[cryptography] enabling blind signatures in GPG

Steve Weis steveweis at gmail.com
Sun Aug 18 15:35:57 EDT 2013


Hi Jake. This is not GPG-related, but I worked on an OpenID-based private
federated login system called PseudoID that used blind signatures.
Basically, an identity provider will check your real identity, then issue
you a blindly-signed token which you can then later use to log in
pseudo-anonymously to an OpenID consumer. The consumer and provider can't
latter correlate your real identity with that login.

This was a summer project from an intern at the time and should be
considered a proof-of-concept. It does the unblinding crypto in
server-delivered Javascript so is not secure as-is. Do not use for anything
in practice.

Here's the paper:
http://saweis.net/pdfs/pseudoid-pets2010.pdf

Here's the source:
https://code.google.com/p/pseudoid/

Here's a demo video:
https://www.youtube.com/watch?feature=player_embedded&v=fCBPuGsO_I4

Here's a site that was the private ID provider demo:
http://private-idp.appspot.com/

Here was the blind-signer demo, which is broken since we accidentally let
the pseudoid.net domain lapse:
http://blind-signer.appspot.com/



On Sun, Aug 18, 2013 at 1:08 AM, Jake <jake at spaz.org> wrote:

> Hello everybody,
>
> I am trying to form an anonymous opining sytem based on a single
> Registrar, whose signatures deify users' public keys with the mark of a
> Participant.  But to protect the users from an evil registrar, blinding
> must be used.
>
> I have been told that blinding is already implemented internally to deter
> timing-based attacks, so this would be a matter of implementing a
> command-line option to blind a blob and save the blinding salts.
>
> I am not a cryptographer so I can only repeat what i've heard on this.
>
> http://en.wikipedia.org/wiki/**Blind_signature#Blind_RSA_**
> signatures.5B2.5D:235<http://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures.5B2.5D:235>
>
> Basically, a Participant generates a key pair (only for use in opining,
> not with their real identity) and wants to be able to prove, in public
> signed cleartext postings, that their public key has been signed by the
> Registar as an endorsement of Participation.  But they don't want the
> Registrar to see their public key and correlate it with their real identity
> (their proof of eligibility for participation) because that would
> compromise their anonymity.
>
> So the Participant "blinds" their public key, presents that blob to the
> Registrar (along with their real identity) and receives the Registrar's
> signature of the blob.  Then they take the blob home, and unblind it,
> revealing a perfect Registrar's signature of their public key.
>
> Please write if you can help me make this happen.  I believe that the
> system i'm trying to create could have a very positive effect on democracy
> in the world, and hopefully make politicians into simple clerks whose job
> is simply to count the opinions and follow the will of the people.
>
> take care,
> -jake
> ______________________________**_________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/**mailman/listinfo/cryptography<http://lists.randombit.net/mailman/listinfo/cryptography>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130818/179e87ca/attachment.html>


More information about the cryptography mailing list