Python PyCrypto RSA Blind and Unblind

Question

I am trying to perform blinding and unblinding on a hash.

Following: https://gdata-python-client.googlecode.com/hg/pydocs/gdata.Crypto.PublicKey.RSA.html#RSAobj_c-unblind

I have:

messageHashed = md5.new('MyMessage').digest()
print 'Message MD5:%s' % messageHashed
blindSigned = loadedPublic.blind(messageHashed,123)
print 'Blinded: %s' % blindSigned
blindSigned = loadedPrivate.sign(blindSigned,loadedPrivate.n)
print 'Blinded Signed: %s' % str(blindSigned)

unblind = loadedPrivate.unblind(blindSigned,123)
print '-------------'
print 'Unblinded: %s' % unblind
verify = loadedPrivate.verify(unblind,(loadedPrivate.n,loadedPrivate.d))
print 'Verify: %s' % verify

(I have previously loaded the public and private key and thats working fine)

Now, my issue is, when it runs, I get this output:

M<ssage MD5:?.Z?3??f2??
Blinded: ?YL⽥p??j+Z<I?vxV??{5??
??>[??? ??r?"l
??d?ڸYC????k?U?Q?????C?0?D??*T8?}?P?9~$??'?p??ZR:2? sh͓l??kXvU??d]???$?c聻?b??@?
Blinded Signed: (122872721681409041185513323026772702402844983846953530757782619983060590754290923453963299094289086410649560247540686534912830758097386690290305557644701999751846538319065094741731992734124277081554060855405114566548615303949954231396930615801829673187895538075706631646002356108979884582511973944741160960028L,)
Traceback (most recent call last):
  File "NewClient.py", line 103, in <module>
    unblind = loadedPrivate.unblind(blindSigned,123)
  File "build/bdist.macosx-10.8-intel/egg/Crypto/PublicKey/pubkey.py", line 165, in unblind
  File "build/bdist.macosx-10.8-intel/egg/Crypto/PublicKey/RSA.py", line 247, in _unblind
    object = RSAobj
  File "build/bdist.macosx-10.8-intel/egg/Crypto/PublicKey/_slowmath.py", line 47, in _unblind
OverflowError: cannot fit 'long' into an index-sized integer

Even though the unblind function is documented as follows:

unblind(self, M, B)
unblind(M : string|long, B : string|long) : string|long
Unblind message M using blinding factor B.

It does not seem to accept it.

Can anybody point me in the right direction? I have been at this for hours.

Answer 1

Two things stand out as I'm trying to replicate your issue:

• On my version of Crypto (2.4.1), the _RSAobj.blind() and _RSAobj.unblind() calls appear to enforce type (i.e. you're required to provide a long or string, ints don't work). A long constant is denoted by adding a L to the end of the numerical value (e.g. 9001L).
• The _RSAobj.sign() function returns a tuple. The signature ends up in element 0 of the return value.

So your code really looks like this:

messageHashed = md5.new('MyMessage').digest()
print 'Message MD5:%s' % messageHashed
blindSigned = loadedPublic.blind(messageHashed,123L)
print 'Blinded: %s' % blindSigned
blindSigned = loadedPrivate.sign(blindSigned,loadedPrivate.n)[0]
print 'Blinded Signed: %s' % str(blindSigned)

unblind = loadedPublic.unblind(blindSigned,123L)
print '-------------'
print 'Unblinded: %s' % unblind
verify = loadedPublic.verify(unblind,(loadedPrivate.n,loadedPrivate.d))
print 'Verify: %s' % verify

This code runs, but probably doesn't do what you really want it to do; in particular verify will always end up being False.

What you have after unblinding is the valid RSA signature of messageHashed using the p, and _RSAobj.verify(self, M, signature) is the correct function signature (with signature required to be a 2-tuple, the 0th element of which is the actual RSA signature). So if you have

verify = loadedPublic.verify(messageHashed, (unblind,))

that will work as advertised (i.e. verify should end up being True).