{"id":15715551,"url":"https://github.com/cloudflare/blindrsa-ts","last_synced_at":"2025-10-20T04:30:40.302Z","repository":{"id":187595487,"uuid":"677045107","full_name":"cloudflare/blindrsa-ts","owner":"cloudflare","description":"A TypeScript Library for Blind RSA Signature protocol","archived":false,"fork":false,"pushed_at":"2024-09-30T18:49:56.000Z","size":321,"stargazers_count":15,"open_issues_count":2,"forks_count":3,"subscribers_count":12,"default_branch":"main","last_synced_at":"2024-10-29T19:59:16.641Z","etag":null,"topics":["blind-rsa","cryptography","typescript"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudflare.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-10T15:55:18.000Z","updated_at":"2024-09-30T18:49:59.000Z","dependencies_parsed_at":null,"dependency_job_id":"22454bdd-b9d5-44bc-8bb9-a6a870c558e7","html_url":"https://github.com/cloudflare/blindrsa-ts","commit_stats":null,"previous_names":["cloudflare/blindrsa-ts"],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fblindrsa-ts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fblindrsa-ts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fblindrsa-ts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fblindrsa-ts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudflare","download_url":"https://codeload.github.com/cloudflare/blindrsa-ts/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237261773,"owners_count":19281310,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blind-rsa","cryptography","typescript"],"created_at":"2024-10-03T21:41:59.711Z","updated_at":"2025-10-20T04:30:39.968Z","avatar_url":"https://github.com/cloudflare.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![NPM](https://img.shields.io/npm/v/@cloudflare/blindrsa-ts?style=plastic)](https://www.npmjs.com/package/@cloudflare/blindrsa-ts) [![NPM](https://img.shields.io/npm/l/@cloudflare/blindrsa-ts?style=plastic)](LICENSE.txt)\n\n[![NPM](https://nodei.co/npm/@cloudflare/blindrsa-ts.png)](https://www.npmjs.com/package/@cloudflare/blindrsa-ts)\n\n# blindrsa-ts: A TypeScript Library for Blind and Partially-Blind RSA Signature Protocols\n\n**Specification:** Library is compliant with the [RFC-9474](https://www.rfc-editor.org/info/rfc9474) document by IETF/IRTF, with [Partially Blind RSA Signatures Draft 02](https://datatracker.ietf.org/doc/html/draft-amjad-cfrg-partially-blind-rsa-02), and matches the provided [tests vectors](https://www.rfc-editor.org/rfc/rfc9474.html#appendix-A), [resp](https://datatracker.ietf.org/doc/html/draft-amjad-cfrg-partially-blind-rsa-02#name-test-vectors).\n\n## Blind RSA Signature Protocol\n\nThe RSA Blind Signature Protocol is a two-party protocol between a Client and Server where they interact to compute\n\n`sig = Sign(sk, input_msg)`\n\nwhere `input_msg = Prepare(msg)` is a prepared version of the private message `msg` provided by the Client, and `sk` is the private signing key provided by the Server.\n\n```js\n Client(pk, msg)                      Server(sk, pk)\n-----------------------------------------------------\ninput_msg = Prepare(msg)\nblinded_msg, inv = Blind(pk, input_msg)\n                      blinded_msg\n                      ----------\u003e\n               blind_sig = BlindSign(sk, blinded_msg)\n                       blind_sig\n                      \u003c----------\nsig = Finalize(pk, input_msg, blind_sig, inv)\n```\n\n## Partially-Blind RSA Signature Protocol\n\nOne possible generalization of the protocol above is Partially-Blind Signatures, in which an additional `info` string can be provided, allowing public metadata to be shared.\n\n```js\n Client(pk, msg, info)          Server(sk, pk, info)\n-------------------------------------------------------\ninput_msg = Prepare(msg)\nblind_msg, inv = Blind(pk, input_msg, info)\n                      blind_msg\n                      ----------\u003e\n          blind_sig = BlindSign(sk, blind_msg, info)\n                       blind_sig\n                      \u003c----------\nsig = Finalize(pk, input_msg, info, blind_sig, inv)\n```\n\n### Usage\n\n#### Variants Supported\n\nThis package supports the four variants specified in [RFC9474](https://www.rfc-editor.org/info/rfc9474). Consult [Section 5](https://www.rfc-editor.org/rfc/rfc9474.html#section-5) of the document for the proper usage of each variant in an application.\n\n```ts\nimport { RSABSSA } from '@cloudflare/blindrsa-ts';\nconst variants = [\n    RSABSSA.SHA384.PSS.Randomized,\n    RSABSSA.SHA384.PSSZero.Randomized,\n    RSABSSA.SHA384.PSS.Deterministic,\n    RSABSSA.SHA384.PSSZero.Deterministic,\n];\n```\n\nIn addition, it supports the four variants specified in [Partially Blind RSA Signatures Draft 02](https://datatracker.ietf.org/doc/html/draft-amjad-cfrg-partially-blind-rsa-02). Consult [Section 6](https://datatracker.ietf.org/doc/html/draft-amjad-cfrg-partially-blind-rsa-02#name-rsapbssa-variants) of the document for the proper usage of each variant in an application.\n\n```ts\nimport { RSAPBSSA } from '@cloudflare/blindrsa-ts';\nconst variants = [\n    RSAPBSSA.SHA384.PSS.Randomized,\n    RSAPBSSA.SHA384.PSSZero.Randomized,\n    RSAPBSSA.SHA384.PSS.Deterministic,\n    RSAPBSSA.SHA384.PSSZero.Deterministic,\n];\n```\n\n#### Platform specific configuration\n\n**Optimizations**\n\nBy default, this library uses the [WebCrypto API](https://w3c.github.io/webcrypto/). Certain platforms, such as [Cloudflare Workers](https://github.com/cloudflare/workerd/blob/6b63c701e263a311c2a3ce64e2aeada69afc32a1/src/workerd/api/crypto-impl-asymmetric.c%2B%2B#L827-L868), have implemented native operation. These can be enabled by passing `{ supportRSARAW: true }` when retrieving a suite.\nAt the time of writing, this dedicated optimization is done only for the `BlindSign` operation. Key type does not have to be modified, and will be set to `RSA-RAW` by the library for the time of the operation.\n\n**Partially Blind RSA verification**\n\nThis library does not support Partially Blind RSA signature verification in browser. This is due to [`crypto.subtle`](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle) implementations not allowing large public exponents required by Partially Blind RSA. You can follow bugs for [Chromium](https://issues.chromium.org/issues/340178598) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1896444).\n\n#### Setup\n\nOnce a Blind-RSA variant was chosen, start by generating the server's key pair. Both the key length and the public exponent can be specified.\n\n```ts\nconst suite = RSABSSA.SHA384.PSS.Randomized();\nconst { privateKey, publicKey } = await suite.generateKey({\n    publicExponent: Uint8Array.from([1, 0, 1]),\n    modulusLength: 2048,\n});\n```\n\nServer distributes its public key to clients.\n\n#### Partially Blind RSA Signatures consideration\n\nPartially Blind RSA Signatures requires Client and Server to have a public byte array `info` shared out-of-band. Where applicable, this byte array has to be provided as a parameter. Please refer to the example provided in [examples/partially_blindrsa.ts](./examples/partially_blindrsa.ts) to see usage.\n\n#### Step 1\n\nThe client prepares arbitrary input to be blindly-signed by the server. The `blind` method generates a blinded message and an inverse object that later will be used during the finalization step.\n\n```ts\nconst msgString = 'Alice and Bob';\nconst message = new TextEncoder().encode(msgString);\nconst preparedMsg = suite.prepare(message);\nconst { blindedMsg, inv } = await suite.blind(publicKey, preparedMsg);\n```\n\nThe client sends only the blinded message to the server.\n\n#### Step 2\n\nOnce the server received the blinded message, it responds to the client with a blind signature.\n\n```ts\nconst blindSignature = await suite.blindSign(privateKey, blindedMsg);\n```\n\nThe server sends the blinded signature to the client.\n\n#### Step 3\n\nThe client produces the final signature using blinded signature received from the server together with the inverse object generated at the first step.\n\n```ts\nconst signature = await suite.finalize(publicKey, preparedMsg, blindSignature, inv);\n```\n\nThus, the client obtains a pair `(preparedMsg, signature)` which can be verified for validity.\n\n#### Step 4\n\nAnyone with access to the server's public key can verify the signature on top of the `preparedMsg`.\n\n```ts\nconst isValid = await suite.verify(publicKey, signature, preparedMsg); // true\n```\n\n### Development\n\n| Task            | NPM scripts          |\n| --------------- | -------------------- |\n| Installing      | `$ npm ci`           |\n| Building        | `$ npm run build`    |\n| Unit Tests      | `$ npm run test`     |\n| Examples        | `$ npm run examples` |\n| Code Linting    | `$ npm run lint`     |\n| Code Formatting | `$ npm run format`   |\n\n#### Dependencies\n\nThis project uses the Stanford JavaScript Crypto Library [sjcl](https://github.com/bitwiseshiftleft/sjcl). Use the following command to configure the library.\n\n```sh\nmake -f sjcl.Makefile\n```\n\n### License\n\nThe project is licensed under the [Apache-2.0 License](LICENSE.txt).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudflare%2Fblindrsa-ts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudflare%2Fblindrsa-ts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudflare%2Fblindrsa-ts/lists"}