Blind signature schemes allow a message to be signed without revealing the message contents to the signer. Dr. David Chaum introduced blind signatures in 1982 as a way to sign messages privately. In a blind signature, the message is "blinded" with a random factor before signing, then "unblinded" to reveal the signature. This allows signatures to be generated without the signer viewing the actual message. However, blind signatures also introduce security risks like blinding attacks if used improperly for encryption and signing with the same key.
2. BLIND SIGNATURE SCHEME
“Blind Signature Scheme allows a person to get a
message signed by another party without revealing
any information about the message to the other
party.” – RSA Laboratory
Introduced by Dr. David Chaum in 1982.
Typical Analogy from the world of paper documents
Enclosing a message in a carbon paper lined envelop.
Writing a signature on the outside of the envelop.
Leaves a carbon copy of the signature on the paper
inside the envelop.
The signer does not view the message content
But a third party can later verify the signature
3. ABOUT DR. DAVID CHAUM
Dr. David Chaum is the inventor of many cryptographic
protocols, including blind signature schemes,
commitment schemes, and digital cash.
He received his Ph.D. in Computer Science, with a minor
in Business Administration, from the University of
California at Berkeley.
In the area of cryptography, he has published over 45
original technical articles (see list of articles), received
over 17 US patents.
Founder of the International Association for
Cryptographic Research (IACR) In 1982.
Founder and a member of the Board of Directors of
DigiCash Inc., a company that has pioneered electronic
cash innovations.
4. HOW BLIND SIGNATURE WORKS
Suppose Alice wants Bob to sign a message m,
but does not want Bob to know the contents of the
message.
Alice "blinds" the message m, with some random
number b (the blinding factor). This results in
blind(m,b).
Bob signs this message, resulting in
sign(blind(m,b),d), where d is Bob's private key.
Alice then unblinds the message using b,
resulting in unblind(sign(blind(m,b),d),b).
The functions are designed so that this reduces to
sign(m,d), i.e. Bob's signature on m.
5. BLIND RSA SIGNATURES
Assume e is the public RSA exponent, d is the secret
RSA exponent and N is the RSA modulus.
Select random value r, such that r is relatively
prime to N (i.e. gcd(r, N) = 1)
r is raised to the public exponent e modulo N
remod N is used as a blinding factor
Because r is a random value, remod N is random
too.
7. WHY WOULD BOB SIGN SOMETHING WITHOUT
KNOWING WHAT IT IS?
A trustee wishes to hold an election by secret
ballot.
Each elector is very concerned about keeping his
vote secret from the trustee.
Each vote should be signed by the trustee.
Blind signature solves this problem.
8. WHY WOULD BOB SIGN SOMETHING WITHOUT
KNOWING WHAT IT IS?
Untraceable payment system
Consider a bank, payer and the payee
A single note will be formed by the payer
Signed by the bank
Provided to the payee
Cleared by the bank
9. DANGERS OF BLIND SIGNING
RSA Blinding Attack.
In RSA the signing process is equivalent to
decrypting with the signers secret key.
An attacker can provide a blinded version of a
message m encrypted with the signers public
key, m' for them to sign.
When the attacker unblinds the signed version
they will have the clear text.
11. RSA BLINDING ATTACK … CONT
This attack works because in this blind signature
scheme the signer signs the message directly.
By contrast, in an traditional signature scheme the
signer would typically use a padding scheme.
Signing the result of a Cryptographic hash function
applied to the message, instead of signing the message
itself.
This would produce an incorrect value when unblinded.
In RSA the same key should never be used for both
encryption and signing purposes.
12. REFERENCES
“Blind Signatures for Untraceable Payments,” D.
Chaum, Advances in Cryptology Proceedings of
Crypto 82, D. Chaum, R.L. Rivest, & A.T. Sherman
(Eds.), Plenum, pp. 199-203.
RSA Laboratories - 7.3 What is a blind signature
scheme?[Online]. Available:
http://www.rsa.com/rsalabs/node.asp?id=2339
Blind signatures [Online]. Available:
http://www.cs.bham.ac.uk/~mdr/teaching/modules06/
netsec/lectures/blind_sigs.html