## 基于RSA实现如下“盲签名(Blind signature)”
Blind signature schemes, first introduced by Chaum , allow a person to get a message signed by another party without revealing any information about the message to the other party.
Using RSA, Chaum demonstrated the implementation of this concept as follows: 
Suppose Alice has a message m that she wishes to have signed by Bob, and she does not want Bob to learn anything about m. Let (n; e) be Bob’s public key and (n; d) be his private key.
Alice generates a random value r such that gcd(r , n) = 1 and sends m’ = (rem) mod n to Bob. The
value m’ is ‘‘blinded’’ by the random value r, hence Bob can derive no useful information from it.
Bob returns the signed value s’ = m’d mod n to Alice. Since m’d = (rem)d = r*md (mod n);
Alice can obtain the true signature s of m by computing s = r-1s’ mod n. Here r*r-1 = 1 mod n.
Now Alice’s message has a signature she could not have obtained on her own. This signature scheme is secure provided that factoring and root extraction remains difficult. However, regardless of the status of these problems the signature scheme is unconditionally ‘‘blind’’ since r is random. The random r does not allow the signer to learn about the message even if the signer can solve the underlying hard problems.


In [268]:
import random
from Crypto.Util import *
from Crypto.Util.number import *
import math
import random
from Crypto.PublicKey import RSA

# 生成RSA密钥对
def generate_key_pair():
    p = getPrime(128)
    q = getPrime(128)
    # p = 285998060343527081133315154251673471283 #getPrime(128)
    # q = 315237712832447837409600749717934211741 #getPrime(128)
    # print(p)
    # print(q)
    n = p * q
    phi_n = (p - 1) * (q - 1)
    e = 65537  # 选择公开指数e
    gcd = math.gcd(e, phi_n)
    while gcd != 1:
        e = random.randrange(1, phi_n)
        gcd = math.gcd(e, phi_n)
    d = inverse(e,phi_n)  # 计算私钥d
    public_key = RSA.construct((n, e))
    private_key = RSA.construct((n, e, d))
    return public_key, private_key

# 盲化消息
def blind_message(message, public_key):
    n = public_key.n
    r = random.randint(1, n - 1)  # 选择一个随机数r
    gcd = math.gcd(r, n)
    while gcd != 1:
        r = random.randrange(1, n)
        gcd = math.gcd(e, n)
    blind_factor = pow(r, public_key.e, n)
    blinded_message = (message * blind_factor) % n
    return blinded_message, r

# 盲签名
def blind_sign(blinded_message, private_key):
    n = private_key.n
    e = private_key.e
    d = private_key.d
    signature = pow(blinded_message, d, n)
    return signature

# 解盲化签名
def unblind_signature(blinded_signature, blind_factor, public_key):
    n = public_key.n
    unblinded_signature = (blinded_signature * inverse(blind_factor, n)) % n
    return unblinded_signature


In [269]:
# 示例
message = 12345
# 生成密钥对
public_key, private_key = generate_key_pair()
# 盲化消息
blinded_message, blind_factor = blind_message(message, public_key)
# 盲签名
blinded_signature = blind_sign(blinded_message, private_key)
# 解盲化签名
signature = unblind_signature(blinded_signature, blind_factor, public_key)

print("原始消息:", message)
print("盲化后的消息:", blinded_message)
print("盲签名后的消息:", blinded_signature)
print("解盲化签名后的消息:", signature)

原始消息: 12345
盲化后的消息: 24699475468059137096928389189418748420266519524510023235717340226618603457663
盲签名后的消息: 7677992836499766315748916027132740404428902176664119628726530787994200882440
解盲化签名后的消息: 38521009931625704057901262443876107601027897208231065206308804837415005800426


In [270]:
# 生成密钥对
public_key, private_key = generate_key_pair()

In [271]:
raw_text = """Blind signature schemes, first introduced by Chaum , allow a person to get a message signed by another party without revealing any information about the message to the other party.
Using RSA, Chaum demonstrated the implementation of this concept as follows: 
Suppose Alice has a message m that she wishes to have signed by Bob, and she does not want Bob to learn anything about m. Let (n; e) be Bob’s public key and (n; d) be his private key.
Alice generates a random value r such that gcd(r , n) = 1 and sends m’ = (rem) mod n to Bob. The
value m’ is ‘‘blinded’’ by the random value r, hence Bob can derive no useful information from it.
Bob returns the signed value s’ = m’d mod n to Alice. Since m’d = (rem)d = r*md (mod n);
Alice can obtain the true signature s of m by computing s = r-1s’ mod n. Here r*r-1 = 1 mod n.
Now Alice’s message has a signature she could not have obtained on her own. This signature scheme is secure provided that factoring and root extraction remains difficult. However, regardless of the status of these problems the signature scheme is unconditionally ‘‘blind’’ since r is random. The random r does not allow the signer to learn about the message even if the signer can solve the underlying hard problems."""
message = bytes_to_long(raw_text.encode())
# 盲化消息
blinded_message, blind_factor = blind_message(message, public_key)
# 盲签名
blinded_signature = blind_sign(blinded_message, private_key)
# 解盲化签名
signature = unblind_signature(blinded_signature, blind_factor, public_key)

print("原始消息:", "...")
print("盲化后的消息:", blinded_message)
print("盲签名后的消息:", blinded_signature)
print("解盲化签名后的消息:", signature)

原始消息: ...
盲化后的消息: 12641458535255181169334979667776220868583844427016299734308861845633512619933
盲签名后的消息: 15243334944684002739778842223818289011998755877863389574785337764533038905984
解盲化签名后的消息: 27988150930747368293356163281279027354181373083268156920856038025723766324046


In [272]:
# 盲化消息
blinded_message, blind_factor = blind_message(message, public_key)
# 盲签名
blinded_signature = blind_sign(blinded_message, private_key)
# 解盲化签名
signature = unblind_signature(blinded_signature, blind_factor, public_key)

print("原始消息:", "...")
print("盲化后的消息:", blinded_message)
print("盲签名后的消息:", blinded_signature)
print("解盲化签名后的消息:", signature)

原始消息: ...
盲化后的消息: 5785252765489820762390339276249777348245167871351000404159633458079118381230
盲签名后的消息: 32323658836304989380605987317611001837595965411550100345851371607194816055798
解盲化签名后的消息: 27988150930747368293356163281279027354181373083268156920856038025723766324046
