We are given two ports on a server, Sign and Verify. Sign will sign an integer using the RSA signature scheme and Verify asks us to sign an integer providing the the public modulus and exponent. Sign it correctly and the server will give us the flag. The tricky part is that Sign won’t sign any of the messages given to us by Verify, so we need to trick it into signing our message using an RSA blinding attack.

## Blind Signatures

Blind signatures are signatures generated when the signer is supposed unaware of the contents of what they are signing.

To accomplish RSA blind signatures, first a random number $r$ is chosen that is relatively prime to $N$. This is the blinding factor. The blinded message $M'$ is then calculated by:

where $M$ is the original message, $e$ is the public exponent, and $N$ is the public modulus.

Then the blinded signature, $S'$ is calcuated by the signer:

Now the unblinded-signature can be calculated knowing $r$:

The reason this works is because the signer is really just decrypting the message with their secret key, so we can say:

Now the RSA decryption gives us that $r^{ed} = r \bmod{N}$ making our equation:

and since the $gcd(r,N) = 1$ we now are left with:

which brings us the equation from earlier:

## Implementing the Attack

While we can do all the math by hand in Sage, the server gives us a new number to sign each time we connect and also has a timer running. This means that we need to write a program to connect and calculate the signature for us, so I again opted to use a (messy) Sage Script.

##### The Code:

Running this prevents us with the flag: