1993-08-26 - Re: blinding message & newbie questions

Header Data

From: Karl Lui Barrus <klbarrus@owlnet.rice.edu>
To: cypherpunks@toad.com
Message Hash: 7dd18aeaffd425fa2abbf582c56e9b26da18afe62bd8604592e460e0dee6ef9d
Message ID: <9308261719.AA16210@elf.owlnet.rice.edu>
Reply To: N/A
UTC Datetime: 1993-08-26 17:22:30 UTC
Raw Date: Thu, 26 Aug 93 10:22:30 PDT

Raw message

From: Karl Lui Barrus <klbarrus@owlnet.rice.edu>
Date: Thu, 26 Aug 93 10:22:30 PDT
To: cypherpunks@toad.com
Subject: Re: blinding message & newbie questions
Message-ID: <9308261719.AA16210@elf.owlnet.rice.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

[I think I messed up when I responded originally ... KLB]

Sure, I'll take questions :-)  I may be a little slow in responding at
the moment.

>> Conceptually, when you blind a message, nobody else can read it. 
>So "blinding" is a synonym for encryption with your own public
>key, aka multiplication by a very-hard-to-factor number?

Not exactly.  Blinding/Unblinding is multiplication;
Encryption/Decryption is exponentiation.

While I can unblind a document without knowing phi(n), I cannot
decrypt a message without knowing phi(n).  Knowing phi(n) is
equivalent to knowing how n factors, so this is intractable.

phi(n) = Euler totient function.  

>> under the right circumstances if another 
>> party digitally signs a blinded message, the unblinded message will 
>> contain a valid digital signature.
>In other words if Alice encrypts and Bob signs, Da(Db(Ea(M))) = Db(M)?  
>Under what conditions?  Does RSA (in PGP) satisfy those conditions?

The conditions are usually satisfied.  Offhand, the only one I can
think of is that x and n must be relatively prime, otherwise there is
no inverse of x mod n.

With really huge numbers, the chances of guessing x such that 
gcd(x,n) != 1 are very small.  If this does happen, then you've
guessed x such that x is a multiple of one of the factors of n!  Time
for somebody to pick a new p,q, and n :-)

As far as PGP, I think the only messages PGP produces are exponentiated.
I mean, PGP doesn't produces messages obscured only by a muliplication
factor; the ascii snow messages PGP generates are encrypted, signed,
compressed, or all of the above.

So this doesn't arise.

>> If someone asks
>> you to digitally sign a random stream of symbols, remember that what you
>> sign may be unblinded to reveal a contract, etc. 
>For what applications would Bob want to sign an encrypted contract
>instead of a plaintext?

Let me get back on this.  I beleive the general name these sorts of
protocols go under is "embassy protocols".

They are useful in things such a digital cash: blind a message, and
get the bank to sign it.  Then unblind and you have a valid, digitally
signed piece of cash.  The bank is unable to track it since it
couldn't read it (message was blinded when the bank signed), but the
bank can verify that the cash is digitally signed by them.

It also arises in automatic protocols: say in computer security.  If
the computer sends a challenge string which you decrypt and send back,
the computer can encrypt with your public key to verify you.  If the
challenge string is random, you may have unwittingly digitally signed
a blinded document that is not in your favor...

The cut-and-choose protocol allows a person to sign a blinded document
and be sure they aren't signing something else.  I'll get back on this
as well.

/--------------------------------------------------\
| Karl L. Barrus                                   |
| klbarrus@owlnet.rice.edu                         |
| D1 59 9D 48 72 E9 19 D5  3D F3 93 7E 81 B5 CC 32 |
\--------------------------------------------------/






-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLHzwP4OA7OpLWtYzAQEyuQP/Vrc5tB5TfbDc0/FRWN9uALdSZk/JZNwX
UYmFfKHQzhYdqJkoOrDE+MMHbJaGuZkuSnYUbIEAFvos6SRPI9doRAvyWnKjQKfp
9h04BMGrB3IoHPBqK59CbH+jNtNc3hYgWw4zSpaFo3+1aEPM+WUHQ2plO2KjJSJg
2M272Y2Y3IE=
=tHuX
-----END PGP SIGNATURE-----





Thread