Cryptography Reference
In-Depth Information
3. Bob receives
t
for signature. He computes
t
d
=m
d
k
de
mod n
Now, decryption with the RSA method was just based on the equation
M
de
= M mod n
for all
M<n
. In particular,
k
de
=
k
mod
n
. This means that Bob actually
computed
t
d
=m
d
k mod n.
4. Since
k
is relatively prime to
n
, Alice can resolve the equation
uk=t
d
mod n
toward
u
, thus revealing Bob's signature,
u
=
m
d
,of
m
.
Based on this protocol,
k
e
is sometimes referred to as the
blinding factor
,
and Step 4 is said to
remove the blinding factor
. Later on, Bob can no longer
recover
t
from
m
. As a minimum, if Alice used only primitive roots,
k
of
n
,
then there is a
k
with
mk
e
= t mod n
for each
t
and each
m
. This means that hash value
m
could belong to every
t
that Bob memorized.
That much about completely blind signatures. Blind signatures (better termed
as 'semi-blind signatures') should grant Bob an insight into the document in
general, but not reveal too much. For example, Bob wants to protect himself
against signing horrendous claims. For this situation, there is no intuitive solu-
tion, neither in the physical world nor in cryptology. One possible protocol was
described by Schneier [SchnCr, 5.3]:
