Is the RSA blinded-message scheme still vulnerable?
I know this is more or less an algorithm or design problem and not so much programming, but I hope it's alright.
I am using a blinded message and having it signed by C. After the signing I want to remove the blinding and have other users A and B be able to share the message. Is this safe or can the signer still read these messages if they have the public and private keys? Should I take further steps after unblinding to ensure the confidentiality?
I have read various math formulas explaining how this works, but I am more of a programmer than a mathematician. I want to ensure the confidentiality and I am not sure if it's working.
Comments (1)
Signatures do not ensure confidentiality. If you have data which must be transmitted but should remain confidential, then you must use a transmission mechanism which ensures confidentiality.
You apparently also want the message to be signed by entity C, but without giving any clue on the message to C. Generally speaking, the signing entity only needs to know the hash of the signed data. The signer may then try to "guess" the data by hashing potential messages and see if one matches the hash it received. This is the point where blind signatures come into action: to prevent the signer from even seeing the hashed message.
It so happens that with RSA, the hashed message can be recovered from the signature and the signer's public key. The signer (C) certainly knows his own public key. Hence, the signature itself must be kept confidential (otherwise, it would make no sense to use blind signatures in the first place). Thus, whatever mechanism you use to keep the message itself confidential when it is transmitted from A to B, must also be applied to the signature (and the signature is not that mechanism).
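The following is an added example, not part of the original answer, showing the answer's last point with textbook RSA: C learns nothing from the blinded value it signs, but once the unblinded signature is visible, C's public key turns it back into the message hash, which can then be tested against guessed messages. The demo key (built from two Mersenne primes), the unpadded SHA-256 hashing, and all function names are assumptions made for illustration.

```python
import hashlib, math, secrets

# Constructed demo key for signer C: two Mersenne primes, textbook RSA, no padding.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # C's private exponent

def h(msg: bytes) -> int:
    """SHA-256 digest as an integer (smaller than N for this key)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def blind(msg: bytes):
    """Requester: hide the hash behind a random factor r before sending to C."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(msg) * pow(r, E, N)) % N, r

def sign_blinded(blinded: int) -> int:
    """Signer C: signs whatever it receives, learns nothing about the hash."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Requester: strip r to obtain an ordinary RSA signature on the hash."""
    return (blind_sig * pow(r, -1, N)) % N

def recover_hash(sig: int) -> int:
    """Anyone holding C's public key (N, E) gets the hash back from the signature."""
    return pow(sig, E, N)

def guess_message(sig: int, candidates):
    """What C can do once it sees the unblinded signature: test likely messages."""
    target = recover_hash(sig)
    return next((m for m in candidates if h(m) == target), None)

if __name__ == "__main__":
    msg = b"transfer 100 to B"                      # constructed sample message
    blinded, r = blind(msg)
    sig = unblind(sign_blinded(blinded), r)
    print("C saw the hash while signing:", blinded == h(msg))
    print("signature verifies:", recover_hash(sig) == h(msg))
    print("C's guess after seeing sig:", guess_message(sig, [b"hello", msg]))
```

If the message and signature travel from A to B over a channel C can observe, both need to be inside whatever encryption protects that channel.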