INTRODUCTION Nowadays, most of the time we pay for the things we buy is either by credit card, debit card or cell phones. There is a rapid increase in the use of electronic payments like e-cash, e-mail, e-shopping, fingerprinting. The availability of electronic payment systems leads to a virtuous economic cycle whereby increased consumption leads to increased production and more jobs. But it has some disadvantages too as by increased electronic payments the crimes related to personal privacy has also increased. According to David Chaum, there are two problems in the transaction of payment. The first one is – if A is sending some message to B and there is a third party who signs the message sent by A who can know everything about the message, this can reveal personal information to the third party. The second one is – if the payments are made anonymously there is a greater chance of tax evasion or theft of payments. So there is a need for a cryptographic function which is similar to digital signatures. A require some kind of blindness on his payment, the third party will sign his message but will have zero knowledge about the message.BLIND SIGNATURE SCHEME DEFINITIONDavid Chaum defined the blind signatures in terms of an analogy which consist of a sender, a receiver, signing authority and carbon lined envelopes. The sender wants to send a message to the receiver but wants it to be signed by the signing authority so that receiver can verify that it is a valid message sent by sender and at the same time sender do not want the signing authority to have zero knowledge about the message. The sender also wants to know that his message is signed or not. So to do this he places his message in a carbon lined envelope which have the property that if one writes on it the impression goes to the paper below it. The sender places the carbon lined envelope in an outer envelope with the return address on it to the signing authority. The authority will take out the carbon lined envelope, signs it and put that in a new outer envelope and sends it to the address given by the sender. This way only the authorized senders will get the signatures. Now sender can verify it and then it sends the message in a new outer envelope to the receiver. Therefore, the signing authority cannot know anything about the message. It do not have any information about who send it and who is going to see it.SECURITY DEFINITIONSAccording to 1 2 there are 3 properties of blind signatures – Blindness – The signing party cannot know the message that it signs and that is being sent between sender and receiver.Unforgeability – the person who do not the signing key cannot retrieve the message that is sent between sender and receiver.Auditability – A receipt by the receiver to the sender helps the sender to verify that the message is sent to the receiver that he wants to send.FUNCTIONS AND PROTOCOLFollowing are the 3 functions derived by David Chaum and the Blind signature protocol that is made from these functions -Signing function s’ that is secret key of signer and s that is known public key such that s(s'(x))=xCommuting function c and its inverse c’ that is known by the sender such that c'(s'(c(x)))=s'(x)Randomness factor r that provides some randomness so that adversary cannot know valid signatures.The way these functions are used is shown below – The sender chooses x at random and makes c(x) and sends it to the signer.Signer signs the message c(x) using its secret key s’ and gives s'(c(x)) back to the sender.The sender checks the s'(c(x)) using its inverse c’ and get s'(x), c'(s'(c(x)))= s'(x).Now anyone can check the signature using the signer’s public key s.UNTRACEABLE PAYMENT SYSTEM BY CHAUMChaum illustrated a payment system using the blind signatures using three characters sender, receiver and bank. This is just like a carbon paper lined envelope analogy that is the bank is the the signing authority which signs the message sent by the sender but could not know anything about the message and then returns this to sender, then given to receiver and cleared by the bank. Chaum shows the transaction as follows -Sender chooses x randomly and compute c(x).Sender gives this c(x) to the bank.Bank signs this c(x) using its key s’ and debits the sender’s account and compute s'(c(x)).Bank returns this to the sender.Sender checks the signature using c’ and compute c'(s'(c(x)))=s'(x) and stops if not equal.Sender then sends s'(x) to the receiver.Receiver checks the message by computing s(s'(x)) and stops if false.Receiver then gives s'(x) to the bank.Bank checks the message by computing the same s(s'(x)) and stops if false.Bank then credits the receiver’s account.Bank tells the sender that receiver accepted the amount sent by it.There are many different types of blind signature structures that depend on different cryptographic schemes. Some of them are based on RSA, DLP(Discrete Log Problem), Quadratic Residue problem, Bilinear Pairings, Lattices, IDs etc. Some of them have extra blind security properties and these are fair-blind signatures and partially-blind signatures.FLAWS IN BLIND SIGNATURESThe anonymity property of blind signatures have advantages but it also have some disadvantages. This property gives a secure transaction but it also gives a perfect opportunity for the criminals. According to Solms and Naccache with the growing emphasis on the protection of the privacy of user data and user actions in electronic systems, blind signatures seem to be a perfect solution. However, there is a problematic aspect of blind signatures, showing that this perfect solution can potentially lead to perfect crime. With the help of blind signatures you can tell the data is false or valid but cannot take some specific actions on the transaction or on the users.When blind signatures are used in the electronic payment system it authorizes the money to be used and no one can track the person where it uses that money. Individual surveillance (traceability) becomes impossible since it is not possible to determine who spends the electronic money and where.SCHEME TO SHOW NON TRACEABLE PAYMENTAccording to 3 following are steps to show this scheme -User chooses B at random and sends it to bank.Bank legalises the money by computing D and withdraws one “money unit” from the user’s bank account, putting this “money unit” into a money pool. Then the bank sends D back.The user can now spend this money for example it can pay the shopkeeper its money units.The shopkeeper checks it with the bank whether the money unit is used previously or not.Now shopkeeper will give this money unit to the Bank and there is no possible way to trace it to the original user.THE CRIME From 3, a man opens a bank account in some some bank and deposits some money in order to get a credit card. After some time he kidnaps the baby of some famous celebrity and demands some big amount of money. When the enquiry is held police came to know that the man has opened the bank account with a false identity. Now policemen started surveilling the ATM operations and are placed near each machine and all withdrawal operations are filtered. Some days later the man was caught while withdrawing the money.If the bank was using a blind signature scheme then it would be impossible for the police to trace back to the criminal. Knowing this attack another scheme is used which is similar to blind signatures but there is a third party which can help in tracing called Fair Blind Signatures.FAIR BLIND SIGNATURESFair blind signatures have a third party which possess certain information which can help in case of fraud or dishonest transaction. It helps in removing the anonymity with the help of a trusted third party when there is a need to do so legally.Fair blind signature scheme consist of a sender, signer and a trusted entity which is also called judge which controls the two protocols – A Signing protocol which consist of signer and sender A Link recovery protocol which consist of a signer and judgeThe Signing protocol works the same way as the blind signatures that is signing the message and sending it back to the sender. The Link recovery protocol gives some information to the signer with the help of judge which is the trusted third party and enables him to link a view of the protocol to its corresponding message-signature pair.According to 4, there are two types of fair blind signature schemes, according to the information the judge receives from the signer during the link-recovery protocol:Type 1 – Given the signer’s view of the protocol, the judge delivers information that enables the signer to efficiently recognize the corresponding message-signature pair that is the judge can extract the message that was signed.Type 2 – Given the message-signature pair, the judge delivers information that enables the signer to efficiently identify the sender of that message.The model can be shown in a type of program as follows – FAIR ONE OUT OF TWO OBLIVIOUS TRANSFER PROTOCOLA One-out-of-two Oblivious Transfer Protocol is a protocol between sender and receiver in which the sender sends two different values M0 and M1 and the receiver has to choose one of them. The receiver gets the message that is chosen by itself and the sender cannot know which message receiver has chosen. Let M0 and M1 be the two messages sent by the sender and let C be the chosen bit of the receiver. Then an execution of the protocol is denoted by:A fair one-out-of-two oblivious transfer protocol is a protocol in which the judge can determine the chosen bit C but the sender cannot. It is a modification of One out-of-two Oblivious Transfer Protocol. The protocol is shown with the help of a diagram as below -OTHER TYPES OF BLIND SIGNATURESPARTIALLY BLIND SIGNATURESIt is a type of blind signature. In Blind signatures, the signer has no control over the attributes of the message like “date of issue” or “valid until” because of the signatures but have control over those attributes that are bound by the public key. According to 5 if a signer issues blind signatures that are valid until the end of the week, the signer has to change his public key every week. This will seriously impact availability and performance. Similar thing happens with electronic cash system where bank gives blind signature as electronic coin. So now bank have use different public key each time. One more example is when signing authority signs the ballot, signing authority cannot include voteID, so the public key of the signing authority should be disposable. So each voter should have new public key for each vote.According to 5, partially blind signatures, signer can add some extra information regarding the message in agreement with the receiver. The signer can add like “valid until” with his blind signatures as an attribute. If the signer is issuing large number of signatures with some attribute like “valid until” it will not violate the anonymity property of the blind signatures.If one can fit all the common information to a single string, one can easily transform partially blind signature schemes into fully blind signatures. However, the reverse that is fully blind signatures to partially blind signatures is not that easy.IDENTITY BASED BLIND SIGNATURESAccording to Zhang and Kim 6, false certification or no certification can lead to a problematic situations, there could be a “man in the middle attack”, the problem appears with the encryption too. So there is a need for an identity certification or authentication. In public key cryptosystem, each user has two keys, a private key and a public key. The public key is binded with the identity with the help of digital certificates. But in a system which is certificate based the user must first verify the certificate before using the public key. So this system requires a large amount of storage time and computing time and it gets worse as the number of user increases.The ID-based public key can be used instead of certificate based public key when efficient key management and moderate security is required. In Identity based cryptography one’s public key is his identity. For example zhang and kim state that if a bank is using a ID-based blind signatures, users do not have to know the bank’s public key. They can verify the e-cash by just seeing the following -Name of the country || Name of the city || Name of the bank || This Year.SECURITY OF BLIND SIGNATURES UNDER ABORTBlind signatures work perfectly in case when they are fully executed but if the signing protocol is canceled prematurely it reduces the security of whole protocol. In order to remove this problem Camenisch stated a phenomenon called selective failure blindness. Selective failure blindness ensures that the signer still signs the message even after knowing that the execution is aborted. So the adversary who is a fake signer can not force the actual user to abort the signing protocol using some property and it cannot get any information about the message.