Talk:Blind signature

Latest comment: 4 years ago by Deepak.maram in topic it's a joke?

I think the final equation in this article is not quite right:

     s \equiv s' * r^{-1}\ (\mathrm{mod}\ N) 

It should be something other than {-1} IMO.

The equation is correct. See the additional explanation. 83.79.54.219 19:48, 27 November 2006 (UTC)Reply
edit

Hello fellow Wikipedians,

I have just modified one external link on Blind signature. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 05:32, 4 November 2016 (UTC)Reply

it's a joke?

edit

If an attacker asks someone to sign a meaningless, random message, he can obtain the signature of a message of his choice?

It means, the RSA cryptosystem can only be used to sign a hash value.

--84.118.82.226 (talk) 14:55, 18 February 2018 (UTC)Reply

That is the case one way or another. Textbook-RSA is widely known to be insecure, both the decryption and the signature-version. Any cryptographer worth their money will tell you the same, but the myth is so widespread that most don't choose to fight windmills. (Secure versions of RSA exist, but the good one, notably RSA-OAEP and RSA-PSS require even more than just padding with randomness/hashing the message.) --Florian Weber (talk) 16:59, 26 February 2018 (UTC)Reply

Deepak.maram (talk) 23:43, 6 May 2020 (UTC)Reply

It is incorrect that hashing allows you to achieve one message, signature pair per a blind sign issuance. The user still has the two pairs discussed in the text. I do not see that claim being made in the cited paper either. Instead, the paper (https://eprint.iacr.org/2001/002.pdf) uses a more subtle argument to argue security, wherein the adversary needs to invert a chosen target.