Score:0

RSA Blind Signatures Secure Implementation

in flag

note: I am not a crpytographer

I want to check if my RSA Blind Signatures Implementation is secure to be used in a production-stage application and I also have some questions which I would be so grateful to be answered.
I did a lot of research in the last few days and came out with this:

Signature Issuing Stage

  1. Get the public key; exponent $e$, modulus $n$
  2. Generate a random number $r$ that is less than and relatively prime to the modulus $n$
  3. Calculate the hash of the private token $m$
  4. Calculate the blinded message $ M = h(m).(r^emod$ $n) $
  5. Send the blinded message to the server that will return the blinded signature $S = M^d mod $ $n$, where $d$ is the private exponent
  6. Calculate the unblinded signature $s = S.r^{-1}$

If I am correct, this will end up with a private token $m$ and its valid signature $s$

Question 1: How to multiply $h(m)$ and $r^emod$ $n$ ? Won't be the result greater than $n$ ?
Question 2: Can I just use any hash algorithm on $m$ like SHA-256 ?
Question 3: The server won't hash or pad the blinded message before signing it, Is that right and safe ?

Signature Verifing Stage

  1. The client sends its private token $m$ and its signature $s$
  2. The server will check the signature $s^e = h(m)$ $mod$ $n$

Question 4: How to implement a padding scheme to prevent signatures from being faked due to the homomorphic property of RSA ?
Question 5: Is this implementation vulnerable to any attacks ? Are there any improvements ?

fgrieu avatar
ng flag
The equation for $M$ is $ M = h(m).(r^emod$ $n) $ in the question. With good typography I think this gives $M=h(m)\cdot(r^e\bmod n)$. But is that correct? Isn't it $M=h(m)\cdot r^e\bmod n$ ? This can be computed as $M=(h(m)\cdot (r^e\bmod n))\bmod n$. Also, I'm pretty sure it's meant $s = S\cdot r^{-1}\bmod n$ where there is $s = S.r^{-1}$, and the correct typography is $S=M^d\bmod n$.
Score:2
my flag

note: I am not a cryptographer

I want to check if my RSA Blind Signatures Implementation is secure to be used in a production-stage application and I also have some questions which I would be so grateful to be answered.

Sorry, but when I hear questions like this, it sounds like:

I am not a surgeon, but I want to perform some heart surgery. I've done a lot of research for a few days, and I want to make sure I understand the basics before I get started...

Ok, I'd not that bad, but it sounds somewhat similar (and if it really is for a 'production-stage application', it might not be all that far off. At the very least, if you get your heart surgery wrong, you'll know right then it didn't work...

With that off my chest, here are some answers:

Question 1: How to multiply $h(m)$ and $r^e \bmod n$ ? Won't be the result greater than $n$ ?

Actually, you multiply them modulo $n$.

Question 2: Can I just use any hash algorithm on m like SHA-256 ? Question 4: How to implement a padding scheme to prevent signatures from being faked due to the homomorphic property of RSA ?

I'm taking these two questions together because they have the same answer. What $h$ needs to be is not the straight SHA-256, but instead one where you perform a hash (such as SHA-256) and then pad the result, using perhaps PKCS 1.5 SSA or PSS (depending on what the verifier would expect).

Question 3: The server won't hash or pad the blinded message before signing it, Is that right and safe ?

In this case, it is right and safe - if the server did either hash or pad the message, it'd mess things up. Remember, you did the hashing/padding in step 4.

On the other hand (to get back to my original comments), if you needed to ask these questions, you might not be ready to implement this yourself...

Mohamed Waleed avatar
in flag
Thanks for your answer, I didn't want to implement this myself, as I am not a cryptographer, but I didn't find any implementation that will be safe to use. So I asked about the implementation details, then I will write the code to perform it. I want to make sure of a last thing: To check if a signature is padded correctly I will try to pad the original message and check if the results are equal (like checking the hash of a message). i.e. pad(m) = s. Is that right ?
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.