In a blind signature scheme, the signer does not know what he is signing. This is an important building block of anonymous voting or digital cash schemes, because it allows an authority to control the creation of signed messages, but doesn't allow it to track their use.
Questions tagged [blind-signature]
75 questions
18 votes, 2 answers
Which blind signature schemes exist, and how do they compare?
I'm looking into blind signature schemes for use as digital cash. I have come across blinded RSA, and Lucre (DH based). Are there other schemes available, and how do they compare? I suspect there should be an elliptic curve scheme, which might have…
CodesInChaos
13 votes, 0 answers
Potential Flaws With Lattice Based Cryptography?
From researching post-quantum cryptographic schemes it seems hash-based and lattice-based algorithms are the most promising (MQ-based seem to be covered by patents and have more potential unknowns which could be used to exploit them.) Hash-based…
CoryG
9 votes, 1 answer
What is "Blinding" used for in cryptography?
What does "blinding" mean in cryptography, and where do we usually use it? Can you describe a sample implementation?
tenfish
9 votes, 2 answers
RSA blind signatures in practice
Hi, I have a problem with moving my blind signature implementation from educational (textbook RSA) to more practical (padded RSA) side.
David Chaum's paper gives the following figure:
$r$ - blinding factor
$e$, $d$ - public & private exponent
$Blinded\…
Denis
7 votes, 1 answer
Is there a standard padding/format for RSA Blind Signatures?
I'm working on an RSA blinded signature scheme. RSA blind signatures are discussed in Chaum's original paper and other places like Wikipedia.
The descriptions of RSA blind signatures are straightforward, but they seem to use the original message…
user10496
7 votes, 1 answer
Blind signature with openssl
I'm trying to understand (to reproduce in practice) how blinded tokens work. Currently I'm lacking examples. According to Wiki the blinded signature protocol is the same as ordinary signature protocol. So maybe it is possible to reproduce it…
Lu4
7 votes, 1 answer
Blinding twice in RSA
I understand that if you have a message $m$, you can blind it by selecting a random $r$ and then multiplying $r^e\times m \pmod{n}$. Someone else then signs it with $d$, raising to the power of $d$: $(r^{ed}\times m^d) \bmod n = r \times m^d$. …
SJR
6 votes, 0 answers
Understanding anonymous credentials. Does someone understand how it works?
After reading a series of papers CL01 CL02 CL04, I feel like I understand the intuition behind the anonymous credential framework but I don't understand some details of the mathematics behind it.
I placed myself in a case example where this system…
Bean Guy
6 votes, 2 answers
Are (EC) DSA blind signatures possible?
I've been searching for a way to create blind ECDSA signatures.
My research and experimentation have led me to believe that this is not possible.
I've been attempting to articulate why and I think that it is because it is not possible to apply a…
Chris
6 votes, 1 answer
How secure is a blind signature?
From Wikipedia:
Blind signatures can also be used to provide unlinkability, which
prevents the signer from linking the blinded message it signs to a
later un-blinded version that it may be called upon to verify. In this
case, the signer's…
jornane
5 votes, 2 answers
Post-Quantum Blind Signatures?
Are there any post-quantum blind signature algorithms? Since hash-based blind signature schemes have proven to be impossible (based on a response to this question) is this an active area of research or is it only feasible by using extraordinarily…
CoryG
5 votes, 1 answer
Blind signatures security
I was reading up on blind signatures. I came across the following paragraph in this paper.
Previous methods of proofs used to establish security arguments for
signature schemes no longer work since, during the collusion between
the signer, the…
pd176
5 votes, 1 answer
One-way hash on encrypted data, result hidden from hasher
I'm looking for a one-way hash function that can be performed by A on an encrypted piece of data E(D) provided by B, without the performer A able to figure out D or H(D). This is similar to HMAC(Message, Key), except the output hash cannot be known by…
Ian Wetherbee
5 votes, 1 answer
Is there a flaw in this ECC blind signature scheme?
Recently I've found the following work on the internet: An ECC-Based Blind Signature Scheme
The paper claims to be an ECDSA blind signature; however, it seems that their scheme has a flaw in it.
The process they describe is pretty standard:
Requester…
Lu4
5 votes, 2 answers
Usability of padding scheme in blinded RSA signature?
In Wikipedia's article on Blind signature, in the section Dangers of blind signing which describes RSA blinding attack one reads the following
This attack works because in this blind signature scheme the signer
signs the message directly. By…
Piotr Dobrogost