The scheme we look at for doing this is built on RSA,
and it uses RSA signatures as we've seen in Unit 4.
But this time, instead of using them normally,
we'll use them in a way that blinds the message from the signer.
Here's the protocol--we'll assume Alice wants the bank to sign a message,
and Alice knows the bank's public key.
It's an RSA key pair with the exponent and a modulus.
So m is the message Alice wants the bank to sign. Alice also picks a random value, we'll call that k.
Next, Alice will compute t by multiplying the message by k raised to the eb power.
If k is random, select it from the integers from 1 up to nB-1.
And it is also relatively prime to nB, well that would make keB mod nB
A permutation of the values of ZnB. That means that this is also random in that range.
And so, m multiplied by this is random. This doesn't reveal to the bank the value of m.
We can safely send that to the bank without leaking any information.
And the bank will sign that message using its private key--its private exponent dB.
That produces the value t^dB power mod n, which the bank sends back to Alice.
As far as the bank is concern, it just signed the random value and it sent that back to Alice.
Is there anything Alice can do with this that is useful?
The question is, which of these is equivalent to the value produced by the bank.
Here are the choices. To answer this question, think about the properties of RSA.
