[cryptography] enabling blind signatures in GPG

Jake jake at spaz.org
Wed Aug 21 17:22:17 EDT 2013

thank you Steve for the link to your work!

I really like the idea you had and i hope it catches on, people need 
something like that.  But I don't think they realize it yet, and the ones 
who do have other ways to achieve it.

My focus is very specific though.  I want to use openPGP to do the 
blinding and blind-signing and unblinding, so that the entire system I 
want to create can be based off of a familiar and trusted suite of tools.

Does anyone have experience with the GPG source tree who might be able to 
help expose the blinding routines to the user?  I'm scared to start from 


On Sun, 18 Aug 2013, Steve Weis wrote:

> Hi Jake. This is not GPG-related, but I worked on an OpenID-based private federated login system called PseudoID that used blind
> signatures. Basically, an identity provider will check your real identity, then issue you a blindly-signed token which you can
> then later use to log in pseudo-anonymously to an OpenID consumer. The consumer and provider can't latter correlate your real
> identity with that login.
> This was a summer project from an intern at the time and should be considered a proof-of-concept. It does the unblinding crypto
> in server-delivered Javascript so is not secure as-is. Do not use for anything in practice.
> Here's the paper:
> http://saweis.net/pdfs/pseudoid-pets2010.pdf
> Here's the source:
> https://code.google.com/p/pseudoid/
> Here's a demo video:
> https://www.youtube.com/watch?feature=player_embedded&v=fCBPuGsO_I4
> Here's a site that was the private ID provider demo:
> http://private-idp.appspot.com/
> Here was the blind-signer demo, which is broken since we accidentally let the pseudoid.net domain lapse:
> http://blind-signer.appspot.com/
> On Sun, Aug 18, 2013 at 1:08 AM, Jake <jake at spaz.org> wrote:
>       Hello everybody,
>       I am trying to form an anonymous opining sytem based on a single Registrar, whose signatures deify users' public keys
>       with the mark of a Participant.  But to protect the users from an evil registrar, blinding must be used.
>       I have been told that blinding is already implemented internally to deter timing-based attacks, so this would be a
>       matter of implementing a command-line option to blind a blob and save the blinding salts.
>       I am not a cryptographer so I can only repeat what i've heard on this.
>       http://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures.5B2.5D:235
>       Basically, a Participant generates a key pair (only for use in opining, not with their real identity) and wants to be
>       able to prove, in public signed cleartext postings, that their public key has been signed by the Registar as an
>       endorsement of Participation.  But they don't want the Registrar to see their public key and correlate it with their
>       real identity (their proof of eligibility for participation) because that would compromise their anonymity.
>       So the Participant "blinds" their public key, presents that blob to the Registrar (along with their real identity)
>       and receives the Registrar's signature of the blob.  Then they take the blob home, and unblind it, revealing a
>       perfect Registrar's signature of their public key.
>       Please write if you can help me make this happen.  I believe that the system i'm trying to create could have a very
>       positive effect on democracy in the world, and hopefully make politicians into simple clerks whose job is simply to
>       count the opinions and follow the will of the people.
>       take care,
>       -jake
>       _______________________________________________
>       cryptography mailing list
>       cryptography at randombit.net
>       http://lists.randombit.net/mailman/listinfo/cryptography

More information about the cryptography mailing list