A technique mainly employed in factorization-based cryptosystems to hide information. Blinding usually relies on a multiplicative homomorphic property of the cipher, and it may be used to realize blind signatures. It is also commonly used to protect cryptosystems such as RSA and Rabin-Williams against timing attacks.
Questions tagged [blinding]
42 questions
9
votes
1 answer
Details about ROS attack on blind Schnorr signatures
My question concerns the recently uploaded paper On the (in)security of ROS that describes an expected polynomial-time attack on the unforgeability of Schnorr blind signatures.
a) Does this mean that Schnorr blind signatures should not be used…
Panagiotis Grontas
9
votes
1 answer
What is "Blinding" used for in cryptography?
What does "blinding" mean in cryptography, and where do we usually use it? Can you describe a sample implementation?
tenfish
9
votes
1 answer
Deterministic RSA blinding
I have an implementation of the RSA private key operation in a context where I don't have access to an entropy source. I'd like to add blinding to it (both message and exponent), to make it resist some side channel attacks.
(The subsequent padding…
Gilles 'SO- stop being evil'
8
votes
1 answer
Blinding to mask private key operations
Blinding is often used to mask private key operations when the underlying problem is integer factorization. For example, it's used in both RSA and Rabin-Williams signature schemes. This presumes integer operations are not constant time.
I have two…
user10496
6
votes
1 answer
Intuition for Schnorr Blind Signatures
I was studying the blind Schnorr signatures in this paper (PDF), which says that the signer sends a commitment
$$r=g^{k}\bmod p$$
which the user blinds with 2 random elements $a,b$ to get
$$r'=r\cdot g^{-a}\cdot y^{-b}\bmod p$$
what is the intuition…
pd176
6
votes
2 answers
Data Leakage and Data Switching
I have two secret values $a$ and $b$ (i.e. they are arbitrary values). I mask them as follows:
$v_1=r_1a+r_2$
$v_2=r_1(b-a)$
where $r_1$ and $r_2$ are uniformly random values. I send $v_1$ and $v_2$ to a malicious server, and ask him to compute…
user153465
6
votes
0 answers
IND-CCA1 RSA padding?
I've found a way to complete a task which I'd solve with passwords or by sending keys over the wire (otherwise) by using RSA's homomorphic property.
I'm restricted to RSA (any padding; for hardware reasons) to implement "blindable decryption", where…
SEJPM
6
votes
1 answer
Double-and-add/Montgomery VS blinding
I'm having a hard time understanding why people use constant-time techniques to counter time-attacks, when blinding seems as good and cheaper to implement.
Why do people avoid blinding in ECC?
David 天宇 Wong
6
votes
2 answers
Blinding an ECDSA private key without learning the private key
I am looking at ways to blind an ECDSA signing key (and verification key respectively).
Looking at proposed solutions like the IETF KBSS draft, and the IETF ARKG draft it seems that the ECDSA key blinding requires a multiplicative blinding with a…
Peter Altmann
5
votes
3 answers
Is multiplicative blinding less secure than additive?
It's easy to see that additive blinding (e.g., $x+r$ for secret $x$ and random $r$) is perfectly secure in a finite field (this is a one-time-pad) and statistically secure for $r$ uniformly distributed in a domain sufficiently larger than $x$.
What I'm…
RevFlash
4
votes
1 answer
Are Blind Signatures Fundamentally Different From Signatures of Hashed Values?
I've been reading up on blind signatures and am trying to wrap my head around the concept - specifically in the context of anonymous blockchain transactions using vouchers. One particular issue I'm having with this is understanding what precisely a…
CoryG
4
votes
3 answers
Recovering a secret that has been blinded several times
I'm analyzing a protocol that, during one of the steps, sends a blinded secret. Let's denote the secret $x \in \mathbb Z_p^*$ (for $p$ prime) and the blinded secret $y$, so that $y = r\cdot x \bmod p$, where $r$ is a blinding factor randomly sampled…
cygnusv
4
votes
0 answers
Elliptic Curve Blind Signature Implementation
I have seen this prior post: Elliptic Curve based blind signature implementation
Currently I'm sizing up how difficult it would be to attain Elliptic Curve Blind signatures for an application I'm working on.
I did see this posting from @DrLecter…
Joshua Zeidner
3
votes
1 answer
Does blinding protect against fault injection attack against RSA with CRT
I know that blinding can be used as a countermeasure against side-channel timing attacks on RSA-CRT:
RSA Timing Attack and Prevention through blinding
My question is: can blinding also be used as a countermeasure against differential fault injection…
nature8
3
votes
0 answers
Variant of CCA security for Paillier with blinded decryption oracle
Consider a variant of the Paillier encryption scheme where the message space is restricted to $\mathbb{Z}_q$ such that the RSA modulus $N$ of the Paillier cryptosystem satisfies $N > q + q^2$. I am interested in the following variant of the CCA…
Prashant Agrawal