Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What lib or software to sign and verify blindly?

I recently heard of blind signatures. I saw the wikipedia article on how they work but don't feel like implementing it. What libraries (preferably compatible with linux and windows) may I use to implement blind signatures and verifying the file is signed?

I tried looking at openssl man pages but I don't think it supports blind signatures http://www.openssl.org/docs/apps/dgst.html

I can implement my app in either C++ or .NET and have no issues spawning process and parsing their outputs however a lib would be preferred over software.

like image 721
Nick wheatley Avatar asked Nov 25 '22 23:11

Nick wheatley


1 Answers

I can implement my app in either C++ or .NET ... What lib or software to sign and verify blindly?

Here's a Crypto++ based answer. Crypto++ is a class library of cryptographic schemes written by Wei Dai. The example was taken from Raw RSA | Blind Signatures on the wiki.

Jack Lloyd's Botan, which is a C++11 crypto and TLS library, may have native blind signature support.

Crypto++ lacks blind signature classes. The method below follows the basic algorithm as detailed at Blind Signatures. However, it differs from Wikipedia by applying the s(s'(x)) = x cross-check. The cross-check was present in Chaum's original paper, but it is missing from the wiki article. A second difference from Chaum's paper and wikipedia is, the code below uses H(m) rather than m. That's due to Rabin in 1979.

You may want to apply a padding function first per Usability of padding scheme in blinded RSA signature? or RSA blind signatures in practice. Also see Is there a standard padding/format for RSA Blind Signatures?


#include "cryptlib.h"
#include "integer.h"
#include "nbtheory.h"
#include "osrng.h"
#include "rsa.h"
#include "sha.h"
using namespace CryptoPP;

#include <iostream>
#include <stdexcept>
using std::cout;
using std::endl;
using std::runtime_error;

int main(int argc, char* argv[])
{
    // Bob artificially small key pair
    AutoSeededRandomPool prng;
    RSA::PrivateKey privKey;

    privKey.GenerateRandomWithKeySize(prng, 64);
    RSA::PublicKey pubKey(privKey);

    // Convenience
    const Integer& n = pubKey.GetModulus();
    const Integer& e = pubKey.GetPublicExponent();
    const Integer& d = privKey.GetPrivateExponent();

    // Print params
    cout << "Pub mod: " << std::hex << pubKey.GetModulus() << endl;
    cout << "Pub exp: " << std::hex << e << endl;
    cout << "Priv mod: " << std::hex << privKey.GetModulus() << endl;
    cout << "Priv exp: " << std::hex << d << endl;

    // For sizing the hashed message buffer. This should be SHA256 size.
    const size_t SIG_SIZE = UnsignedMin(SHA256::BLOCKSIZE, n.ByteCount());

    // Scratch
    SecByteBlock buff1, buff2, buff3;

    // Alice original message to be signed by Bob
    SecByteBlock orig((const byte*)"secret", 6);
    Integer m(orig.data(), orig.size());
    cout << "Message: " << std::hex << m << endl;

    // Hash message per Rabin (1979)
    buff1.resize(SIG_SIZE);
    SHA256 hash1;
    hash1.CalculateTruncatedDigest(buff1, buff1.size(), orig, orig.size());

    // H(m) as Integer
    Integer hm(buff1.data(), buff1.size());
    cout << "H(m): " << std::hex << hm << endl;

    // Alice blinding
    Integer r;
    do {
        r.Randomize(prng, Integer::One(), n - Integer::One());
    } while (!RelativelyPrime(r, n));

    // Blinding factor
    Integer b = a_exp_b_mod_c(r, e, n);
    cout << "Random: " << std::hex << b << endl;

    // Alice blinded message
    Integer mm = a_times_b_mod_c(hm, b, n);
    cout << "Blind msg: " << std::hex << mm << endl;

    // Bob sign
    Integer ss = privKey.CalculateInverse(prng, mm);
    cout << "Blind sign: " << ss << endl;

    // Alice checks s(s'(x)) = x. This is from Chaum's paper
    Integer c = pubKey.ApplyFunction(ss);
    cout << "Check sign: " << c << endl;
    if (c != mm)
        throw runtime_error("Alice cross-check failed");

    // Alice remove blinding
    Integer s = a_times_b_mod_c(ss, r.InverseMod(n), n);
    cout << "Unblind sign: " << s << endl;

    // Eve verifies
    Integer v = pubKey.ApplyFunction(s);    
    cout << "Verify: " << std::hex << v << endl;

    // Convert to a string
    size_t req = v.MinEncodedSize();
    buff2.resize(req);
    v.Encode(&buff2[0], buff2.size());

    // Hash message per Rabin (1979)
    buff3.resize(SIG_SIZE);
    SHA256 hash2;
    hash2.CalculateTruncatedDigest(buff3, buff3.size(), orig, orig.size());

    // Constant time compare
    bool equal = buff2.size() == buff3.size() && VerifyBufsEqual(
        buff2.data(), buff3.data(), buff3.size());

    if (!equal)
        throw runtime_error("Eve verified failed");

    cout << "Verified signature" << endl;

    return 0;
}

Here is the result of building and running the program:

$ g++ blind.cxx ./libcryptopp.a -o blind.exe
$ ./blind.exe
Pub mod: bbf62585f8486acbh
Pub exp: 11h
Priv mod: bbf62585f8486acbh
Priv exp: 31c1280c6bb08635h
Message: 736563726574h
H(m): 2bb80d537b1da3e3h
Random: 7db0ecdb0a09fad5h
Blinded msg: a8bf62a25b7b4b53h
Blind sign: 2646ab6b9d5b48dfh
Check sign: a8bf62a25b7b4b53h
Unblind sign: 418d211b9cbb2d00h
Verify: 2bb80d537b1da3e3h
Verified signature
like image 172
jww Avatar answered Nov 27 '22 13:11

jww