Question

I know this is more or less an algorithm or design problem and not so much programming, but I hope it's alright.

I am using a blinded message and having it signed by C. After the signing I want to remove the blinding and have other users A and B be able to share the message. Is this safe or can the signer still read these messages if they have the public and private keys? Should I take further steps after unblinding to ensure the confidentiality?

I have read various math formulas explaining how this works, but I am more of a programmer than a mathematician. I want to ensure the confidentiality and I am not sure if it's working.

Solution

Signatures do not ensure confidentiality. If you have data which must be transmitted but should remain confidential, then you must use a transmission mechanism which ensures confidentiality.

You apparently also want the message to be signed by entity C, but without giving any clue on the message to C. Generally speaking, the signing entity only needs to know the hash of the signed data. The signer may then try to "guess" the data by hashing potential messages and see if one matches the hash it received. This is the point where blind signatures come into action: to prevent the signer from even seeing the hashed message.

It so happens that with RSA, the hashed message can be recovered from the signature and the signer's public key. The signer (C) certainly knows his own public key. Hence, the signature itself must be kept confidential (otherwise, it would make no sense to use blind signatures in the first place). Thus, whatever mechanism you use to keep the message itself confidential when it is transmitted from A to B, must also be applied to the signature (and the signature is not that mechanism).
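The point above, worked through as an added example (not code from the original answer): a textbook RSA blind signature in which C never sees the hash while signing, yet anyone holding the unblinded signature and C's public key recovers the hash and can test guessed messages against it. The toy key, the helper names and the sample messages are constructed for illustration, and the hash-to-integer step is a simplification of real padding.

```python
import hashlib
import secrets

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # C's public key
D = pow(E, -1, (P - 1) * (Q - 1))        # C's private exponent

def h(msg: bytes) -> int:
    """Toy hash-to-integer: SHA-256 reduced mod N (real schemes use proper padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def blind(msg: bytes, r: int) -> int:
    # A multiplies the hash by r^E; this is the only value C ever sees.
    return (h(msg) * pow(r, E, N)) % N

def sign_blinded(blinded: int) -> int:
    # C signs without learning the hash: (h * r^E)^D = h^D * r mod N.
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    # A divides out r and is left with an ordinary signature h^D mod N.
    return (blind_sig * pow(r, -1, N)) % N

def recover_hash(sig: int) -> int:
    # Anyone with the public key (C included) gets the hash back from the signature.
    return pow(sig, E, N)

def guess_message(sig: int, candidates):
    # With the recovered hash, low-entropy messages can be confirmed by hashing guesses.
    target = recover_hash(sig)
    return next((c for c in candidates if h(c) == target), None)

if __name__ == "__main__":
    msg = b"pay B 100"                       # constructed sample message
    r = secrets.randbelow(N - 2) + 2         # A's secret blinding factor
    seen_by_c = blind(msg, r)
    sig = unblind(sign_blinded(seen_by_c), r)
    print("C saw the hash while signing:", seen_by_c == h(msg))
    print("hash recovered from signature:", recover_hash(sig) == h(msg))
    print("guess confirmed:", guess_message(sig, [b"pay B 10", b"pay B 100"]))
```

If the unblinded signature travels from A to B in the clear, C can run `recover_hash` on it, which is why the signature needs the same confidential channel as the message.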

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow