
RSA Blind Signatures

Last Updated : 27 Dec, 2023

Blind signatures are a form of digital signature in which the content of the message is hidden (blinded) before it is signed by any of the authorities involved in the process. This technique gives privacy to the author of the message, because the signer never sees its content. It is mainly used when the author and the signer are different parties. Blind signatures can be implemented using a number of common public-key signing schemes such as DSA and RSA.

RSA in RSA Blind Signatures stands for Rivest-Shamir-Adleman, a public-key cryptosystem used for secure data transmission. RSA is one of the most widely used cryptosystems and is based on the difficulty of factoring large integers.

RSA Blind Signatures were originally introduced by Chaum in the context of a digital cash system for untraceable payments.

Blind Signature Protocol

The RSA Blind Signature protocol is a two-party protocol between a client and a server in which they interact to compute sig = Sign(sk, input_msg), where input_msg = Prepare(msg) is a prepared version of the private message msg supplied by the client, and sk is the private signing key held by the server.

This protocol comprises five functions:

  1. Prepare
  2. Blind
  3. BlindSign
  4. Finalize
  5. Verification

It also requires one round of interaction between the client and the server.

Assumptions for the protocol:

Let msg be the client’s private input message and let (sk, pk) be the server’s private and public key pair.

The protocol begins by the client preparing the message to be signed by computing:

input_msg = Prepare(msg)

The client then initiates the blind signature protocol by computing:

blinded_msg, inv = Blind(pk, input_msg)

The client then sends blinded_msg to the server, which then processes the message by computing:

blind_sig = BlindSign(sk, blinded_msg)

The server then sends blind_sig to the client, which then finalizes the protocol by computing:

sig = Finalize(pk, input_msg, blind_sig, inv)

Functions Used in the Protocol

1. Prepare

Prepare is the step in which the message to be signed and verified is prepared for input. There are two types of preparation function: an identity preparation function and a randomized preparation function.
The identity preparation function returns the input message without transformation, i.e. msg = PrepareIdentity(msg).
The randomized preparation function augments the input message with freshly generated randomness. It is denoted PrepareRandomize(msg); it takes a message (msg) as input and outputs a randomized input message.

Implementation of PrepareRandomize(msg)

Inputs:
msg, message to be signed, a byte string
Outputs:
input_msg, a byte string that is 32 bytes longer than msg
Steps:
1. msg_prefix = random(32)   (32 random bytes)
2. input_msg = concat(msg_prefix, msg)
3. output input_msg

2. Blind

This function encodes the input message and blinds it with the server’s public key. It outputs the blinded message to be sent to the server, encoded as a byte string, and the related inverse, an integer.
If the function fails with any error, implementations should try the function again. This function invokes RSAVP1, which is defined to throw an optional error for invalid inputs.
Blind(pk, msg)
Parameters:
1. modulus_len, the length in bytes of the RSA modulus n
2. Hash, the hash function used to hash the message
3. MGF, the mask generation function
4. salt_len, the length in bytes of the salt (denoted sLen in RFC 8017)

Inputs:
1. pk, server public key (n, e)
2. msg, message to be signed, a byte string

Outputs:
1. blinded_msg, a byte string of length modulus_len
2. inv, an integer used to unblind the signature in Finalize

Steps:

1. encoded_msg = EMSA-PSS-ENCODE(msg, bit_len(n)) with Hash, MGF, and salt_len as defined in the parameters

2. If EMSA-PSS-ENCODE raises an error, re-raise the error and stop

3. m = bytes_to_int(encoded_msg)

4. c = is_coprime(m, n)

5. If c is false, raise an “invalid input” error and stop

6. r = random_integer_uniform(1, n)

7. inv = inverse_mod(r, n)

8. If inverse_mod fails, raise a “blinding error” error and stop

9. x = RSAVP1(pk, r)

10. z = (m * x) mod n

11. blinded_msg = int_to_bytes(z, modulus_len)

12. output blinded_msg, inv

3. BlindSign

BlindSign performs the RSA private key operation on the client’s blinded message input and returns the output encoded as a byte string.
BlindSign(sk, blinded_msg)
Parameters:
modulus_len, the length in bytes of the RSA modulus n

Inputs:
1. sk, private key of the server
2. blinded_msg, encoded and blinded message to be signed, a byte string

Outputs:
blind_sig, signed and blinded element, a byte string of length modulus_len

Steps:

1. m = bytes_to_int(blinded_msg)

2. s = RSASP1(sk, m)

3. m’ = RSAVP1(pk, s)

4. If m != m’, raise a “signing failure” error and stop

5. blind_sig = int_to_bytes(s, modulus_len)

6. output blind_sig

4. Finalize

This step validates the server’s response, unblinds it to produce a signature, verifies the signature for correctness, and outputs the signature upon success.

Parameters:

  1. modulus_len, the length in bytes of the RSA modulus n
  2. Hash, the hash function used to hash the message
  3. MGF, the mask generation function
  4. salt_len, the length in bytes of the salt (denoted sLen in RFC 8017)

Inputs:

  1. pk, server public key (n, e)
  2. msg, message to be signed, a byte string
  3. blind_sig, signed and blinded element, a byte string of length modulus_len
  4. inv, inverse of the blind, an integer

Outputs:

sig, a byte string of length modulus_len

Steps:

1. If len(blind_sig) != modulus_len, raise an “unexpected input size” error and stop

2. z = bytes_to_int(blind_sig)

3. s = (z * inv) mod n

4. sig = int_to_bytes(s, modulus_len)

5. result = RSASSA-PSS-VERIFY(pk, msg, sig) with Hash, MGF, and salt_len as defined in the parameters

6. If result = “valid signature”, output sig, else raise an “invalid signature” error and stop

5. Verification

The output of the protocol is the prepared message input_msg and the signature sig. The message the client originally supplied is msg, from which input_msg is derived.
Finally, the client verifies the message signature using the server’s public key pk by invoking the RSASSA-PSS-VERIFY routine.
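
The full round trip described above (Prepare, Blind, BlindSign, Finalize, Verification), as an added example that is not part of the original article. It assumes a constructed toy key built from two Mersenne primes and uses a bare SHA-256 digest as a stand-in for EMSA-PSS-ENCODE and RSASSA-PSS-VERIFY; the Python function names are hypothetical.

```python
import hashlib, math, secrets

# Constructed toy key from two Mersenne primes: trivially factorable, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D is the server's private exponent (sk)
MODULUS_LEN = (N.bit_length() + 7) // 8

def encode(input_msg: bytes) -> int:
    # Assumption: bare SHA-256 digest standing in for EMSA-PSS-ENCODE (not secure padding).
    return int.from_bytes(hashlib.sha256(input_msg).digest(), "big")

def prepare(msg: bytes) -> bytes:
    return secrets.token_bytes(32) + msg       # PrepareRandomize: 32-byte random prefix

def blind(input_msg: bytes):
    m = encode(input_msg)
    if math.gcd(m, N) != 1:
        raise ValueError("invalid input")
    while True:                                # retry until r is invertible mod n
        r = secrets.randbelow(N - 1) + 1       # uniform in [1, n)
        if math.gcd(r, N) == 1:
            break
    inv = pow(r, -1, N)
    z = (m * pow(r, E, N)) % N                 # z = m * RSAVP1(pk, r) mod n
    return z.to_bytes(MODULUS_LEN, "big"), inv

def blind_sign(blinded_msg: bytes) -> bytes:
    m = int.from_bytes(blinded_msg, "big")
    s = pow(m, D, N)                           # RSASP1(sk, m)
    if pow(s, E, N) != m:                      # m' = RSAVP1(pk, s) must equal m
        raise RuntimeError("signing failure")
    return s.to_bytes(MODULUS_LEN, "big")

def verify(input_msg: bytes, sig: bytes) -> bool:
    # Stand-in for RSASSA-PSS-VERIFY, matching encode() above.
    return len(sig) == MODULUS_LEN and pow(int.from_bytes(sig, "big"), E, N) == encode(input_msg)

def finalize(input_msg: bytes, blind_sig: bytes, inv: int) -> bytes:
    if len(blind_sig) != MODULUS_LEN:
        raise ValueError("unexpected input size")
    sig = ((int.from_bytes(blind_sig, "big") * inv) % N).to_bytes(MODULUS_LEN, "big")
    if not verify(input_msg, sig):
        raise ValueError("invalid signature")
    return sig

def run_protocol(msg: bytes):
    input_msg = prepare(msg)                   # client
    blinded_msg, inv = blind(input_msg)        # client
    blind_sig = blind_sign(blinded_msg)        # server: sees only blinded_msg
    return input_msg, blinded_msg, finalize(input_msg, blind_sig, inv)
```

Unblinding works because (m · r^e)^d ≡ m^d · r (mod n), so multiplying by inv = r⁻¹ leaves m^d, the ordinary RSA signature on the encoded message.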

FAQs on RSA Blind Signatures

1. What is RSA Blind Signature?

RSA Blind Signature is a type of digital signature that provides anonymity and unlinkability to the user. In this scheme, the message is blinded before it is signed using the RSA algorithm. The user blinds the message by combining it with a random blinding factor, and the blinded message is sent to the signer. The signer signs the blinded message using their private key, and the user unblinds the signature to obtain the final signature. RSA Blind Signatures are commonly used in digital cash schemes and voting protocols.

2. How does RSA Blind Signature work?

RSA Blind Signature works by blinding the message before it is signed. The user blinds the message by combining it with a random blinding factor, and the blinded message is sent to the signer. The signer signs the blinded message using their private key, and the user unblinds the signature to obtain the final signature. RSA Blind Signatures provide anonymity and unlinkability to the user and are commonly used in digital cash schemes and voting protocols.

3. What are the applications of RSA Blind Signatures?

RSA Blind Signatures have a variety of applications, including digital cash schemes and voting protocols. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes. RSA Blind Signatures provide anonymity and unlinkability to the user, making them suitable for applications where sender privacy is important.

4. What is the difference between RSA blind signature and other blind signature schemes?

Blind signature schemes are a form of digital signature where the content of a message is disguised (blinded) before it is signed, providing anonymity and unlinkability to the message sender. One of the simplest blind signature schemes is based on RSA signing, known as the RSA blind signature.
Here are some differences between RSA blind signatures and other blind signature schemes:

  • Algorithm: RSA blind signatures are based on RSA, which uses a public and private key pair for encryption and decryption. Other blind signature schemes are implemented using different public-key algorithms such as DSA.
  • Complexity: The complexity of validating blind signatures depends on the algorithm. RSA blind signatures require an RSA private key operation for signing, which can be relatively expensive, especially with large key sizes. The performance of other blind signature schemes, such as those based on DSA or ElGamal, differs with the specific algorithm and key sizes.
  • Patents: Some blind signature schemes may be patented, while others may be patent-free. RSA blind signatures were patented by David Chaum.
  • Post-quantum readiness: RSA blind signatures are not post-quantum ready. They are based on the RSA algorithm, which is vulnerable to Shor’s polynomial-time quantum algorithm.

