[security-dev 00063]: Re: Application of blind signature concept on ECDSA and incorporating that into JDK 7

Brad Wetmore Bradford.Wetmore at Sun.COM
Mon Feb 4 14:52:17 PST 2008


deepak sahu wrote previously:

>> We have fullfledged concept fo how to generate points on EC and are 
>> working on new blind signature concept.
>> We have also implemented our idea in java.

and in an email today:

 > What I want to know is where we can apply the concept of blind
 > signature in java.

It's not really clear what you are proposing and thus hard to judge 
whether it would appropriate for inclusion in the OpenJDK.

I was originally thinking that what you'd like the group to consider is 
to add a BlindSignature API/engine to the JDK, and that one of the 
possible implementations could be this new algorithm you're working on. 
  But in today's email when you mentioned "...where we can apply...", I 
was wondering if you were instead looking for existing components in the 
JDK that could receive benefit from using a blinding algorithm.

I'm not sure about the utility of a general BlindingSignature class, at 
least not in the way I'm thinking what such an object might look like 
(i.e. where a provider takes a datastream and does both 
blinding/signing).  If you're pumping in the actual object/datastream, a 
malicious provider could simply capture the data, negating the blinding 
effect.  It seems to me you'd want the blinding in your application 
layer that you trust, and have the providers sign the blinded data using 
a normal Signature object.  But again, more info here would be good.

>> Any one can guide us in including this  RFE  into jdk7 

The security group (security-dev@) is the right group, but we need to 
understand what's really being proposed.  And of course, whenever 
dealing in ECC (Elliptic Curve Cryptography), we will have to be very 
careful about patent issues.

As you probably know from:

     http://openjdk.java.net/contribute/

contributions to the OpenJDK effort are governed by the Sun Contributor 
Agreement (SCA).  If you're not already familiar with that information, 
please have a look.

In your email, you mentioned "we have..." so I assume there's more than 
one of you.  One of the things I needed to check on was how group 
contributions are handled.  There's a FAQ on the SCA at:

     http://www.sun.com/software/opensource/contributor_agreement.jsp

Are you part of a company, a university effort, a group of individuals, 
or something else?  If you're a group of individuals, I'm guessing each 
person would probably have to sign the SCA, but I'd need to check that.

I hope this helps.

Brad

P.S.  FYI, for JDK7/OpenJDK7 we are currently working on a java version 
of the general ECC algorithms for the Sun/SunJCE providers, and will be 
based on the NSS implementation.




More information about the security-dev mailing list