blind digital signatures to satisfy basic securityguarantees and their algorithms focus on disguising a mes-sage then followed by a digital signature and maintaininga verification along with a blinding factor to the resultingmessage Although the strategy can guarantee the blindnessand untraceability properties for the message specific autho-rized subjects (eg project participants) are not assigned toverify this signature correctly since anyone can use signerrsquospublic key to verify the signature without identity authentica-tion during the verification phase In the meantime dif-ferent participants interact with each other in establishing

communication sessions and the session data can leave anidentifier stolen more vulnerable to identity theft or protocolattacks (eg the man-in-the-middle attack) Moreover mostof the current studies deal with blind signatures in a singlemessage at a time or a batch ofmultiple signatures onmultipledocuments [2 30] instead of managing large number ofdigital documents bymaking a single signature just once [31]In the case of handling voluminous amount of documentsgradually performing blind signature processes on multipleelectronic documents takes more time than going throughthe same steps in a single digital document Another concernis that in batch processing the messages are signed tocompletion in consequence and the rest of thesemessageswillnot be affected by the tampering attempt if some of messagecontents have been compromised This situation will raisesecurity risks about information disclosure

Unlike the approaches of one signature at a time or abatch mode our proposal handles multiple digital docu-ments by creating one-time signature that links all chunkedmessages to form the avalanche effect in cryptography toprotect data from unauthorized access or alteration In thispaper we also study methods to extend the functionalityof member signatures while distinguishing the involvementof designated representatives from unauthorized personswhere the proposed scheme can enable a verifiable action forparticular authorized people and authenticates the informa-tion correctly at a later time to verify the identities of givenusers to prevent identity breaches from the verification stageThis is particularly useful in an off-line scenario where thesignatures are able to be self-certified without needing anInternet connection once participants have been registeredin the system as existing legitimate entities In addition weintroduce the concept of ECC-based signcryption techniqueinstead of using a more general class blind signature schemewhich along with its form can greatly minimize the com-putational load and communication overheads for tacklingmultiple electronicmessagesThe signcryption schemewhichwas first introduced by Zheng [32] is a new cryptographicparadigm that fulfills the integration of encryption anddigital signature synchronously at a low-overhead function-ality providing program Research has proven its benefit inimproving efficiency in several applications such as three-party communication environments [33] key managementfor wireless sensor networks [34] and multiple receivers forfirewalls [35] Yu and He [36] suggest a new efficient DLP-based blind signcryption protocol to enhance security goalssuch as anonymity untraceability and unlinkability Ullah etal [37] also present an ECC-based blind signcryption schemethat is capable of supplying the properties of confidentialityintegrity unforgeability and nonrepudiation for low-poweror resource-constrained devices On top of that instead ofusing elliptic curve cryptography Ch et al [38 39] andNizamuddin et al [40] introduce an alternative paradigm forsigncryption measurements that are based on the notion ofhyperelliptic curve cryptography and their papers propose amore lightweight signcryption model having public verifia-bility and forward secrecy to reduce the number of bits andobtain better performance than the existing ECC-basedschemes However all three of the methods do not use a

Security and Communication Networks 3

blinding technique but a nonblind cryptographic primitiveto offer the support of public verifiability and hyperellipticcurve cryptography in genus 2 that requires many morefield operations in each group operation has the potential tobe competitive with its genus 1 elliptic curve cryptographycounterpart [41 42] As for multidocument cryptographicprocessing using signcryption technique Tsai and Su [31]present a variant of a threshold signcryption protocol byassigning a group of signatures to share a secret link formultiple documents Their work handles large number ofdigital documents via a group of participants splitting a secretand each of the members is allocated a share of the secretwhereas the proposed scheme manages multiple documentsby one single person employing a blind signcryption tech-nique alongwith thesemessages to enable effective protectionmeasures for example the anonymity and untraceabilityproperties It is only natural to consider the signcryptiontechnique from digital information perspectivemdashthus bycombining a signcryption approach with a blinding proce-dure to carry out the blind digital signature protocol thistype of scheme not only essentially yields strong securityrequirements of a blind signature manner to detect dishonestadversaries but also efficiently improves the computation andtransmission costs of blind signature processing

Our research contributions aim to improve adoptionof the security requirements and to increase the speedof information transmission for multiple blind signcryptedmessages To achieve these objectives we design a secureand efficient blind signcryption scheme based on ellipticcurve cryptography that empowers the combination strat-egy to verify the authenticity of legitimate entities in thenetwork without disclosing the contents of the signcryptedmessagesTheproposed scheme has the security attributes formultiple messages namely blindness untraceability authen-ticity confidentiality correctness integrity nonrepudiationunforgeability and the avalanche effect of encrypted mes-sagesThe comparative evaluation of the study has better per-formance in terms of computational cost and communicationoverheads Additionally this innovative method offers theuseful property of a self-certified identity in off-line scenariosIt can be adapted to mobile computing environments forefficient and secure data transmissionThe paper is organizedas follows In the next section we briefly introduce theRSA-based blind signature form ECC-based blind signatureprotocol and signcryptionmanner respectively In Section 3we propose an original essay to construct a signcryption-combined scheme for blind digital signatures In Section 4weevaluate the performance of the proposed solution and proveits security features Finally Section 5 concludes the paper

2 Conceptual Basis

This section first gives a brief introduction to a RSA-basedblind signature algorithm We also sketch an ECC-basedblind signature technique and the signcryption mechanismfrom their respective backgrounds which will be recom-mended to our proposed scheme in Section 3

21 Blind Signature Based on RSA The concept of blindsignature first devised by Chaum [10] in 1983 is based onRSAalgorithmand the hardness of IFPAccording toChaumrsquosconcepts there are two participants namely the signer 119878 andthe requester 119877 involved in the signature scheme Given amessage 119898 to be signed let (119899 119890) be the signerrsquos public keyand the corresponding private key is 119889 The blind signaturescheme consists of the following five phases

(i) Initializing Phase 119878 chooses two distinct primes 119901 119902and computes 119899 = 119901 sdot 119902 120593(119899) = (119901 minus 1) sdot (119902 minus 1)Next 119878 selects two randomnumbers 119890 and 119889 such that1 lt 119890 lt 120593(119899) and gcd(120593(119899) 119890) = 1 to determine 119889 as119889 equiv 119890minus1(mod 120593(119899)) 119878 then publishes (119899 119890) and keeps(119901 119902 119889) secret

(ii) Blinding Phase 119877 takes an arbitrary number 119903 isin [0 119899]and calculates1198981015840 equiv 119898119903119890(mod 119899) Then 119877 sends1198981015840 to119878 In this phase 119877 blinds the message and 119878 does notknow the contents of the message

(iii) Signing Phase 119878 uses the private key 119889 to compute 1199041015840 equiv(1198981015840)119889(mod 119899) and sends it back to 119877

(iv) Unblinding Phase 119877 acquires the signature 119904 equiv 1199041015840 sdot119903minus1(mod 119899)

(v) Verifying Phase Anyone can verify the validity ofmessage-signature pair (119898 119904) by checking that 119904119890 equiv119898(mod 119899)

22 Blind Signature Based on ECC In 2010 Jeng et al [4]proposed a fast blind signature scheme based on the ECDLPThis scheme does not compute modular exponentiationconsecutively Instead a user can obtain a signature and verifyit only through scalar multiplication of points on ellipticcurves for example point addition and point doubling ECCrequires much lesser numbers for its operations hence thescheme is very efficient Let an elliptic group 119864119901(119886 119887) beformed as1199102 = 1199093+119886119909+119887(mod119901) where 41198863+271198872 = 0 mod119901 such that119864119901(119886 119887) is appropriate for cryptography And thena base point119866 on119864119901 is determinedwhose order is a very largevalue 119906 such that 119906 sdot 119866 = 119874 The protocol is described below

(i) Initialization 119877 randomly selects a secret key 119899119894 andgenerates the corresponding public key 119875119894 as 119875119894 equiv 119899119894 sdot119866(mod119901) Likewise 119878 chooses a random number 119899119895as the secret key and the corresponding public key is119875119895 equiv 119899119895 sdot 119866(mod119901)

(ii) Blinding 119877 retains a message119898 sets 120572 equiv 119898 sdot (119899119894 sdot 119875119894) sdot(mod119901) and sends the blinded message 120572 to 119878

(iii) Signing 119878 arbitrarily chooses another blinding factor119899V and creates a pair of blind signatures (119903 119904) where119903 equiv 119899V sdot 120572(mod119901) and 119904 equiv (119899V +119899119904) sdot 120572 sdot (mod119901) Then119878 forwards the message-signature pair (120572 (119903 119904)) to 119877and keeps (120572 119899V) in private

(iv) Unblinding 119877 removes the blind signature (119903 119904) byapplying the secret key 119899119894 along with 119878rsquos public key 119875119895to yield 1199041015840 equiv 119904minus119898sdot119899119894119875119895( mod 119901) And then119877 calculates1198981015840 = 119899119894 sdot (119899119894 minus 1)119898


Requester A

Verifier T

Authentication server(AS)

(i) Initial setup and registration

(ii) Mutual identity verification

(iii) Blind signcryption

Signer B

(iv) Unblinding

(v) Signature verification

(vi) Decryption

Figure 1 The proposed operational context diagram

(v) Verification Anyone can use 119878rsquos public key 119875119895 toverify the authentication of the signature (1198981015840 1199041015840 119903) bychecking whether the given formula 119903 equiv 1199041015840 minus 1198981015840 sdot119875119895(mod119901) has been satisfied

23 Signcryption Mechanism Signcryption first presentedby Zheng [32] in 1997 is a new cryptographic technique thatfulfills digital signature and public-key encryption simulta-neously in a single step at lower computational costs andcommunication overheads than signing and encrypting sepa-rately Due to its advantages both confidentiality and authen-ticity are seamlessly accomplished and it is widely used foremail transmission files delivery and data communicationA generic signcryption scheme Σ = (Gen SCUSC) typicallyconsists of the following three phases key generation (Gen)signcryption (SC) and unsigncryption (USC)Gen generatesa pair of keys for any user 119880 (SDK119880VEK119880) larr Gen(119880 120582)where 120582 is the security parameter SDK119880 is the privatesigningdecryption key of user119880 and VEK119880 is hisher publicverificationencryption key For any message 119898 isin 119872 thesigncrypted text 120590 is obtained as 120590 larr SC(119898 SDK119878VEK119877)where 119878 denotes the sender and 119877 is the receiver SC isgenerally a probabilistic algorithm while USC is most likelyto be deterministic where 119898 cup perp larr USC(120590 SDK119877VEK119878)in which perp denotes the invalid result of unsigncryption

Signcryption schemes can be trusted by providing twodifferent mathematical functions as mentioned above one isthe signature and the other is the encryption The choice ofconfidentiality and authenticity would be made based on thelevel of security desired by any digital signature scheme inconjunction with a public-key encryption scheme

3 The Proposed Scheme

In this section we introduce a secure and efficient blind sig-nature scheme which embeds the signcryption technique inthe mutual authentication procedure for singular or multipleelectronic message contents based on the ECDLP Solving theECDLP circumstance becomes computationally infeasible ifany antagonist attempts to gather some secret informationfrom captured participants to perform a specific action (egcounterfeit identity) In addition our study uses interleavingstructural features that is the ECC-based hard problem andthe shift permutation problem to raise the levels of securityfor the transmission of such information Particularly owingto the difficulty of solving the ECDLP and the small key lengthsin ECC the security strength and efficiency of the proposedsolution will certainly lead to very promising results

Our scheme comprises the following six phases initialsetup and registration phase mutual identity verificationphase blind signcryption phase unblinding phase signatureverification phase and decryption phase The operationalcontext diagram of the proposed scheme is shown in Figure 1and ldquoAbbreviationsrdquo section summarizes the notations andthe denotations thereof about the mechanism usedThere arethree participants in our blind signature protocol namely arequester 119860 a signer 119861 and a verifier 119879 respectively Thenan authentication server AS is responsible for generating thesystem parameters and issuing secure electronic identities tousers

31 Initial Setup and Registration Phase During the initialand registration stage we first specify the domainrsquos parame-ters to set up the system configurationThe default argumentsthat are made up of several key fields are as follows


(i) A secure elliptic curve 119864(119865119902) is defined over a finitefield 119865119902 where 119902 is a large prime number such thatthe number is greater than 283 bits that is a 283-bitkey in ECC is considered to be as secured as 3072-bitkey in RSA [43 44] Next an order 119889 will be selectedtogether with the base point 119866 on the elliptic curve119864(119865119902) and the proper choice satisfies 119889sdot119866 = 119874 where119874 is the point at infinity

(ii) To generate a public-private key pair the AS ran-domly chooses a secret value of 119899AS from [2 119889 minus 2]as the private key and the associated public key canbe derived from (1)

PKAS = 119899AS sdot 119866 (1)

(iii) Then the AS publishes PKAS to all users as well as thesystem parameters (119864(119865119902) 119866 and 119889) and keeps 119899ASas a secret

(iv) Each user that is 119860 119861 and 119879 must register onthe dedicated server (AS) as a legitimate participantbefore proceeding to related services

(v) Next all the users select random values 119899119860 119899119861 119899119879 astheir private keys in the same way Accordingly thepaired public keys of all users are generated with (2)

PK119860 = 119899119860 sdot 119866PK119861 = 119899119861 sdot 119866PK119879 = 119899119879 sdot 119866

(2)

(vi) After creation all participants have their own uniquepair of keys The message of private keys with identi-fies id119860 id119861 and id119879will be transmitted to theAS via asecure channel In addition the ASwill apply the hashfunction ℎ1(sdot) to produce a random nonsecret saltvalue 119890 for verifying the identity of a user thereafterThe hash value can be used to determine the criticalissue of identity assurance in an off-line status as aself-certification approach and the associated hashvalues are obtained from (3)

119890119860 = ℎ1 (id119860PK119860)

119890119861 = ℎ1 (id119861PK119861)

119890119879 = ℎ1 (id119879PK119879)

(3)

(vii) In themeantime the AS still needs the correspondingdata points 119885119860 119885119861 119885119879 on the elliptic curve togenerate the relative certificates Each data pointcontaining a random numerical value 119897 is calculatedaccording to (4)

119885119860 = 119897119860 sdot 119866 = (119909119885119860 119910119885119860)

119885119861 = 119897119861 sdot 119866 = (119909119885119861 119910119885119861)

119885119879 = 119897119879 sdot 119866 = (119909119885119879 119910119885119879)

(4)

(viii) The certificates associated with each participant aretherefore computed by (5)

ca119860 = 119897119860minus1 (119890119860 + 119909119885119860 sdot 119899AS)

ca119861 = 119897119861minus1 (119890119861 + 119909119885119861 sdot 119899AS)

ca119879 = 119897119879minus1 (119890119879 + 119909119885119879 sdot 119899AS)

(5)

(ix) When the setup process prepares all the appropriateparameters for the actions that were run the ASsecurely sends the messages (119890user 119885user and causer)to each user and also makes the global system param-eters publicly known including PK119860 PK119861 PK119879 ℎ1(sdot)and ℎ2(sdot)

32 Mutual Identity Verification Phase When finishing theregistration process each entity is able to effectively com-municate with the related parties The user authenticationagreement between the requester119860 and the signer 119861 operatesas below

(i) In the request the message (ca119860 119890119860 119885119860 PK119860 PKAS)is sent from 119860 to 119861 and vice versa (ie the message(ca119861 119890119861 119885119861 PK119861 PKAS) also reaches the targetedrecipient from119861 to119860) According to themessage fromthe requester 119860 the signer 119861 first checks whether thereceived message is original or not If the messagedigest has not been altered the signer 119861 goes on theidentity verification process Otherwise the signer 119861rejects the requester 119860rsquos authentication request Theauthenticity of the received message must satisfy theconstraint equation (6)

1199061 = ca119860minus1 mod 119889

1199062 = 119890119860 sdot 1199061 mod 1198891199063 = 119909119885119860 sdot 1199061 mod 119889

(6)

(ii) If the message is genuine the requester 119860 is avalid user and the signer 119861 continues the mutualverification context or else the signer 119861 revokes theprocedure Next the signer 119861 applies the public keyfrom the AS to the message so as to authenticatethe requester119860rsquos identity The discriminant validity isconstructed as (7) and the authenticity of119860 is verifiedby (8)

119876119860 = 1199062 sdot 119866 + 1199063 sdot PKAS = (119909119876119860 119910119876119860) (7)

119909119885119860= 119909119876119860 (8)

(iii) The signer 119861 compares 119909119885119860 with 119909119876119860 If 119909119885119860 = 119909119876119860which implies the identity verification is valid thesigner 119861 is then convinced that the requester 119860 is alegal entity The requester 119860 can also verify the signer119861rsquos identity and it works in much the same way as thesigner119861 doesThat is the requester119860 verifies whether119909119885119861 is identical to 119909119876119861 or not


33 Blind Signcryption Phase Theblind signcryption phase isa single continuous action rather than a three-stage processIn order to facilitate a more overt understanding of thecontext and later comparison with other existing methodsbetween the operational baseline conditions we logicallydivide the implementation into three substeps and thisprogress can be considered as the core part of the proposedscheme Each one of these operations is closely aligned to anintegration activity

331 Encryption Substep The purpose of the encryptionstage is to avoid suffering the leak of sensitive informationagainst the wishes of those who intend to snoop We followadditional steps to increase operational security and espe-cially of that data is traveling across networks

(i) To ensure the safe and secure delivery of digitalinformation to the signer 119861 through the Internetthe requester 119860 first partitions a data message intoa sequence V of different plaintext blocks V119894 (ge1)and the separate blocks in each data segment can beexpressed as (9)

V = V1 V2 V119894 (9)

(ii) Secondly the requester119860 uses the ℎ1(sdot) hash functionto produce a specific hash value 119905 known as a messagedigest for the sequence V of V119894 and the operation canbe uniformly implemented by (10) At the same timethe one-way function 1198911198982119901(sdot) that takes the sequenceof data blocks as inputs is applied to transform theplaintext messages into a series 119881 of elliptic curvepoints 119881119894 (ge1) The data transformation can be donewith (11)

ℎ1 (V) = 119905 (10)

1198911198982119901 (V) = 1198811 1198812 119881119894 = 119881 (11)

(iii) Thirdly in order tomake the relationship between theplaintext messages and the representative points onthe elliptic curve as complex as possible the requester119860 defines a set 119901 of binary sequences 119901119894 by (12) thatis the sequences whose terms are either 0 or 1 Alsoeach entry 119901119894 in the binary will match exactly thenumber of the aforementioned data points 119881119894

119901 = (1199011 1199012 119901119894) 119901119894 = 0 1 (12)

(iv) Fourthly the requester119860 generates a randomnumberas a permutation value and the given decimal integer119908 which will be converted into its binary form andcan be mapped onto 119901 is organized by (13) Thepermutations which are controlled by the encodedbinary sequence 119908 start with the most significant bitof1199081 first toward the least significant bit of119908119894 end anddo the following operationsWhen the current binarydigit is 1 and the right side digit is 0 the correspondingdata points are shifted to the right by one position

The operation shifts the place of relative point rightby three bits if the two consecutive bits are equal to 1In contrary when the upper bit of the matching datais 0 and the lower bit is either 1 or 0 the left operationsshift bits in transition marching them to the left onebit or the left three bits respectively The sequence ofleft (≪) or right (≫) shifts corresponds to the functionas (14)

119908 = 119891 1199081 997888rarr 1199011 1199082 997888rarr 1199012 119908119894 997888rarr 119901119894 119908119894 = 119901119894= 119891 (119894)

(13)

119891 (119894) =

≫ 1 if 119894th bit is 1 (119894 + 1) th is 0≫ 3 if 119894th bit is 1 (119894 + 1) th is 1≪ 1 if 119894th bit is 0 (119894 + 1) th is 1≪ 3 if 119894th bit is 0 (119894 + 1) th is 0

such that 119891 (119894) isin 119901

(14)

(v) After that the requester 119860 needs the essential argu-ments including the arbitrary integer 119908 the hashvalue 119905 a randomly chosen number 119896 and a public keyPK119879 from the verifier 119879 to systematically transformthe foregoing plaintext messages to correspondingciphertext points Equations (15) through (18) sum-marize the encryption operationsThere is a specifiedpoint 119870 which is calculated from the product of 119896and the base point 119866 and it serves to detect thatthe received ciphertext has not been tampered withwhile in transit In such a way each ciphertext block1198620 1198621 1198622 119862119894 (ge1) is combined with the previousciphertext block before being computed Note thatthe starting point 1198620 included in the ciphertext datasegments contains two secret parameters119908 and 119905 rep-resenting a permutation value and an integrity checkvalue respectively and the two significant factors willexhibit the avalanche effect which causes a drasticvariation in the ciphertext if either the plaintextfor example 119881119894 or the value of characteristics forexample 119896 119901119894 PK119879 is changed slightly

119870 = 119896 sdot 119866 (15)

1198620 = [1198911198982119901 (119908 119905) + 119896 sdot PK119879] (16)

119862119894 = [119881119894 + 119901119894 sdot 119862119894minus1] 119894 ge 1 (17)

119862 = 1198620 1198621 1198622 119862119894 (18)

(vi) Lastly the requester 119860 applies a publicly known hashfunction ℎ2(sdot) as (19) to the encrypted message 119862 tocreate a unique message digest 119898 after obtaining thesequence of ciphertext blocks 119862119894

ℎ2 (119862) = 119898 (19)


332 Blinding Substep The core goal of blindness is toprotect the messages from the signer without knowing itscontents For the blindness property the requester119860 uses thepublic and private key pair as a blinding factor (119899119860 sdotPK119860)withthe message digest 119898 to blind the message and the blindingoperation is computed by (20)Then the blindedmessage 120572 ispassed to the signer 119861

120572 = 119898 sdot 119899119860 sdot PK119860 (20)

333 Signing Substep Upon receipt of the resulting message120572 the signer 119861 haphazardly selects an integer 120573 isin [2 119889 minus 2]to determine a secret element 119877 as (21) and combines theprivate key 119899119861 with 120573 to obtain the blind signature 119878 using(22)Themessage-signature pair (120572 (119877 119878)) is then forwardedback to the requester 119860 Since 120573 is a random number anda pair consisting of a secret value and a signature (119877 119878) isarbitrary too this implies that each individual constructionyields a completely different signature and it is not possibleto forge any valid signature on messages

119877 = 120573 sdot 120572 (21)

119878 = (119899119861 + 120573) sdot 120572 (22)

34 Unblinding Phase To unblind the received signature ofthe message-signature pair the requester 119860 first takes theblind signature 119878 the previously generated message digest119898the private key 119899119860 and the public key PK119861 of the signer toextract the blinded signature 1198781015840 as expressed by (23) Also therequester119860 computes the nonce message digest value1198981015840 andthe unblind operation is governed by (24) Then both 1198781015840 and1198981015840 along with the triple (119877 119862119870) are sent to the verifier 119879 totestify that its blinded allegation-signature-requestmessage isauthentic

1198781015840 = 119878 minus 119898 sdot 119899119860 sdot PK119861 (23)

1198981015840 = 119899119860 sdot (119899119860 minus 1) sdot 119898 + 119898 (24)

35 Signature Verification Phase After receiving themessage-signature tuple (1198781015840 1198981015840 119877 119862 119870) the verifier 119879 usesthe signerrsquos public key PK119861 to verify the authentication of thealleged signature and the passing message digest by checkingwhether (25) holds If the resulting message-signature pair(1198781015840 1198981015840) is accepted as valid the verifier 119879 then can proceedto decrypt the sequence 119862 of ciphertext blocks

119877 minus ℎ2 (119862) sdot PK119861= 1198781015840 minus 1198981015840 sdot PK119861 (25)

36 Decryption Phase Decryption is the reverse processconverting the ciphertext message back into its original formIn this case the encrypted messages contain the transformeddata points119881119894 and the related sequence entries 119901119894 thereof andthe random generated permutation value 119908 along with themessage digest 119905 Besides the number of data segments isrepeatedly carried over from previous data blocks Thus theverifier119879needs these things to get the originalmessages back

(i) First the conversion function 1198911198982119901(sdot) having therandom permutation value and the hashed messagepair (119908 119905) can be explicitly specified by assigningthe verifierrsquos private key 119899119879 the verification point 119870and the initialization block 1198620 arguments If (26) canproperly express the causal relationship implied bythis assignment process this means that the mea-surement corresponds accurately to its correspondinglatent variables

1198911198982119901 (119908 119905) = 1198620 minus 119899119879 sdot 119870 (26)

(ii) Next the verifier 119879 uses another conversion function1198911199012119898(sdot) which maps an elliptic curve point to amessage block to acquire the specific pair (119908 119905) Bytaking the input arguments the return operation from(27) yields its untransformed information

(119908 119905) = 1198911199012119898 [1198911198982119901 (119908 119905)] (27)

(iii) Once both the permutation value 119908 and the correctmessage digest 119905 are collected thismakes the obtainedreferences suitable for decryption of messages Theverifier 119879 applies the permutation sequence 119908 (from(13)) in binary format to the associated messagesequence 119901 previously defined in (12) and then per-forms bit shifting operations to find the number ofmatching permutation values in corresponding bitpositions in the two binary sequencesThe bit-reverseoperation is similar to the forward bit shifting trick(from (14)) but it is intended for operating in theopposite direction on individual bits Equation (28)indicates that it uses the relevant rules regardingreversals for bit patterns to locate the bit offset inan ordered sequence of bits While the underlyingpermutations with respect to the sequence of messageblocks are interpreted the ciphertext blocks can beeasily deciphered back into the plaintext messages

119891 (119894) =

≪ 1 if 119894th bit is 1 (119894 + 1) th is 0≪ 3 if 119894th bit is 1 (119894 + 1) th is 1≫ 1 if 119894th bit is 0 (119894 + 1) th is 1≫ 3 if 119894th bit is 0 (119894 + 1) th is 0

such that 119891 (119894) isin 119901

(28)

(iv) After that the process of reverting the ciphertextunits 119862119894 to the plaintext segments of data points119881119894 is progressively carried out by (29) And all thecorresponding plaintext data sets can be recoveredfrom the relevant ciphertext blocks as an expressionof the sequence form 119881 = 1198811 1198812 119881119894

119881119894 = [119862119894 minus 119909119894 sdot 119862119894minus1] 119894 ge 1 (29)

(v) Finally the verifier 119879 reuses the conversion function1198911199012119898(sdot) to convert the data points into the numeric


values as expressed in (30) and all the separatedelements in the sequence V are then concatenatedto form one continuous text message as the originalplaintext

1198911199012119898 (119881) = V (30)

4 Security Analysis andPerformance Evaluation

In this section we will first describe the security analysisof the proposed scheme and then show that our solutioncan reach greater efficiency with respect to the performanceassessments

41 Security Analysis The security of our scheme is basedupon the difficulty of solving the ECDLP In the mean-while the signature approach has applied the signcryptiontechnique within the functionality of blind signature whichthereby strengthens the overall security of electronic com-munications Apart from providing the crux properties ofblindness and untraceability some additional characteristicslike authenticity confidentiality correctness integrity non-repudiation and unforgeability as formalized requirementsfrom previous works [5 6 16 18ndash20] are incorporated inthe proposed scheme to make it stronger as well as moreuseful for various applications We examine these securityrequirements of our scheme as follows

411 Blindness Blindness means that the signer cannot viewthe content of the message while heshe signs the messageThe blindedmessage of our scheme is generated as 120572 = 119898sdot119899119860 sdotPK119860 in (20) The signer 119861 or an opponent is unable to derivethe message 120572 without the parameters namely the messagedigest119898 and the blinding factor (119899119860 sdot PK119860) Since finding theblinding factor in this equation leads to encounter calculatingthe number of points on the elliptic curve over fields itbecomes extremely difficult to break the value of knowingdesired points when tackling the ECDLP The other param-eter value119898 is not an easy attempt that reverses a hash func-tion Therefore the present approach is able to fulfill theblindness property because the signer 119861 signs the blindedmessage and knows nothing about the content of themessage

412 Untraceability Untraceability is also an essential secu-rity requirement in any blind signature scheme The signeris unable to link the signature with the message when themessage-signature pair has been revealed to the public Inthis experiment the message-signature pair (120572 (119877 119878)) isproduced from (20) (21) and (22) The signer 119861 only has theinformation about his or her ownprivate key 119899119861 and a randomnumber 120573 for each blind signature requested Without theknowledge of the secret factors a unique message digest 119898and 119860rsquos private key 119899119860 from the requester 119860 the signer 119861or the verifier 119879 cannot trace the association between themessage and the blind signature Hence this scheme canachieve the untraceability or unlinkability property of a blindsignature

413 Authenticity Authenticity is the property that has twopurposes One ensures that a message received is the exactsame message which was sent and the other verifies that allcommunication participants are who they really claim to beWith regard to message authentication the current schemecan provably provide the authenticity ability of electronicdocuments or data while maintaining the privacy of the sig-nature and thesemessages are able to be adequately protectedfrom inappropriate or malicious modifications through avalid corresponding checksumat the verifier side as describedin (25) As for identity verification the identities of all partiescan be reliably verified during an interactive communicationmodel using the identity authentication 119909119885119860

= 119909119876119860 of(8) If a third party impersonates a legitimate user to gainunauthorized access to themessage data it is computationallyimpractical for solving the ECDLP in elliptic curves (eg toobtain 119899AS from PKAS) Surely the proposed model rendersthe property of authenticity

414 Confidentiality Confidentiality specifies that the con-tents of the message are required to be kept confidential fromunauthorized persons entities or processes In this study allmessages first are encrypted and disguised (blinded) by therequester 119860 signcrypted by the signer 119861 and then passedthrough a permutation process before conveying them to theverifier119879 If there is an opponent that succeeds in interceptingthe messages during transmission the opponent should beunable to decrypt the transmitted ciphertext in a very strongform of cascaded encryption technique The message-relatedattributes especially a set of messages of different types can-not easily be derived without reference values for cryptanaly-sis works For example the value of119870 a verification point asshown in (15) which depends parametrically on 119896 (a randomnumber) and119866 (a base point) can be difficult to find by othermeansThe attacker has to encounter calculating the numberof points on the elliptic curve over fields and it becomesextremely hard to break the value of knowing desired pointswhen tackling the ECDLP Accordingly the present methodcan secure the contents of the message to reach the propertyof confidentiality

415 Correctness Correctness indicates that everyone withthe signerrsquos public key can check the correctness of a signa-ture As wementioned in Section 1 the signature of the signeris revealed to public leading to an identity leak issue Thepublic delegate as a verifier will learn the identity of the signeron each session from a unique electronic binding between anidentity and a public key via a digital certificate As a resultthe public verifying may put various confidential messages atrisk In our design the correctness of the signature of a mes-sage signed through the signature verification procedure canbe checked by the verifier 119879 as a major role using 119861rsquos publickey via an authentication form To verify the correctness ofthe signature from the signer 119861 the verifier 119879 has to checkwhether (25) is valid If the equation holds then (1198781015840 1198981015840) isaccepted as a valid signature of themessage During the courseof the verification the verifier 119879 can successfully achievethe identity authentication from the signer 119861 through the


Table 1 Comparison of the proposed scheme and the two existing similar methods

Security goalsAlgorithm

A new efficient blind signcryption(Yu and He 2008) [36]

Blind signcryption scheme based on elliptic curves(Ullah et al 2014) [37]

Ourscheme

Blindness times radic radicUntraceability times radic radicAuthenticity times radic radicConfidentiality radic radic radicCorrectness times times radicIntegrity radic radic radicNonrepudiation radic radic radicUnforgeability radic radic radic

secret value 119899119861 which is 119861rsquos private key and embedded into(22) Consequently the proposed design conforms to thecorrectness property

416 Integrity Integrity denotes that the information cannotbe altered during the transmission neither accidentally normaliciously If an antagonist attempts to alter a certain pieceof data for example portions of ciphertext119862119894 being commu-nicated between the sender and the recipient it is not easy totamper with the message segments Such tampering requiresat least two or more secret parameters like a permutationvalue 119908 and an integrity check value 119905 in (16) and they arebarely obtained from a conversion function of elliptic curvepoints that maps the messages to the curve Furthermoreeach portion of the ciphertext that is given the correspondingcoordinate position and is embedded in the encoded textas given in (17) is quite dependent on all message blocksOnce there is an intentional act to make any change to aparticular message it should result in dramatically differentconsequences with respect to the avalanche effect Thus theproposed solution provides the integrity property

417 Nonrepudiation Nonrepudiation denotes that thesigner cannot deny having signed a message that has avalid signature In our case the blinded message 120572 has beenelectronically signed by the signer 119861 that purported to signthe document and the signature containing specific valuesusually accompanies the document to send back the requester119860 119861 cannot repudiate having signed 120572 since the signaturewas created with 119861rsquos private key 119899119861 and a randomly selectednumber 120573 In addition through the signature validationprocess as represented by (25) the verifier119879 can later confirmthat the signature of the message has been entitled by thedesignated signer 119861 because 119879 has to use the correspondingpublic key as119861rsquos PK119861 during the verification So the proposedmethod offers the nonrepudiation property

418 Unforgeability Unforgeability refers that only thesigner can give a valid signature for the associated messageand heshe should not be able to generate more signaturesthan the number of valid signing executions (aka nonreus-ability) in an interactive signature agreement If an adversary

impersonates the signer 119861 to forge a legally blind signatureheshe can intercept or eavesdrop the blinded message 120572but is unable to obtain a valid pair (120572 (119877 119878)) to execute thesignature generation process without a designated signer 119861holding private key 119899119861 Similarly if the signer 119861 attempts towillfully create two more valid signatures after interactingwith the requester 119860 once it is practically impossible for119861 to guess a random signature (119877 119878) Besides the verifier119879 can use the signature verification procedure 119877 minus ℎ2(119862) sdotPK119861

= 1198781015840 minus 1198981015840 sdot PK119861 as defined in (25) to determine areceived message tuple (1198781015840 1198981015840 119877 119862 119870) corresponding tothat signature against the forgery For these parameters theadversary or the dishonest signer then has to encounter thehardness of solving the ECDLP and the difficulty of invertingthe one-way hash function The proposed scheme indeedsatisfies the property of unforgeability

We have described the multifaceted characteristics of theproposed scheme in terms of security requirements it hasbeen pointed out that distinguishing attributes do fit wellwithin blind signatures In Table 1 we present a comparisonof the above-mentioned two latest schemes in Section 1 basedon security properties for blind signcryption techniquesThe symbol ldquoradicrdquo on a security requirement means that it issatisfied with the feature while the symbol ldquotimesrdquo indicates thatit does not provide satisfaction in a specifiedmanner As seenfrom Table 1 due to the eight essential properties the presentmethod offers enhanced security functions in related appli-cations of blind signcryption whereas the existing successfulschemes suffer from some weaknesses including blindnessuntraceability and correctness

42 Performance Evaluation The subsection following thenext investigates a detailed quantitative measure comparingthe performance of our proposed algorithm with the twoaforesaid algorithms in blind signcryption systems We willexamine theoretical results of the three different strategiesfor solving the cryptological operations involved with respectto the costs of computation and communication incurred byeach task according to the concept of modular arithmeticoperations [31 45] The notations including scalar multi-plication point addition hash construction and modular


Table 2 The computational complexity symbols and the meanings

Symbol Description Operation cost119879MUL The execution time of a multiplication operation = 1119879MUL

119879ADD The execution time of an addition operation Negligible119879EXP The execution time of an exponentiation operation asymp240119879MUL

119879INVS The execution time of a modular multiplicative inverse asymp240119879MUL

119879ECMUL The execution time of an ECC point multiplication asymp29119879MUL

119879ECADD The execution time of an ECC point addition asymp5119879MUL

119879ℎ The execution time of an ECC point hash operation asymp23119879MUL

119905ℎ The execution time of a basic hash function operation asymp04119879MUL

arithmetic that we used to evaluate the performance areshown in Table 2

Table 3 summarizes the comparison results betweenour scheme and the existing similar blind signcryptionschemes in terms of computational costs Compared to thethree related algorithms by evaluating one single electronicdocument processing the proposed scheme requires twopublic-key encryption and decryption operations for eachtask which lead to a performance penaltyThis is more time-consuming work regarding the computational complexity ofdealing with both the ECDLP computation and the permuta-tion procedure simultaneously As we can see if we comparethe outcomes with the same baseline measures as shadowareas in Table 3 the proposed scheme has much lower com-putational complexity even with encryption and decryptionlatency-time tradeoffs than the other two blind signcryptionapproaches In spite of imposingmore sophisticatedmanipu-lation techniques this nature makes the proposed solu-tion bear strongly secure structure and effectively preventunwanted network intrusions

As the number of electronic documents is graduallyincreased maintaining the efficiency and security of blindsigncryption protocols becomes critical to the continuity ofthe related operations To estimate different performancelevels for these blind signcryption schemes in the contextof multiple documents (eg a multipage document) werepeatedly conduct the required steps to complete each blindsigncryption process Table 4 yields the performance compar-ison for the proposed signcryption-combined blind signaturescheme against the two exemplary blind signcryption proto-cols in terms of number of documents As shown in Table 4Yu et alrsquos DLP-based method causes the substantial increasein computational cost on each associative multiplicationoperation Although our scheme reaches a slightly highercomputational complexity for dealing with one single digitaldocument about 121119879MUL in the total cost than Ullah et alrsquosapproach due to the mutual authentication operation (ie2119879ECMUL + 1119879ECADD + 2119879MUL + 1119879INVS asymp 305119879MUL) thecomputational costs of the two existing methods potentiallytake more time to execute cryptographic-related operationswith a dramatic increase in managing vast numbers ofdocuments from 2 to 10 The performance penalty associatedwith the relative inefficiency of these blind signcryptionbased algorithms is closely correlated if every single digitaldocument has to go through all of the time-consuming

steps involved Unlike the classic approaches that handle asingle electronic document each task our solution consumeslower costs to perform the security-related operations forprocessing relatively large amounts of digital documents andalways runs in weakly polynomial time Put another way theproposed scheme requires only one-time operation to blindsigncryption unblinding signature verification and decryptprocesses for multiple document messages whereas the exist-ing mechanisms need to keep reiterating the procedure sev-eral times tomanipulate large quantities of data in a paginatedform for blinding signing unblinding and signature verifi-cation actionsThrough the contiguously tabular analysis webelieve that our proposed signcryption-embedded approachsignificantly outperforms the other existing methods in car-rying out several levels of cryptographic operations on largenumbers of documents This much efficient cryptosystem isgood to use in various kinds of blind signature applications

5 Conclusions

This paper presents a new alternative scheme of blind sig-natures for electronic messages and documents processingbased on both the ECDLP and the bit-level permutationproblem difficulties To make the relationship between thecontent of the messages and the message-signature pairthereof as perplexed as possible we embed the signcryptiontechnique into the functions of blind signature besides thecryptographic primitives and explore the constructive solu-tion to tackle the tricky challenges such as identity privacyanonymity and security

We have seen how the concept of aggregate signcryptionlike blind signature and encryption can be used to builda signcryption-combined blind signature scheme and alsoindicated that the proposed scheme is capable of being morebeneficial and requires less number of multiplication oper-ations compared to the two existing solutions in physicallysecure and efficient implementations for digital informationprotection At the security analysis the work investigatesthe related security requirements from a blind signaturedesign methodology and these strong security properties arefully satisfied with the relevant parameters In addition thestudy evaluates the performance effects of different levelsin carrying out large numbers of digital messages and theexperimental results give lower computational costs andcommunication overheads


Table3Com

paris

onbetweenthep

ropo

sedschemea

ndthetwoexistingblindsig

ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our

signcryption-combinedscheme

Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL


Table 4 Performance comparison between the proposed scheme and the other two schemes across multiple documents

Number ofdocuments

MethodA new efficient blind signcryption

(Yu and He 2008) [36]Blind signcryption scheme based on elliptic curves

(Ullah et al 2014) [37]The proposed

scheme1 3131119879MUL 400119879MUL 521119879MUL

2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL

Annotation to strengthen the security protection mechanisms the mutual identity verification phase to authenticate the communicating parties to each otheris required to prevent the identity forgery or fraud and the cost of each authentication thus takes 305119879MUL time to calculate the complexity (ie 2119879ECMUL +1119879ECADD + 2119879MUL + 1119879INVS)

By providing the above-mentioned abilities of the secu-rity structure and the computation efficiency the proposedscheme not only speeds up current blind signature tech-niques and digital information application programs but alsoextends the field for a new protocol method using thesesecure yet efficient structure primitives This facilitates muchfaster blind signatures and electronic messages processing aswith many distributions that take place at scale combininghigh performance with robust security for constructing var-ious anonymous applications including electronic paymentsystems voting services credential-based access control pro-cesses and digital content protection platforms

Abbreviations

119864(119865119902) An elliptical curve 119864 over a finite field 119865119902119866 A base point of an elliptical curve119889 A prime order of 119866119902 A prime number such that 119902 gt 2283id119860 id119861 id119879 Userrsquos identity information such as

requester 119860 signer 119861 and verifier 119879PKAS 119899AS A public and private key pair from ASPK119860 PK119861 PK119879 Public keys of all the users as requester 119860

signer 119861 and verifier 119879119899119860 119899119861 119899119879 Private keys of all the users as requester 119860

signer 119861 and verifier 119879ca119860 ca119861 ca119879 The usersrsquo certificates for requester 119860

signer 119861 and verifier 119879119885119860 119885119861 119885119879 Representative points on an elliptic curve

119864 defined over 119865119902119890119860 119890119861 119890119879 An identity value selected for requester 119860

signer 119861 and verifier 119879119897119860 119897119861 119897119879 A random number selected from AS for

requester 119860 signer 119861 and verifier 1198791199061 1199062 1199063 Nonce values

119876119860 119876119861 119876119879 Intermediate points on an elliptic curve 119864defined over 119865119902

ℎ1(sdot) A hash function to be used for public keyidentity and plaintext messages

ℎ2(sdot) A hash function to be used for ciphertextmessages

1198911198982119901(sdot) A conversion function from a message toan elliptic curve point

1198911199012119898(sdot) A conversion function from an ellipticcurve point to a message

V A plaintext segment119862 A ciphertext stream119908 A permutation value in bit shift operations119905 A hash value derived from a plaintext

sequence119898 A hash value derived from a ciphertext

sequence120572 A blinded message120573 A random integer number119896 An arbitrary integer number119870 A verification point119877 A secret element119878 A blind signature The concatenation operation

Competing Interests

The authors declare that they have no competing interests

References

[1] C BrzuskaM FischlinA Lehmann andD Schroder ldquoUnlink-ability of sanitizable signaturesrdquo in Proceedings of the 13thInternational Conference on Practice and Theory in Public KeyCryptography (PKC rsquo10) vol 6056 pp 444ndash461 Springer ParisFrance May 2010


[2] C-F Chou W C Cheng and L Golubchik ldquoPerformancestudy of online batch-based digital signature schemesrdquo Journalof Network and Computer Applications vol 33 no 2 pp 98ndash1142010

[3] A C Enache ldquoAbout group digital signaturesrdquo Journal ofMobile Embedded andDistributed Systems vol 4 no 3 pp 193ndash202 2012

[4] F-G Jeng T-L Chen and T-S Chen ldquoAn ECC-based blindsignature schemerdquo Journal of Networks vol 5 no 8 pp 921ndash928 2010

[5] D Pointcheval and J Stern ldquoSecurity arguments for digitalsignatures and blind signaturesrdquo Journal of Cryptology vol 13no 3 pp 361ndash396 2000

[6] Z Shao ldquoImproved user efficient blind signaturesrdquo ElectronicsLetters vol 36 no 16 pp 1372ndash1374 2000

[7] N M F Tahat E S Ismail and R R Ahmad ldquoA new blindsignature scheme based on factoring and discrete logarithmsrdquoInternational Journal of Cryptology Research vol 1 no 1 pp 1ndash92009

[8] AThu ldquoImplementation of an efficient blind signature schemerdquoInternational Journal of Innovation Management and Technol-ogy vol 5 no 6 pp 443ndash448 2014

[9] S Verma and B Kumar Sharma ldquoNew proxy blind multisignature based on integer-factorization and discrete-logarithmproblemsrdquoBulletin of Electrical Engineering and Informatics vol1 no 3 pp 185ndash190 2012

[10] D Chaum ldquoBlind signatures for untraceable paymentsrdquo inAdvances in CryptologymdashCRYPTO rsquo82 vol 3 of Lecture Notesin Computer Science pp 199ndash203 Springer 1983

[11] D Chaum ldquoSecuritywithout identification transaction systemstomake big brother obsoleterdquoCommunications of the ACM vol28 no 10 pp 1030ndash1044 1985

[12] L Harn ldquoCryptanalysis of the blind signatures based on thediscrete logarithm problemrdquo Electronics Letters vol 31 no 14p 1136 1995

[13] C-C LeeM-S Hwang andW-P Yang ldquoA new blind signaturebased on the discrete logarithm problem for untraceabilityrdquoApplied Mathematics and Computation vol 164 no 3 pp 837ndash841 2005

[14] J L Camenisch J M Piveteau and M A Stadler ldquoBlindsignatures based on discrete logarithm problemrdquo in Proceedingsof the Advances in Cryptology (EUROCRYPT rsquo94) vol 950of Lecture Notes in Computer Science pp 428ndash432 SpringerPerugia Italy 1994

[15] C-I Fan and C-L Lei ldquoEfficient blind signature scheme basedon quadratic residuesrdquo Electronics Letters vol 32 no 9 pp 811ndash813 1996

[16] C-I FanW-K Chen andY-S Yeh ldquoRandomization enhancedChaumrsquos blind signature schemerdquo Computer Communicationsvol 23 no 17 pp 1677ndash1680 2000

[17] C-I Fan C-I Wang and W-Z Sun ldquoFast randomizationschemes for Chaum blind signaturesrdquo International Journal ofInnovative Computing Information and Control vol 5 no 11pp 3887ndash3900 2009

[18] M-S Hwang C-C Lee and Y-C Lai ldquoAn untraceable blindsignature schemerdquo IEICE Transactions on Fundamentals ofElectronics Communications and Computer Sciences vol 86 no7 pp 1902ndash1906 2003

[19] W-S Juang and C-L Lei ldquoPartially blind threshold signaturesbased on discrete logarithmrdquo Computer Communications vol22 no 1 pp 73ndash86 1999

[20] V R L Shen Y F Chung T S Chen and Y A Lin ldquoA blindsignature based on discrete logarithm problemrdquo InternationalJournal of Innovative Computing Information and Control vol7 no 9 pp 5403ndash5416 2011

[21] K Rabah ldquoElliptic curve cryptography over binary finite fieldGF(2119898)rdquo Information Technology Journal vol 5 no 1 pp 204ndash229 2006

[22] S Su and S Lu ldquoA public key cryptosystem based on three newprovable problemsrdquoTheoretical Computer Science vol 426-427pp 91ndash117 2012

[23] S A Vanstone ldquoElliptic curve cryptosystemmdashthe answer tostrong fast public-key cryptography for securing constrainedenvironmentsrdquo Information Security Technical Report vol 2 no2 pp 78ndash87 1997

[24] I Butun and M Demirer ldquoA blind digital signature schemeusing elliptic curve digital signature algorithmrdquo Turkish Journalof Electrical Engineering and Computer Sciences vol 21 no 4pp 945ndash956 2013

[25] K Chakraborty and J Mehta ldquoA stamped blind signaturescheme based on elliptic curve discrete logarithm problemrdquoInternational Journal of Network Security vol 14 no 6 pp 316ndash319 2012

[26] D Jena S K Jena and B Majhi ldquoA novel untraceable blindsignature based on elliptic curve discrete logarithm problemrdquoInternational Journal of Computer Science andNetwork Securityvol 7 no 6 pp 269ndash275 2007

[27] M Nikooghadam and A Zakerolhosseini ldquoAn efficient blindsignature scheme based on the elliptic curve discrete logarithmproblemrdquo International Journal of Information Security vol 1no 2 pp 125ndash131 2009

[28] Shamsherullah Nizamudin A I Umar Noor-ul-Amin RUllah and I Ullah ldquoBlind signcryption scheme based on hyperelliptic curve for untraceable payment systemrdquo in Proceedings ofthe 13th International Conference on Statistical Sciences vol 28pp 337ndash344 Peshawar Pakistan 2015

[29] A Sadat I Ullah H Khattak S Ullah and AmjadurrehmanldquoProxy blind signcrypion based on elliptic curverdquo InternationalJournal of Computer Science and Information Security vol 14no 3 pp 257ndash262 2016

[30] C-H Lin R-H Hsu and L Harn ldquoImproved DSA variant forbatch verificationrdquo Applied Mathematics and Computation vol169 no 1 pp 75ndash81 2005

[31] C-H Tsai and P-C Su ldquoMulti-document threshold signcryp-tion schemerdquo Security and Communication Networks vol 8 no13 pp 2244ndash2256 2015

[32] Y Zheng ldquoDigital signcryption or how to achieve cost(signatureamp encryption) ≪ cost(signature) + cost(encryption)rdquo LectureNotes in Computer Science (including subseries Lecture Notes inArtificial Intelligence and Lecture Notes in Bioinformatics) vol1294 pp 165ndash179 1997

[33] H-Y Lin T-S Wu and S-K Huang ldquoCertificate-based securethree-party signcryption scheme with low costsrdquo JISE Journalof Information Science and Engineering vol 28 no 4 pp 739ndash753 2012

[34] A Braeken and P Porambage ldquoEfficient generalized signcryp-tion based on ECCrdquo International Journal on Cryptography andInformation Security vol 5 no 2 pp 1ndash13 2015

[35] N Din A I Umar N Amin and Abdul Waheed ldquoA novelmulti receiver signcryption scheme based on elliptic curvesfor firewallsrdquo Journal of Applied Environmental and BiologicalSciences vol 6 no 2S pp 144ndash150 2016


[36] X Yu and D He ldquoA new efficient blind signcryptionrdquo WuhanUniversity Journal of Natural Sciences vol 13 no 6 pp 662ndash664 2008

[37] R Ullah N Uddin A I Umar and N Amin ldquoBlind sign-cryption scheme based on elliptic curvesrdquo in Proceedings ofthe Conference on Information Assurance and Cyber Security(CIACS rsquo14) pp 51ndash54 IEEEXploreDigital Library RawalpindiPakistan June 2014

[38] S A Ch Nizamuddin andM Sher ldquoPublic verifiable signcryp-tion schemes with forward secrecy based on hyperelliptic curvecryptosystemrdquo Communications in Computer and InformationScience vol 285 pp 135ndash142 2012

[39] S A Ch Nizamuddin M Sher A Ghani H Naqvi andA Irshad ldquoAn efficient signcryption scheme with forwardsecrecy and public verifiability based on hyper elliptic curvecryptographyrdquo Multimedia Tools and Applications vol 74 no5 pp 1711ndash1723 2015

[40] Nizamuddin S A Ch W Nasar and Q Javaid ldquoEfficient sign-cryption schemes based on hyperelliptic curve cryptosystemrdquoin Proceedings of the 7th International Conference on EmergingTechnologies (ICET rsquo11) September 2011

[41] D J Bernstein and T Lange ldquoHyper-and-elliptic-curve cryp-tographyrdquo LMS Journal of Computation and Mathematics vol17 pp 181ndash202 2014

[42] JW Bos C CostelloHHisil andK Lauter ldquoFast cryptographyin genus 2rdquo inAdvances in CryptologymdashEUROCRYPT 2013 vol7881 of LectureNotes in Computer Science pp 194ndash210 Springer2013

[43] M Gobi R Sridevi and R Rahini priyadharshini ldquoA compar-ative study on the performance and the security of RSA andECC algorithmrdquo in Proceedings of the UGC Sponsored NationalConference on Advanced Networking and Applications pp 168ndash171 Jalgaon India 2015

[44] R Sinha H K Srivastava and S Gupta ldquoPerformance basedcomparison study of rsa and elliptic curve cryptographyrdquoInternational Journal of Scientific amp Engineering Research vol4 no 5 pp 720ndash725 2013

[45] N Tahat and E E Abdallah ldquoA new signing algorithm basedon elliptic curve discrete logarithms and quadratic residueproblemsrdquo Italian Journal of Pure and AppliedMathematics vol32 pp 125ndash132 2014

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpswwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



the message contents are unknown from the signer Untrace-ability or unlinkability property ensures that the signercannot link back any message-signature pair later even if thesignature is revealed to the public Chaumrsquos blind signaturescheme is based on the integer factorization problem (IFP)and the security relies on the hardness of RSA assumptionThis scheme can be considered secure if the underlying hashfunction is chosen appropriately In order to enhance thesecurity and efficiency of blind signatures there have beenseveral constructions of various schemes since the appear-ance of the blind signature [12ndash20] Some works suggest thattechnical security requirements are based on the discretelogarithm problem (DLP) other than the IFP There are alsocombination strategies [7 9] which simultaneously involveboth solving the DLP and tackling the IFP for attaining ahigh security level As we probably know by now the DLPhardness assumption is that if a hash function is collision-resistant then it is hard In this setting the associated securityparameters must be chosen carefully so that the DLP remainshard in certain groups It is interesting to note that either theDLP or the IFP over a prime field appears to be of roughlythe same degree of difficulty [21 22] As the computing powerincreases and the algorithmic skills are constantly improvedthere is also the chance that the DLP and IFP for the underly-ing combinatorial hard problem could be solved determinis-tically in subexponential time

More recently Vanstone [23] has proved that ellipticcurve cryptosystems based on the elliptic curve discretelogarithm problem (ECDLP) provide greater efficiency thanthose cryptographic algorithms for the IFP andDLPThis factmakes solving the ECDLP in subexponential time impracti-cable Due to the strength of smaller key size operations forthe ECDLP it is expected that a secure and efficient solutioncan be achieved under the algorithmic technique assumptionSubsequently several variations of ECC-based blind signa-tures [4 8 24ndash27] are consequently proposed and they haveshown their schemes to be remarkably useful in practicalapplications between the security and the performance It isworth pointing out that a newly unveiled blind signcryptionconcept (by combining blind signature and signcryptionalgorithm) is obtained from Shamsherullah et al [28] andSadat et al [29] their research is focused on customizeddesigns on electronic payment systems and a proxy approachrespectively offering strong security requirements to facilitatethe progress of communicating and accessing information incomplex networks

From the above literature review these existing crypto-graphic protocols aremainly interesting to construct strongermodels for blind digital signatures to satisfy basic securityguarantees and their algorithms focus on disguising a mes-sage then followed by a digital signature and maintaininga verification along with a blinding factor to the resultingmessage Although the strategy can guarantee the blindnessand untraceability properties for the message specific autho-rized subjects (eg project participants) are not assigned toverify this signature correctly since anyone can use signerrsquospublic key to verify the signature without identity authentica-tion during the verification phase In the meantime dif-ferent participants interact with each other in establishing

communication sessions and the session data can leave anidentifier stolen more vulnerable to identity theft or protocolattacks (eg the man-in-the-middle attack) Moreover mostof the current studies deal with blind signatures in a singlemessage at a time or a batch ofmultiple signatures onmultipledocuments [2 30] instead of managing large number ofdigital documents bymaking a single signature just once [31]In the case of handling voluminous amount of documentsgradually performing blind signature processes on multipleelectronic documents takes more time than going throughthe same steps in a single digital document Another concernis that in batch processing the messages are signed tocompletion in consequence and the rest of thesemessageswillnot be affected by the tampering attempt if some of messagecontents have been compromised This situation will raisesecurity risks about information disclosure

Unlike the approaches of one signature at a time or abatch mode our proposal handles multiple digital docu-ments by creating one-time signature that links all chunkedmessages to form the avalanche effect in cryptography toprotect data from unauthorized access or alteration In thispaper we also study methods to extend the functionalityof member signatures while distinguishing the involvementof designated representatives from unauthorized personswhere the proposed scheme can enable a verifiable action forparticular authorized people and authenticates the informa-tion correctly at a later time to verify the identities of givenusers to prevent identity breaches from the verification stageThis is particularly useful in an off-line scenario where thesignatures are able to be self-certified without needing anInternet connection once participants have been registeredin the system as existing legitimate entities In addition weintroduce the concept of ECC-based signcryption techniqueinstead of using a more general class blind signature schemewhich along with its form can greatly minimize the com-putational load and communication overheads for tacklingmultiple electronicmessagesThe signcryption schemewhichwas first introduced by Zheng [32] is a new cryptographicparadigm that fulfills the integration of encryption anddigital signature synchronously at a low-overhead function-ality providing program Research has proven its benefit inimproving efficiency in several applications such as three-party communication environments [33] key managementfor wireless sensor networks [34] and multiple receivers forfirewalls [35] Yu and He [36] suggest a new efficient DLP-based blind signcryption protocol to enhance security goalssuch as anonymity untraceability and unlinkability Ullah etal [37] also present an ECC-based blind signcryption schemethat is capable of supplying the properties of confidentialityintegrity unforgeability and nonrepudiation for low-poweror resource-constrained devices On top of that instead ofusing elliptic curve cryptography Ch et al [38 39] andNizamuddin et al [40] introduce an alternative paradigm forsigncryption measurements that are based on the notion ofhyperelliptic curve cryptography and their papers propose amore lightweight signcryption model having public verifia-bility and forward secrecy to reduce the number of bits andobtain better performance than the existing ECC-basedschemes However all three of the methods do not use a




2 Conceptual Basis














Requester A

Verifier T





Signer B

(iv) Unblinding


(vi) Decryption












PKAS = 119899AS sdot 119866 (1)





(2)


119890119860 = ℎ1 (id119860PK119860)

119890119861 = ℎ1 (id119861PK119861)

119890119879 = ℎ1 (id119879PK119879)

(3)


119885119860 = 119897119860 sdot 119866 = (119909119885119860 119910119885119860)

119885119861 = 119897119861 sdot 119866 = (119909119885119861 119910119885119861)

119885119879 = 119897119879 sdot 119866 = (119909119885119879 119910119885119879)

(4)


ca119860 = 119897119860minus1 (119890119860 + 119909119885119860 sdot 119899AS)

ca119861 = 119897119861minus1 (119890119861 + 119909119885119861 sdot 119899AS)

ca119879 = 119897119879minus1 (119890119879 + 119909119885119879 sdot 119899AS)

(5)




1199061 = ca119860minus1 mod 119889

1199062 = 119890119860 sdot 1199061 mod 1198891199063 = 119909119885119860 sdot 1199061 mod 119889

(6)


119876119860 = 1199062 sdot 119866 + 1199063 sdot PKAS = (119909119876119860 119910119876119860) (7)

119909119885119860= 119909119876119860 (8)






V = V1 V2 V119894 (9)


ℎ1 (V) = 119905 (10)

1198911198982119901 (V) = 1198811 1198812 119881119894 = 119881 (11)


119901 = (1199011 1199012 119901119894) 119901119894 = 0 1 (12)



119908 = 119891 1199081 997888rarr 1199011 1199082 997888rarr 1199012 119908119894 997888rarr 119901119894 119908119894 = 119901119894= 119891 (119894)

(13)

119891 (119894) =


such that 119891 (119894) isin 119901

(14)


119870 = 119896 sdot 119866 (15)

1198620 = [1198911198982119901 (119908 119905) + 119896 sdot PK119879] (16)

119862119894 = [119881119894 + 119901119894 sdot 119862119894minus1] 119894 ge 1 (17)

119862 = 1198620 1198621 1198622 119862119894 (18)


ℎ2 (119862) = 119898 (19)



120572 = 119898 sdot 119899119860 sdot PK119860 (20)


119877 = 120573 sdot 120572 (21)

119878 = (119899119861 + 120573) sdot 120572 (22)



1198981015840 = 119899119860 sdot (119899119860 minus 1) sdot 119898 + 119898 (24)





1198911198982119901 (119908 119905) = 1198620 minus 119899119879 sdot 119870 (26)


(119908 119905) = 1198911199012119898 [1198911198982119901 (119908 119905)] (27)


119891 (119894) =


such that 119891 (119894) isin 119901

(28)






1198911199012119898 (119881) = V (30)















Ourscheme























5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












2 Conceptual Basis














Requester A

Verifier T





Signer B

(iv) Unblinding


(vi) Decryption












PKAS = 119899AS sdot 119866 (1)





(2)


119890119860 = ℎ1 (id119860PK119860)

119890119861 = ℎ1 (id119861PK119861)

119890119879 = ℎ1 (id119879PK119879)

(3)


119885119860 = 119897119860 sdot 119866 = (119909119885119860 119910119885119860)

119885119861 = 119897119861 sdot 119866 = (119909119885119861 119910119885119861)

119885119879 = 119897119879 sdot 119866 = (119909119885119879 119910119885119879)

(4)


ca119860 = 119897119860minus1 (119890119860 + 119909119885119860 sdot 119899AS)

ca119861 = 119897119861minus1 (119890119861 + 119909119885119861 sdot 119899AS)

ca119879 = 119897119879minus1 (119890119879 + 119909119885119879 sdot 119899AS)

(5)




1199061 = ca119860minus1 mod 119889

1199062 = 119890119860 sdot 1199061 mod 1198891199063 = 119909119885119860 sdot 1199061 mod 119889

(6)


119876119860 = 1199062 sdot 119866 + 1199063 sdot PKAS = (119909119876119860 119910119876119860) (7)

119909119885119860= 119909119876119860 (8)






V = V1 V2 V119894 (9)


ℎ1 (V) = 119905 (10)

1198911198982119901 (V) = 1198811 1198812 119881119894 = 119881 (11)


119901 = (1199011 1199012 119901119894) 119901119894 = 0 1 (12)



119908 = 119891 1199081 997888rarr 1199011 1199082 997888rarr 1199012 119908119894 997888rarr 119901119894 119908119894 = 119901119894= 119891 (119894)

(13)

119891 (119894) =


such that 119891 (119894) isin 119901

(14)


119870 = 119896 sdot 119866 (15)

1198620 = [1198911198982119901 (119908 119905) + 119896 sdot PK119879] (16)

119862119894 = [119881119894 + 119901119894 sdot 119862119894minus1] 119894 ge 1 (17)

119862 = 1198620 1198621 1198622 119862119894 (18)


ℎ2 (119862) = 119898 (19)



120572 = 119898 sdot 119899119860 sdot PK119860 (20)


119877 = 120573 sdot 120572 (21)

119878 = (119899119861 + 120573) sdot 120572 (22)



1198981015840 = 119899119860 sdot (119899119860 minus 1) sdot 119898 + 119898 (24)





1198911198982119901 (119908 119905) = 1198620 minus 119899119879 sdot 119870 (26)


(119908 119905) = 1198911199012119898 [1198911198982119901 (119908 119905)] (27)


119891 (119894) =


such that 119891 (119894) isin 119901

(28)






1198911199012119898 (119881) = V (30)















Ourscheme























5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










Requester A

Verifier T





Signer B

(iv) Unblinding


(vi) Decryption












PKAS = 119899AS sdot 119866 (1)





(2)


119890119860 = ℎ1 (id119860PK119860)

119890119861 = ℎ1 (id119861PK119861)

119890119879 = ℎ1 (id119879PK119879)

(3)


119885119860 = 119897119860 sdot 119866 = (119909119885119860 119910119885119860)

119885119861 = 119897119861 sdot 119866 = (119909119885119861 119910119885119861)

119885119879 = 119897119879 sdot 119866 = (119909119885119879 119910119885119879)

(4)


ca119860 = 119897119860minus1 (119890119860 + 119909119885119860 sdot 119899AS)

ca119861 = 119897119861minus1 (119890119861 + 119909119885119861 sdot 119899AS)

ca119879 = 119897119879minus1 (119890119879 + 119909119885119879 sdot 119899AS)

(5)




1199061 = ca119860minus1 mod 119889

1199062 = 119890119860 sdot 1199061 mod 1198891199063 = 119909119885119860 sdot 1199061 mod 119889

(6)


119876119860 = 1199062 sdot 119866 + 1199063 sdot PKAS = (119909119876119860 119910119876119860) (7)

119909119885119860= 119909119876119860 (8)






V = V1 V2 V119894 (9)


ℎ1 (V) = 119905 (10)

1198911198982119901 (V) = 1198811 1198812 119881119894 = 119881 (11)


119901 = (1199011 1199012 119901119894) 119901119894 = 0 1 (12)



119908 = 119891 1199081 997888rarr 1199011 1199082 997888rarr 1199012 119908119894 997888rarr 119901119894 119908119894 = 119901119894= 119891 (119894)

(13)

119891 (119894) =


such that 119891 (119894) isin 119901

(14)


119870 = 119896 sdot 119866 (15)

1198620 = [1198911198982119901 (119908 119905) + 119896 sdot PK119879] (16)

119862119894 = [119881119894 + 119901119894 sdot 119862119894minus1] 119894 ge 1 (17)

119862 = 1198620 1198621 1198622 119862119894 (18)


ℎ2 (119862) = 119898 (19)



120572 = 119898 sdot 119899119860 sdot PK119860 (20)


119877 = 120573 sdot 120572 (21)

119878 = (119899119861 + 120573) sdot 120572 (22)



1198981015840 = 119899119860 sdot (119899119860 minus 1) sdot 119898 + 119898 (24)





1198911198982119901 (119908 119905) = 1198620 minus 119899119879 sdot 119870 (26)


(119908 119905) = 1198911199012119898 [1198911198982119901 (119908 119905)] (27)


119891 (119894) =


such that 119891 (119894) isin 119901

(28)






1198911199012119898 (119881) = V (30)















Ourscheme























5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












PKAS = 119899AS sdot 119866 (1)





(2)


119890119860 = ℎ1 (id119860PK119860)

119890119861 = ℎ1 (id119861PK119861)

119890119879 = ℎ1 (id119879PK119879)

(3)


119885119860 = 119897119860 sdot 119866 = (119909119885119860 119910119885119860)

119885119861 = 119897119861 sdot 119866 = (119909119885119861 119910119885119861)

119885119879 = 119897119879 sdot 119866 = (119909119885119879 119910119885119879)

(4)


ca119860 = 119897119860minus1 (119890119860 + 119909119885119860 sdot 119899AS)

ca119861 = 119897119861minus1 (119890119861 + 119909119885119861 sdot 119899AS)

ca119879 = 119897119879minus1 (119890119879 + 119909119885119879 sdot 119899AS)

(5)




1199061 = ca119860minus1 mod 119889

1199062 = 119890119860 sdot 1199061 mod 1198891199063 = 119909119885119860 sdot 1199061 mod 119889

(6)


119876119860 = 1199062 sdot 119866 + 1199063 sdot PKAS = (119909119876119860 119910119876119860) (7)

119909119885119860= 119909119876119860 (8)






V = V1 V2 V119894 (9)


ℎ1 (V) = 119905 (10)

1198911198982119901 (V) = 1198811 1198812 119881119894 = 119881 (11)


119901 = (1199011 1199012 119901119894) 119901119894 = 0 1 (12)



119908 = 119891 1199081 997888rarr 1199011 1199082 997888rarr 1199012 119908119894 997888rarr 119901119894 119908119894 = 119901119894= 119891 (119894)

(13)

119891 (119894) =


such that 119891 (119894) isin 119901

(14)


119870 = 119896 sdot 119866 (15)

1198620 = [1198911198982119901 (119908 119905) + 119896 sdot PK119879] (16)

119862119894 = [119881119894 + 119901119894 sdot 119862119894minus1] 119894 ge 1 (17)

119862 = 1198620 1198621 1198622 119862119894 (18)


ℎ2 (119862) = 119898 (19)



120572 = 119898 sdot 119899119860 sdot PK119860 (20)


119877 = 120573 sdot 120572 (21)

119878 = (119899119861 + 120573) sdot 120572 (22)



1198981015840 = 119899119860 sdot (119899119860 minus 1) sdot 119898 + 119898 (24)





1198911198982119901 (119908 119905) = 1198620 minus 119899119879 sdot 119870 (26)


(119908 119905) = 1198911199012119898 [1198911198982119901 (119908 119905)] (27)


119891 (119894) =


such that 119891 (119894) isin 119901

(28)






1198911199012119898 (119881) = V (30)















Ourscheme























5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













V = V1 V2 V119894 (9)


ℎ1 (V) = 119905 (10)

1198911198982119901 (V) = 1198811 1198812 119881119894 = 119881 (11)


119901 = (1199011 1199012 119901119894) 119901119894 = 0 1 (12)



119908 = 119891 1199081 997888rarr 1199011 1199082 997888rarr 1199012 119908119894 997888rarr 119901119894 119908119894 = 119901119894= 119891 (119894)

(13)

119891 (119894) =


such that 119891 (119894) isin 119901

(14)


119870 = 119896 sdot 119866 (15)

1198620 = [1198911198982119901 (119908 119905) + 119896 sdot PK119879] (16)

119862119894 = [119881119894 + 119901119894 sdot 119862119894minus1] 119894 ge 1 (17)

119862 = 1198620 1198621 1198622 119862119894 (18)


ℎ2 (119862) = 119898 (19)



120572 = 119898 sdot 119899119860 sdot PK119860 (20)


119877 = 120573 sdot 120572 (21)

119878 = (119899119861 + 120573) sdot 120572 (22)



1198981015840 = 119899119860 sdot (119899119860 minus 1) sdot 119898 + 119898 (24)





1198911198982119901 (119908 119905) = 1198620 minus 119899119879 sdot 119870 (26)


(119908 119905) = 1198911199012119898 [1198911198982119901 (119908 119905)] (27)


119891 (119894) =


such that 119891 (119894) isin 119901

(28)






1198911199012119898 (119881) = V (30)















Ourscheme























5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











120572 = 119898 sdot 119899119860 sdot PK119860 (20)


119877 = 120573 sdot 120572 (21)

119878 = (119899119861 + 120573) sdot 120572 (22)



1198981015840 = 119899119860 sdot (119899119860 minus 1) sdot 119898 + 119898 (24)





1198911198982119901 (119908 119905) = 1198620 minus 119899119879 sdot 119870 (26)


(119908 119905) = 1198911199012119898 [1198911198982119901 (119908 119905)] (27)


119891 (119894) =


such that 119891 (119894) isin 119901

(28)






1198911199012119898 (119881) = V (30)















Ourscheme























5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











1198911199012119898 (119881) = V (30)















Ourscheme























5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation














Ourscheme























5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation






















5 Conclusions




Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










Table3Com

paris

onbetweenthep

ropo

sedschemea


ncryptionschemes

basedon

ataskin

onee

lectronicd

ocum

ent

Item

Metho

dAneweffi

cientb

lindsig

ncryption

(YuandHe2008)[36]

Blindsig

ncryptionschemeb

ased

onellip

ticcurves

(Ullahetal2014)[37]

Our


Cost

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Com

putatio

nalcost

Roug

hestim

ation

Sign

cryptio

n

Encryptio

nNot

specified

Not

specified

Not

specified

Not

specified

2119879EC

MUL+1119879ℎ+1119905ℎ+

2119879MUL+1119879

ADD

83119879 M

UL

Blinding

5119879MUL+8119879

EXP+1119879

INVS+

5119879ADD+6119905ℎ

2167119879 M

UL

3119879EC

MUL+3119879

MUL+1119879

ECADD+

5119879ADD+1119879

INVS+2119905ℎ

336119879

MUL

1119879EC

MUL+1119879

MUL

30119879 M

UL

Sign

ing

2119879EC

MUL+1119879

ADD

58119879 M

UL

Unsigncryption

Unb

linding

2119879MUL+4119879

EXP+4119905ℎ

964119879

MUL

1119879EC

MUL+2

119879 MUL+2

119879 ECA

DD+1

119879 ℎ+1

119905 ℎ64119879 M

UL

1119879EC

MUL+1119879

ECADD+

3119879MUL+1119879

ADD

37119879 M

UL

Sign

aturev

erificatio

n2119879

ECMUL+2119879

ECADD+1119879ℎ

91119879 M

UL

Decryption

Not

specified

Not

specified

Not

specified

Not

specified

1119879EC

MUL+1119879

ECADD+1119905ℎ

34119879 M

UL

Totalcostw

ithou

tencryptio

nand

decryptio

n

7119879MUL+12119879 E

XP+1119879

INVS+

5119879ADD+10119905 ℎ

3131119879 M

UL

4119879EC

MUL+5119879

MUL+3119879

ECADD+

5119879ADD+1119879

INVS+1119879ℎ+3119905ℎ

400119879

MUL

6119879EC

MUL+3119879

ECADD+

4119879MUL+2119879

ADD+1119879ℎ

216119879

MUL



Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











Number ofdocuments





2 6262119879MUL 800119879MUL 521119879MUL

3 9393119879MUL 1200119879MUL 521119879MUL

4 12524119879MUL 1600119879MUL 521119879MUL

5 15655119879MUL 2000119879MUL 521119879MUL

6 18786119879MUL 2400119879MUL 521119879MUL

7 21917119879MUL 2800119879MUL 521119879MUL

8 25048119879MUL 3200119879MUL 521119879MUL

9 28179119879MUL 3600119879MUL 521119879MUL

10 31310119879MUL 4000119879MUL 521119879MUL



Abbreviations

















Competing Interests


References


















































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

























































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









An ECC-Based Blind Signcryption Scheme for Multiple...

Documents

Transcript of An ECC-Based Blind Signcryption Scheme for Multiple...