BLIND SIGNATURE SCHEME

By:

Asanka Balasooriya

Kelum Senanayake

BLIND SIGNATURE SCHEME

“Blind Signature Scheme allows a person to get a

message signed by another party without revealing

any information about the message to the other

party.” – RSA Laboratory

Introduced by Dr. David Chaum in 1982.

Typical Analogy from the world of paper documents

Enclosing a message in a carbon paper lined envelop.

Writing a signature on the outside of the envelop.

Leaves a carbon copy of the signature on the paper

inside the envelop.

The signer does not view the message content

But a third party can later verify the signature

ABOUT DR. DAVID CHAUM

Dr. David Chaum is the inventor of many cryptographic protocols, including blind signature schemes, commitment schemes, and digital cash.

He received his Ph.D. in Computer Science, with a minor in Business Administration, from the University of California at Berkeley.

In the area of cryptography, he has published over 45 original technical articles (see list of articles), received over 17 US patents.

Founder of the International Association for Cryptographic Research (IACR) In 1982.

Founder and a member of the Board of Directors of DigiCash Inc., a company that has pioneered electronic cash innovations.

HOW BLIND SIGNATURE WORKS

Suppose Alice wants Bob to sign a message m,

but does not want Bob to know the contents of the

message.

Alice "blinds" the message m, with some random

number b (the blinding factor). This results in

blind(m,b).

Bob signs this message, resulting in

sign(blind(m,b),d), where d is Bob's private key.

Alice then unblinds the message using b,

resulting in unblind(sign(blind(m,b),d),b).

The functions are designed so that this reduces to

sign(m,d), i.e. Bob's signature on m.

BLIND RSA SIGNATURES

Assume e is the public RSA exponent, d is the secret

RSA exponent and N is the RSA modulus.

Select random value r, such that r is relatively

prime to N (i.e. gcd(r, N) = 1)

r is raised to the public exponent e modulo N

remod N is used as a blinding factor

Because r is a random value, remod N is random

too.

BLIND RSA SIGNATURES… CONT

WHY WOULD BOB SIGN SOMETHING WITHOUT

KNOWING WHAT IT IS?

A trustee wishes to hold an election by secret

ballot.

Each elector is very concerned about keeping his

vote secret from the trustee.

Each vote should be signed by the trustee.

Blind signature solves this problem.

WHY WOULD BOB SIGN SOMETHING WITHOUT

KNOWING WHAT IT IS?

Untraceable payment system

Consider a bank, payer and the payee

A single note will be formed by the payer

Signed by the bank

Provided to the payee

Cleared by the bank

DANGERS OF BLIND SIGNING

RSA Blinding Attack.

In RSA the signing process is equivalent to

decrypting with the signers secret key.

An attacker can provide a blinded version of a

message m encrypted with the signers public

key, m' for them to sign.

When the attacker unblinds the signed version

they will have the clear text.

RSA BLINDING ATTACK

RSA BLINDING ATTACK … CONT

This attack works because in this blind signature

scheme the signer signs the message directly.

By contrast, in an traditional signature scheme the

signer would typically use a padding scheme.

Signing the result of a Cryptographic hash function

applied to the message, instead of signing the message

itself.

This would produce an incorrect value when unblinded.

In RSA the same key should never be used for both

encryption and signing purposes.

REFERENCES

“Blind Signatures for Untraceable Payments,” D.

Chaum, Advances in Cryptology Proceedings of

Crypto 82, D. Chaum, R.L. Rivest, & A.T. Sherman

(Eds.), Plenum, pp. 199-203.

RSA Laboratories - 7.3 What is a blind signature

scheme?[Online]. Available:

http://www.rsa.com/rsalabs/node.asp?id=2339

Blind signatures [Online]. Available:

http://www.cs.bham.ac.uk/~mdr/teaching/modules06/

netsec/lectures/blind_sigs.html

THANK YOU