Are (EC) DSA blind signatures possible?

I’ve been searching for a way to create blind ECDSA signatures.
My research and experimentation has led me to believe that this is not possible.

I’ve been attempting to articulate why and I think that it is because it is not possible to apply a transformation to the message in a way which can be reversed whilst retaining a valid signature. The message and signature cannot be transformed as required because the ephemeral key is not known by the recipient, and if the key were known then the long term signing key could be determined. An ECDSA signature only permits validating that the signature was formed from the message and the private key corresponding to the expected public key.

I would like to confirm whether there are any known ECDSA blind signature schemes? I suppose publication bias might prevent this from appearing in the literature.

More generally are there any known ECDSA variants such as proxy signatures? My research has led me to the conclusion that it’s functionality is entirely constrained to yielding a standard signature scheme.

Cryptography Asked on December 27, 2020

2 Answers

2 Answers

A paper( in Asiaccs 2019 seems to have constructed one. But it did not give a security proof. Not sure if it is secure. Hope it can help you.

Answered by user77340 on December 27, 2020

I am not aware of any existing scheme allowing this easily (excepted for PureEdDSA maybe, but I wouldn't classify it as an ECDSA variant).

However I do not believe this is impossible. So let's try to do this for ECDSA:

We have a message $m$ whose hashed value $H(m)$ is converted into an integer $z$ which gets signed into the signature $(r,s)$ by the signer.

Now the verifier will basically rely on $$begin{aligned} C&=u_1times G+u_2times Q\ &=u_1 times G +u_2d times G\ &=(u_1+u_2 d)times G \ &=(zs^{-1}+rds^{-1})times G \ &=(z+rds)color{red}{s^{-1}}times G \ &=(z+rd)color{red}{(z+rd)^{-1}(k^{-1})^{-1}}times G \ &=ktimes G end{aligned}$$ And will say that it verifies iff $C_x==r$ And as you can see, if you can change $r,s,z$ then you can force a coefficient in the latest line to cancel "almost out", by taking $bs,abr,abz$ instead and would end up with $$(abz+abrd)color{red}{b^{-1}(z+rd)^{-1}(k^{-1})^{-1}}times G \ = aktimes G $$

Now the difficult part is to find out if it is possible to get $a,b,m'$ such that $H(m')$, once converted into $z'$ is such that $z'=abz$ and such that $(aktimes G)_x equiv abrmod n$...

I do not see why this couldn't be possible, being given so much slack on the variables... But since I don't have time right now to actually try it out, I'll try to do it later or another day and will edit this answer accordingly.

Answered by Lery on December 27, 2020

Add your own answers!

Related Questions

Would Triple DES-X with 7 keys be much slower than standard Triple DES?

1  Asked on October 24, 2021 by abercrombie-dorfen


Can someone help me understand this?

1  Asked on October 24, 2021 by user80873


Modulo hashing scheme

0  Asked on October 24, 2021


AES/ECB vs AES/CBC for <16 bytes

1  Asked on October 24, 2021 by andriy-gerasika


Pollard Rho Optimization

0  Asked on October 24, 2021


Proof of the Diffie-Hellman Key Exchange

1  Asked on March 7, 2021 by mppub


Ask a Question

Get help from others!

© 2022 All rights reserved.