Blind signature: Information from Answers.com

In cryptography, a blind signature, as introduced by David Chaum ^[1], is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.

An often-used analogy to the cryptographic blind signature is the physical act of enclosing a message in a special write-through-capable envelope, which is then sealed and signed by a signing agent. Thus, the signer does not view the message content, but a third party can later verify the signature and know that the signature is valid within the limitations of the underlying signature scheme.

Blind signatures can also be used to provide unlinkability, which prevents the signer from linking the blinded message it signs to a later un-blinded version that it may be called upon to verify. In this case, the signer's response is first "un-blinded" prior to verification in such a way that the signature remains valid for the un-blinded message. This can be useful in schemes where anonymity is required.

Blind signature schemes can be implemented using a number of common public key signing schemes, for instance RSA and DSA. To perform such a signature, the message is first "blinded", typically by combining it in some way with a random "blinding factor". The blinded message is passed to a signer, who then signs it using a standard signing algorithm. The resulting message, along with the blinding factor, can be later verified against the signer's public key. In some blind signature schemes, such as RSA, it is even possible to remove the blinding factor from the signature before it is verified. In these schemes, the final output (message/signature) of the blind signature scheme is identical to that of the normal signing protocol.

1 Uses
2 Blind signature schemes
- 2.1 Blind RSA signatures
3 Dangers of blind signing
4 References
5 See also
6 External links

Uses

Blind signature schemes see a great deal of use in applications where sender privacy is important. This includes various "digital cash" schemes and voting protocols.

For example, the integrity of some electronic voting system may require that each ballot be certified by an election authority before it can be accepted for counting; this allows the authority to check the credentials of the voter to ensure that they are allowed to vote, and that they are not submitting more than one ballot. Simultaneously, it is important that this authority not learn the voter's selections. An unlinkable blind signature provides this guarantee, as the authority will not see the contents of any ballot it signs, and will be unable to link the blinded ballots it signs back to the un-blinded ballots it receives for counting.

Blind signature schemes

Blind signature schemes exist for many public key signing protocols.

Blind RSA signatures

One of the simplest blind signature schemes is based on RSA signing. A traditional RSA signature is computed by raising the message m to the secret exponent d modulo the public modulus N. The blind version uses a random value r, such that r is relatively prime to N (i.e. gcd(r, N) = 1). r is raised to the public exponent e modulo N, and the resulting value $r e mod N$ is used as a blinding factor. The author of the message computes the product of the message and blinding factor, i.e.

$m' \equiv m r^e\ (\mathrm{mod}\ N)$

and sends the resulting value $m'$ to the signing authority. Because r is a random value and the mapping $r\mapsto r^e\bmod N$ is a permutation it follows that $r e mod N$ is random too. This implies that $m'$ does not leak any information about m. The signing authority then calculates the blinded signature s' as:

$s' \equiv (m')^d\ (\mathrm{mod}\ N).$

s' is sent back to the author of the message, who can then remove the blinding factor to reveal s, the valid RSA signature of m:

$s \equiv s' \cdot r^{-1}\ (\mathrm{mod}\ N)$

This works because RSA keys satisfy the equation $r^{ed}\equiv r\pmod{N}$ and thus

$s \equiv s' \cdot r^{-1} \equiv (m')^d r^{-1} \equiv m^d r^{ed} r^{-1} \equiv m^d r r^{-1} \equiv m^d\pmod{N},$

hence s is indeed the signature of m.

Dangers of blind signing

RSA is subject to the RSA blinding attack through which it is possible to be tricked into decrypting a message by blind signing another message. Since the signing process is equivalent to encrypting with your secret key an attacker can provide a blinded version of a message $m$ encrypted with your public key, $m'$ for you to sign. When they unblind the signed version they will have the clear text:

$\begin{align} m'' & = m' r^e\pmod n \\ & = (m^e\pmod n \cdot r^e)\pmod n \\ & = (mr)^e \pmod n \\ \end{align}$

where $m'$ is the encrypted version of the message. When the message is signed, the cleartext $m$ is easily extracted:

$\begin{align} s' & = m''^d\pmod n \\ & = ((mr)^e\pmod n)^d\pmod n \\ & = (mr)^{ed} \pmod n \\ & = m \cdot r \pmod n \mbox{, since } ed \equiv 1 \pmod{\phi(n)}\\ \end{align}$

Note that $φ(n)$ refers to Euler's totient function. The message is now easily obtained.

$\begin{align} m = s' \cdot r^{-1} \pmod{n} \end{align}$

This attack works because in this blind signature scheme the signer signs the message directly. Contrary, in an ordinary signature scheme the signer would typically apply a padding scheme (e.g. a Cryptographic hash function) to the message before signing it to prevent this kind of attack.

References

^ David Chaum, Blind signatures for untraceable payments, Advances in Cryptology - Crypto '82, Springer-Verlag (1983), 199-203. [1]

External links

European patent application on "Electronic voting process using fair blind signatures"

This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)

Donate to Wikimedia

	Why there is a night blindness or color blind? Read answer...
	Why are blind mice blind? Read answer...
	How you write your signature? Read answer...

	What is his signature?
	Why do you have signatures?
	Is he blind?

Blind signature

Contents