Cryptography Reference
In-Depth Information
15.6
VARIATIONS
Several variations of “normal” DSSs can be used in practice. In this section, we
briefly overview and put into perspective blind signatures, undeniable signatures,
and fail-stop signatures. More variations are proposed and discussed in the relevant
literature.
8
15.6.1
Blind Signatures
The idea of blind signatures was developed and originally proposed by David Chaum
in the early 1980s [20, 21]. In short, a
blind signature
is a digital signature with the
additional property that the signatory does not obtain any information about the
message it signs or the signature it actually generates. The message is blinded in a
way that can be reversed by the recipient of the blind signature.
Protocol 15.1
Protocol to issue blind RSA signatures.
B
A
(
n, e, m
)
(
n, d
)
∈
R
Z
n
r
mr
e
(mod
n
)
t
≡
t
−→
u ≡ t
d
≡ t
1
/e
≡ m
d
r
(mod
n
)
u
←−
s ≡ u/r ≡ m
d
r/r ≡ m
d
(mod
n
)
(
s
)
For example, the RSA DSS as introduced in Section 15.2.1 can be turned into
a blind RSA DSS. Let A be a signatory with public RSA verification key (
n, e
)
and B be a recipient of a blind signature from A. Protocol 15.1 can then be used
to have A issue a blind RSA signature
s
for a message
m
chosen by B. On B's
side, the protocol takes as input the verification key of A and the message
m
to be
signed, and it generates as output the RSA digital signature
s
for
m
.OnA'sside,the
protocol only takes the signing key of A as input. B first randomly chooses an
r
from
Z
n
and uses this random value to blind the message
m
. Blinding is performed by
multiplying the message with
r
to the power of
e
modulo
n
. The resulting blinded
message
t
is transmitted to A and digitally signed there. Digital signing is performed
by setting
t
to the power of
d
modulo
n
. The resulting message
u
is sent back to B,
8
A good and comprehensive bibliography on digital signatures and corresponding DSS is maintained
by Guilin Wang. It is available at http://www.i2r.a-star.edu.sg/icsd/staff/guilin/bible.htm.