[security-dev 00063]: Re: Application of blind signature concept on ECDSA and incorporating that into JDK 7
Brad Wetmore
Bradford.Wetmore at Sun.COM
Mon Feb 4 22:52:17 UTC 2008
deepak sahu wrote previously:
>> We have a full-fledged concept of how to generate points on EC and are
>> working on a new blind signature concept.
>> We have also implemented our idea in Java.
and in an email today:
> What I want to know is where we can apply the concept of blind
> signature in Java.
It's not really clear what you are proposing and thus hard to judge
whether it would be appropriate for inclusion in the OpenJDK.
I was originally thinking that what you'd like the group to consider is
to add a BlindSignature API/engine to the JDK, and that one of the
possible implementations could be this new algorithm you're working on.
But in today's email when you mentioned "...where we can apply...", I
was wondering if you were instead looking for existing components in the
JDK that could receive benefit from using a blinding algorithm.
I'm not sure about the utility of a general BlindingSignature class, at
least not in the way I'm thinking what such an object might look like
(i.e. where a provider takes a datastream and does both
blinding/signing). If you're pumping in the actual object/datastream, a
malicious provider could simply capture the data, negating the blinding
effect. It seems to me you'd want the blinding in your application
layer that you trust, and have the providers sign the blinded data using
a normal Signature object. But again, more info here would be good.
>> Anyone can guide us in including this RFE into JDK7
The security group (security-dev@) is the right group, but we need to
understand what's really being proposed. And of course, whenever
dealing in ECC (Elliptic Curve Cryptography), we will have to be very
careful about patent issues.
As you probably know from:
http://openjdk.java.net/contribute/
contributions to the OpenJDK effort are governed by the Sun Contributor
Agreement (SCA). If you're not already familiar with that information,
please have a look.
In your email, you mentioned "we have..." so I assume there's more than
one of you. One of the things I needed to check on was how group
contributions are handled. There's a FAQ on the SCA at:
http://www.sun.com/software/opensource/contributor_agreement.jsp
Are you part of a company, a university effort, a group of individuals,
or something else? If you're a group of individuals, I'm guessing each
person would probably have to sign the SCA, but I'd need to check that.
I hope this helps.
Brad
P.S. FYI, for JDK7/OpenJDK7 we are currently working on a Java version
of the general ECC algorithms for the Sun/SunJCE providers, and it will be
based on the NSS implementation.