What does "blinding" mean in cryptography, and where do we usually use it? Can you describe a sample implementation?
1 Answer
As @CodesInChaos explains:
It might refer to blind signatures.
It also might refer to a method to harden (typically) RSA implementations against timing/side-channel attacks, by blinding the data before operating on it.
Example: suppose you are writing code to decrypt data, i.e., to compute $y=x^d \bmod n$, given the input $x$. The naive way to do this is just to compute $x^d \bmod n$; but it turns out this can be vulnerable to timing and other side-channel attacks. One defense is to blind the data before raising it to the $d$th power. In more detail, pick a random number $r$; compute $s=r^e \bmod n$; compute $X=xs \bmod n$ and then $Y=X^d \bmod n$ and then $y=Y/r \bmod n$. You can notice that $Y/r=X^d/r=(xs)^d/r = x^d s^d/r = x^d r/r = x^d \bmod n$, which is what we wanted to compute. However, this process makes it hard for an attacker to learn anything about $d$ using a timing attack, because the exponentiation process works on a random value $X$ that's not known to the attacker, rather than on the known value $x$.
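The blinding steps from the answer above, written out in Python as an added example (this is not code from the answer's author). The RSA parameters are constructed toy values, far too small for real use; the point is only to show that $y = Y \cdot r^{-1} \bmod n$ recovers $x^d \bmod n$ while the private exponentiation itself only ever touches the randomised $X$. It assumes Python 3.8+ for `pow(r, -1, n)`.

```python
import secrets
from math import gcd

# Constructed toy RSA key (assumption: 1000003 and 1000033 are prime, so this is
# a real, if tiny, RSA modulus). Never use parameters this small in practice.
P = 1000003
Q = 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent: e*d == 1 (mod phi(n))


def unblinded_decrypt(x, d=D, n=N):
    """Naive private operation: the modular exponentiation runs directly on the
    attacker-known input x, which is what a timing attack exploits."""
    return pow(x, d, n)


def pick_blinding_factor(e, n):
    """Fresh random r with gcd(r, n) == 1 and the matching s = r^e mod n.
    A new r must be drawn for every private operation, not reused."""
    while True:
        r = secrets.randbelow(n - 2) + 2      # 2 <= r < n
        if gcd(r, n) == 1:                    # r must be invertible mod n
            return r, pow(r, e, n)


def blind(x, s, n):
    """X = x * s mod n, the value the exponentiation actually sees."""
    return (x * s) % n


def unblind(Y, r, n):
    """y = Y * r^-1 mod n (the answer writes this as Y / r)."""
    return (Y * pow(r, -1, n)) % n


def blinded_decrypt(x, d=D, e=E, n=N, r=None):
    """Private operation hardened with base blinding.

    r may be passed explicitly only for testing; normally it is drawn fresh.
    Correctness: Y = X^d = x^d * s^d = x^d * r^(e*d) = x^d * r (mod n),
    so Y * r^-1 = x^d (mod n)."""
    if r is None:
        r, s = pick_blinding_factor(e, n)
    else:
        s = pow(r, e, n)
    X = blind(x, s, n)
    Y = pow(X, d, n)       # exponentiation on random-looking X, not on x
    return unblind(Y, r, n)


if __name__ == "__main__":
    msg = 123456789
    c = pow(msg, E, N)                        # public operation: c = m^e mod n
    print("naive  :", unblinded_decrypt(c) == msg)
    print("blinded:", blinded_decrypt(c) == msg)
```

Note that this only blinds the base; it does not by itself hide the Hamming weight or length of $d$, so real implementations combine it with a constant-time exponentiation ladder and often exponent blinding as well.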