Blind signatures for simple election

Jan Svensson jan.svensson at hush.com
Wed Apr 8 20:57:54 CEST 2015


>> From what I've read it seems like GPG internally is using blinding to
>> avoid RSA timing attacks, but I guess it is not possible for a user of
>> GPG to use those functions in a similar way as I describe above.
>
> Those are two different beasts, by the way. You want to blind the
> /data/. In OpenPGP, the data that is to be signed is hashed, and only
> the /hash/ is signed with, e.g., RSA. So it could be said that the hash
> is blinded[1], but the signed data definitely is not.
>
> My gut feeling is that OpenPGP is ill suited for this task, but I
> haven't thought thoroughly about it.

What do you think about me trying to use Libgcrypt instead? The manual (http://www.gnupg.org/documentation/manuals/gcrypt/gcrypt.pdf) says

"By default Libgcrypt uses a blinding technique for RSA decryption to mitigate real world timing attacks over a network: Instead of using the RSA decryption directly, a blinded value y = x r^{e} \bmod n is decrypted and the unblinded value x' = y' r^{-1} \bmod n returned. The blinding value r is a random value with the size of the modulus n and generated with GCRY_WEAK_RANDOM random level."

Would it be possible to create three small programs in e.g. C (or some other language if it is more suitable) that use Libgcrypt:
1. a program "generate_blinding_factor" that generates a blinding factor "b".
2. a program "blind" that takes a message and a blinding factor "b" as input parameters and gives as output the message in blinded format.
3. a program "unblind" that takes a blinded message and a blinding factor as input parameters and gives as output the message in unblinded format.

The user would first use "generate_blinding_factor" to generate a blinding factor and then use "blind" to blind a message.
Then, the user would send the message to the signer who uses the usual GPG-command "gpg --output blinded_message.sig --sign blinded_message" and then sends it back to the user.
Finally, the user would use "unblind" to unblind the signed blinded message to get a file with the message signed by the signer.

We can assume that the signer keeps the blinded message so when that signer later gets to see the unblinded message with the signer's signature, then the signer cannot link those two messages to each other, i.e. sign(blind(message,b),d) and sign(message,d) cannot be linked.

Thanks for any advice here,
Jan
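The three steps in the post (generate a blinding factor, blind, unblind) and the unlinkability claim are the classic Chaum RSA blind signature, and the arithmetic is exactly the y = x r^e mod n / x' = y' r^{-1} mod n from the quoted Libgcrypt manual. The following is an added example written for this thread, not code from the post, from GnuPG or from Libgcrypt: it implements the scheme with textbook RSA on plain Python integers so it runs offline without any library. All function names, the demo key size and the sample ballot strings are mine. It also makes the point of the reply above concrete: the signer here computes a raw x^d mod n on the value it is handed, which is not what "gpg --sign" does (OpenPGP hashes the data and wraps the signed hash in a signature packet), so an unblind step of this kind cannot be applied to a gpg output file. The last function shows why the signer cannot link the two messages: for any candidate ballot there exists a blinding factor that explains the blinded value the signer signed.

```python
import math
import secrets
from hashlib import sha256


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits=512):
    """Textbook RSA key pair ((n, e), (n, d)); demo size, not a real signing key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def generate_blinding_factor(n):
    """Step 1 of the post: random b coprime to n, so that b^{-1} mod n exists."""
    while True:
        b = secrets.randbelow(n - 2) + 2
        if math.gcd(b, n) == 1:
            return b


def blind(m, b, pub):
    """Step 2: m * b^e mod n (the y = x r^e mod n of the Libgcrypt manual)."""
    n, e = pub
    return (m * pow(b, e, n)) % n


def sign_raw(x, priv):
    """The signer's raw RSA operation x^d mod n; it never sees m, only blind(m, b)."""
    n, d = priv
    return pow(x, d, n)


def unblind(s_blinded, b, n):
    """Step 3: s' * b^{-1} mod n, since (m b^e)^d b^{-1} = m^d b b^{-1} = m^d."""
    return (s_blinded * pow(b, -1, n)) % n


def verify_raw(m, s, pub):
    n, e = pub
    return pow(s, e, n) == m


def consistent_blinding_factor(blinded, m_candidate, priv):
    """Unlinkability: for ANY candidate message return a b' with
    blind(m_candidate, b') == blinded. Even the signer (who knows d and
    can take e-th roots) finds such a b' for every ballot, so the blinded
    value it signed carries no information about which ballot was inside."""
    n, d = priv
    target = (blinded * pow(m_candidate, -1, n)) % n   # b'^e must equal this
    return pow(target, d, n)                           # e-th root via d


def demo(message=b"ballot: candidate A", other=b"ballot: candidate B"):
    """Full round trip on constructed sample ballots; returns checkable facts."""
    pub, priv = generate_rsa_key(512)
    n, _ = pub
    m = int.from_bytes(sha256(message).digest(), "big")   # representative < n
    b = generate_blinding_factor(n)
    blinded = blind(m, b, pub)                  # what the voter sends
    s_blinded = sign_raw(blinded, priv)         # what the signer returns
    s = unblind(s_blinded, b, n)                # signature on m itself
    m_other = int.from_bytes(sha256(other).digest(), "big")
    b_other = consistent_blinding_factor(blinded, m_other, priv)
    return {
        "verifies": verify_raw(m, s, pub),
        "same_as_direct_signature": s == sign_raw(m, priv),
        "other_ballot_also_explains_transcript": blind(m_other, b_other, pub) == blinded,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible that the prose glosses over: the blinding factor must be invertible mod n (hence the gcd check in generate_blinding_factor; pow(b, -1, n) raises otherwise), and the voter has to feed the signer a raw RSA input, which is why a plain "gpg --sign" on the blinded file does not fit this flow. The internal blinding Libgcrypt applies during its own RSA private-key operation is the same arithmetic but is generated and removed inside the library call, so it is not exposed as a user-level blind/unblind pair.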




More information about the Gnupg-users mailing list