Using a blinding factor for RSA in pycrypto

北荒 2021-01-07 01:27

In Python, I am trying to blind and unblind a message. When I unblind the message, I don't get the original message. Does anyone know what I might be doing wrong? The follo

1 answer
  •  一整个雨季
    2021-01-07 02:11

    Blinding is a sort of encryption with a random element. It is usually used for Blind Signatures which would look like this:

    from Crypto.PublicKey import RSA
    from Crypto.Hash import SHA256
    from random import SystemRandom
    
    # Signing authority (SA) key
    priv = RSA.generate(3072)
    pub = priv.publickey()
    
    ## Protocol: Blind signature ##
    
    # must be guaranteed to be chosen uniformly at random
    r = SystemRandom().randrange(pub.n >> 10, pub.n)
    msg = b"my message" * 50 # large message (larger than the modulus); bytes, because hash.update() rejects str on Python 3
    
    # hash message so that messages of arbitrary length can be signed
    hash = SHA256.new()
    hash.update(msg)
    msgDigest = hash.digest()
    
    # user computes
    msg_blinded = pub.blind(msgDigest, r)
    
    # SA computes
    msg_blinded_signature = priv.sign(msg_blinded, 0)
    
    # user computes
    msg_signature = pub.unblind(msg_blinded_signature[0], r)
    
    # Someone verifies
    hash = SHA256.new()
    hash.update(msg)
    msgDigest = hash.digest()
    print("Message is authentic: " + str(pub.verify(msgDigest, (msg_signature,))))
    

    This is how it is implemented, so you cannot directly unblind the message, because you don't have d, so the blinded element must be signed first. In order for the blind signature to be secure, you need to randomly generate the blinding factor r in the range of the signing modulus.
