-----BEGIN PGP SIGNED MESSAGE----- [I think I messed up when I responded originally ... KLB] Sure, I'll take questions :-) I may be a little slow in responding at the moment.
Conceptually, when you blind a message, nobody else can read it. So "blinding" is a synonym for encryption with your own public key, aka multiplication by a very-hard-to-factor number?
Not exactly. Blinding/Unblinding is multiplication; Encryption/Decryption is exponentiation. While I can unblind a document without knowing phi(n), I cannot decrypt a message without knowing phi(n). Knowing phi(n) is equivalent to knowing how n factors, so this is intractable. phi(n) = Euler totient function.
under the right circumstances if another party digitally signs a blinded message, the unblinded message will contain a valid digital signature. In other words if Alice encrypts and Bob signs, Da(Db(Ea(M))) = Db(M)? Under what conditions? Does RSA (in PGP) satisfy those conditions?
The conditions are usually satisfied. Offhand, the only one I can think of is that x and n must be relatively prime, otherwise there is no inverse of x mod n. With really huge numbers, the chances of guessing x such that gcd(x,n) != 1 are very small. If this does happen, then you've guessed x such that x is a multiple of one of the factors of n! Time for somebody to pick a new p,q, and n :-) As far as PGP, I think the only messages PGP produces are exponentiated. I mean, PGP doesn't produces messages obscured only by a muliplication factor; the ascii snow messages PGP generates are encrypted, signed, compressed, or all of the above. So this doesn't arise.
If someone asks you to digitally sign a random stream of symbols, remember that what you sign may be unblinded to reveal a contract, etc. For what applications would Bob want to sign an encrypted contract instead of a plaintext?
Let me get back on this. I beleive the general name these sorts of protocols go under is "embassy protocols". They are useful in things such a digital cash: blind a message, and get the bank to sign it. Then unblind and you have a valid, digitally signed piece of cash. The bank is unable to track it since it couldn't read it (message was blinded when the bank signed), but the bank can verify that the cash is digitally signed by them. It also arises in automatic protocols: say in computer security. If the computer sends a challenge string which you decrypt and send back, the computer can encrypt with your public key to verify you. If the challenge string is random, you may have unwittingly digitally signed a blinded document that is not in your favor... The cut-and-choose protocol allows a person to sign a blinded document and be sure they aren't signing something else. I'll get back on this as well. /--------------------------------------------------\ | Karl L. Barrus | | klbarrus@owlnet.rice.edu | | D1 59 9D 48 72 E9 19 D5 3D F3 93 7E 81 B5 CC 32 | \--------------------------------------------------/ -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLHzwP4OA7OpLWtYzAQEyuQP/Vrc5tB5TfbDc0/FRWN9uALdSZk/JZNwX UYmFfKHQzhYdqJkoOrDE+MMHbJaGuZkuSnYUbIEAFvos6SRPI9doRAvyWnKjQKfp 9h04BMGrB3IoHPBqK59CbH+jNtNc3hYgWw4zSpaFo3+1aEPM+WUHQ2plO2KjJSJg 2M272Y2Y3IE= =tHuX -----END PGP SIGNATURE-----