Talk:Blind signature

This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Cryptography: Computer science Mid‑importance This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.CryptographyWikipedia:WikiProject CryptographyTemplate:WikiProject CryptographyCryptography articles Mid This article has been rated as Mid-importance on the importance scale. This article is supported by WikiProject Computer science (assessed as Mid-importance).

I think the final equation in this article is not quite right:

     s \equiv s' * r^{-1}\ (\mathrm{mod}\ N) 

It should be something other than {-1} IMO.

The equation is correct. See the additional explanation. 83.79.54.219 19:48, 27 November 2006 (UTC)[reply]

Hello fellow Wikipedians,

I have just modified one external link on Blind signature. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20110718231432/http://www.dominique-schroeder.de/data/publications/conference/security-blind-signature-abort.pdf to http://www.dominique-schroeder.de/data/publications/conference/security-blind-signature-abort.pdf
• Added {{dead link}} tag to http://www.maniora.pl/?p=101&lang=en

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 05:32, 4 November 2016 (UTC)[reply]

If an attacker asks someone to sign a meaningless, random message, he can obtain the signature of a message of his choice?

It means, the RSA cryptosystem can only be used to sign a hash value.

--84.118.82.226 (talk) 14:55, 18 February 2018 (UTC)[reply]

That is the case one way or another. Textbook-RSA is widely known to be insecure, both the decryption and the signature-version. Any cryptographer worth their money will tell you the same, but the myth is so widespread that most don't choose to fight windmills. (Secure versions of RSA exist, but the good one, notably RSA-OAEP and RSA-PSS require even more than just padding with randomness/hashing the message.) --Florian Weber (talk) 16:59, 26 February 2018 (UTC)[reply]

Deepak.maram (talk) 23:43, 6 May 2020 (UTC)[reply]

It is incorrect that hashing allows you to achieve one message, signature pair per a blind sign issuance. The user still has the two pairs discussed in the text. I do not see that claim being made in the cited paper either. Instead, the paper (https://eprint.iacr.org/2001/002.pdf) uses a more subtle argument to argue security, wherein the adversary needs to invert a chosen target.