Cryptography Reference
In-Depth Information
and B is now able to unblind the message. Unblinding is performed by dividing u
by r or multiplying u with the multiplicative inverse of r modulo n. This inverse, in
turn, can be found because r is a unit (and hence invertible) in Z_n.
To prove the blindness property of the blind RSA DSS, one has to show that
the pair (t, u) is statistically independent of the pair (m, s). Because r^e (mod n) is
a random group element of Z_n, t and m are statistically independent. Furthermore,
because u is determined by t and s is determined by m , ( t, u ) and ( m, s ) are
statistically independent as well.
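
The unblinding step and the blindness argument above, as an added example that is not taken from the book. It goes one step beyond the text by exhibiting, for a fixed t, the blinding factor under which t would hide a different message. Assumptions: the usual blind RSA steps t = m * r^e mod n and u = t^d mod n (defined before this excerpt), a constructed toy key, raw messages without hashing or padding, and illustrative function names.

```python
import math
import secrets

# Constructed toy RSA key (far too small for real use): n = 61 * 53.
N, E, D = 3233, 17, 2753

def random_unit(n=N):
    """Pick r at random among the units modulo n (gcd(r, n) = 1)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

def blind(m, r, e=E, n=N):
    """Requester: t = m * r^e mod n (assumed blinding step)."""
    return (m * pow(r, e, n)) % n

def sign_blinded(t, d=D, n=N):
    """Signatory: u = t^d mod n, computed without seeing m."""
    return pow(t, d, n)

def unblind(u, r, n=N):
    """Requester: s = u * r^(-1) mod n; the inverse exists because r is a unit."""
    return (u * pow(r, -1, n)) % n

def verify(m, s, e=E, n=N):
    """Ordinary RSA verification of the unblinded pair (m, s)."""
    return pow(s, e, n) == m % n

def explaining_factor(t, m_other, d=D, e=E, n=N):
    """Blinding factor r' with m_other * r'^e = t (mod n).
    d is used only to exhibit r'; the point is that such an r' exists."""
    return pow(t * pow(m_other, -1, n) % n, d, n)

def demo():
    m, m_other = 1234, 2021          # constructed messages, both units mod n
    r = random_unit()
    t = blind(m, r)
    u = sign_blinded(t)
    s = unblind(u, r)
    # The signatory's view (t, u) fits m_other just as well as m.
    r_other = explaining_factor(t, m_other)
    s_other = unblind(u, r_other)
    return verify(m, s), blind(m_other, r_other) == t, verify(m_other, s_other)

if __name__ == "__main__":
    print(demo())
```
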
At first sight, one would argue that blind signatures are not particularly
useful, because a signatory always wants to know what it signs. Surprisingly,
this is not always the case, and there are many applications for blind signatures
and corresponding DSSs. Examples include anonymous digital cash and electronic
voting. After Chaum published his results in the early 1980s, almost all DSSs have
been extended in one way or another to also provide the possibility to issue blind
signatures.
15.6.2 Undeniable Signatures
The notion of an undeniable signature was developed and originally proposed by
David Chaum and Hans van Antwerpen at the end of the 1980s [22]. In short,
undeniable signatures are digital signatures that cannot be verified with a public key.
Instead, they must be verified interactively, meaning that an undeniable signature can
only be verified with the aid of the signatory and that the Verify algorithm is therefore
replaced with a signature verification protocol that is executed between the verifier
and the signatory. Because a dishonest signatory can always refuse participation in
a signature verification protocol, an undeniable signature system must come along
with a disavowal protocol that can be used to prove that a given signature is a forgery.
15.6.3 Fail-Stop Signatures
The notion of a fail-stop signature was developed and originally proposed by Birgit
Pfitzmann in the early 1990s [23] (see [24] for a more formal treatment). Fail-stop
signatures can be briefly characterized as digital signatures that allow the signatory
to prove that a signature purportedly (but not actually) signed by itself is a forgery.
This is done by showing that the underlying assumption on which the DSS is
based has been compromised. After such a proof has been published, the system
can be stopped (that's why the signatures are called fail-stop in the first place).
Fail-stop signatures are theoretically interesting, but they are practically not very
important. Note that it is much more likely that a signing key is compromised than
that the underlying assumption is broken.