Internet DRAFT - draft-wood-cfrg-rsa-blind-signatures


Network Working Group                                           F. Denis
Internet-Draft                                               Fastly Inc.
Intended status: Informational                                 F. Jacobs
Expires: 9 September 2021                                     Apple Inc.
                                                               C.A. Wood
                                                            8 March 2021

                          RSA Blind Signatures


   This document specifies the RSA-based blind signature scheme with
   appendix (RSA-BSSA).  RSA blind signatures were first introduced by
   Chaum for untraceable payments [Chaum83].  It extends RSA-PSS
   encoding specified in [RFC8017] to enable blind signature support.

Discussion Venues

   

   

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   3
   3.  Notation  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Blind Signature Protocol Overview . . . . . . . . . . . . . .   4
   5.  RSABSSA Signature Instantiation . . . . . . . . . . . . . . .   4
     5.1.  Signature Generation  . . . . . . . . . . . . . . . . . .   4
       5.1.1.  Blind . . . . . . . . . . . . . . . . . . . . . . . .   5
       5.1.2.  BlindSign . . . . . . . . . . . . . . . . . . . . . .   5
       5.1.3.  Finalize  . . . . . . . . . . . . . . . . . . . . . .   6
     5.2.  Encoding Options  . . . . . . . . . . . . . . . . . . . .   7
   6.  Public Key Certification  . . . . . . . . . . . . . . . . . .   8
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
     7.1.  Timing Side Channels  . . . . . . . . . . . . . . . . . .   8
     7.2.  Message Robustness  . . . . . . . . . . . . . . . . . . .   8
     7.3.  Salt State  . . . . . . . . . . . . . . . . . . . . . . .   9
     7.4.  Key Substitution Attacks  . . . . . . . . . . . . . . . .   9
     7.5.  Alternative RSA Encoding Functions  . . . . . . . . . . .   9
     7.6.  Alternative Blind Signature Schemes . . . . . . . . . . .   9
     7.7.  Post-Quantum Readiness  . . . . . . . . . . . . . . . . .  10
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Appendix A.  Test Vector  . . . . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  17

1.  Introduction

   Originally introduced in the context of digital cash systems by Chaum
   for untraceable payments [Chaum83], RSA blind signatures turned out
   to have a wide range of applications ranging from electric voting
   schemes to authentication mechanisms.

   Recently, interest in blind signatures has grown to address
   operational shortcomings from VOPRFs such as [I-D.irtf-cfrg-voprf].
   Specifically, VOPRF evaluation requires access to the private key,
   and is therefore required for both issuance and redemption of tokens

   in anonymous authentication protocols such as Privacy Pass
   [I-D.davidson-pp-protocol].  This limitation complicates deployments
   where it is not desirable to distribute secret keys entities
   performing token verification.  Additionally, if the private key is
   kept in a Hardware Security Module, the number of operations on the
   key are doubled compared to a scheme where the private key is only
   required for issuance of the tokens.

   In contrast, cryptographic signatures provide a primitive that is
   publicly verifiable and does not require access to the private key
   for verification.  Moreover, [JKK14] shows that one can realize a
   VOPRF in the Random Oracle Model by hashing a (deterministic) blind
   signature-message pair.

   This document specifies the RSA Blind Signature Scheme with
   Appendix (RSABSSA).  In order to facilitate deployment, we define it
   in such a way that the resulting (unblinded) signature can be
   verified with a standard RSA-PSS library.

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Notation

   The following terms are used throughout this document to describe the
   protocol operations in this document:

   *  I2OSP and OS2IP: Convert a byte string to and from a non-negative
      integer as described in [RFC8017].  Note that these functions
      operate on byte strings in big-endian byte order.

   *  random_integer_uniform(M, N): Generate a random, uniformly
      distributed integer R such that M <= R < N.

   *  inverse_mod(x, n): Compute the multiplicative inverse of x mod n.

   *  len(s): The length of a byte string, in octets.

4.  Blind Signature Protocol Overview

   In this section, we sketch the blind signature protocol wherein a
   client and server interact to compute "sig = Sign(skS, msg)", where
   "msg" is the private message to be signed, and "skS" is the server's
   private key.  In this protocol, the server learns nothing of "msg",
   whereas the client learns "sig" and nothing of "skS".

   The core issuance protocol runs as follows:

      Client(pkS, msg)                      Server(skS, pkS)
     blinded_msg, inv = Blind(pkS, msg)


                    blind_sig = BlindSign(skS, blinded_msg)


     sig = Finalize(pkS, msg, blind_sig, inv)

   Upon completion, correctness requires that clients can verify
   signature "sig" over private input message "msg" using the server
   public key "pkS" by invoking the RSASSA-PSS-VERIFY routine defined in
   [RFC3447].  The finalization function performs that check before
   returning the signature.

5.  RSABSSA Signature Instantiation

   Section 8.1 of [RFC8017] defines RSASSA-PSS RSAE, which is a
   signature algorithm using RSASSA-PSS [RFC8017] with mask generation
   function 1.  In this section, we define RSABSSA, a blinded variant of
   this algorithm.

5.1.  Signature Generation

   As outlined in Section 4, signature generation involves three
   subroutines: Blind, BlindSign, and Finalize.  The output from
   Finalize is a signature over the input to Blind.  A specification of
   these subroutines is below.

5.1.1.  Blind

   rsabssa_blind encodes an input message and blinds it with the
   server's public key.  It outputs the blinded message to be sent to
   the server and the corresponding inverse, both encoded as octet
   strings.  RSAVP1 and EMSA-PSS-ENCODE are as defined in [RFC3447].

   rsabssa_blind(pkS, msg)

   - kLen, the length in octets of the RSA modulus n
   - kBits, the length in bits of the RSA modulus n

   - pkS, server public key (n, e)
   - msg, message to be signed, an octet string
   - HF, the hash function used to hash the message
   - MGF, the mask generation function

   - blinded_msg, an octet string of length kLen
   - inv, an octet string of length kLen

   - "message too long": Raised when the input message is too long.
   - "encoding error": Raised when the input message fails encoding.
   - "invalid blind": Raised when the inverse of r cannot be found.

   1. encoded_message = EMSA-PSS-ENCODE(msg, kBits - 1)
      with MGF and HF as defined in the parameters
   2. If EMSA-PSS-ENCODE raises an error, raise the error and stop
   3. m = OS2IP(encoded_message)
   4. r = random_integer_uniform(1, n)
   5. r_inv = inverse_mod(r, n)
   6. If finding the inverse fails, raise an "invalid blind" error
      and stop
   7. x = RSAVP1(pkS, r)
   8. z = m * x mod n
   9. blinded_msg = I2OSP(z, kLen)
   10. inv = I2OSP(r_inv, kLen)
   11. output blinded_msg, inv

5.1.2.  BlindSign

   rsabssa_blind_sign performs the RSA private key operation on the
   client's blinded message input and returns the output encoded as an
   octet string.  RSASP1 is as defined in [RFC3447].

   rsabssa_blind_sign(skS, blinded_msg)

   - kLen, the length in octets of the RSA modulus n

   - blinded_msg, encoded and blinded message to be signed, an
     octet string

   - blind_sig, an octet string of length kLen

   - "unexpected input size": Raised when a byte string input doesn't
     have the expected length.

   1. If len(blinded_msg) != kLen, raise "unexpected input size"
      and stop
   2. m = OS2IP(blinded_msg)
   3. s = RSASP1(skS, m)
   4. blind_sig = I2OSP(s, kLen)
   5. output blind_sig

5.1.3.  Finalize

   rsabssa_finalize validates the server's response, unblinds the
   message to produce a signature, verifies it for correctness, and
   outputs the signature upon success.  Note that this function will
   internally hash the input message as is done in rsabssa_blind.

   rsabssa_finalize(pkS, msg, blind_sig, inv)

   - kLen, the length in octets of the RSA modulus n

   - pkS, server public key
   - msg, message to be signed, an octet string
   - blind_sig, signed and blinded element, an octet string of
     length kLen
   - inv, inverse of the blind, an octet string of length kLen

   - sig, an octet string of length kLen

   - "invalid signature": Raised when the signature is invalid
   - "unexpected input size": Raised when a byte string input doesn't
     have the expected length.

   1. If len(blind_sig) != kLen, raise "unexpected input size" and stop
   2. If len(inv) != kLen, raise "unexpected input size" and stop
   3. z = OS2IP(blind_sig)
   4. r_inv = OS2IP(inv)
   5. s = z * r_inv mod n
   6. sig = I2OSP(s, kLen)
   7. result = RSASSA-PSS-VERIFY(pkS, msg, sig)
   8. If result = "valid signature", output sig, else
      raise "invalid signature" and stop

5.2.  Encoding Options

   The RSASSA-PSS parameters are defined as in [RFC8230].
   Implementations MUST support PS384-encoding, using SHA-384 as hash
   function for the message and mask generation function with a 48-byte

   The RSA-PSS encoding functions take the following optional

   *  Hash: hash function (hLen denotes the length in octets of the hash
      function output)

   *  MGF: mask generation function

   *  sLen: intended length in octets of the salt

   The blinded functions above are orthogonal to the choice of these

6.  Public Key Certification

   If the server public key is carried in an X.509 certificate, it MUST
   use the RSASSA-PSS OID [RFC5756].  It MUST NOT use the rsaEncryption
   OID [RFC5280].

7.  Security Considerations

   Bellare et al.  [BNPS03] proved security of Chaum's original blind
   signature scheme based on RSA-FDH based on "one-more-RSA-inversion."
   Note that the design in this document differs only in message
   encoding, i.e., using PSS instead of FDH.

   [[OPEN ISSUE: confirm that results from BNPS03 apply to this

7.1.  Timing Side Channels

   rsabssa_blind_sign is functionally a remote procedure call for
   applying the RSA private key operation.  As such, side channel
   resistance is paramount to protect the private key from exposure
   [RemoteTiming].  Implementations MUST include side channel attack
   mitigations, such as RSA blinding, to avoid leaking information about
   the private key through timing side channels.

7.2.  Message Robustness

   An essential property of blind signature schemes is that signer
   learns nothing of the message being signed.  In some circumstances,
   this may raise concerns of arbitrary signing oracles.  Applications
   using blind signature schemes should take precautions to ensure that
   such oracles do not cause cross-protocol attacks.  This can be done,
   for example, by keeping blind signature keys distinct from signature
   keys used for other protocols, such as TLS.

   An alternative solution to this problem of message blindness is to
   give signers proof that the message being signed is well-structured.
   Depending on the application, zero knowledge proofs could be useful
   for this purpose.  Defining such a proof is out of scope for this

7.3.  Salt State

   The PSS salt is a randomly generated string chosen when a message is
   encoded.  If the salt is not generated randomly, or is otherwise
   constructed maliciously, it might be possible for the salt to carry
   client information to the server.  For example, the salt might be
   maliciously constructed to encode the local IP address of the client.
   Implementations MUST ensure that the salt is generated correctly to
   mitigate such issues.

7.4.  Key Substitution Attacks

   RSA is well known to permit key substitution attacks, wherein an
   attacker generates a key pair (skA, pkA) that verify some known
   (message, signature) pair produced under a different (skS, pkS) key
   pair [WM99].  This means it may be possible for an attacker to use a
   (message, signature) pair from one context in another.  Entities that
   verify signatures must take care to ensure a (message, signature)
   pair verifies with the expected public key.

7.5.  Alternative RSA Encoding Functions

   This document document uses PSS encoding as specified in [RFC3447]
   for a number of reasons.  First, it is recommended in recent
   standards, including TLS 1.3 [RFC8446], X.509v3 [RFC4055], and even
   PKCS#1 itself.  According to [RFC3447], "Although no attacks are
   known against RSASSA-PKCS#1 v1.5, in the interest of increased
   robustness, RSA-PSS is recommended for eventual adoption in new
   applications."  While RSA-PSS is more complex than RSASSA-PKCS#1 v1.5
   encoding, ubiquity of RSA-PSS support influenced the design decision
   in this draft, despite PKCS#1 v1.5 having equivalent security
   properties for digital signatures [JKM18]

   Full Domain Hash (FDH) [RSA-FDH] encoding is also possible, and this
   variant has equivalent security to PSS [KK18].  However, FDH is less
   standard and not used widely in related technologies.  Moreover, FDH
   is deterministic, whereas PSS is probabilistic.

7.6.  Alternative Blind Signature Schemes

   There are a number of blind signature protocols beyond RSA.  This
   section summarizes these at a high level, and discusses why an RSA-
   based variant was chosen for the basis of this specification.

   *  Blind Schnorr [Sch01]: This is a three-message protocol based on
      the classical Schnorr signature scheme over elliptic curve groups.
      Although simple, the hardness problem upon which this is based -
      Random inhomogeneities in a Overdetermined Solvable system of

      linear equations, or ROS - can be broken in polynomial time when a
      small number of concurrent signing sessions are invoked
      [PolytimeROS].  This can lead to signature forgeries in practice.
      Signers can enforce concurrent sessions, though the limit
      (approximately 256) for reasonably secure elliptic curve groups is
      small enough to make large-scale signature generation prohibitive.
      In contrast, the variant in this specification has no such
      concurrency limit.

   *  Clause Blind Schnorr [FPS20]: This is a three-message protocol
      based on a variant of the blind Schnorr signature scheme.  This
      variant of the protocol is not known to be vulnerable to the
      attack in [PolytimeROS], though the protocol is still new and
      under consideration.  In the future, this may be a candidate for
      future blind signatures based on blind signatures.  However, the
      three-message flow necessarily requires two round trips between
      the client and server, which may be prohibitive for large-scale
      signature generation.  Further analysis and experimentation with
      this scheme is needed.

   *  BSA [Abe01]: This is a three-message protocol based on elliptic
      curve groups similar to blind Schnorr.  It is also not known to be
      vulnerable to the ROS attack in [PolytimeROS].  Kastner et al.
      [KLRX20] proved concurrent security with a polynomial number of
      sessions.  For similar reasons to the clause blind Schnorr scheme
      above, the additional number of round trips requires further
      analysis and experimentation.

   *  Blind BLS [BLS-Proposal]: The Boneh-Lynn-Shacham
      [I-D.irtf-cfrg-bls-signature] scheme can incorporate message
      blinding when properly instantiated with Type III pairing group.
      This is a two-message protocol similar to the RSA variant, though
      it requires pairing support, which is not common in widely
      deployed cryptographic libraries backing protocols such as TLS.
      In contrast, the specification in this document relies upon widely
      deployed cryptographic primitives.

7.7.  Post-Quantum Readiness

   The blind signature scheme specified in this document is not post-
   quantum ready since it is based on RSA.  (Shor's polynomial-time
   factorization algorithm readily applies.)

8.  IANA Considerations

   This document makes no IANA requests.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February
              2003, <>.

   [RFC5756]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Updates for RSAES-OAEP and RSASSA-PSS Algorithm
              Parameters", RFC 5756, DOI 10.17487/RFC5756, January 2010,

   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, DOI 10.17487/RFC8017, November 2016,

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <>.

   [RFC8230]  Jones, M., "Using RSA Algorithms with CBOR Object Signing
              and Encryption (COSE) Messages", RFC 8230,
              DOI 10.17487/RFC8230, September 2017,

9.2.  Informative References

   [Abe01]    Abe, M., "A Secure Three-Move Blind Signature Scheme for
              Polynomially Many Signatures",
              DOI 10.1007/3-540-44987-6_9, Lecture Notes in Computer
              Science pp. 136-151, 2001,

              "[Privacy-pass] External verifiability: a concrete
              proposal", n.d., <

   [BNPS03]   Bellare, ., Namprempre, ., Pointcheval, ., and . Semanko,
              "The One-More-RSA-Inversion Problems and the Security of
              Chaum's Blind Signature Scheme",
              DOI 10.1007/s00145-002-0120-1, Journal of Cryptology Vol.
              16, pp. 185-215, June 2003,

   [Chaum83]  "Blind Signatures for Untraceable Payments",

   [FPS20]    Fuchsbauer, G., Plouviez, A., and Y. Seurin, "Blind
              Schnorr Signatures and Signed ElGamal Encryption in the
              Algebraic Group Model", DOI 10.1007/978-3-030-45724-2_3,
              Advances in Cryptology - EUROCRYPT 2020 pp. 63-95, 2020,

              Davidson, A., "Privacy Pass: The Protocol", Work in
              Progress, Internet-Draft, draft-davidson-pp-protocol-01,
              13 July 2020, <

              Boneh, D., Gorbunov, S., Wahby, R., Wee, H., and Z. Zhang,
              "BLS Signatures", Work in Progress, Internet-Draft, draft-
              irtf-cfrg-bls-signature-04, 10 September 2020,

              Davidson, A., Faz-Hernandez, A., Sullivan, N., and C.
              Wood, "Oblivious Pseudorandom Functions (OPRFs) using
              Prime-Order Groups", Work in Progress, Internet-Draft,
              draft-irtf-cfrg-voprf-05, 2 November 2020,

   [JKK14]    "Round-Optimal Password-Protected Secret Sharing and
              T-PAKE in the Password-Only model",

   [JKM18]    Jager, T., Kakvi, S., and A. May, "On the Security of the
              PKCS#1 v1.5 Signature Scheme",
              DOI 10.1145/3243734.3243798, Proceedings of the 2018 ACM
              SIGSAC Conference on Computer and Communications Security,
              January 2018, <>.

   [KK18]     Kakvi, S. and E. Kiltz, "Optimal Security Proofs for Full
              Domain Hash, Revisited", DOI 10.1007/s00145-017-9257-9,
              Journal of Cryptology Vol. 31, pp. 276-306, April 2017,

   [KLRX20]   "On Pairing-Free Blind Signature Schemes in the Algebraic
              Group Model", n.d., <>.

              "On the (in)security of ROS", n.d.,

              "Remote Timing Attacks are Practical", 2003,

   [RFC4055]  Schaad, J., Kaliski, B., and R. Housley, "Additional
              Algorithms and Identifiers for RSA Cryptography for use in
              the Internet X.509 Public Key Infrastructure Certificate
              and Certificate Revocation List (CRL) Profile", RFC 4055,
              DOI 10.17487/RFC4055, June 2005,

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,

   [RSA-FDH]  "Random Oracles are Practical: A Paradigm for Designing
              Efficient Protocols", October 1995,

   [Sch01]    Schnorr, C., "Security of Blind Discrete Log Signatures
              against Interactive Attacks", DOI 10.1007/3-540-45600-7_1,
              Information and Communications Security pp. 1-12, 2001,

   [WM99]     "Unknown key-share attacks on the station-to-station (STS)
              protocol", n.d..

Appendix A.  Test Vector

   This section includes a test vector for the blind signature scheme
   defined in this document.  The following parameters are specified:

   *  p, q, n, e, d: RSA private and public key parameters, each encoded
      as a hexadecimal string.

   *  msg: Messsage being signed, encoded as a hexadecimal string.  Its
      hash is computed using the hash function identified by the 'hash'
      test vector parameter.

   *  salt: Randomly-generated salt used when computing the signature.

   *  inv: The message blinding inverse, encoded as a hexadecimal

   *  blinded_message, blind_sig: The protocol values exchanged during
      the computation, encoded as hexadecimal strings.

   *  sig: The message signature.

   p = e1f4d7a34802e27c7392a3cea32a262a34dc3691bd87f3f310dc756734889305
   q = c601a9caea66dc3835827b539db9df6f6f5ae77244692780cd334a006ab353c8
   n = aec4d69addc70b990ea66a5e70603b6fee27aafebd08f2d94cbe1250c556e047

   e = 010001
   d = 0d43242aefe1fb2c13fbc66e20b678c4336d20b1808c558b6e62ad16a2870771
   msg = 8f3dc6fb8c4a02f4d6352edf0907822c1210a9b32f9bdda4c45a698c80023a
   salt = 051722b35f458781397c3a671a7d3bd3096503940e4c4f1aaa269d60300ce
   inv = 80682c48982407b489d53d1261b19ec8627d02b8cda5336750b8cee332ae26
   encoded_message = 6e0c464d9c2f9fbc147b43570fc4f238e0d0b38870b3addcf7

   blinded_msg = 10c166c6a711e81c46f45b18e5873cc4f494f003180dd7f115
   blind_sig = 364f6a40dbfbc3bbb257943337eeff791a0f290898a67912
   sig = 6fef8bf9bc182cd8cf7ce45c7dcf0e6f3e518ae48f06f3c670c649ac737a8b

Authors' Addresses

   Frank Denis
   Fastly Inc.


   Frederic Jacobs
   Apple Inc.


   Christopher A. Wood


