Cryptography Reference
In-Depth Information
6.6.3 Blind Signatures
Blind signatures
are signatures where the signer is not supposed to know the
contents of a document in whole or in part. In the former case, such signa-
tures are also referred to as
completely blind signatures
. The most important
aspect of such signatures is that the document in question existed at a specific
point in time. Such signatures were developed by Chaum for implementing
digital money at the beginning of the 1980s. We will see under what circum-
stances blind signatures are meaningful in connection with a similar protocol
(Section 6.6.7).
Without cryptology, completely blind signatures are easily possible. A notary
signs page by page with 'document no.:
...
submitted on:
...
signature:
...
',
where each page is disguised by the document's author. Using cryptology, the
scheme could be such that Alice sends only a long one-way hash value of her
document to Bob, and Bob signs it. In the simplest case, Bob decrypts the hash
value with his private key. To prevent a chosen-ciphertext attack, he had better
calculate a hash value from the hash value and then decrypt this one.
Unfortunately, the method has a flaw. Bob can memorize all hash values given
to him, so he can learn the time and place when each document was signed.
This may be undesirable in some situations. Moreover, Bob could use a sub-
liminal channel to infiltrate a document number in the signature, together with
his signature, and correlate these numbers with additional information in a
secret list.
The protocol first introduced by Chaum used the following idea: Alice can
multiply her document by a random number. This makes the document inde-
cipherable so that she can give it to Bob for signature without worrying. Once
Bob has signed, she computes the random number out of it, converting Bob's
signature into a valid one for the original document. Since multiplication and
signature have to be 'compatible', it is best to use the RSA method. However,
the multiplication cannot be removed from the hash function for certain. The
following method suggests itself (for the RSA method; see Figure 4.16).
1. Alice calculates the hash value,
m
, for her document.
2. She chooses a random number,
k
, which is relatively prime to module
n
, and computes
t=mk
e
mod n
