On the complexity of blind signatures

Blind signature schemes provide the functionality of a carbon copy envelope: The user (receiver) puts his message into this envelope and hands it over to the signer (sender). The signer in return signs the envelope and gives it back to the user who recovers the original signed message out of the envelope. Security says that the signer remains oblivious about the message (blindness), but at the same time the receiver cannot output any additional message/signature pair (unforgeability). Classical applications of blind signatures include e-cash and e-voting. Blind signature schemes are an important cryptographic primitive and many constructions have been proposed in the literature. These instantiations differ mainly in round complexity, underlying computational assumptions, and the model in which the proof of security is given. However, the minimal requirements for blind signatures in terms of round complexity and computational assumptions without assuming setup assumptions are unknown. This thesis addresses both of these questions. For the study of the round complexity, this thesis investigates the possibility of proving the security of a more general class of three-move blind signature schemes. We show that finding security proofs for these schemes via black-box reductions in the standard model is hard. Characteristic for this class is that it is publicly decidable from the transcript if the user can derive a valid signature, or not. Regarding the computational assumptions, this thesis first shows that the class of unique blind signature schemes can be used to build oblivious transfer protocols in a blackbox way. These blind signature schemes have at most one signature per message and public key. It is well known that oblivious transfer cannot be constructed from oneway functions in a black-box fashion. Thus, this result also holds for (regular) blind signature schemes. Moreover, this thesis rules out black-box constructions of blind signature schemes from one-way functions. In fact, this thesis rules out constructions from a random permutation oracle. This separation holds even for schemes signing 1-bit messages that achieve security only against honest-but-curious behavior.