[cryptography] enabling blind signatures in GPG

Steve Weis steveweis at gmail.com
Thu Aug 22 21:59:31 EDT 2013


The one caveat I'd offer is that there have been many similar voting or
e-cash proposals based on blind signatures going back to David Chaum in
1982. I'm not aware of any that have gotten traction. The blinding part is
easy. The hard part is getting any adoption.

Regardless, there are some anonymous credential projects with large backers
which may be of interest:

- Intel is baking Enhanced Privacy ID support into upcoming processors. CPU
packages will have unique key material that will be used to anonymously or
pseudonymously authenticate a hardware device:
http://csrc.nist.gov/groups/ST/PEC2011/presentations2011/brickell.pdf

- Microsoft's U-Prove, which is based on Stefan Brands' Credentica work,
published a lot of material in April 2013:
http://research.microsoft.com/en-us/projects/u-prove/

There is a related book by Brands available for download here:
http://www.credentica.com/the_mit_pressbook.html

- IBM's Idemix looked promising a few years ago, but seems to have
stagnated:
http://www.zurich.ibm.com/security/idemix/

Source code here:
https://prime.inf.tu-dresden.de/idemix/




On Thu, Aug 22, 2013 at 3:37 PM, Jake <jake at spaz.org> wrote:

> Hi Jim and Alex,
>
> Thanks for your help.  I am pretty overwhelmed by this stuff because I am
> not a cryptographer (although I am a coder) but I am very determined to do
> this.  So I am in over my head, but I have to keep going.
>
> My main focus is to be able to implement blinding for signatures using an
> openPGP implementation (something open-source, which means GnuPG)
>
> But when I say "signature" I DON'T mean the type of signature you do when
> you sign someone's public key.  I mean like when you sign a textfile or a
> binary blob.  As for revocation, I plan to have the CR (central registrar)
> "sign" peoples pubkeys using a key set to expire 12 months hence.  So there
> will be twelve pubkeys in use by the CR at any given time.
>
> If someone loses their private key and is concerned that someone is using
> it to "vote" in their name, they can simply post a revocation signed with
> their pubkey (and accompanied by their endorsement) saying "revoked" and
> anyone doing a tally of signed screeds will blacklist their pubkey.  But
> they won't be able to participate in the system until 12 months after their
> last signing by the CR, because their realname is crossed off the list for
> that time.  The CR only tracks realnames, not pubkeys.
>
> But to enforce anonymity from an evil CR, the voter will "blind" their
> pubkey into an unreadable blob before having the CR put a signature around
> it.  The CR will do this with RSA with no padding, so that the voter can
> take the result and "unblind" it into what looks like a signature of their
> pubkey (even though the CR never saw their pubkey).  Apologies if this is
> already obvious to you.
>
> My highest priority is making this system understandable by as many people
> as possible, which will be a huge challenge.  Eventually there will be an
> iPhone app and a JavaScript page (I know) and people will be able to use it
> no matter how simple they are.  So I definitely need to start with
> something I personally can understand.
>
> Another very important feature of this system is that there is only one
> point of centralization:  the central registrar (CR).  Their job is to see
> the person's credentials (an ID or proof of residence or whatever proves
> they are a member of the set in question), sign (with unpadded RSA)
> whatever the person presents, and record the date and fact of this signing
> in a publicly accessible record.  And publish their pubkeys (one for each
> month, each expiring 12 months hence).
>
> All other aspects of the system are decentralized.  Each enrolled person
> can post their opinions signed with their (signed) pubkey anywhere on the
> net they want.  Anyone can crawl and tally these opinions, and verify all
> signatures independently, traceable to the CR's pubkeys.
>
> The point of this is to make it so that a population (whether defined by a
> geographical area, or a voting district, or a cultural enclave,
> neighborhood, bolo, or entire nation) can choose a central registrar
> (trusted with a simple and mostly verifiable task) to enable an unmediated
> discussion between members.  If members stick to a machine-parseable format
> (copy tweet-length statements that they agree with, and are or will be
> trending), it will be possible for anyone to take a snapshot of opinion,
> guaranteeing accuracy of sentiment and one-person one-vote.
>
> I have everything figured out except the blinding.  I am glad to give more
> detail to anyone interested but I can't do anything until I get blinding
> working because it's essential to the anonymity of participants.
>
> Thank you for any help you can give,
>
>
> -jake
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
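The blind/sign/unblind round trip Jake describes (voter blinds a value, the registrar applies raw unpadded RSA to the blob, the voter unblinds the result into an ordinary signature that anyone can check against the registrar's public key) is Chaum's RSA blind signature. The following is an added worked example written for this page; it is not code from the thread, from GnuPG or from any of the projects Steve lists, and it runs in plain Python rather than through GnuPG. The registrar key is constructed from two Mersenne primes purely so the example runs offline (a real key would be generated normally), and the `voter-key-v1|` domain prefix is an assumption of this example, not something the thread specifies.

```python
"""Chaum-style RSA blind signature, in the shape the quoted message describes:
the voter blinds a hash of their public key, the registrar (CR) applies raw
RSA to the blob it is handed, and the voter unblinds the result into a
signature that verifies against the registrar's public key."""
import hashlib
import math
import secrets

# Constructed demo key: two Mersenne primes chosen only so the example runs
# offline without a key generator. A real registrar would generate its key
# normally; this modulus is in no sense secure.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def key_to_int(pubkey):
    """Hash of the voter's public key, as the integer the registrar will sign.
    Hashing first keeps the value below N and means the registrar's raw RSA
    is only ever applied to a digest (with a domain prefix, an assumption of
    this example) rather than to an arbitrary caller-chosen integer."""
    m = int.from_bytes(hashlib.sha256(b"voter-key-v1|" + pubkey).digest(), "big")
    assert m < N
    return m


def blind(m):
    """Voter side: pick a random blinding factor r invertible mod N and
    return (m * r^e mod N, r). Only the first value goes to the registrar."""
    while True:
        r = secrets.randbelow(N - 2) + 2  # r in [2, N-1]
        if math.gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r


def registrar_sign_raw(blinded):
    """Registrar side: textbook (unpadded) RSA on whatever it was handed.
    Because there is no padding, the registrar sees only the blinded blob."""
    return pow(blinded, D, N)


def unblind(blinded_sig, r):
    """Voter side: (m * r^e)^d = m^d * r, so dividing out r leaves m^d mod N."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(pubkey, sig):
    """Anyone tallying: sig^e mod N must equal the hash of the voter's key."""
    return pow(sig, E, N) == key_to_int(pubkey)


def run_protocol(pubkey):
    """Run one enrolment and return the intermediate values for inspection."""
    m = key_to_int(pubkey)
    blinded, r = blind(m)
    blinded_sig = registrar_sign_raw(blinded)
    sig = unblind(blinded_sig, r)
    return {
        "m": m,
        "blinded": blinded,          # all the registrar ever sees
        "sig": sig,
        "direct_sig": pow(m, D, N),  # what signing m openly would have produced
        "valid": verify(pubkey, sig),
    }


if __name__ == "__main__":
    # Constructed stand-in for an exported OpenPGP public key block.
    out = run_protocol(b"-----BEGIN PGP PUBLIC KEY BLOCK----- (constructed)")
    print("registrar saw the real key hash:", out["blinded"] == out["m"])
    print("signature verifies:", out["valid"])
    print("identical to an unblinded signature:", out["sig"] == out["direct_sig"])
```

Two properties worth noticing when running it: the unblinded signature is bit-for-bit the same value the registrar would have produced by signing the key hash directly, which is why verifiers need nothing beyond the registrar's ordinary public key, and the blinded value the registrar logs is unrelated to the key hash, which is what keeps the registrar from linking an enrolment to a later posting. The design choice that matters for a deployment is that a registrar applying raw RSA to arbitrary input is a signing oracle for any integer below N, so the only thing it should ever sign is a blinded hash; hashing the key before blinding, as done here, is the conventional way to pin that down.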