note: I am not a cryptographer
I want to check if my RSA Blind Signatures Implementation is secure to be used in a production-stage application and I also have some questions which I would be so grateful to be answered.
Sorry, but when I hear questions like this, it sounds like:
I am not a surgeon, but I want to perform some heart surgery. I've done a lot of research for a few days, and I want to make sure I understand the basics before I get started...
Ok, I'd not that bad, but it sounds somewhat similar (and if it really is for a 'production-stage application', it might not be all that far off. At the very least, if you get your heart surgery wrong, you'll know right then it didn't work...
With that off my chest, here are some answers:
Question 1: How to multiply $h(m)$ and $r^e \bmod n$ ? Won't be the result greater than $n$ ?
Actually, you multiply them modulo $n$.
Question 2: Can I just use any hash algorithm on m like SHA-256 ?
Question 4: How to implement a padding scheme to prevent signatures from being faked due to the homomorphic property of RSA ?
I'm taking these two questions together because they have the same answer. What $h$ needs to be is not the straight SHA-256, but instead one where you perform a hash (such as SHA-256) and then pad the result, using perhaps PKCS 1.5 SSA or PSS (depending on what the verifier would expect).
Question 3: The server won't hash or pad the blinded message before signing it, Is that right and safe ?
In this case, it is right and safe - if the server did either hash or pad the message, it'd mess things up. Remember, you did the hashing/padding in step 4.
On the other hand (to get back to my original comments), if you needed to ask these questions, you might not be ready to implement this yourself...