Blind signatures; archives?

(Is this list archived anywhere?  The signon message I got indicated that
was TBD.)

Chaum has done a lot of work on blind signatures, originally for
ecash and later for credentials.  The idea is that you get a credential
by showing that you are entitled to it, but later when you show the
credential you shouldn't need to reveal any more information than that
you have the credential itself.

With ordinary signatures for credentials, you don't get good protection
because the credential issuer may have noted what key he was issuing
the credential on (e.g. signing) and so when you use that key later, if
he finds out, he will recognize the key and therefore know all the
information you presented in order to get that credential.

Chaum's blinding uses RSA signatures (methods exist for many discrete
log sigs as well); the person getting the credential supplies his key in
blinded form, the signer signs it, and the receiver then removes the
blinding to leave a signed key which the signer has never seen.

The recent proposals for credentials, such as Carl Ellison's and SDSI,
don't lend themselves to this.  The meaning of the signature is embedded
in the signed material.  If that material is blinded, the signer can't
know what claims are being made in the material that is signed.

For blinding to work (as far as I can see) the signature key itself
must determine the meaning of the signature.  There has to be a
separate signature key for each different certificate/credential
meaning.  With RSA this can be done by having the exponent determine
the meaning (where meanings are standardized), so that different
signers each have their own modulus but share these exponents.  With
discrete logs it is harder to see how to do this but perhaps if there
weren't too many meanings the low order bits of the public key could be
used (signers would need to choose keys at random until they find one
with the required bits).

Alternatively, the meanings of the signatures can be opaque, but signed
meaning statements available separately define what meaning each key
signature has.  These can be presented in conjunction with a credential
or simply referenced via a URL.

There are patent restrictions on blinding, as on most of the other
technologies we discuss here, but it still might be worthwhile considering
whether credentials could be designed to allow it.

Hal Finney
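
The RSA scheme described in the message above, as an added example that is not part of the original post: the holder blinds a digest of his key, the signer signs with the private exponent matching a standardized meaning, and the holder unblinds. The exponent table, the toy modulus built from two Mersenne primes, and the unpadded textbook RSA are assumptions chosen for illustration only.

```python
import hashlib
import secrets
from math import gcd

# Hypothetical standardized table: public exponent -> credential meaning.
MEANINGS = {257: "over-18", 65537: "licensed-driver"}

# Constructed toy signer key from two Mersenne primes; far too small for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)

def digest(holder_key: bytes) -> int:
    """Map the holder's public key to an integer mod N (textbook, unpadded)."""
    return int.from_bytes(hashlib.sha256(holder_key).digest(), "big") % N

def blind(holder_key: bytes, e: int):
    """Holder: hide the key digest under a random factor r before sending."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(holder_key) * pow(r, e, N)) % N, r

def sign_blinded(blinded: int, e: int) -> int:
    """Signer: entitlement is checked out of band; the private exponent used
    fixes the meaning. The signer only ever sees the blinded value."""
    if e not in MEANINGS:
        raise ValueError("no standardized meaning for this exponent")
    d = pow(e, -1, PHI)  # private exponent paired with this meaning
    return pow(blinded, d, N)

def unblind(blind_sig: int, r: int) -> int:
    """Holder: divide out r, leaving an ordinary signature on the key digest."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(holder_key: bytes, sig: int, e: int) -> bool:
    """Verifier: the exponent under which the signature checks is the meaning."""
    return pow(sig, e, N) == digest(holder_key)

if __name__ == "__main__":
    key = b"constructed holder public key"  # constructed sample input
    blinded, r = blind(key, 257)
    sig = unblind(sign_blinded(blinded, 257), r)
    for e, meaning in MEANINGS.items():
        print(meaning, verify(key, sig, e))
```

The signature verifies only under the exponent it was issued for, so the verifier learns the meaning from the key alone while the signer never saw the holder's key.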