Author-blinded RSASSA-PSS RSAE signatures.
This is an implementation of the RSA Blind Signatures IETF draft, based on the Zig implementation.
A client asks a server to sign a message. The server receives the message, and returns the signature.
Using that (message, signature)
pair, the client can locally compute a second, valid (message', signature')
pair.
Anyone can verify that (message', signature')
is valid for the server's public key, even though the server didn't see that pair before.
But no one besides the client can link (message', signature')
to (message, signature)
.
Using that scheme, a server can issue a token and verify that a client has a valid token, without being able to link both actions to the same client.
- The client creates a random message, and blinds it with a random, secret factor.
- The server receives the blind message, signs it and returns a blind signature.
- From the blind signature, and knowing the secret factor, the client can locally compute a
(message, signature)
pair that can be verified using the server's public key. - Anyone, including the server, can thus later verify that
(message, signature)
is valid, without knowing when step 2 occurred.
The scheme was designed by David Chaum, and was originally implemented for anonymizing DigiCash transactions.
use blind_rsa_signatures::{KeyPair, Options};
let options = Options::default();
let rng = &mut rand::thread_rng();
// [SERVER]: Generate a RSA-2048 key pair
let kp = KeyPair::generate(rng, 2048)?;
let (pk, sk) = (kp.pk, kp.sk);
// [CLIENT]: create a random message and blind it for the server whose public key is `pk`.
// The client must store the message and the secret.
let msg = b"test";
let blinding_result = pk.blind(rng, msg, true, &options)?;
// [SERVER]: compute a signature for a blind message, to be sent to the client.
// The client secret should not be sent to the server.
let blind_sig = sk.blind_sign(rng, &blinding_result.blind_msg, &options)?;
// [CLIENT]: later, when the client wants to redeem a signed blind message,
// using the blinding secret, it can locally compute the signature of the
// original message.
// The client then owns a new valid (message, signature) pair, and the
// server cannot link it to a previous(blinded message, blind signature) pair.
// Note that the finalization function also verifies that the new signature
// is correct for the server public key.
let sig = pk.finalize(
&blind_sig,
&blinding_result.secret,
blinding_result.msg_randomizer,
&msg,
&options,
)?;
// [SERVER]: a non-blind signature can be verified using the server's public key.
sig.verify(&pk, blinding_result.msg_randomizer, msg, &options)?;
This crate also includes utility functions to import and export keys.