# Blind signature – Wikipedia

In cryptanalysis a

**blind signature**, as introduced by David Chaum, [ 1 ] is a form of digital signature in which the contentedness of a message is disguised ( blinded ) before it is signed. The resulting blind touch can be publicly verified against the master, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptanalytic election systems and digital cash schemes. An often-used analogy to the cryptanalytic blind signature is the physical act of a voter enclosing a completed anonymous ballot in a special carbon newspaper lined envelope that has the voter ‘s credentials pre-printed on the outside. An official verifies the credentials and signs the envelope, thereby transferring his signature to the ballot inside via the carbon paper paper. once signed, the box is given back to the voter, who transfers the now signed vote to a raw overlooked normal envelope. frankincense, the signer does not view the message content, but a one-third party can later verify the touch and know that the key signature is valid within the limitations of the underlie touch scheme .

An exercise of blind touch in military action

Reading: Blind signature – Wikipedia

Blind signatures can besides be used to provide *unlinkability*, which prevents the signer from linking the blind message it signs to a subsequently un-blinded translation that it may be called upon to verify. In this lawsuit, the signer ‘s response is first gear “ un-blinded ” anterior to confirmation in such a way that the signature remains valid for the un-blinded message. This can be useful in schemes where anonymity is required. Blind key signature schemes can be implemented using a number of common public key signing schemes, for exemplify RSA and DSA. To perform such a touch, the message is foremost “ blinded ”, typically by combining it in some way with a random “ blind factor ”. The blind message is passed to a signer, who then signs it using a standard sign algorithm. The result message, along with the blind factor, can be former verified against the signer ‘s populace key. In some blind key signature schemes, such as RSA, it is evening possible to remove the blind factor from the touch before it is verified. In these schemes, the final output ( message/signature ) of the blind signature system is identical to that of the normal sign protocol .

## Uses [edit ]

Blind signature schemes see a great distribute of manipulation in applications where sender privacy is authoritative. This includes assorted “ digital cash “ schemes and vote protocols. For example, the integrity of some electronic vote arrangement may require that each ballot be certified by an election authority before it can be accepted for count ; this allows the authority to check the credentials of the voter to ensure that they are allowed to vote, and that they are not submitting more than one ballot. simultaneously, it is authoritative that this authority does not learn the voter ‘s selections. An unlinkable blind signature provides this guarantee, as the authority will not see the contents of any vote it signs, and will be unable to link the blind ballots it signs back to the un-blinded ballots it receives for counting .

## Blind signature schemes [edit ]

Blind signature schemes exist for many public key sign protocols. More formally a blind signature scheme is a cryptanalytic protocol that involves two parties, a user Alice that wants to obtain signatures on her messages, and a signer Bob that is in possession of his mystery sign key. At the end of the protocol Alice obtains Bob ’ south signature on *m* without Bob learning anything about the message. This intuition of not learning anything is hard to capture in numerical terms. The common approach path is to show that for every ( adversarial ) signer, there exists a simulator that can output signal the same information as the signer. This is similar to the way zero-knowledge is defined in zero-knowledge proof systems .

### Blind RSA signatures [edit ]

[ 2 ] : 235 One of the simplest blind signature schemes is based on RSA sign. A traditional RSA key signature is computed by raising the message *m* to the clandestine exponent *d* modulo the public modulus *N*. The blind adaptation uses a random value *r*, such that *r* is relatively prime to *N* ( i.e. *gcd* ( *r*, *N* ) = 1 ). *r* is raised to the public exponent *e* modulo *N*, and the resulting value radius einsteinium mod N { \displaystyle r^ { e } { \bmod { N } } } is used as a blazing factor. The generator of the message computes the merchandise of the message and blind gene, i.e. :

- molarity ′ ≡ megabyte r vitamin e ( megabyte o vitamin d N ) { \displaystyle m’\equiv mr^ { e } \ ( \mathrm { mod } \ N ) }

and sends the resulting respect molarity ′ { \displaystyle thousand ‘ } to the sign authority. Because *r* is a random prize and the map radius ↦ roentgen e mod N { \displaystyle r\mapsto r^ { einsteinium } { \bmod { N } } } is a permutation it follows that r e mod N { \displaystyle r^ { einsteinium } { \bmod { N } } } is random excessively. This implies that meter ′ { \displaystyle thousand ‘ } does not leak any data about *m*. The sign authority then calculates the blind signature *s’ * as :

- randomness ′ ≡ ( m ′ ) five hundred ( molarity o d N ). { \displaystyle s’\equiv ( m ‘ ) ^ { five hundred } \ ( \mathrm { mod } \ N ). }
Read more: A Few Thoughts on Cryptographic Engineering

*s’ * is sent back to the author of the message, who can then remove the blind agent to reveal *s*, the valid RSA touch of *m* :

- mho ≡ south ′ ⋅ gas constant − 1 ( megabyte o vitamin d N ) { \displaystyle s\equiv s’\cdot r^ { -1 } \ ( \mathrm { mod } \ N ) }

This works because RSA keys satisfy the equation radius e d ≡ roentgen ( mod N ) { \displaystyle r^ { erectile dysfunction } \equiv gas constant { \pmod { N } } } and therefore

- s ≡ south ′ ⋅ roentgen − 1 ≡ ( m ′ ) vitamin d r − 1 ≡ meter d gas constant vitamin e d radius − 1 ≡ thousand d radius radius − 1 ≡ megabyte vitamin d ( mod N ), { \displaystyle s\equiv s’\cdot r^ { -1 } \equiv ( m ‘ ) ^ { d } r^ { -1 } \equiv m^ { five hundred } r^ { erectile dysfunction } r^ { -1 } \equiv m^ { d } rr^ { -1 } \equiv m^ { vitamin d } { \pmod { N } }, }

therefore *s* is indeed the touch of *m*. In rehearse, the place that signing one blind message produces at most one valid signed messages is normally desired. This means one vote per signed vote in elections, for example. This property does not hold for the simple scheme described above : the master message and the unblinded signature is valid, but then is the blinded message and the blind signature, and possibly other combinations given a apt attacker. A solution to this is to blind sign a cryptanalytic hash of the message, not the message itself. [ 3 ]

## Dangers of RSA blind signing [edit ]

RSA is subject to the RSA blind attack through which it is potential to be tricked into decrypting a message by blind sign another message. Since the bless work is equivalent to decrypting with the signer ‘s secret samara, an attacker can provide a blinded interpretation of a message thousand { \displaystyle molarity } code with the signer ‘s public key, m ′ { \displaystyle megabyte ‘ } for them to sign. The code message would normally be some secret information which the attacker observed being sent encrypted under the signer ‘s public key which the attacker wants to learn more about. When the attacker removes the blindness the signed interpretation they will have the clear textbook :

- megabyte ″ = thousand ′ roentgen e ( mod n ) = ( megabyte east ( mod normality ) ⋅ gas constant vitamin e ) ( mod nitrogen ) = ( m radius ) vitamin e ( mod newton ) { \displaystyle { \begin { aligned } thousand ” & =m’r^ { east } { \pmod { newton } } \\ & = ( m^ { e } { \pmod { nitrogen } } \cdot r^ { e } ) { \pmod { newton } } \\ & = ( mister ) ^ { e } { \pmod { north } } \\\end { align } } }

where megabyte ′ { \displaystyle megabyte ‘ } is the code translation of the message. When the message is signed, the cleartext molarity { \displaystyle meter } is easily extracted :

- sulfur ′ = megabyte ″ d ( mod newton ) = ( ( m r ) e ( mod nitrogen ) ) vitamin d ( mod normality ) = ( megabyte r ) east vitamin d ( mod n ) = thousand ⋅ roentgen ( mod n ), since einsteinium d ≡ 1 ( mod ϕ ( north ) ) { \displaystyle { \begin { aligned } mho ‘ & =m ” ^ { vitamin d } { \pmod { newton } } \\ & = ( ( mister ) ^ { e } { \pmod { north } } ) ^ { d } { \pmod { north } } \\ & = ( mister ) ^ { ed } { \pmod { nitrogen } } \\ & =m\cdot gas constant { \pmod { n } } { \mbox {, since } } ed\equiv 1 { \pmod { \phi ( n ) } } \\\end { aligned } } }
Read more: A Few Thoughts on Cryptographic Engineering

note that ϕ ( normality ) { \displaystyle \phi ( n ) } refers to Euler ‘s totient function. The message is nowadays easily obtained .

- thousand = mho ′ ⋅ gas constant − 1 ( mod newton ) { \displaystyle { \begin { aligned } m=s’\cdot r^ { -1 } { \pmod { nitrogen } } \end { align } } }

This attack works because in this blind key signature scheme the signer signs the message immediately. By contrast, in an unblinded signature scheme the signer would typically use a pad scheme ( e.g. by alternatively signing the leave of a cryptanalytic hash function applied to the message, rather of signing the message itself ), however since the signer does not know the actual message, any pad outline would produce an incorrect measure when unblinded. due to this multiplicative property of RSA, the same key should never be used for both encoding and sign language purposes .