In many applications involving anonymity, it is desirable to allow a participant to sign a message without knowing what the message is. This is called a blind signature.

Blind signatures

Suppose Charlie wants Dianne to sign a message m, but does not want Dianne to know the contents of the message. This might seem like a strange thing -- why would Diane sign something without knowing what it is? But the concept has useful applications in situations involving anonymity, such as digital cash and electronic voting. The arrangement works like this:

Charlie "blinds" the message m, with some random number b (the blinding factor). This results in blind(m,b).
Dianne signs this message, resulting in sign(blind(m,b),d), where d is Dianne's private key.
Charlie then unblinds the message using b, resulting in unblind(sign(blind(m,b),d),b). The functions are designed so that this reduces to sign(m,d), i.e. Dianne's signature on m.

The concept of blind signatures (and their implementation in RSA) was invented by David Chaum in 1982.

Implementation in RSA

Recap on plain RSA signatures

Euler's totient. Two numbers are "relative primes" if their only common factor is 1. The Euler's totient of a number n, written phi(n), is the number of relative primes to n which are less than n. If n=57, all 56 of the numbers less than n are relatively prime to n, because n is prime. So phi(57)=56. Fact 1: if n is the composite pq, where p and q are prime, then phi(n) = (p-1)(q-1). For example, suppose n=35. We can work out manually that there are 24 primes relative to 35 which are below 35, namely {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34}. We can use the fact mentioned to calculate this more directly. Since 35 = 5*7, and 5 and 7 are primes, phi(35)=4*6=24, as expected.

Modulo arithmetic. In "mod n" arithmetic, all numbers are reduced to their remainder on division by n. For example, we are used to working in "mod 256", where (for example) 250 + 10 = 4 (mod 256), and 100 * 4 = 144 (mod 256), and 100² = 16, 100³=64, 100⁴=0 (mod 256). Fact 2: a^phi(n) = 1 (mod n).

Generating the public and private keys.

Exercise. Which of the following key pairs are valid?

K=(3,99), K^-1=(27,99)
K=(7,187), K^-1=(23,187)
K=(23,187), K^-1=(7,187)
K=(7,143), K^-1=(23,143)

Can you invert the key (7,147)?

Pick two large prime numbers, p and q. Let n=pq. Typically, n is a 1024 bit number. Pick e relatively prime to (p-1)(q-1). Now find d such that ed=1 mod (p-1)(q-1). You can use Euclid's algorithm to find this d. The pair of numbers (e, n) is the public key. The pair of numbers (d, n) is the private key. The two primes p,q are no longer needed, and can be discarded, but should never be revealed.

Message format. Divide the message into blocks, each block corresponding to a number less than n. For example, for binary data, the blocks will be (log₂ n) bits.
Signing. The signature of message m is s = m^d mod n.
Signature verification. To recover the message from the signature s, put m' = s^e mod n.

Why it works.

m'	=	s^e	(mod n)	by definition of sig verification
	=	m^de	(mod n)	by definition of signature
	=	m^{k(p-1)(q-1) + 1}	(mod n)	since de = k(p-1)(q-1) + 1, some k
	=	m^{k phi(n) + 1}	(mod n)	Fact 1
	=	(m^phi(n))^km	(mod n)	elementary equivalences
	=	m	(mod n)	Fact 2

Exercise. Sign the message 88 with the key (7,187). (Details of similar calculation [1],p.468, [2],p.271.)

Blind signatures

Suppose C wants D to sign the message m blindly. Suppose D's public key is (e,n) and her private key is (d,n).

C first blinds the message m, by multiplying it by k^e mod n, where k is a randomly chosen number called the blinding factor. C sends the blinded message m . k^e mod n to D.
Next, D signs the blinded message, resulting in ( m . k^e )^d mod n, and sends the signed blinded message back to C.
Finally, C unblinds the message by dividing by k mod n, resulting in ( m . k^e )^d / k mod n.

( m . k^e )^d / k mod n	=	m^d . k^ed / k mod n	(mod n)	elementary equivalence
	=	m^d . k / k mod n	(mod n)	by the reasoning given above
	=	m^d mod n	(mod n)	which is the D's signature on m

Implementation in other cryptographic schemes

Many other crypto schemes besides RSA also support blind signatures.

References

[1] Bruce Schneier, Applied Cryptography. Second Edition, J. Wiley and Sons, 1996.
[2] William Stallings, Cryptography and Network Security, Principles and Practice, Prentice Hall, 1999.
[3] Nigel Smart, Cryptography. McGraw Hill, 2003.