Download Blind Signatures Overview We remember a bit of mathematics

Blind Signatures
Clemens Cap
Overview
ASR of RSA: A Short Repetition of Rivest-Shamir-Adleman
Constructing blind and non-blind signatures
Applications:
 Electronic cash
 Enhancing security for RSA signatures
We remember
a bit of mathematics ...





Arithmetic modulo n
Euclidean Algorithm
Inverse modulo n
Phi Function
Theorem of Euler
1
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
(must be different)
Divide the larger by the smaller
Get a remainder
54
Remainder is smaller than the divisor
Repeat the game
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
(must be different)
Divide the larger by the smaller
Get a remainder
54
Remainder is smaller than the divisor
Repeat the game
174 = 3 * 54
+
12
54 = 4 * 12
+
6
12 = 2 * 6
+
0
Terminates eventually with a zero
Why?
Remainder always strictly smaller than divisor
Remainder never negative
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
(must be different)
Divide the larger by the smaller
Get a remainder
54
Remainder is smaller than the divisor
Repeat the game
174 = 3 * 54
+
12
54 = 4 * 12
+
6
12 = 2 * 6
+
0
Terminates with a number (6) which divides the initial two numbers
Why? Run equations backwards !
6 divides 12 (due to termination at 0)
6 divides 6 and 12 and therefore 54
6 divides 12 and 54 and therefore 174
6 divides 54 and 174 and therefore 228
2
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
54
174 = 3 * 54
+
12
54 = 4 * 12
+
6
12 = 2 * 6
+
0
Terminates with greatest number (6) which divides the initial two numbers
Why? Run equations forward.
Assume X divides 228 and 174
Then X divides 54
Since X divides 174 and 54 so X divides 12
Since X divides 54 and 12 so X divides 6
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
54
174 = 3 * 54
+
12
54 = 4 * 12
+
6
12 = 2 * 6
+
0
Terminates with greatest number (6) which divides the initial two numbers
Since X divides 54 and 12 so X divides 6
Therefore X smaller or equal to 6
6 (as well as X) divide 228 and 174
Therefore 6 is the greatest common divisor if 228 and 174
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
54
174 = 3 * 54
+
12
54 = 4 * 12
+
6
12 = 2 * 6
+
0
6 = 1 * 54 - 4 * 12
Delivers GCD as value and as weighted sum of the initial numbers
Why? Get GCD as linear combination in pre-last step
Eliminate the smaller of the two numbers (12) by going upwards
3
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
54
174 = 3 * 54
+
12
54 = 4 * 12
+
6
12 = 2 * 6
+
0
12 = 1 * 174 - 3 * 54
6 = - 4 * 174 + 13 * 54
6 = 1 * 54 - 4 * 12
6 = 1 * 54 - 4 * 12
Delivers GCD as value and as weighted sum of the initial numbers
Why? Get GCD as linear combination in pre-last step
Eliminate the smaller of the two numbers (12) by going upwards
Eliminate the smaller of the two numbers (54) by going upwards
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
54
54 = 1 * 228 - 1 * 174
6 = 13 * 228 - 17 * 174
174 = 3 * 54
+
12
12 = 1 * 174 - 3 * 54
6 = - 4 * 174 + 13 * 54
54 = 4 * 12
+
6
6 = 1 * 54 - 4 * 12
6 = 1 * 54 - 4 * 12
12 = 2 * 6
+
0
Delivers GCD as value and as weighted sum of the initial numbers
Why? Get GCD as linear combination in pre-last step
Eliminate the smaller of the two numbers (12) by going upwards
Eliminate the smaller of the two numbers (54) by going upwards
Now we are done
Euclidean Algorithm
Start: Numbers 228 and 174
228 = 1 * 174
+
54
54 = 1 * 228 - 1 * 174
6 = 13 * 228 - 17 * 174
174 = 3 * 54
+
12
12 = 1 * 174 - 3 * 54
6 = - 4 * 174 + 13 * 54
54 = 4 * 12
+
6
6 = 1 * 54 - 4 * 12
6 = 1 * 54 - 4 * 12
12 = 2 * 6
+
0
Terminates with greatest common divisor GCD
Delivers GCD as value and as weighted sum of the initial numbers
GCD ( 228 , 174 ) =
6 = 13 * 228 - 17 * 174
4
Inverse modulo n
Inverse modulo n
Let x and n have no common divisor, then
there is a y such that x * y = 1 mod n
We have GCD ( x, n ) = 1
Get GCD as weighted sum: 1 = GCD ( x, n ) = a * x + b * n
Take modulo n the equation
1=a*x+b*n
1 = a * x modulo n
Phi Function
Remove (p-1) numbers
q, 2q, 3q, ..., (p-1)q
Euler Phi Function  (n)
Number of all positive numbers less-or-equal n
having no common divisor with n
(5)=#{1
1, 2
2, 3
3, 4
4, 5 } = 4
p prime
Remove (q-1) numbers
p, 2p, 3p, ..., (q-1)p
 ( p ) = # {1, 2, 3, ..., p - 1, p} = p - 1
Remove p * q
All numbers
p, q primes
 ( p * q ) = # {1, 2, ..., p * q } = p * q - ( q-1 ) - ( p-1 ) - 1
= (p - 1) * (q - 1)
 ( 6 ) = # { 1, 2, 3, 4, 5, 6 } = 6 - 2 - 1 - 1 = 2 = (3-1) * (2-1)
Theorem of Euler
Theorem of Euler
Let x and n have no common divisor, then we have
x ( n ) = 1 mod n
Let Z = {a1, a2, ..., a  (n) } be all positive numbers less-or-equal n,
having no common divisor with n
x * Z = {x*a1, x*a2, ..., x*a  (n) } is exactly the same set (modulo n)
since we may divide by x
Product of all numbers in x * Z = Product of all numbers in Z
x*a1 * x*a2 * ... * x*a  (n) = a1 * a2 * ... * a  (n)
x  ( n ) = x*x*...*x* = 1 mod n
5
RSA Algorithm
Pick to different and large primes p, q
Calculate n = p * q
Chose number e, sharing no divisor with  (n)
Get d as inverse mod  (n) to e: e * d = 1 mod  (n)
RSA Operations
Rd ( x ) := xd mod n
Re ( x ) := xe mod n
Core Property
Re ( Rd ( x ) ) = x mod n
Rd ( Re ( x ) ) = x mod n
(x e)d = x e*d = x 1+k(n) = x * x k(n) =x * (x(n))k = x * 1k = x
RSA Assumption
Assumption:
 It is difficult to split a large number n into prime factors p, q
Known:
If n is publically known then determining e from d
is as difficult as splitting n into prime factors p, q

Every person is associated with two keys
A public key (n,e) known to everybody
 A private key d known only to this person

RSA Signature
Public key of Alice
(n,e)
Private key of Alice
d
Rd
I love you
only owner of d
(Alice)
is able to to so
Re
eRqWEgF26JhK
I love you
only owner of e
(everybody)
can do so
Everybody can check that Alice is in love by applying Re
Only Alice can produce such a message by applying Rd
6
RSA Encryption
Public key of Alice
(n,e)
Private key of Alice
d
My bank PIN
is 123
Re
Rd
qeoi23458swr
only owner of e
(everybody)
can do so
My bank PIN
is 123
only owner of d
(Alice)
is able to to so
Everybody can encrypt secrets to Alice
Only Alice can reproduce the original message
Can we use an RSA digital signature
to implement electronic cash?
Idea
Alice presents 1$ at the bank
Alice receives an electronic document
"This document has a value of 1$ and serial number 3456"
This electronic document is signed by the bank
Alice now pays with this document
7
Problems
Problem 1:
Keeping the right
When Alice hands over the signed document to Bob
she might keep a copy of the signed document
Problem 2:
Double Spending
Alice might used a signed document to pay to Bob and Carol
Problem 3:
No privacy
When Bob presents the document to the bank to get his 1$
the bank may check the serial number and sees that it was
Alice who paid Bob
Solutions
Database of spent coins
 Before accepting a digital document as a coin
I ask the bank if it has been used already
Blind Signature
 The bank signs the document
but without seeing the serial number
 Needs a new concept of blind signature !
Blind Signature
By D. Chaum
Bob has public key (n,e) and private key d
Alice wants a (blind) signature of Bob on document x
Alice choses blinding factor B
Alice sends y = x * Re ( B ) mod n to Bob
Bob signs and sends z = Rd ( y ) to Alice
Alice calculates inverse G to B, ie. G * B = 1 mod n
Alice calculates z*G
8
Blind Signature by D. Chaum
What did Alice receive?
z*G
Blind Signature by D. Chaum
What did Alice receive?
z * G = yd * G
Definition of z
z = Rd ( y )
Blind Signature by D. Chaum
What did Alice receive?
z * G = yd * G
= (x * Re ( B ) )d * G
Definition of y
y = x * Re ( B ) mod n
9
Blind Signature by D. Chaum
What did Alice receive?
z * G = yd * G
= (x * Re ( B ) )d * G
= (x * Be)d * G
Definition of Re ( B )
R e ( B ) = Be
Blind Signature by D. Chaum
What did Alice receive?
z * G = yd * G
= (x * Re ( B ) )d * G
= (x * Be)d * G
= xd * Be*d * G
Blind Signature by D. Chaum
What did Alice receive?
z * G = yd * G
= (x * Re ( B ) )d * G
= (x * Be)d * G
= xd * Be*d * G
= xd * B * G
Core property of RSA
Re ( Rd ( B ) ) = B mod n
10
Blind Signature by D. Chaum
What did Alice receive?
z * G = yd * G
= (x * Re ( B ) )d * G
= (x * Be)d * G
= xd * Be*d * G
= xd * B * G
= xd
G was the inverse to B mod n
B * G = 1 mod n
Blind Signature by D. Chaum
What did Alice receive?
z * G = yd * G
= (x * Re ( B ) )d * G
= (x * Be)d * G
= xd * Be*d * G
= xd * B * G
= xd
Alice has obtained the signature xd = Rd ( x )
Properties
Blind signature allows Alice to
 Receive a signature from Bob on a document
 Without Bob knowing the signed document
Application:
 Bank signs a digital bank note
 Bank does not know the serial number
 When digital bank note is handed in to bank
bank checks signature and
stores serial to protect against double spending
11
Problem 1
Blind signatures are unwanted in normal life.
Consequence 1:
Do not digitally sign arbitrary data
 Normally, not docs but hashes of docs are signed
Must verify, that data indeed is hash of the doc you want 2 sign
Consequence 2:
Randomize signed document
 You sign hash value R
 You think you sign document X, since hash(X) = R
 Your opponent will claim you signed document Y, since hash(Y)=R
 Issue: Opponent pre-pares docs X and Y such that hash(X)=hash(Y)
and can use years of preparation in advance
 Defence: When signing document X, both parties add random noise N and M
and produce hash(XNM) – so nobody can pre-pare hash collisions
Problem 2
Consequence 2:
 For intentional blind signatures, use different key pair
than for normal contract signing
 Idea: Every key should have a clear "purpose"
 Think: Car sales contract shows up signed with a key "for blind signature only"
12