Linkability of Some Blind Signature Schemes ⋆

Swee-Huay Heng 1, Wun-She Yap 2 and Khoongming Khoo 3

1 Centre for Cryptography and Information Security (CCIS), Faculty of Information Science and Technology, Multimedia University, Jalan Ayer Keroh Lama, 75450 Melaka, Malaysia
shheng@mmu.edu.my

2 Centre for Cryptography and Information Security (CCIS), Faculty of Engineering, Multimedia University, 63100 Cyberjaya, Selangor, Malaysia
wsyap@mmu.edu.my

3 DSO National Laboratories, 20 Science Park Drive, Singapore 118230
kkhoongm@dso.org.sg

Abstract. Unforgeability and blindness are two important properties of blind signatures. The latter means that after interacting with various users, the signer is unable to link a valid message-signature pair. In ICCSA 2006, Zhang et al. showed that a signer in an identity-based blind signature scheme proposed by Huang et al. is able to link a valid message-signature pair obtained by some user. They also presented an improved scheme to overcome this flaw. In ICICIC 2006, Zhang and Zou showed that the identity-based blind signature scheme proposed by Zhang and Kim also suffered from a similar linkability attack. In this paper, we first show that the so-called linkability can be shown for Zhang et al.'s improved scheme as well. We then point out that the linkability attack against the Huang et al. scheme and the Zhang-Kim scheme is invalid.

Keywords: Blind signature, identity-based, linkability, blindness

1 Introduction

The concept of blind signatures was first introduced by Chaum [3] in 1982. A blind signature scheme is an interactive two-party protocol between a user and a signer. Informally, a blind signature is a signature scheme that incorporates a signing protocol that allows the signer to sign a document submitted by a user blindly, without obtaining any information about the document itself. This cryptographic scheme provides anonymity of users and is especially suited for use in e-cash and e-voting systems.

On the other hand, identity (ID)-based public key cryptography is a concept formalized by Shamir in 1984 [6]. In ID-based schemes, users need exchange

⋆ The first two authors gratefully acknowledge the Malaysia IRPA grant (04-99-01-00003-EAR) and e-Science fund (01-02-01-SF0032).