Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties.
Examples include cryptographic election systems and digital cash schemes.
An often-used analogy to the cryptographic blind signature is the physical act of a voter enclosing a completed anonymous ballot in a special carbon-paper-lined envelope that has the voter's credentials pre-printed on the outside.
An official verifies the credentials and signs the envelope, thereby transferring his signature to the ballot inside via the carbon paper.
The resulting message, along with the blinding factor, can be later verified against the signer's public key.
Blind signature schemes see a great deal of use in applications where sender privacy is important.
For example, the integrity of some electronic voting system may require that each ballot be certified by an election authority before it can be accepted for counting; this allows the authority to check the credentials of the voter to ensure that they are allowed to vote, and that they are not submitting more than one ballot.
Blind signature schemes exist for many public key signing protocols.
More formally, a blind signature scheme is a cryptographic protocol that involves two parties, a user Alice that wants to obtain signatures on her messages, and a signer Bob that is in possession of his secret signing key.[2]: 235
One of the simplest blind signature schemes is based on RSA signing.
A traditional RSA signature is computed by raising the message m to the secret exponent d modulo the public modulus N. The blind version uses a random value r, such that r is relatively prime to N (i.e. gcd(r, N) = 1).
does not leak any information about m. The signing authority then calculates the blinded signature s' as: s' is sent back to the author of the message, who can then remove the blinding factor to reveal s, the valid RSA signature of m: This works because RSA keys satisfy the equation
This property does not hold for the simple scheme described above: the original message and the unblinded signature are valid, but so are the blinded message and the blind signature, and possibly other combinations given a clever attacker.
Since the signing process is equivalent to decrypting with the signer's secret key, an attacker can provide a blinded version of a message
When the attacker removes the blindness the signed version will have the clear text: where
This attack works because in this blind signature scheme the signer signs the message directly.
By contrast, in an unblinded signature scheme the signer would typically use a padding scheme (e.g. signing the result of a cryptographic hash function applied to the message instead of the message itself). However, since the signer does not know the actual message, any padding scheme would produce an incorrect value when unblinded.
Due to this multiplicative property of RSA, the same key should never be used for both encryption and signing purposes.
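The blinding exchange and the key-reuse failure described above, as an added example that is not part of the original text. It uses standard textbook RSA blinding (m' = m * r^e mod N); the toy key (p = 61, q = 53, e = 17) and all function names are constructed for illustration.

```python
import math
import secrets

# Constructed toy key (assumption: textbook primes, far too small for real use).
P, Q = 61, 53
N = P * Q                              # public modulus, 3233
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # secret exponent, 2753


def random_blinding_factor(n=N):
    """Pick r with gcd(r, n) = 1 so that r has an inverse mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blind(m, r, e=E, n=N):
    """Author side: m' = m * r^e mod n hides m from the signer."""
    return (m * pow(r, e, n)) % n


def sign_raw(x, d=D, n=N):
    """Signer side: raw RSA, s' = x^d mod n, with no hashing or padding."""
    return pow(x, d, n)


def unblind(s_blinded, r, n=N):
    """Author side: s = s' * r^-1 mod n, because (r^e)^d = r mod n."""
    return (s_blinded * pow(r, -1, n)) % n


def verify(m, s, e=E, n=N):
    """Anyone: check s^e mod n against the message."""
    return pow(s, e, n) == m % n


def blind_sign_roundtrip(m, r):
    """Full exchange; returns (blinded message, unblinded signature)."""
    m_blinded = blind(m, r)
    return m_blinded, unblind(sign_raw(m_blinded), r)


def signing_reveals_plaintext(secret, r):
    """Key reuse: a ciphertext submitted for blind signing comes back decrypted."""
    ciphertext = pow(secret, E, N)     # encrypted to the same key pair
    return unblind(sign_raw(blind(ciphertext, r)), r)
```

The second function returns the original plaintext because raw signing and decryption are the same operation, which is the reason for keeping signing and encryption keys separate.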