donau

Donation authority for GNU Taler (experimental)
Log | Files | Refs | Submodules | README | LICENSE

blindsign.tex (3271B)

      1 \section{Blind Signatures}\label{blind_signatures}
      2 One important cryptographic scheme used by the Donau is the blind signature
      3 scheme. It is an extension of digital signatures which provides, besides
      4 authenticity and non-repudiation, privacy by allowing a user to obtain a
      5 signature for a message, without revealing the contents of the message to the
      6 signer. All cryptographic elements used by the Donau where provided by the GNU
      7 Taler libraries. Blind signatures are slightly slower than the normal
      8 signatures, this does not result in a performance issue as this project on GNU
      9 Taler shows: \cite{taler-cs}.
     10 
     11 This section only provides an overview of blinded signatures. Detailed
     12 information about blinded signatures can be found at
     13 \url{https://taler.net/papers/cs-thesis.pdf}. Blinded signatures are the key
     14 elements to reach privacy for the donor (see section
     15 \ref{issuing_donation_receipts}). With blinded signatures a blinded
     16 unrecognizable message was signed. Only the creator of the blinded message is
     17 able to unblind the signature and therefore to receive a valid signature for
     18 the unblinded message. The Donau system uses blinded signatures to bind the
     19 identity to a donation receipt while hiding the identity of the donor. As a
     20 result of the property of blindness, the blind signer (in this case the Donau)
     21 is not able to link the clear-text message with the made blind signature
     22 or the blind signature with the unblind signature \cite[p.12]{cryptoeprint:2019/877}.
     23 
     24 There are multiple blind signature schemes. The Donau distinguishes
     25 the following two equivalent blind signature schemes:
     26 
     27 \subsection{RSA}\label{rsa}
     28 Concrete the RSA-FDH blind signatures are used. Before blinding, to eliminate
     29 certain attacks, a Full-Domain Hash (FDH) is applied on the message.
     30 Full-Domain means the hash has the same size as the RSA modulus. The blind
     31 signature scheme is similar to the normal RSA signature scheme. In addition to
     32 the normal scheme, the message is blinded with a private and random value.
     33 Practically the length of the modulus and therefore for the key size, signature
     34 size and the security level is variable. The scheme only has one round trip.\cite{nigelcrypto:2016}
     35 
     36 \subsection{Clause Schnorr (CS)}\label{cs}
     37 The Clause Schnorr Signature Scheme differs from the RSA scheme. Initially the
     38 blinder needs two random values from the signer party. One random value from
     39 the signer and two random private values are required to blind the message
     40 once. This process is repeated and the two blinded messages are sent to the
     41 signer, who randomly selects a blinded message for blinding. Two blinded
     42 messages are needed to prevent an certain type of attack. In comparison to the
     43 RSA scheme, the Clause Schnorr Scheme needs an additional round trip to get the
     44 initial nonces from the signer. However, the individual crypto operations are so
     45 much faster than the operations from the RSA scheme that the additional round
     46 trip is no longer significant.\cite{DemHeuz2022}
     47 
     48 Because Clause Schnorr signatures are based on elliptic curves, smaller keys
     49 can be used. GNU Taler supports one fixed 256 bit key size, which provides an
     50 security level of 128 bits. The exact processes of this signature scheme do not
     51 need to be understood in order to understand this thesis.
     52