このページは http://www.slideshare.net/kelumkps/blind-signature-scheme の内容を掲載しています。

掲載を希望されないスライド著者の方は、こちらよりご連絡下さい。

4年以上前 (2012/05/28)にアップロードinテクノロジー

In 1982, a blind signature, as introduced by David Chaum. Blind Signature Scheme is a form of dig...

In 1982, a blind signature, as introduced by David Chaum. Blind Signature Scheme is a form of digital signature scheme which allows a person to get a message signed by another party without revealing any information about the message to the other party.

This presentation introduces the theory behind the blind signature scheme, how to implement it with RSA public cryptographic scheme and various practical aspects of the scheme.

- BLIND SIGNATURE SCHEME

By:

Asanka Balasooriya

Kelum Senanayake - BLIND SIGNATURE SCHEME

“Blind Signature Scheme allows a person to get a

message signed by another party without revealing

any information about the message to the other

party.” – RSA Laboratory

Introduced by Dr. David Chaum in 1982.

Typical Analogy from the world of paper documents

Enclosing a message in a carbon paper lined envelop.

Writing a signature on the outside of the envelop.

Leaves a carbon copy of the signature on the paper

inside the envelop.

The signer does not view the message content

But a third party can later verify the signature - ABOUT DR. DAVID CHAUM

Dr. David Chaum is the inventor of many cryptographic

protocols, including blind signature schemes,

commitment schemes, and digital cash.

He received his Ph.D. in Computer Science, with a minor

in Business Administration, from the University of

California at Berkeley.

In the area of cryptography, he has published over 45

original technical articles (see list of articles), received

over 17 US patents.

Founder of the International Association for

Cryptographic Research (IACR) In 1982.

Founder and a member of the Board of Directors of

DigiCash Inc., a company that has pioneered electronic

cash innovations. - HOW BLIND SIGNATURE WORKS

Suppose Alice wants Bob to sign a message m,

but does not want Bob to know the contents of the

message.

Alice "blinds" the message m, with some random

number b (the blinding factor). This results in

blind(m,b).

Bob signs this message, resulting in

sign(blind(m,b),d), where d is Bob's private key.

Alice then unblinds the message using b,

resulting in unblind(sign(blind(m,b),d),b).

The functions are designed so that this reduces to

sign(m,d), i.e. Bob's signature on m. - BLIND RSA SIGNATURES

Assume e is the public RSA exponent, d is the secret

RSA exponent and N is the RSA modulus.

Select random value r, such that r is relatively

prime to N (i.e. gcd(r, N) = 1)

r is raised to the public exponent e modulo N

remod N is used as a blinding factor

Because r is a random value, remod N is random

too. - BLIND RSA SIGNATURES… CONT
- WHY WOULD BOB SIGN SOMETHING WITHOUT

KNOWING WHAT IT IS?

A trustee wishes to hold an election by secret

ballot.

Each elector is very concerned about keeping his

vote secret from the trustee.

Each vote should be signed by the trustee.

Blind signature solves this problem. - WHY WOULD BOB SIGN SOMETHING WITHOUT

KNOWING WHAT IT IS?

Untraceable payment system

Consider a bank, payer and the payee

A single note will be formed by the payer

Signed by the bank

Provided to the payee

Cleared by the bank - DANGERS OF BLIND SIGNING

RSA Blinding Attack.

In RSA the signing process is equivalent to

decrypting with the signers secret key.

An attacker can provide a blinded version of a

message m encrypted with the signers public

key, m' for them to sign.

When the attacker unblinds the signed version

they will have the clear text. - RSA BLINDING ATTACK
- RSA BLINDING ATTACK … CONT

This attack works because in this blind signature

scheme the signer signs the message directly.

By contrast, in an traditional signature scheme the

signer would typically use a padding scheme.

Signing the result of a Cryptographic hash function

applied to the message, instead of signing the message

itself.

This would produce an incorrect value when unblinded.

In RSA the same key should never be used for both

encryption and signing purposes. - REFERENCES

“Blind Signatures for Untraceable Payments,” D.

Chaum, Advances in Cryptology Proceedings of

Crypto 82, D. Chaum, R.L. Rivest, & A.T. Sherman

(Eds.), Plenum, pp. 199-203.

RSA Laboratories - 7.3 What is a blind signature

scheme?[Online]. Available:

http://www.rsa.com/rsalabs/node.asp?id=2339

Blind signatures [Online]. Available:

http://www.cs.bham.ac.uk/~mdr/teaching/modules06/

netsec/lectures/blind_sigs.html - THANK YOU