Pairing Free Identity-Based Blind Signature Scheme with Message Recovery

Abstract

With the rapid development of modern technology, personal privacy has become a critical concern in many applications. Various digitalized applications such as online voting systems and the electronic cash systems need authenticity and anonymity. Blind signature is an advanced technique that provides the authenticity and anonymity of the user by obtaining a valid signature for a message without revealing its content to the signer. The message recovery property minimizes the signature size and allows efficient communication in situations where bandwidth is limited. With the advantage of blind signature and message recovery properties, in this paper, we present a new pairing free blind signature scheme with message recovery in Identity-based settings. The proposed scheme is proven to be secure in the random oracle model under the assumption that the Elliptic Curve Discrete Logarithm Problem (ECDLP) is intractable. The proposed scheme meets the security requirements such as blindness, untracebility, and unforgeability. We compare our scheme with the well-known existing schemes in the literature, and the efficiency analysis shows that our scheme is more efficient in terms of computational and communicational point of view.

1. Introduction

Digital Signature is one of the most important applications of Public Key Cryptography (PKC) and provides authenticity, data integrity, and non-repudiation. In traditional PKC, proposed by Diffie and Hellman [1] in 1976, authentication of public key relies on the certificate issued by Certificate Authority (CA). However, certificate management leads to extra storage, large computation, and communication costs. To surmount the obstacles in traditional PKC, Shamir [2] introduced Identity–based PKC (ID-PKC). In this system, public key of a user is resulting from user’s identity such as email and phone number; and secret key is generated from user’s public key via a trusted third party called Private Key Generator (PKG). To implement the digital signature in the real-world applications, we need to consider different features and properties to make them adequate and proper for different usages. There are many digital signature schemes in the literature with different properties such as Proxy signature, Aggregate signature, Multi signature, Group signature, Ring signature, etc. One of such variant is Blind Signature.

Blind signature is used to protect anonymity of a user in many applications such as electronic payment on e-commerce and anonymous electronic voting systems [3,4,5,6,7,8]. The concept of blind signature was introduced by Chaum [7] in 1982. In contrast to regular digital signature schemes, a blind signature scheme is an interactive two-party protocol between a user and a signer. The user acquires a signature on a message from the signer, however the content of the message and the final blind signature is not known to the signer. With the development of electronic commerce, the preservation of anonymity of the user has been an imperative need. As blind signature allows secure electronic payment and protects customers’ privacy or anonymity in e-cash transactions, it is a very important tool for electronic cash transmission. Similarly, e-voting uses blind signatures to obtain votes without violating the anonymity of the voter.

Message recovery is a concept where some (partial), or all (full), of the message is embedded in the signature itself. A digital signature scheme with this feature allows conserving bandwidth when transmitting a signed message, compared to a signature scheme with appendix. The digital signature scheme with a message recovery was first introduced by Nyberg and Rueppel [9] in 1993. In this signature scheme, the message itself is not required to be transmitted together with the signature. In fact, the message is embedded in the signature and can be recovered during the verification/message recovery process. In this way, the total length of the message and the appended signature can be shortened. It is very much suitable in situations where bandwidth is one of the main concerns. Combination of blind signature technique with message recovery integrates the advantages of both and provides anonymity, untraceability, and unforgeability for low bandwidth devices.

1.1. Related Work

After the introduction of blind signatures by Chaum [7], many blind signature schemes [10,11,12,13,14] were proposed in traditional PKC. Advantages of Identity based cryptosystem attracted the researchers towards it [15]. The first ID-based blind signature scheme was proposed by Zhang et al. [16] in 2002. Later many identity-based blind signature schemes have been proposed in literature along with its applications in e-cash and e-voting systems [17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35]. Most of these schemes are designed using bilinear pairings over elliptic curves [17,18,19,20,21,22,23,25,26,28,31,35]. In 2003, Zhang et al. [17] and in 2005, Huang et al. [18] proposed different efficient ID-based blind signature schemes. In 2006, Zhao et al. [19] proposed a new identity based blind signature scheme from bilinear pairings. In 2008, Kalkan et al. [20] presented a generalized ID-based blind signature from bilinear pairings. In 2010, Rao et al. [21] proposed a blind signature scheme using bilinear pairings over elliptic curves. The proposed scheme is based on the Hess identity-based digital signature scheme [22] and the security is based on the CDH problem. In 2010, Fan et al. [23] proposed a provably secure randomized blind signature scheme based on bilinear pairings. They proved the security for unlinkability, unforgeability in ROM. In the same year, Zhang et al. [24] proposed a novel ID-based blind signature for electronic voting system and Shakerian et al. [25] proposed blind signature scheme from pairings. In 2011, He et al. [26] proposed an efficient identity-based blind signature scheme without bilinear pairings, and their work is motivated by the importance of blind signatures, which guarantees the anonymity of users. Later, Hu et al. [27] presented ID-based blind signature without random oracle model. In 2013, Xu et al. [28] presented an ID-based blind signature scheme from pairings with unlinkability. In the same year, Jain et al. [29] presented an efficient ID-based blind signature scheme in E-voting. Later, Li et al. [30] presented a partially blind signature scheme standard model. In 2014, Pance et al. [31] presented a comparison of ID-based blind signatures from pairings for E-voting. In 2015, Girish et al. [32] proposed a survey paper on Identity based blind signature schemes. In 2016, Islam et al. [33] proposed a provably secure pairing-free identity-based partially blind signature scheme and its application in online e-cash system. The security analysis of the proposed scheme was presented in the random oracle model, which substantiated that it was provably secure. In 2017, Kumar et al. [34] proposed a blind signature for E-voting in ID-based setting. In the same year Sarde et al. [35] presented a blind and proxy blind signature scheme. Most of these schemes are designed using bilinear pairings over elliptic curves. In addition to these, very few ID-based blind signature schemes with message recovery have been proposed in literature [23,36,37,38,39,40]. In 2007, Han et al. [36] proposed a blind signature scheme with message recovery, using pairings over elliptic curves. This paper is based on modified Weil/Tate pairings over elliptic curves, which improves the key size. In 2008, Hassan et al. [37] proposed a new identity-based blind signature scheme with message recovery based on Zhang et al. scheme. Their scheme is more efficient than Han et al. [36] scheme. It requires less bandwidth and is suitable for signing short messages such as pin card numbers and short identifiers. Additionally, in 2013, Diao et al. [38] proposed a new proxy blind signature scheme with message recovery. In 2017, James et al. [39] proposed an identity-based blind signature scheme with message recovery using bilinear pairings over elliptic curves. Recently, in 2018, Verma and Singh [40] proposed an efficient identity-based blind signature scheme with message recovery using bilinear pairings. However, the above-mentioned blind signature schemes are designed using bilinear pairings over elliptic curves. Additionally, these blind signature schemes are designed with message recovery using pairings.

1.2. Motivation

In any PKC, to provide the high security, the length of the key size must be sufficiently large. Larger keys in cryptographic schemes cause less computational efficiency and require more bandwidth. Thus, cryptographic schemes with smaller key size are desirable. To meet this requirement, Koblitz [41] and Miller [42] independently proposed the Elliptic Curve Cryptography (ECC) using elliptic curves. ECC has many advantages over PKC, especially; ECC provides high security with smaller keys in size. For instance, ECC with 512 bit key provides the same level of security as in AES (Advanced Encryption Standard; symmetric algorithm) with 256 bit key and in RSA with 15,360 bit key. Thus, ECC based schemes have shorter key sizes and requires low computational and communicational costs; consequently, time management, storage space, and consumption of bandwidth become very less with these small keys. Though ECC provides much security with short keys, the computational cost of a bilinear pairing over elliptic curve group is a costly operation, and is significantly more expensive than the elliptic curve scalar multiplication operation. In addition, map to point hash function is also very expensive cryptographic operation. Due to the expensive operations such as bilinear pairings and map to point hash functions, most of the cryptographic schemes are having less efficiency while implementing them. In view of this, ECC based schemes without pairing operation under general hash function would be more desirable to achieve high efficiency with the same level of security. Motivated by this, we focus on the design of new identity based blind signature scheme with message recovery in a pairing free environment.

1.3. Our Contribution

In this paper, we present a Pairing Free Identity based Blind Signature scheme with message recovery over elliptic curves. The blindness property provides anonymity and untraceability. This scheme is secure against forgeability and the security proof is presented in the ROM model under the hardness of ECDLP. To the best of our knowledge, this is the first blind signature scheme in identity-based setting addressing about message recovery in a pairing free environment. Our scheme achieves high efficiency and is more comfortable for resource constrained applications. We presented the comparative analysis of our scheme with existing schemes and it shows that the proposed scheme is efficient in terms of computational and communicational point of view.

1.4. Organization

The remaining part of this paper is organized as follows. In Section 2, we presented some preliminaries. The syntax and security model for our PF-IDBS-MR scheme are presented in Section 3. The proposed PF-IDBS-MR scheme is presented in Section 4. Security analysis and efficiency analysis of our PF-IDBS-MR scheme are presented in Section 5. The conclusions of the paper are presented in Section 6.

2. Preliminaries

This section briefly presents the fundamental concepts of ECC and the complexity assumption, on which the proposed scheme is designed and achieves the desired security.

2.1. Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) has become more popular and plays a very important role in modern PKC [41,42].

Let $E_q\left(a,b\right)$ be a set of elliptic curve points over the prime field $F_q$, defined by the non-singular elliptic curve equation: $y^2\mathrm{mod}q=$ $\left(x^3+ax+b\right)\mathrm{mod}p$ with $a,b\in F_q$ and $\left(4a^3+27b^2\right)\mathrm{mod}q\ne 0$. The additive elliptic curve group is defined as $G_q=\left\{(x,y):x,y\in F_q\right\}$ and $\left(x,y\right)\in E_q\left(a,b\right)\cup \left\{O\right\}$, where the point O is known as “point at infinity”. The order of the elliptic curve over $F_q$ is $o\left(E\left(F_q\right)\right)$ satisfies the relation $1-2\sqrt{q}\le o\left(E\left(F_q\right)\right)\le q+1$. The scalar multiplication on the cyclic group $G_q$ defined as k∙P = P + P+∙∙∙+ P (k times). Here, $P\in G_q$ is the generator of order n.

2.2. Elliptic Curve Discrete Logarithm Problem

• Given a tuple $\left(P,Q\right),$ it is computationally hard for any Probabilistic Polynomial Time (PPT) algorithm $\mathcal{A}$dv to determine $a,$ where $Q=aP$ and $a\in Z_q^{\ast }.$
• The probability that any polynomial-time bounded algorithm $\mathcal{A}$dv can solve the ECDLP is defined as $Adv{g}_{\mathcal{A}\mathit{dv,Gg}}^{\mathit{ECDLP}}$ = Prob $\left\{\mathcal{A}dv\right(P,Q)=a\ni P,Q\in G_g\mathrm{and}Q=aP,a\in Z_q^{\ast }\}.$

2.3. Notations and Acronyms

The following

Table 1. Acronyms and explanation.

Acronyms	Explanation
ECDLP	Elliptic Curve Discrete Logarithm Problem
PKC	Public Key Cryptography
PF-IDBS-MR	Pairing-Free Identity-based Blind Signature with Message Recovery
ECC	Elliptic Curve Cryptography
PPT	Probabilistic Polynomial Time
PKG	Private Key Generator
ROM	Random Oracle Model
EF-ACMA	Existential Forgery under the Adaptive Chosen Message Attack

presents the acronyms that are used throughout this paper.

The following

Table 2. Notation and Meaning.

Notation	Meaning
$E\left(F_q\right)$	Group of elliptic curve points over $F_q$
$k$	Security parameter
$G_1$	An additive group which is generated by $\widehat{P}$ with the order $\widehat{q}$ on the super singular elliptic curve
$G$	An additive cyclic group generated by a point $P$ on a non-singular elliptic curve
$H_1,H_2,H_3,F_1,F_2$	Cryptographic hash functions
$a||b$	Concatenation of two strings $a\mathrm{and}b$
$\oplus$	X-OR computation in the binary system
${\left[x\right]}_{10}$	$\mathrm{Decimal}\mathrm{representation}\mathrm{of}x\in {\left\{0,1\right\}}^{\ast }$
${\left[y\right]}_2$	Binary representation of $y\in Z$
${}_{l_2}\left|\beta \right|$	$\mathrm{The}\mathrm{first}{l}_2$ bits of β from the left side
${\left|\beta \right|}_{l_1}$	$\mathrm{The}\mathrm{first}{l}_1$ bits of β from the right side
$\mathsf{\Omega }$	Signature on the message m

presents the symbols and their descriptions, which have been used throughout this paper.

3. Syntax and Security Model of the Proposed PF-IDBS-MR Scheme

In this section we present the syntax and security model of the proposed PF-IDBS-MR scheme.

3.1. Syntax of PF-IDBS-MR

A formal model of the proposed scheme consists of the following four algorithms: System Setup, Key Extract, Blind Signature Generation, and Blind Signature Verification. The detailed description of these algorithms is described below.

• System Setup. For a given security parameter $k\in Z^{+},$ the Private Key Generator (PKG) runs this algorithm and generates the system parameters Params and the master key s. Params are made public and s is kept secret. Params are implicit input to all the following algorithms.
• Key Extract. For a given user’s identity ID, the PKG runs this algorithm to generate the public key and private key. PKG sends the private key to the corresponding user over a secure channel.
• Blind Signature Generation. This is an interactive and probabilistic polynomial time protocol, which is operated by the user and the signer. The user first blinds the message $m$ and obtains a new version $\tilde{h}$ of $m,$ and then sends it to the signer. The signer uses his/her private key to sign on $\tilde{h}$ and obtains $z_1,$ and then sends it to the sender/user. The sender un-blinds it to obtain $\mathsf{\Omega },$ which is a blind signature on the original message $m.$
• Blind Signature Verification. For a signer’s identity ID and a blind signature $\mathsf{\Omega },$ a verifier runs this algorithm to recover the message and check the validity of the blind signature $\mathsf{\Omega },$ more precisely, the algorithm Verify $(ID,\mathsf{\Omega })$ outputs 1 if accepted, or 0 if rejected.

3.2. Security Requirements of the Proposed PF-IDBS-MR

A secure blind signature scheme must satisfy the following requirements:

• Correctness. If the user and the signer, both comply with the algorithm of blind signature generation, then the blind signature $\mathsf{\Omega }$ will always be accepted. The correctness of the signature can be checked by anyone using the signer’s public key.
• Blindness. A signature is said to be blind if a given message-signature pair and the signer’s view are statistically independent. While correctly operating one instance of the blind signature scheme, let the output be $(m,R,Y,v)$ (i.e., message-signature pair) and the view of the protocol $V^{\prime }.$ At a later time, the signer is not able to link $V^{\prime }$ to $(m,R,Y,v).$ Hence, the content of the message is blind to the signer.
• Unforgeability. With this property, the user is not able to forge a valid blind signature. Only the signer can give a valid signature for the associated message.

Now we present the security definitions of blindness and unforgeability for our proposed scheme.

Definition 1.

(Blindness) Let$\mathcal{A}$dv be a probabilistic polynomial-time adversary which plays the role of the signer,$U_0\mathrm{and}{U}_1$be two honest users.$U_0\mathrm{and}{U}_1$engage in the blind signature issuing scheme with$\mathcal{A}$dv on messages$m_e\mathrm{and}{m}_{1-e}$, and output signatures${\sigma }_e\mathrm{and}{\sigma }_{1-e}$, respectively, where$e\in \left\{0,1\right\}$is a random bit chosen uniformly.$\left(m_e,m_{1-e},{\sigma }_e,{\sigma }_{1-e}\right)$are sent to$\mathcal{A}$dv and then$\mathcal{A}$dv outputs$e^{\prime }\in \left\{0,1\right\}.$For all such$\mathcal{A}$dv,$U_0\mathrm{and}{U}_1$for any constant$c$, and for sufficiently large$n,\left|\mathrm{Pr}\left[e=e^{\prime }\right]-\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$2$}\right.\right|<n^{-c}.$

Definition 2.

(Unforgeability) The proposed PF-IDBS-MR is secure against existential forgery under the adaptive chosen message attack (EF-ACMA) and identity attacks if there is no probabilistic polynomial time adversary has a non-negligible advantage in the following game.

Our proposed scheme is existentially unforgeable in the Random Oracle Model (ROM) under an adaptive chosen-message and an adaptive chosen-ID attack. In this model (Game), a forger can choose its messages and its identities adaptively. We give the forger the power to request private keys on identities of its choice. The forger is also given access to the signing oracle for any messages for desired identities. A forger’s advantage ${\mathit{Advg}}_{\mathit{IBSSMR},\mathcal{A}\mathit{dv}}$ is defined as its probability of success in the following game between a challenger $\xi$ and a forger $\mathcal{A}$dv. The advantage to win the above game by a PPT-bounded adversary $\mathcal{A}$dv with the help of $\xi$ is defined as $Adv{g}_{\mathcal{A}dv}=\mathrm{Pr}\left[\mathcal{A}dv\mathrm{succeeds}\right]$.

Game Model.

• Setup. The challenger $\xi$ takes a security parameter k and executes the setup algorithm of the PF-IDBS-MR. $\xi$ returns the system Params to $\mathcal{A}$dv and keeps the master secret with itself.
• Queries. The forger $\mathcal{A}$dv adaptively makes the following different queries to the challenger $\xi .$

  -

  Hash Queries. When the involved hash functions are modeled by random oracles $\mathcal{A}$dv also performs adaptive queries to the hash functions. The Challenger $\xi$ answers these queries of the forger of this oracle, providing it with consistent and totally random values.

  -

  Extract Queries. When $\mathcal{A}$dv requests the private key of an identity ID of its choice, the challenger $\xi$ runs the key extraction algorithm on ID and forwards the output $d_{ID}$ to $\mathcal{A}$dv.

  -

  Sign Queries. When $\mathcal{A}$dv requests, adaptively, a signature on a given message $m$ with an identity ID, $\xi$ returns a signature $\mathsf{\Omega }.$

• Output. $\mathcal{A}$dv outputs $\left(m^{*},I{D}^{*},{\mathsf{\Omega }}^{*}\right)$ and we say that $\mathcal{A}$dv succeeds if:

  (i)

  ${ID}^{*}$ has never requested to the private key extraction oracle;

  (ii)

  ${\mathsf{\Omega }}^{*}$ has not been obtained as an answer of the challenger to a sign query $\left(m^{*},{ID}^{*}\right)$;

  (iii)

  ${\mathsf{\Omega }}^{*}$ is a valid signature.

4. Proposed PF-IDBS-MR Scheme

The proposed Pairing Free Identity based Blind signature with Message Recovery scheme consists of the following four algorithms:

• System Setup. For a given security parameter $k\in Z^{+},$ the PKG runs this algorithm as follows.
  • Choose a cyclic additive group $G$ of prime order $q$ with the points on an elliptic curve $E$ and $P$ as the generator of $G.$
  • Select $s\in Z_q^{*}$ randomly and compute the system public key $P_{pub}=sP.$
  • Choose $H_1:{\left\{0,1\right\}}^{\ast }\to Z_q^{\ast },$ $H_2:{\left\{0,1\right\}}^{\ast }\to Z_q^{\ast },$ $H_3:G\to {\left\{0,1\right\}}^{\left|q\right|}$ and $F_1:{\left\{0,1\right\}}^{l_1}\to {\left\{0,1\right\}}^{l_2},$ $F_2:{\left\{0,1\right\}}^{l_2}\to {\left\{0,1\right\}}^{l_1}$ as hash functions. $l_1\mathrm{and}{l}_2$ are positive integers such that $\left|q\right|=l_1+l_2$.
  • PKG publishes the system parameters $Params=\left\{E,G,q,P,P_{pub},H_1,H_2,H_3,F_1,F_2,l_1,l_2\right\}$ as public and keeps the master key $<s>$ as secret.
• Key Extract. Given a user’s identity ID, the PKG runs this algorithm by choosing $r\in Z_q^{*}$ and computes $R=rP$; $h_1=H_1\left(ID,R,P_{pub}\right)$; $d=\left(r+s{h}_1\right)\mathrm{mod}q.$
  This algorithm returns $D=\left(d,R\right)$ and sends it securely to the corresponding user $ID$ as his private key.
• Blind signature generation. In order to sign a message $m\in {\left\{0,1\right\}}^{l_1}$ blindly by a signer, whose identity is $ID,$ the user and the signer should follow the scenario given below:
  • Signer: Chooses a number $k\in Z_q^{\ast }$ and computes $X=kP$ and sends $X,R$ to the user as a commitment.
  • Blinding: The user chooses blinding factors $a,b\in Z_q^{\ast }$ randomly and computes

    $$\beta =F_1\left(m\right)\Vert \left(F_2\left(F_1\left(m\right)\right)\oplus m\right),Y=aX+b\beta P,h_2=H_2\left(ID,R,Y\right),\tilde{h}=a^{-1}{h}_2\mathrm{mod}q.$$
    Now the user sends $\tilde{h}$ to the signer.
  • Signing: The signer computes $z_1=\left(k+\tilde{h}d\right)\mathrm{mod}q$ and sends back to the user.
  • Unblinding: The user computes the following.

    $$z_2=\left(a{z}_1+b\beta \right)\mathrm{mod}q,\alpha =H_3\left(ID,z_{2}P\right),v={\left[\alpha \oplus \beta \right]}_{10}.$$
    The user outputs $\left(m,Y,R,v\right)$ and $\mathsf{\Omega }=\left(Y,R,v\right)$ is the blind signature on the message $m.$
    The blind signature issuing protocol is shown in

    Table 3. The blind signature issuing protocol.

    User		Signer
    		$k\in Z_q{}^{\ast }$
    		$\mathrm{Compute}X=kP$
    	$\stackrel{\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}X,R\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}}{\leftarrow }$
    Chooses $a,b\in Z_q{}^{\ast }$
    Computes $\beta =F_1\left(m\right)\Vert \left(F_2\left(F_1\left(m\right)\right)\oplus m\right)$
    $Y=aX+b\beta P$
    $h_2=H_2\left(ID,R,Y\right)$
    $\tilde{h}=a^{-1}{h}_2\mathrm{mod}q$
    	$\stackrel{\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\tilde{h}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}}{\to }$
    		$\mathrm{Compute}{z}_1=\left(k+\tilde{h}d\right)\mathrm{mod}q$
    	$\stackrel{\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}{z}_1\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}\hspace{0.17em}}{\leftarrow }$
    Compute $z_2=\left(a{z}_1+b\beta \right)\mathrm{mod}q$
    $\alpha =H_3\left(ID,z_{2}P\right)$
    $v={\left[\alpha \oplus \beta \right]}_{10}$
    $\mathsf{\Omega }=\left(Y,R,v\right)$ is the blind signature on message m

    .
• Blind signature verification. To verify the signature $\mathsf{\Omega }=\left(Y,R,v\right)$ for the message $m$ and the identity $ID,$ the verifier computes $h_1=H_1\left(ID,R,P_{pub}\right),$ $h_2=H_2\left(ID,R,Y\right),$ $\tilde{\alpha }=H_3\left(ID,Y+h_2\left(R+h_1{P}_{pub}\right)\right),$ $\tilde{\beta }={\left[v\right]}_2\oplus \tilde{\alpha }.$
  The verifier recovers the message $\tilde{m}={\left|\tilde{\beta }\right|}_{l_1}\oplus F_2\left[{}_{l_2}\left|\tilde{\beta }\right|\right]\left(=m\right).$
  Accept the signature $\mathsf{\Omega }$ as valid on $\tilde{m}=m\mathrm{iff}{}_{l_2}\left|\tilde{\beta }\right|=F_1\left(\tilde{m}\right).$

5. Analysis of the Proposed PF-IDBS-MR Scheme

This section presents the security analysis and efficiency analysis of the proposed PF-IDBS-MR scheme.

5.1. Security Analysis of the Proposed Scheme

In the following we will analyse the security of our PF-IDBS-MR scheme. We prove the correctness property, blindness property and unforgeability of our PF-IDBS-MR scheme by the following two theorems.

Theorem 1.

(Proof of Correctness) The proposed scheme satisfies the property of correctness.

Proof of Theorem 1.

The following equations give the correctness of the proposed scheme.

$$\begin{array}{l}\mathrm{Consider}{z}_{2}P=\left\{a{z}_1+b\beta \right\}P\\ =\left\{a\left[k+\tilde{h}d\right]+b\beta \right\}P=\left\{a\left[k+\tilde{h}\left(r+h_{1}s\right)\right]+b\beta \right\}P\\ =\left\{a\left[k+a^{-1}{h}_2\left(r+h_{1}s\right)\right]+b\beta \right\}P=akP+h_2\left(r+h_{1}s\right)P+b\beta P\\ =aX+h_2\left(R+h_1{P}_{pub}\right)+b\beta P\\ =\left(aX+b\beta P\right)+h_2\left(R+h_1{P}_{pub}\right)\\ =Y+h_2\left(R+h_1{P}_{pub}\right).\end{array}$$

□

Theorem 2.

(Blindness) The proposed scheme satisfies the blindness property.

Proof of Theorem 2.

We consider the condition in Definition 1. Let $\left(m,R,Y,v\right)$ be one of the two signatures given to adversary $\mathcal{A}$dv. Let $\left(X,\tilde{h},z_1\right)$ be the data exchanged during one of the signature issuing schemes in the view of $\mathcal{A}$dv. It is sufficient to show that there exists two random factors $\left(a,b\right)\mathrm{that}\mathrm{map}\left(X,\tilde{h},z_1\right)$ to $\left(m,R,Y,v\right).$ From the description of the scheme, we know the following equations must hold.

$$Y=aX+b\beta$$

(1)

$$\tilde{h}=a^{-1}{h}_2\mathrm{mod}q$$

(2)

$$z_2=\left(a{z}_1+b\beta \right)\mathrm{mod}q$$

(3)

From Equation (3), we get $b\beta =z_2-a{z}_1\mathrm{mod}q$ and if replacing $b\beta =z_2-a{z}_1\mathrm{mod}q$ in Equation (1), we get that it is obvious that $a\in Z_q^{\ast }$ is unique. Then $b$ is unique, since $b\beta =z_2-a{z}_1\mathrm{mod}q.$ Thus, $\left(X,\tilde{h},z_1\right)$ and $\left(m,R,Y,v\right)$ have exactly the same relation defined by the signature issuing protocol. Such $a,b$ always exist regardless of the values of $\left(X,\tilde{h},z_1\right)$ and $\left(m,R,Y,v\right).$ Even an infinitely powerful $\mathcal{A}$dv outputs a correct value $e^{\prime }$ with a probability exactly $\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$2$}\right..$ Thus, the proposed scheme is unconditionally blind. □

Theorem 3.

(Unforgeability) The proposed scheme is existential unforgeable against the adaptive chosen message and identity attacks based on the infeasibility assumption of the ECDLP.

Proof of Theorem 3.

Let $\xi$ be an ECDLP challenger, and it is given a random instance $Q=sP$ of the ECDL problem in $G$ for a randomly chosen $s\in Z_q^{*}$. Its goal is to compute $s$. Let $\mathcal{A}$dv be an adversary who interacts with $\xi$, as described in security model of the proposed scheme (Section 3.2). Now, we prove that $\xi$ can solve the ECDLP using $\mathcal{A}$dv. During the simulation process, $\xi$ needs to guess the target identity of $\mathcal{A}$dv. Without loss of generality, $\xi$ takes $I{D}^{*}$ as target identity of $\mathcal{A}$dv on a message $m.$

• Initialization phase. $\xi$ runs the setup algorithm and sets $P_{pub}=Q=sP$ as public key and generates system parameters params and sends params, $P_{pub}\mathrm{to}$ $\mathcal{A}$dv.
• Queries phase. $\mathcal{A}$dv can access the following oracle in an adaptive manner and the algorithm $\xi$ responds to these oracles as follows.

  -

  Extraction oracle. $\xi$ maintains an initial-empty $H_1-\mathrm{oracle}\mathrm{list}{\mathcal{L}}_1,$ which includes the tuples like $\left(I{D}_i,R_i,P_{pub},d_i,h_{1i}\right)$ when $\mathcal{A}$dv makes this query on identity $I{D}_i,\xi$ looks for $I{D}_i$ in the list ${\mathcal{L}}_1$ and returns the output to $\mathcal{A}$dv as follows.

  • If $I{D}_i=I{D}^{\ast },\xi$ aborts.
  • If $I{D}_i\ne I{D}^{\ast },\xi \mathrm{selects}{a}_i,b_i\in Z_q^{\ast }\mathrm{and}\mathrm{sets}{d}_i=b_i,R_i=a_i{P}_{pub}+b_{i}P{\mathrm{and}\mathrm{h}}_{1i}=-a_i.$
    Clearly $\left(d_i,R_i\right)$ satisfies the equation $d_{i}P=R_i+h_{1i}{P}_{pub}.$ Then $\xi$ outputs $d_i$ as secret key of the user $I{D}_i$ and incorporates the tuple $\left(I{D}_i,R_i,P_{pub},d_i,h_{1i}\right)$ to ${\mathcal{L}}_1$ list and returns $d_i$ to $\mathcal{A}$dv.

  -

  Queries on oracle $H_2:H_2\left(I{D}_i,R_i,Y_i\right).$ When $\mathcal{A}$dv asks a $H_2$ query with the input $\left(I{D}_i,R_i,Y_i\right)$, $\xi$ then replies with previous value $h_{2i}\in Z_q^{\ast }$, if the tuple $\left(I{D}_i,R_i,Y_i,h_{2i}\right)$ is in ${\mathcal{L}}_2.$ Otherwise $\xi$ picks a random $h_{2i}\in Z_q^{\ast }$ and returns $h_{2i}$ to $\mathcal{A}$dv and adds $\left(I{D}_i,R_i,Y_i,h_{2i}\right)$ to the list ${\mathcal{L}}_2.$

  -

  Queries on oracle $H_3:H_3\left(I{D}_i,z_{2i}P\right).$ $\xi$ maintains a list ${\mathcal{L}}_3,$ which is initially empty. It contains tuples of the form $\left(I{D}_i,z_{2i}P,h_{3i}\right).$ After receiving the query on $\left(I{D}_i,z_{2i}P\right)$, if a tuple $\left(I{D}_i,z_{2i}P,h_{3i}\right)$ exists on ${\mathcal{L}}_3,$ $\xi$ returns $h_{3i}\in Z_q^{\ast }$. Otherwise, $\xi$ picks a random $h_{3i}\in Z_q^{\ast }$ and returns $h_{3i}.$ $\xi$ adds $\left(I{D}_i,z_{2i}P,h_{3i}\right)$ to ${\mathcal{L}}_3.$

  -

  Queries on $F_1,F_2$: $\xi$ maintains two separate lists ${\mathcal{F}}_1-list,{\mathcal{F}}_2-list,$ which are initially empty. If the queries are made earlier, then it returns the same answer. Otherwise, $\xi$ picks random numbers from ${\left\{0,1\right\}}^{l_2}\mathrm{and}{\left\{0,1\right\}}^{l_1}$ respectively, and returns to adversary. $\xi$ stores these values in ${\mathcal{F}}_1,{\mathcal{F}}_2$ lists, respectively.

  -

  Signing oracle. When $\mathcal{A}$dv makes this query on $\left(I{D}_i,m_i\right),\xi$ first makes queries on $H_2,H_3,F_1,F_2$ oracles and recovers the tuples $\left(I{D}_i,R_i,Y_i,h_{2i}\right),$ $\left(I{D}_i,z_{2i}P,h_{3i}\right)$ from lists, respectively. Then, $\xi$ does the following.

  • Choose $z_{2i},h_{2i}\in {}_{R}Z{}_q^{\ast }.$
  • Set $H_2\left(I{D}_i,R_i,Y_i\right)\leftarrow h_{2i}\mathrm{and}\mathrm{store}\left(I{D}_i,R_i,Y_i,h_{2i}\right)$ to the list ${\mathcal{L}}_2.$
  • Compute ${\alpha }_i=H_3\left(I{D}_i,z_{2i}P\right),$ ${\beta }_i=F_1\left(m_i\right)\Vert \left(F_2\left(F_1\left(m_i\right)\right)\oplus m_i\right),$ $Y_i=z_{2i}P-h_{2i}\left(R_i+h_{1i}{P}_{pub}\right),$ $v_i={\left[{\alpha }_i\oplus {\beta }_i\right]}_{10}.$

Finally, $\xi$ responds to $\mathcal{A}$dv with the signature $\left(m_i,Y_i,R_i,v_i\right).$

Forgery. After forgery, a valid signature $\left(m_i^{\ast },Y_i^{\ast },R_i^{\ast },v_i^{\ast }\right)$ on the message $m_i^{\ast }$ under the identity $I{D}_i^{\ast }$ by $\mathcal{A}$dv, $\xi$ recovers the corresponding tuples $\left(I{D}_i^{\ast },R_i^{\ast },Y_i^{\ast },h_{2i}^{\ast }\right),\left(I{D}_i^{\ast },z_{2i}^{\ast }P,h_{3i}^{\ast }\right)$ from ${\mathcal{L}}_2,{\mathcal{L}}_3$ lists. From the tuples, if $I{D}_i^{\ast }\ne I{D}^{\ast },\mathrm{then}\xi$ halts and fails. Otherwise, if $I{D}_i^{\ast }=I{D}^{\ast },$ $\mathrm{then}\xi$ computes the value of $s$ as follows. From Forking Lemma (Pointcheval et al. [43]), if we have a replay of $\xi$ with the same random tape but different choices of $H_2$, $H_3$, $\mathcal{A}$dv will output another signature $\left(m_i^{\ast },Y_i^{{\ast }^{\prime }},R_i^{\ast },v_i^{{\ast }^{\prime }}\right).$ This signature satisfies the verification equation.

By $r_i^{\ast },s,$ we now denote discrete logarithms of $R_i^{\ast },P_{pub}$, respectively, which is $R_i^{\ast }=r_i^{\ast }P,P_{pub}=sP.$

As the signatures $\left(m_i^{\ast },Y_i^{\ast },R_i^{\ast },v_i^{\ast }\right)$, $\left(m_i^{\ast },Y_i^{{\ast }^{\prime }},R_i^{\ast },v_i^{{\ast }^{\prime }}\right)$ satisfy the verification equations, we get two linearly independent equations as $Y_i^{\ast \left(j\right)}=z_{2i}^{\ast \left(j\right)}P-h_{2i}^{\ast \left(j\right)}\left(R_i^{\ast }+h_{1i}^{\ast \left(j\right)}{P}_{pub}\right)\mathrm{for}j=1,2$. $\xi$ solves the unknown values $r_i^{\ast },s,$ from the above two linearly independent equations and outputs $s$ as the solution of ECDLP. However, the ECDLP is computationally infeasible by any polynomial-time bounded algorithm. Therefore, based on the intractability assumption of ECDLP, our scheme is provably secure in the ROM against the adaptive chosen message and identity attacks. □

5.2. Efficiency Analysis of the Proposed Scheme

In this section, we analyze the performance of our PF-IDBS-MR scheme. We compare our scheme with the relevant schemes in terms of computational and communicational cost. We consider the experimental results (Ren et al. [44], Cao et al. [45], and Tan et al. [46]), to achieve the comparable security with 1024-bit RSA key, where the bilinear pairing (Tate pairing) is defined over the super singular elliptic curve $E_q:y^2=x^3+x$ with embedding degree 2 and the 160-bit Solinas prime number $q=2^{159}+2^{17}+1$ with 512-bit prime number p satisfying $p+1=12qr.$ The running time is calculated for different cryptographic operations in References [44,45,46] using MIRACL (Shamus software) [47], a standard cryptographic library and implemented on a hardware platform PIV (Pentium-4) 3GHZ processor with 512-MB memory and a windows XP operating system. Furthermore, Chung et al. [48] indicated that the time needed to execute the elliptic curve scalar multiplication $(T_{EM})$ is approximately $29T_{ML},$ and the time needed to execute the modular exponentiation $(T_{EX})$ is approximately $240T_{ML}.$ It was also mentioned in Reference [45] that the time needed to execute one pairing based scalar multiplication $(T_{EM})$ is approximately 6.38 ms, i.e, $T_{EM}\approx 6.38\hspace{0.17em}\mathrm{m}\mathrm{s},$ the time needed to execute one bilinear pairing (Tate pairing) operation $(T_{BP})$ is approximately 20.01 ms, i.e.,$T_{BP}\approx 20.01\hspace{0.17em}\mathrm{m}\mathrm{s}$ and the time needed to execute one pairing-based exponentiation $T_{PX}$ is approximately $11.20\hspace{0.17em}\mathrm{m}\mathrm{s}$, i.e., $T_{PX}\approx 11.20\hspace{0.17em}\mathrm{ms}.$ Now, from the works proposed by Baretto et al. [49] and Tan et al. [46], $1T_{BP}\approx 3T_{EM}$ and $1T_{PX}\approx (1/2)T_{BP}.$ We summarize these computational results in

Table 4. Notations and descriptions of various cryptographic operations and their conversions.

Notations	Descriptions
$T_{ML}$	Time needed to execute the modular multiplication operation
$T_{EM}$	Time needed to execute the elliptic curve point multiplication (Scalar multiplication in $G_1$): $T_{EM}\approx 29T_{ML}$
$T_{BP}$	Time needed to execute the bilinear pairing operation in $G_2$: $T_{BP}\approx 87T_{ML}$
$T_{PX}$	Time needed to execute the pairing-based exponentiation operation in $G_2$: $T_{PX}\approx 43.5T_{ML}$
$T_{EX}$	Time needed to execute modular exponentiation operation in $Z_q^{*}$: $T_{EX}\approx 240T_{ML}$
$T_{IN}$	Time needed to execute modular inversion operation in $Z_q^{*}$: $T_{IN}\approx 11.6T_{ML}$
$T_{MTP}$	Time needed to execute a map-to-point (hash function): $T_{MTP}\approx T_{EM}\approx 29T_{ML}$
$T_{PA}$	Time needed to execute addition of 2 elliptic curve points (point addition in $G_1$): $T_{PA}\approx 0.12T_{ML}$

.

5.2.1. Computational Efficiency

The comparison of our proposed PF-IDBS-MR scheme with the existing blind signature schemes, in terms of a computational point of view, is presented in

Table 5. Comparison of computational efficiency of our proposed scheme with the related schemes.

Scheme	Signing Cost	Verification Cost	Total Cost
Han et al. (2005) [36]	$6{\mathrm{T}}_{EM}+2T_{BP}+1T_{IN}+2T_{PA}$	$3T_{BP}+1T_{PX}$	$664.34T_{ML}$
Hassan et al. (2006) [37]	$6{\mathrm{T}}_{EM}+1T_{BP}+1T_{IN}+2T_{PA}$	$2T_{BP}+1T_{PX}$	$490.34T_{ML}$
Fan et al. (2010) [23]	$7{\mathrm{T}}_{EM}+1T_{MTP}+1T_{IN}+3T_{PA}$	$3T_{BP}+1T_{MTP}$	$533.96T_{ML}$
Rao, et al. (2010) [21]	$2T_{BP}+3T_{EM}+1T_{PX}+4T_{PA}$	$2T_{BP}+1T_{PX}$	$522.48T_{ML}$
He et al. (2011) [26]	$5T_{EM}$	$3T_{EM}$	$232T_{ML}$
Islam et al. (2016) [33]	${4\mathrm{T}}_{EM}+2T_{PA}+1T_{IN}$	$1T_{PA}+1T_{EM}$	$156.96T_{ML}$
James et al. (2017) [39]	${6\mathrm{T}}_{EM}+1T_{BP}+1T_{IN}+2T_{PA}$	$2T_{BP}+1T_{EM}$	$475.84T_{ML}$
Verma et al. (2018) [40]	${3\mathrm{T}}_{EM}+1T_{MTP}+1T_{BP}+1T_{IN}$	$1T_{BP}+1T_{EX}$	$541.6T_{ML}$
Our Proposed Scheme	${3\mathrm{T}}_{EM}+1T_{PA}+1T_{IN}$	$2T_{EM}+2T_{PA}$	$156.96T_{ML}$

. The total computational cost of our proposed scheme is $156.96T_{ML},$ which is much more efficient than the well-known existing schemes. While the computational cost of our scheme is equal to Islam et al. scheme [33], our proposed scheme achieves message recovery. Hence, our scheme is considered to be more efficient compared to Islam et al. scheme [33]. From Table 5, it is clear that the computation cost of our PF-IDBS-MR scheme is $156.96T_{ML}$, which is 76.37% less than Han et al. scheme [36], 67.98% less than Hassan et al. scheme [37], 70.60% less than Fan et al. scheme [23], 69.95% less than Prasad et al. [21], 32.34% less than He et al. scheme [26], 67.01% less than James et al. [39], and 71.01% less than Verma et al. scheme [40]. Hence, our scheme is computationally more efficient when compared to the well-known related schemes [21,23,26,33,36,37,39,40].

5.2.2. Communicational Efficiency

The comparison of our proposed PF-IDBS-MR scheme with the existing blind signature schemes, in terms of communicational point of view, is presented in

Table 6. Comparison of communicational efficiency of our proposed scheme with the related schemes.

Scheme	Message Recovery	Signature Length	In Bytes
Han et al. (2005) [36]	✓	$2\left|G_1\right|$	$256bytes$
Hassan et al. (2006) [37]	✓	$\left|q\right|+\left|G_1\right|$	$148bytes$
Fan et al. (2010) [23]	✕	$\left|m\right|+2\left|G_1\right|$	$256bytes+\left|m\right|$
Rao et al. (2010) [21]	✕	$\left|q\right|+\left|G_1\right|$	$148bytes+\left|m\right|$
He et al. (2011) [26]	✕	$\left|q\right|+2\left|G\right|$	$100bytes+\left|m\right|$
Islam et al. (2016) [33]	✕	$\left|q\right|+2\left|G\right|$	$276bytes+\left|m\right|$
James et al. (2017) [39]	✓	$\left|q\right|+\left|G_1\right|$	$148bytes+\left|m\right|$
Verma et al. (2018) [40]	✓	$\left|q\right|+\left|G_1\right|$	$148bytes$
Our Proposed Scheme	✓	$\left|q\right|+2\left|G\right|$	$100bytes$

. The schemes [21,23,36,37,39,40] are established on bilinear pairings. The remaining related schemes [26,33] and our proposed scheme is established on ECC. To achieve a security level of 80 bits, in bilinear pairing, we consider $\widehat{e}:G_1\times G_1\to G_T$, where $G_1$ is an additive group that is generated by $\widehat{P}$ with the order $\widehat{q}$ on the super singular elliptic curve $\widehat{E}:y^2=x^3+x\mathrm{mod}\widehat{p}$ with embedding degree 2. Here, $\widehat{p}$ consists of 512 bit prime number and $\widehat{q}$ is of 160 bit solinas prime number. To achieve the same 80 bit security level, in ECC, we consider $G$ as an additive cyclic group generated by a point $P$ on a non-singular elliptic curve $E:y^2=x^3+ax+b\mathrm{mod}p$ and its order is $q$ where $p,q$ are prime numbers of 160 bit each and $a,b\in Z_q{}^{\ast }.$ Hence, the size of $\widehat{p}$ is 512 bits (i.e., 64 bytes) and the size of $p$ is 160 bits (i.e., 20 bytes). Hence, the size of elements in $G_1$ is $512\times 2=1024$ bits and the size of elements in $G$ is $160\times 2=320$ bits. Additionally, the size of the elements in $Z_q{}^{\ast }$ is 160 bits.

Since our proposed scheme is with message recovery, the original message of the signature is not required to be transmitted together with the signature, and hence the signature length of our proposed scheme is $\left|q\right|+2\left|G\right|$ and the communication cost is $160+2\times 320=800$ bits = 100 bytes.

From Table 6, it is clear that our PF-IDBS-MR scheme is more efficient compared to the existing blind signature schemes [21,23,26,33,36,37,39,40], in a communicational point of view.

The following bar graphs (Figure 1 and Figure 2) clearly show that our scheme is much more efficient than the existing schemes. Hence, our PF-IDBS-MR scheme is much more efficient than the existing blind signature schemes, both from a computational and communicational cost point of view.

6. Conclusions

In this paper, we have presented a pairing-free Identity-based blind signature scheme with message recovery. This PF-IDBS-MR scheme combines the advantages of blind signature, message recovery property in ID-based setting. Moreover, it is designed in pairing-free environment. The correctness of the proposed scheme has been validated. The proposed scheme is secure and existential unforgeable against the adaptive chosen message and identity attacks under the assumption that ECDLP intractable. The blindness property of the proposed scheme provides the anonymity of the user and the message recovery property of the proposed scheme enhances the bandwidth efficiency. To the best of our knowledge, this is the first blind signature scheme with message recovery in pairing free environment. The comparison of our PF-IDBS-MR scheme with the existing schemes shows that the proposed scheme is efficient in terms of computational and communicational point of view. The proposed scheme is very useful in practical applications such as mobile communications, wireless sensor networks etc., where bandwidth is the main constrain. Due to the blindness and message recovery property, computational, and communicational efficiency, the proposed PF-IDBS-MR scheme can be applied efficiently in the design of e-voting and e-payment applications.