
I understand that if you have a message $m$, you can blind it by selecting a random $r$ and then multiplying $r^e\times m \pmod{n}$. Someone else then signs it with $d$, raising to the power of $d$: $(r^{ed}\times m^d) \bmod n = r \times m^d$. Finally, to unblind: $r^{-1}\times r \times m^d = m^d$ and $\left(m^d\right)^e = m$. I understand that.

However, what if I wanted to blind twice? So after the first blind: $r_1^e\times m \pmod{n_1}$.
After the second blind: $r_2^e \times [(r_1^e \times m) \bmod n_1] \bmod n_2$.
Then someone signs it with $d_2$: $\big(r_2^e \times [(r_1^e \times m) \bmod n_1] \bmod n_2\big)^{d_2} = r_2 \times [(r_1^e \times m) \bmod n_1]^{d_2}$.
Then to unblind the first round: $r_2^{-1}\times r_2 \times [(r_1^e \times m) \bmod n_1]^{d_2} = [(r_1^e \times m) \bmod n_1]^{d_2}$.
Next: $[(r_1^e \times m) \bmod n_1]^{d_2e_2} = (r_1^e \times m) \bmod n_1$.
Finally to unblind the second round: $[(r_1^e)^{-1} \times r_1^e \times m] \bmod n_1 = m$

Am I going wrong somewhere in my math? Because I wrote a program to do this and the strangest thing — sometimes it gives me the original message and sometimes it does not. However, it does work perfectly when I comment out either round 1 or round 2. So my program doesn't work for both rounds, but works for a single round. I know this isn't the place to ask for programming help, but I'm thinking my math is off somewhere. Does it have to be the case: $\gcd(r_1, n_1) = \gcd(r_1, n_2) = \gcd(r_2, n_1) = \gcd(r_2, n_2)$ that both values of $r$ cannot have a common factor with both values of $n$? Or did I make a mistake somewhere else?

Cryptographeur
SJR



As long as you ensure that $n_1\leq n_2$ is guaranteed, the value $r^em\pmod {n_1}$ can be treated as an element in $Z_{n_2}$, and the "outer blinding" and "outer unblinding" in $Z_{n_2}$ do not change this value. Consequently, if you compute the "inner unblinding" in $Z_{n_1}$ after the "outer unblinding", your proposal works.

Remarks from the previous comments:

fgrieu – in his comment – also provided a trick for cascading signatures when working with different RSA moduli. This, however, does not apply to your setting since you are not cascading signatures (maybe you want to do that?)

Your application scenario:

As CodesinChaos noted in his comment in response to your desired application, your approach still raises some questions.

A simple eCash protocol on blind signatures does not really require you to do that. There, you can assign different values for coins by setting up different signing key pairs for the bank (one for each value) and the coin (value $m$ in your case is simply a random element). If the merchant blacklists the unblinded value and signature pairs, then you can prevent doublespending. Although you will not achieve anonymity revocation in case of this event.

It is not clear for what purpose you want to include customer identities in the coins - maybe you want to have something like anonymity revocation? (Why do you therefore require another modulus $n_1$ - and use blinding without signing this part?) I think there is still potential for discussion.

DrLecter
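A worked check of the answer's condition, added here as an example (it is not code from the question or the answer): with constructed toy RSA parameters, the double blinding in two moduli recovers $m$ for every message when $n_1 \leq n_2$, and fails for some messages when the inner modulus is the larger one, which is exactly the "sometimes works" behaviour described in the question. The blinding factors $r_1 = 7$ and $r_2 = 11$ are arbitrary constructed values coprime to both moduli.

```python
# Toy RSA parameters (constructed; far too small for real use) demonstrating
# the answer's condition n1 <= n2 for blinding in two different moduli.
from math import gcd


def rsa_keypair(p, q, e):
    """Return (n, e, d) for toy primes p, q and public exponent e."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return p * q, e, pow(e, -1, phi)


def double_blind_roundtrip(m, inner_key, outer_key, r1, r2):
    """Blind m in Z_n1, blind again in Z_n2, sign with d2, then unblind in
    reverse order (outer first, then inner) and return the recovered value."""
    n1, e1, _ = inner_key
    n2, e2, d2 = outer_key
    # Blinding factors must be invertible; pow(r, -1, n) raises otherwise.
    r1_e_inv = pow(pow(r1, e1, n1), -1, n1)
    r2_inv = pow(r2, -1, n2)
    inner = pow(r1, e1, n1) * m % n1          # r1^e1 * m mod n1
    outer = pow(r2, e2, n2) * inner % n2      # r2^e2 * inner mod n2
    signed = pow(outer, d2, n2)               # signer applies d2: r2 * inner^d2
    stripped = r2_inv * signed % n2           # outer unblinding: inner^d2 mod n2
    recovered = pow(stripped, e2, n2)         # verify: (inner^d2)^e2 = inner mod n2
    return r1_e_inv * recovered % n1          # inner unblinding in Z_n1


def count_failures(inner_key, outer_key, r1=7, r2=11):
    """Count messages m in [1, min(n1, n2)) that do not round-trip to m."""
    bound = min(inner_key[0], outer_key[0])
    return sum(1 for m in range(1, bound)
               if double_blind_roundtrip(m, inner_key, outer_key, r1, r2) != m)


SMALL = rsa_keypair(61, 53, 17)     # n = 3233
LARGE = rsa_keypair(101, 113, 17)   # n = 11413

if __name__ == "__main__":
    # Inner modulus <= outer modulus: every message comes back unchanged.
    print("n1 <= n2 failures:", count_failures(SMALL, LARGE))
    # Inner modulus > outer modulus: inner values >= n2 are reduced mod n2 and lost.
    print("n1 >  n2 failures:", count_failures(LARGE, SMALL))
```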