Cryptography Reference
In-Depth Information
Suppose that the sender A wants to pay for a service by presenting a bill signed by
its bank B whichwill then refund the service provider. However, A does not want B to
know the details of the service for which the payment is being made. The solution for
this is to use a blind signature scheme. The bank then signs the bill without knowing
its contents and charges A accordingly. A unblinds the signature thus obtaining the
signed bill that it can use to pay for the service. The service provider verifies the
signature and presents the bill to the bank, which also verifies that it has indeed
signed it. Thus the bank pays the service provider without being able to associate the
bill with sender A .
In this example, there is the problem that the sender might cheat and try to make
the bank sign a bill for a value higher than agreed. This can be dealt with in several
ways—for example, the bank may only use a given key to sign bills for a fixed
value—but we shall not go into the details.
In view of this, a blind signature scheme can be described as follows:
The ingredients are a digital signature scheme
Σ
and a pair of functions f , g ,
known only to the sender, such that if
(
f
(
m
), σ )
is a valid message/signature pair
for
is also a valid pair. f is called the blinding function and g
is the unblinding function.
Σ
, then
(
m
,
g
(σ ))
The protocol proceeds as follows:
- The sender blinds a message m by computing f
(
m
)
and sends f
(
m
)
to the
signer.
- The signer signs the blinded message, obtaining the message/signature pair
(
(
), σ )
and sending it to the sender.
- The sender unblinds the signature of the blind message by computing g
f
m
(σ )
.
is then a message signed by the signer.
- The signature may be verified by using the signer's public key as usual.
(
m
,
g
(σ ))
Example 9.7 We present Chaum's protocol, the blind analogue of plain RSA sig-
natures, which are used as the underlying signature scheme. Given a public RSA
key pk
= (
n
,
e
)
and the corresponding private key sk
= (
n
,
d
)
, the blinding and
unblinding functions are defined as follows:
(Blinding function) Choose an integer k such that gcd
(
k
,
n
) =
1 and define f
:
mk e mod n .
Z n → Z n by f
(
m
) :=
k 1
(Unblinding function) g
: Z n → Z n , g
(σ ) :=
σ
mod n .
d mod n
mk e
d mod n
km d mod n is the signature of
Then, if
σ :=
f
(
m
)
= (
)
=
k 1
k 1 km d mod n
the blinded message f
(
m
)
, we have that g
(σ ) =
σ
mod n
=
=
m d mod n is indeed the signature of m with the private key
(
n
,
d
)
. Thus the protocol
proceeds as follows:
The sender blinds the message m
∈ Z n using a random k
← Z n , obtaining
m :=
mk e mod n which is then sent to the signer.
The signer computes the RSA signature of the blinded message m ,
σ
:=
m )
d mod n
(
∈ Z n and sends it to the sender.
Search WWH ::




Custom Search