Blind signature
Encyclopedia
In cryptography
a blind signature as introduced by David Chaum
is a form of digital signature
in which the content of a message is disguised (blinded
) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.
An often used analogy to the cryptographic blind signature is the physical act of enclosing a message in a special 'write through' capable envelope, which is then sealed and signed by a signing agent. Thus, the signer does not view the message content, but a third party can later verify the signature and know that the signature is valid within the limitations of the underlying signature scheme.
Blind signatures can also be used to provide unlinkability, which prevents the signer from linking the blinded message it signs to a later un-blinded version that it may be called upon to verify. In this case, the signer's response is first "un-blinded" prior to verification in such a way that the signature remains valid for the un-blinded message. This can be useful in schemes where anonymity
is required.
Blind signature schemes can be implemented using a number of common public key signing schemes, for instance RSA and DSA
. To perform such a signature, the message is first "blinded", typically by combining it in some way with a random "blinding factor". The blinded message is passed to a signer, who then signs it using a standard signing algorithm. The resulting message, along with the blinding factor, can be later verified against the signer's public key. In some blind signature schemes, such as RSA, it is even possible to remove the blinding factor from the signature before it is verified. In these schemes, the final output (message/signature) of the blind signature scheme is identical to that of the normal signing protocol.
" schemes and voting protocols
.
For example, the integrity of some electronic voting system may require that each ballot be certified by an election authority before it can be accepted for counting; this allows the authority to check the credentials of the voter to ensure that they are allowed to vote, and that they are not submitting more than one ballot. Simultaneously, it is important that this authority not learn the voter's selections. An unlinkable blind signature provides this guarantee, as the authority will not see the contents of any ballot it signs, and will be unable to link the blinded ballots it signs back to the un-blinded ballots it receives for count
and send it to Bob. Bob will sign the outside of the carbon envelope without opening it and then send it back to Alice. Alice can then open it to find the letter signed by Bob, but without Bob having seen its contents.
More formally a blind signature scheme is a cryptographic protocol
that involves two parties, a user Alice that wants to obtain signatures on her messages, and a signer Bob that is in possession of his secret signing key. At the end of the protocol Alice obtains a signature on m without Bob learning anything about the message. This intuition of not learning anything is hard to capture in mathematical terms. The usual approach is to show that for every (adversarial) signer, there exists a simulator that can output the same information as the signer. This is similar to the way zero-knowledge is defined in zero-knowledge proof
systems.
is used as a blinding factor. The author of the message computes the product of the message and blinding factor, i.e.
and sends the resulting value
to the signing authority. Because r is a random value and the mapping 
is a permutation it follows that 
is random too. This implies that 
does not leak any information about m. The signing authority then calculates the blinded signature s' as:
s' is sent back to the author of the message, who can then remove the blinding factor to reveal s, the valid RSA signature of m:
This works because RSA keys satisfy the equation
and thus
hence s is indeed the signature of m.
encrypted with the signers public key, 
for them to sign. The encrypted message would usually be some secret information which the attacker observed being sent encrypted under the signers public key which the attacker wants to learn. When the attacker unblinds the signed version they will have the clear text:
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
a blind signature as introduced by David Chaum
David Chaum
David Chaum is the inventor of many cryptographic protocols, including blind signature schemes, commitment schemes, and digital cash. In 1982, Chaum founded the International Association for Cryptologic Research , which currently organizes academic conferences in cryptography research...
is a form of digital signature
Digital signature
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...
in which the content of a message is disguised (blinded
Blinding (cryptography)
In cryptography, blinding is a technique by which an agent can provide a service to a client in an encoded form without knowing either the real input or the real output. Blinding techniques also have applications to preventing side-channel attacks on encryption devices.More precisely, Alice has...
) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.
An often used analogy to the cryptographic blind signature is the physical act of enclosing a message in a special 'write through' capable envelope, which is then sealed and signed by a signing agent. Thus, the signer does not view the message content, but a third party can later verify the signature and know that the signature is valid within the limitations of the underlying signature scheme.
Blind signatures can also be used to provide unlinkability, which prevents the signer from linking the blinded message it signs to a later un-blinded version that it may be called upon to verify. In this case, the signer's response is first "un-blinded" prior to verification in such a way that the signature remains valid for the un-blinded message. This can be useful in schemes where anonymity
Anonymity
Anonymity is derived from the Greek word ἀνωνυμία, anonymia, meaning "without a name" or "namelessness". In colloquial use, anonymity typically refers to the state of an individual's personal identity, or personally identifiable information, being publicly unknown.There are many reasons why a...
is required.
Blind signature schemes can be implemented using a number of common public key signing schemes, for instance RSA and DSA
Digital Signature Algorithm
The Digital Signature Algorithm is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology in August 1991 for use in their Digital Signature Standard , specified in FIPS 186, adopted in 1993. A minor...
. To perform such a signature, the message is first "blinded", typically by combining it in some way with a random "blinding factor". The blinded message is passed to a signer, who then signs it using a standard signing algorithm. The resulting message, along with the blinding factor, can be later verified against the signer's public key. In some blind signature schemes, such as RSA, it is even possible to remove the blinding factor from the signature before it is verified. In these schemes, the final output (message/signature) of the blind signature scheme is identical to that of the normal signing protocol.
Uses
Blind signature schemes see a great deal of use in applications where sender privacy is important. This includes various "digital cashEcash
Using cryptography, ecash was introduced by David Chaum as an anonymous electronic cash system. He used blind signatures to achieve unlinkability between withdrawal and spend transactions. Depending on the properties of the payment transactions, one distinguishes between on-line and off-line...
" schemes and voting protocols
End-to-end auditable voting systems
End-to-end auditable or end-to-end voter verifiable systems are voting systems with stringent integrity properties and strong tamper-resistance. E2E systems often employ cryptographic methods to craft receipts that allow voters to verify that their votes were not modified, without revealing which...
.
For example, the integrity of some electronic voting system may require that each ballot be certified by an election authority before it can be accepted for counting; this allows the authority to check the credentials of the voter to ensure that they are allowed to vote, and that they are not submitting more than one ballot. Simultaneously, it is important that this authority not learn the voter's selections. An unlinkable blind signature provides this guarantee, as the authority will not see the contents of any ballot it signs, and will be unable to link the blinded ballots it signs back to the un-blinded ballots it receives for count
Blind signature schemes
Blind signature schemes exist for many public key signing protocols. Some examples are provided below. In each example, the message to be signed is contained in the value m. m is considered to be some legitimate input to the signature function. As an analogy, consider that Alice has a letter which should be signed by an authority (say Bob), but Alice does not want to reveal the content of the letter to Bob. She can place the letter in an envelope lined with carbon paperCarbon paper
Carbon paper is paper coated on one side with a layer of a loosely bound dry ink or pigmented coating, usually bound with wax. It is used for making one or more copies simultaneous with the creation of an original document...
and send it to Bob. Bob will sign the outside of the carbon envelope without opening it and then send it back to Alice. Alice can then open it to find the letter signed by Bob, but without Bob having seen its contents.
More formally a blind signature scheme is a cryptographic protocol
Cryptographic protocol
A security protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods.A protocol describes how the algorithms should be used...
that involves two parties, a user Alice that wants to obtain signatures on her messages, and a signer Bob that is in possession of his secret signing key. At the end of the protocol Alice obtains a signature on m without Bob learning anything about the message. This intuition of not learning anything is hard to capture in mathematical terms. The usual approach is to show that for every (adversarial) signer, there exists a simulator that can output the same information as the signer. This is similar to the way zero-knowledge is defined in zero-knowledge proof
Zero-knowledge proof
In cryptography, a zero-knowledge proof or zero-knowledge protocol is an interactive method for one party to prove to another that a statement is true, without revealing anything other than the veracity of the statement....
systems.
Blind RSA signatures
One of the simplest blind signature schemes is based on RSA signing. A traditional RSA signature is computed by raising the message m to the secret exponent d modulo the public modulus N. The blind version uses a random value r, such that r is relatively prime to N (i.e. gcd(r, N) = 1). r is raised to the public exponent e modulo N, and the resulting value is used as a blinding factor. The author of the message computes the product of the message and blinding factor, i.e.
and sends the resulting value
to the signing authority. Because r is a random value and the mapping is a permutation it follows that is random too. This implies that does not leak any information about m. The signing authority then calculates the blinded signature s' as:
s' is sent back to the author of the message, who can then remove the blinding factor to reveal s, the valid RSA signature of m:
This works because RSA keys satisfy the equation
and thus
hence s is indeed the signature of m.
Dangers of blind signing
RSA is subject to the RSA blinding attack through which it is possible to be tricked into decrypting a message by blind signing another message. Since the signing process is equivalent to decrypting with the signers secret key, an attacker can provide a blinded version of a message encrypted with the signers public key, for them to sign. The encrypted message would usually be some secret information which the attacker observed being sent encrypted under the signers public key which the attacker wants to learn. When the attacker unblinds the signed version they will have the clear text:-
where
is the encrypted version of the message. When the message is signed, the cleartext 
is easily extracted:
-
Note that
refers to Euler's totient functionEuler's totient functionIn number theory, the totient \varphi of a positive integer n is defined to be the number of positive integers less than or equal to n that are coprime to n In number theory, the totient \varphi(n) of a positive integer n is defined to be the number of positive integers less than or equal to n that...
. The message is now easily obtained.
-
This attack works because in this blind signature scheme the signer signs the message directly. By contrast, in an unblinded signature scheme the signer would typically use a padding scheme (e.g. by instead signing the result of a Cryptographic hash functionCryptographic hash functionA cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that an accidental or intentional change to the data will change the hash value...
applied to the message, instead of signing the message itself), however since the signer does not know the actual message, any padding scheme would produce an incorrect value when unblinded. Due to this multiplicative property of RSA, the same key should never be used for both encryption and signing purposes.
See also
- Dining cryptographers protocol
- Anonymous internet bankingAnonymous internet bankingAnonymous Internet banking is the proposed use of strong financial cryptography to make electronic bank secrecy possible. The bank issues currency in the form of electronic tokens that can be converted on presentation to the bank to some other currency...
- Electronic moneyElectronic moneyElectronic money is money or scrip that is only exchanged electronically. Typically, this involves the use of computer networks, the internet and digital stored value systems...
External links
-
-