In cryptography a blind signature as introduced by David Chaum^{[1]} is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacyrelated protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.
An oftenused analogy to the cryptographic blind signature is the physical act of a voter enclosing a completed anonymous ballot in a special carbon paper lined envelope that has the voter's credentials preprinted on the outside. The ballot can be marked through the envelope by the carbon paper. The voter hands the sealed envelope to an official who verifies the credentials and signs it. Once signed, the package is given back to the voter, who transfers the now signed ballot to a new unmarked normal envelope. Thus, the signer does not view the message content, but a third party can later verify the signature and know that the signature is valid within the limitations of the underlying signature scheme.
Blind signatures can also be used to provide unlinkability, which prevents the signer from linking the blinded message it signs to a later unblinded version that it may be called upon to verify. In this case, the signer's response is first "unblinded" prior to verification in such a way that the signature remains valid for the unblinded message. This can be useful in schemes where anonymity is required.
Blind signature schemes can be implemented using a number of common public key signing schemes, for instance RSA and DSA. To perform such a signature, the message is first "blinded", typically by combining it in some way with a random "blinding factor". The blinded message is passed to a signer, who then signs it using a standard signing algorithm. The resulting message, along with the blinding factor, can be later verified against the signer's public key. In some blind signature schemes, such as RSA, it is even possible to remove the blinding factor from the signature before it is verified. In these schemes, the final output (message/signature) of the blind signature scheme is identical to that of the normal signing protocol.
Contents

Uses 1

Blind signature schemes 2

Blind RSA signatures:235 2.1

Dangers of blind signing 3

See also 4

References 5

External links 6
Uses
Blind signature schemes see a great deal of use in applications where sender privacy is important. This includes various "digital cash" schemes and voting protocols.
For example, the integrity of some electronic voting system may require that each ballot be certified by an election authority before it can be accepted for counting; this allows the authority to check the credentials of the voter to ensure that they are allowed to vote, and that they are not submitting more than one ballot. Simultaneously, it is important that this authority does not learn the voter's selections. An unlinkable blind signature provides this guarantee, as the authority will not see the contents of any ballot it signs, and will be unable to link the blinded ballots it signs back to the unblinded ballots it receives for counting.
Blind signature schemes
Blind signature schemes exist for many public key signing protocols. Some examples are provided below. In each example, the message to be signed is contained in the value m. m is considered to be some legitimate input to the signature function. As an analogy, consider that Alice has a letter which should be signed by an authority (say Bob), but Alice does not want to reveal the content of the letter to Bob. She can place the letter in an envelope lined with carbon paper and send it to Bob. Bob will sign the outside of the carbon envelope without opening it and then send it back to Alice. Alice can then open it to find the letter signed by Bob, but without Bob having seen its contents.
More formally a blind signature scheme is a cryptographic protocol that involves two parties, a user Alice that wants to obtain signatures on her messages, and a signer Bob that is in possession of his secret signing key. At the end of the protocol Alice obtains a signature on m without Bob learning anything about the message. This intuition of not learning anything is hard to capture in mathematical terms. The usual approach is to show that for every (adversarial) signer, there exists a simulator that can output the same information as the signer. This is similar to the way zeroknowledge is defined in zeroknowledge proof systems.
Blind RSA signatures^{[2]}^{:235}
One of the simplest blind signature schemes is based on RSA signing. A traditional RSA signature is computed by raising the message m to the secret exponent d modulo the public modulus N. The blind version uses a random value r, such that r is relatively prime to N (i.e. gcd(r, N) = 1). r is raised to the public exponent e modulo N, and the resulting value r^e\bmod N is used as a blinding factor. The author of the message computes the product of the message and blinding factor, i.e.

m' \equiv m r^e\ (\mathrm{mod}\ N)
and sends the resulting value m' to the signing authority. Because r is a random value and the mapping r\mapsto r^e\bmod N is a permutation it follows that r^e \bmod N is random too. This implies that m' does not leak any information about m. The signing authority then calculates the blinded signature s' as:

s' \equiv (m')^d\ (\mathrm{mod}\ N).
s' is sent back to the author of the message, who can then remove the blinding factor to reveal s, the valid RSA signature of m:

s \equiv s' \cdot r^{1}\ (\mathrm{mod}\ N)
This works because RSA keys satisfy the equation r^{ed}\equiv r\pmod{N} and thus

s \equiv s' \cdot r^{1} \equiv (m')^d r^{1} \equiv m^d r^{ed} r^{1} \equiv m^d r r^{1} \equiv m^d\pmod{N},
hence s is indeed the signature of m.
In practice, the property that signing one blinded message produces at most one valid signed messages is usually desired. This means one vote per signed ballot in elections, for example. This property does not hold for the simple scheme described above: the original message and the unblinded signature is valid, but so is the blinded message and the blind signature, and possibly other combinations given a clever attacker. A solution to this is to blind sign a cryptographic hash of the message, not the message itself.^{[3]}
Dangers of blind signing
RSA is subject to the RSA blinding attack through which it is possible to be tricked into decrypting a message by blind signing another message. Since the signing process is equivalent to decrypting with the signer's secret key, an attacker can provide a blinded version of a message m encrypted with the signer's public key, m' for them to sign. The encrypted message would usually be some secret information which the attacker observed being sent encrypted under the signer's public key which the attacker wants to learn. When the attacker unblinds the signed version they will have the clear text:

\begin{align} m'' & = m' r^e\pmod n \\ & = (m^e\pmod n \cdot r^e)\pmod n \\ & = (mr)^e \pmod n \\ \end{align}
where m' is the encrypted version of the message. When the message is signed, the cleartext m is easily extracted:

\begin{align} s' & = m''^d\pmod n \\ & = ((mr)^e\pmod n)^d\pmod n \\ & = (mr)^{ed} \pmod n \\ & = m \cdot r \pmod n \mbox{, since } ed \equiv 1 \pmod{\phi(n)}\\ \end{align}
Note that \phi(n) refers to Euler's totient function. The message is now easily obtained.

\begin{align} m = s' \cdot r^{1} \pmod{n} \end{align}
This attack works because in this blind signature scheme the signer signs the message directly. By contrast, in an unblinded signature scheme the signer would typically use a padding scheme (e.g. by instead signing the result of a cryptographic hash function applied to the message, instead of signing the message itself), however since the signer does not know the actual message, any padding scheme would produce an incorrect value when unblinded. Due to this multiplicative property of RSA, the same key should never be used for both encryption and signing purposes.
See also
References

^ Chaum, David (1983). "Blind signatures for untraceable payments" (PDF). Advances in Cryptology Proceedings of Crypto 82 (3): 199–203.

^ Goldwasser, S. and Bellare, M. "Lecture Notes on Cryptography". Summer course on cryptography, MIT, 19962001

^ The OneMoreRSAInversion Problems and the Security of Chaum’s Blind Signature Scheme
External links

EP application 1571777, "Electronic voting process using fair blind signatures", published 20050907, assigned to France Telecom

Security of Blind Signatures Under Aborts

Implementation of Blind Signature in Java
This article was sourced from Creative Commons AttributionShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, EGovernment Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a nonprofit organization.