Blind Signature Scheme

1. BLIND SIGNATURE SCHEME By: Asanka Balasooriya Kelum Senanayake

2. BLIND SIGNATURE SCHEME “Blind Signature Scheme allows a person to get a message signed by another party without revealing any information about the message to the other party.” – RSA Laboratory Introduced by Dr. David Chaum in 1982. Typical Analogy from the world of paper documents  Enclosing a message in a carbon paper lined envelop.  Writing a signature on the outside of the envelop.  Leaves a carbon copy of the signature on the paper inside the envelop.  The signer does not view the message content  But a third party can later verify the signature

3. ABOUT DR. DAVID CHAUM Dr. David Chaum is the inventor of many cryptographic protocols, including blind signature schemes, commitment schemes, and digital cash. He received his Ph.D. in Computer Science, with a minor in Business Administration, from the University of California at Berkeley. In the area of cryptography, he has published over 45 original technical articles (see list of articles), received over 17 US patents. Founder of the International Association for Cryptographic Research (IACR) In 1982. Founder and a member of the Board of Directors of DigiCash Inc., a company that has pioneered electronic cash innovations.

4. HOW BLIND SIGNATURE WORKS Suppose Alice wants Bob to sign a message m, but does not want Bob to know the contents of the message. Alice "blinds" the message m, with some random number b (the blinding factor). This results in blind(m,b). Bob signs this message, resulting in sign(blind(m,b),d), where d is Bobs private key. Alice then unblinds the message using b, resulting in unblind(sign(blind(m,b),d),b). The functions are designed so that this reduces to sign(m,d), i.e. Bobs signature on m.

5. BLIND RSA SIGNATURES Assume e is the public RSA exponent, d is the secret RSA exponent and N is the RSA modulus. Select random value r, such that r is relatively prime to N (i.e. gcd(r, N) = 1)r is raised to the public exponent e modulo N remod N is used as a blinding factor Because r is a random value, remod N is random too.

6. BLIND RSA SIGNATURES… CONT

7. WHY WOULD BOB SIGN SOMETHING WITHOUTKNOWING WHAT IT IS? A trustee wishes to hold an election by secret ballot. Each elector is very concerned about keeping his vote secret from the trustee. Each vote should be signed by the trustee. Blind signature solves this problem.

8. WHY WOULD BOB SIGN SOMETHING WITHOUTKNOWING WHAT IT IS? Untraceable payment system Consider a bank, payer and the payee  A single note will be formed by the payer  Signed by the bank  Provided to the payee  Cleared by the bank

9. DANGERS OF BLIND SIGNING RSA Blinding Attack. In RSA the signing process is equivalent to decrypting with the signers secret key. An attacker can provide a blinded version of a message m encrypted with the signers public key, m for them to sign. When the attacker unblinds the signed version they will have the clear text.

10. RSA BLINDING ATTACK

11. RSA BLINDING ATTACK … CONT This attack works because in this blind signature scheme the signer signs the message directly. By contrast, in an traditional signature scheme the signer would typically use a padding scheme.  Signing the result of a Cryptographic hash function applied to the message, instead of signing the message itself.  This would produce an incorrect value when unblinded. In RSA the same key should never be used for both encryption and signing purposes.

12. REFERENCES “Blind Signatures for Untraceable Payments,” D. Chaum, Advances in Cryptology Proceedings of Crypto 82, D. Chaum, R.L. Rivest, & A.T. Sherman (Eds.), Plenum, pp. 199-203. RSA Laboratories - 7.3 What is a blind signature scheme?[Online]. Available: http://www.rsa.com/rsalabs/node.asp?id=2339 Blind signatures [Online]. Available: http://www.cs.bham.ac.uk/~mdr/teaching/modules06/ netsec/lectures/blind_sigs.html

13. THANK YOU