盲簽章是一種能夠不讓簽名者知道自己所簽訊息的數位簽章。然而在實際應用中，簽名者往往需要記錄一些與簽名相關的額外訊息。為了解決這個問題，部分盲簽章的概念被提出。除了具有盲簽章的性質外，部分盲簽章可以讓簽名者能從所簽訊息中獲取到所需的相關的資訊。部分盲簽章在被提出至今有不少成果被提出，但這些成果都需要花費較多的運算時間，或是不易應用到實際應用中。除此之外，隨著數位貨幣（如：比特幣）的興起，愈來愈多消費者會購買數位貨幣。但目前的購買方式無法隱藏消費者的電子錢包位置，因此一些研究將重點放在基於橢圓曲線簽章算法（Elliptic Curve Digital Signature Algorithm，ECDSA）的盲簽章的研究上。然而由於盲簽章存在簽名者完全不知道所簽訊息的特性，使得這些基於ECDSA的盲簽章難以靈活地運用在數位貨幣系統上。因此，我們提出了提出了三個部分盲簽章。我們的第一個簽章是到目前為止的研究是效能最好的部分盲簽章。另外，為了與比特幣系統更加契合，我們提出了兩種改版之ECDSA及其在通用群模型（Generic Group Model）下的安全性證明，並基於此提出了兩種首次與現行比特幣系統相契合的ECDSA部分盲簽章。我們為上述的部分盲簽章都提供了安全性證明及效能分析。最後我們提出了我們的部分盲簽章在購買比特幣時的應用方式。

Blind signatures allow a user to obtain a signature without revealing message information to the signer. However, in many cases, the signer must record additional information relevant to the signature. Therefore, a partially blind signature was proposed to enable the signer to obtain some information from the signed message.
Although many partially blind signature schemes have been proposed, they are time intensive and impractical.
Additionally, with the development of blockchain technology, users increasingly use Bitcoin for purchasing and trading with coin providers.
Some studies have indicated that elliptic curve digital signature algorithm (ECDSA)-based blind signatures are compatible with Bitcoin because they prevent the linking of sensitive information due to the untamability of Bitcoin. However, these approaches are not sufficiently flexible because blind signatures do not allow the signer to obtain any information.
In this thesis, we proposed three partially blind signature schemes.
To the best of our knowledge, compared with other state-of-the-art schemes, our first scheme is the most practical partially blind signature. Additionally, to be more compatible with the current Bitcoin protocol, we introduced two variants of ECDSA with their security proofs under generic group model. Based on these two variants of ECDSA we proposed two partially blind signature schemes. Security proofs are provided to demonstrate that all proposed schemes have satisfactory unforgeability and blindness. At last we describe a application of bitcoin purchasing based on proposed schemes.

[1] D. R. Brown, “Generic groups, collision resistance, and ECDSA,” Designs, Codes and
Cryptography, vol. 35, no. 1, pp. 119–152, 2005.
[2] A. Lysyanskaya, “Signature schemes and applications to cryptographic protocol design,”
Ph.D. dissertation, Massachusetts Institute of Technology, 2002.
[3] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE transactions on
Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
[4] D. Chaum, A. Fiat, and M. Naor, “Untraceable electronic cash,” in Conference on the
Theory and Application of Cryptography. Springer, 1988, pp. 319–327.
[5] D. Chaum, “Blind signatures for untraceable payments,” in Advances in cryptology.
Springer, 1983, pp. 199–203.
[6] M. Abe and E. Fujisaki, “How to date blind signatures,” in International Conference on
the Theory and Application of Cryptology and Information Security. Springer, 1996, pp.
244–251.
[7] M. Abe and T. Okamoto, “Provably secure partially blind signatures,” in Annual
International Cryptology Conference. Springer, 2000, pp. 271–286.
[8] S. Nakamoto, “Bitcoin: A peer­to­peer electronic cash system,” Manubot, Tech. Rep.,
2019.
[9] D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digital signature algorithm
(ECDSA),” International journal of information security, vol. 1, no. 1, pp. 36–63, 2001.
[10] D. W. Kravitz, “Washington, DC: U.S. patent and trademark office,” U.S. Patent No. 5,
vol. 231, p. 668, 1993.
[11] 李鴻, “一種基於橢圓曲線的部分盲簽名方案,” 宿州學院學報, no. 1, pp. 89–91, 2004.
[12] M. An, “Blind signatures with DSA/ECDSA?” Annual International Cryptology
Conference, pp. 271–286, 2004. [Online]. Available: http://lists.virus.org/cryptography0404/msg00149.html
[13] W. Ladd, “Blind signatures for bitcoin transaction anonymity,” 2012.
[14] X. Yi and K.­Y. Lam, “A new blind ECDSA scheme for bitcoin transaction anonymity,”
in Proceedings of the 2019 ACM Asia Conference on Computer and Communications
Security, 2019, pp. 613–620.
[15] D. Pointcheval and J. Stern, “Provably secure blind signature schemes,” in International
Conference on the Theory and Application of Cryptology and Information Security.
Springer, 1996, pp. 252–265.
[16] M. Stadler, J.­M. Piveteau, and J. Camenisch, “Fair blind signatures,” in International
Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1995,
pp. 209–219.
[17] Y. Frankel, Y. Tsiounis, and M. Yung, ““indirect discourse proofs”: Achieving efficient fair
off­line e­cash,” in International Conference on the Theory and Application of Cryptology
and Information Security. Springer, 1996, pp. 286–300.
[18] Y. Xie, F. Zhang, X. Chen, and K. Kim, “Id­based distributed ’magic ink’ signature,” in
Information and Communications Security, Fifth International Conference, ICICS, 2003,
pp. 10–13.
[19] A. Shamir, “Identity­based cryptosystems and signature schemes,” in Workshop on the
theory and application of cryptographic techniques. Springer, 1984, pp. 47–53.
[20] A. J. Menezes, T. Okamoto, and S. A. Vanstone, “Reducing elliptic curve logarithms to
logarithms in a finite field,” iEEE Transactions on information Theory, vol. 39, no. 5, pp.
1639–1646, 1993.
[21] F. Zhang and K. Kim, “Id­based blind signature and ring signature from pairings,” in
International Conference on the Theory and Application of Cryptology and Information
Security. Springer, 2002, pp. 533–547.
[22] S. Lal and A. K. Awasthi, “Proxy blind signature scheme,” Journal of Information Science
and Engineering. Cryptology ePrint Archive, Report, vol. 72, 2003.
[23] F. Zhang, R. Safavi­Naini, and C.­Y. Lin, “New proxy signature, proxy blind signature
and proxy ring signature schemes from bilinear pairing.” IACR Cryptol. ePrint Arch., vol.
2003, p. 104, 2003.
[24] Z. Tan, Z. Liu, and C. Tang, “Digital proxy blind signature schemes based on DLP and
ECDLP,” MM Research Preprints, vol. 21, no. 7, pp. 212–217, 2002.
[25] S. S. Chow, L. C. Hui, S.­M. Yiu, and K. Chow, “Forward­secure multisignature and blind
signature schemes,” Applied Mathematics and Computation, vol. 168, no. 2, pp. 895–908,
2005.
[26] D. N. Duc, J. H. Cheon, and K. Kim, “A forward­secure blind signature scheme
based on the strong RSA assumption,” in International Conference on Information and
Communications Security. Springer, 2003, pp. 11–21.
[27] L. Liu and Z. Cao, “Universal forgeability of a forward­secure blind signature scheme
proposed by Duc et al.” IACR Cryptol. ePrint Arch., vol. 2004, p. 262, 2004.
[28] X. Chen, F. Zhang, and K. Kim, “ID­based multi­proxy signature and blind multisignature
from bilinear pairings,” Proceedings of KIISC, vol. 3, pp. 11–19, 2003.
[29] A. Lysyanskaya and Z. Ramzan, “Group blind digital signatures: A scalable solution to
electronic cash,” in International Conference on Financial Cryptography. Springer, 1998,
pp. 184–197.
[30] J. Kim, K. Kim, and C. Lee, “An efficient and provably secure threshold blind signature,”
in International Conference on Information Security and Cryptology. Springer, 2001, pp.
318–327.
[31] D. L. Vo, F. Zhang, and K. Kim, “A new threshold blind signature scheme from pairings,”
2003.
[32] T. K. Chan, K. Fung, J. K. Liu, and V. K. Wei, “Blind spontaneous anonymous group
signatures for ad hoc groups,” in European Workshop on Security in Ad­hoc and Sensor
Networks. Springer, 2004, pp. 82–94.
[33] D. Jena, S. K. Jena, and B. Majhi, “A novel untraceable blind signature based on elliptic
curve discrete logarithm problem,” 2007.
[34] M. Nikooghadam and A. Zakerolhosseini, “An efficient blind signature scheme based on
the elliptic curve discrete logarithm problem,” ISeCure­The ISC International Journal of
Information Security, vol. 1, no. 2, pp. 125–131, 2009.
[35] D. He, J. Chen, and R. Zhang, “An efficient identity­based blind signature scheme without
bilinear pairings,” Computers & Electrical Engineering, vol. 37, no. 4, pp. 444–450, 2011.
[36] H.­Y. Chien, J.­K. Jan, and Y.­M. Tseng, “RSA­based partially blind signature with
low computation,” in Proceedings. Eighth International Conference on Parallel and
Distributed Systems. ICPADS 2001. IEEE, 2001, pp. 385–389.
[37] F. Zhang, R. Safavi­Naini, and W. Susilo, “Efficient verifiable encrypted signature
and partially blind signature from bilinear pairings,” in International Conference on
Cryptology in India. Springer, 2003, pp. 191–204.
[38] G. Maitland and C. Boyd, “A provably secure restrictive partially blind signature scheme,”
in International Workshop on Public Key Cryptography. Springer, 2002, pp. 99–114.
[39] S. S. Chow, L. C. Hui, S.­M. Yiu, and K. Chow, “Two improved partially blind signature
schemes from bilinear pairings,” in Australasian Conference on Information Security and
Privacy. Springer, 2005, pp. 316–328.
[40] T. Okamoto, “Efficient blind and partially blind signatures without random oracles,” in
Theory of Cryptography Conference. Springer, 2006, pp. 80–99.
[41] C.­P. Schnorr, “Efficient identification and signatures for smart cards,” in Conference on
the Theory and Application of Cryptology. Springer, 1989, pp. 239–252.
[42] V. S. Miller, “Use of elliptic curves in cryptography,” in Conference on the theory and
application of cryptographic techniques. Springer, 1985, pp. 417–426.
[43] D. Pointcheval and J. Stern, “Provably secure blind signature schemes,” in International
Conference on the Theory and Application of Cryptology and Information Security.
Springer, 1996, pp. 252–265.
[44] ——, “Security arguments for digital signatures and blind signatures,” Journal of
cryptology, vol. 13, no. 3, pp. 361–396, 2000.
[45] J. H. Silverman and J. Suzuki, “Elliptic curve discrete logarithms and the index calculus,”
in International Conference on the Theory and Application of Cryptology and Information
Security. Springer, 1998, pp. 110–125.
[46] V. I. Nechaev, “Complexity of a determinate algorithm for the discrete logarithm,”
Mathematical Notes, vol. 55, no. 2, pp. 165–172, 1994.
[47] V. Shoup, “Lower bounds for discrete logarithms and related problems,” in International
Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1997,
pp. 256–266.
[48] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity of interactive proof
systems,” SIAM Journal on computing, vol. 18, no. 1, pp. 186–208, 1989.
[49] A. Fiat and A. Shamir, “How to prove yourself: Practical solutions to identification
and signature problems,” in Conference on the theory and application of cryptographic
techniques. Springer, 1986, pp. 186–194.
[50] O. Blazy, D. Pointcheval, and D. Vergnaud, “Compact round­optimal partially­blind
signatures,” in International Conference on Security and Cryptography for Networks.
Springer, 2012, pp. 95–112.
[51] W.­J. Tsaur, J.­H. Tsao, and Y.­H. Tsao, “An efficient and secure ECC­based partially
blind signature scheme with multiple banks issuing e­cash payment applications,” in
Proceedings of the International Conference on e­Learning, e­Business, Enterprise
Information Systems, and e­Government (EEE). The Steering Committee of The World
Congress in Computer Science, Computer …, 2018, pp. 94–100.
[52] S. H. Islam and G. Biswas, “A pairing­free identity­based authenticated group key
agreement protocol for imbalanced mobile networks,” Annals of télécommunicationsannales des telecommunications, vol. 67, no. 11­12, pp. 547–558, 2012.
[53] ——, “Provably secure and pairing­free certificateless digital signature scheme using
elliptic curve cryptography,” International Journal of Computer Mathematics, vol. 90,
no. 11, pp. 2244–2258, 2013.
[54] N. Tahat, E. Ismail, and A. Alomari, “Partially blind signature scheme based on chaotic
maps and factoring problems,” Italian Journal of Pure and Applied Mathematics, p. 165,
2018.
[55] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing elliptic curve
cryptography and RSA on 8­bit CPUs,” in International workshop on cryptographic
hardware and embedded systems. Springer, 2004, pp. 119–132.
[56] E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza,
“Zerocash: Decentralized anonymous payments from bitcoin,” in 2014 IEEE Symposium
on Security and Privacy. IEEE, 2014, pp. 459–474.
[57] G. Wood et al., “Ethereum: A secure decentralised generalised transaction ledger,”
Ethereum project yellow paper, vol. 151, no. 2014, pp. 1–32, 2014.