
Re: [Taler] Clause Blind Schnorr Signatures


From: Jeff Burdges
Subject: Re: [Taler] Clause Blind Schnorr Signatures
Date: Fri, 27 Sep 2019 00:31:34 +0200


> On 26 Sep 2019, at 16:23, Christian Grothoff <address@hidden> wrote:
> Interesting, albeit the paper doesn't (easily) give me some other key
> bits: do you have any idea on performance (CPU, message size)?

It’s seemingly one extra curve point multiplication over regular Schnorr, but 
actually the paper mentions possibly doing even more of these, so one should 
actually look over the security bounds and especially figure out if a Wagner 
attack can be “aborted” to withdraw valid coins.

> Three moves _may_ not be an issue if we can integrate them with the
> refresh/reveal stages which are 3 move already anyway --- but of course
> that would always be a major drawback for regular /withdraw operations.

It’d clearly add a move to withdrawal.  In refresh, we have the user submit the 
planchets in the first move, so this would add an initial 0th move to refresh 
too.  I think doing the nonces in some preliminary step sounds fragile.

> Overall, my first impression is that this doesn't really improve for us over 
> RSA (3 moves,

There is a lot of extra code complexity in that extra move, really two extra 
moves since the user initiates.  If however the system is busy enough then 
maybe the extra complexity is worth the space savings, like 64 bytes vs RSA 
sizes, or the significantly faster signatures and verification, or the nice 
batch verification.

There are systems like CloudFlare or Tor’s new proposed hidden service spam 
defence token in which the service initiates the pay out. Tor was seriously 
considering the CloudFlare style OPRF, but I argued that blind signatures fit 
their use case better.  I even argued they should simply accept the forgeries 
from Wagner’s attack, instead of using OPRFs.  I forget the whole reason now, 
but partially that blind signatures work better for certificate transparency.

> still not post-quantum

It’s possible Wagner’s attack and this trick might prove relevant, as many 
lattice signatures look much like Schnorr.

> and has the obvious drawback
> of being very new and thus inherently not well-studied (and quite
> complex!).

I’m mostly worried about if merely two nonces suffice or if you need more.

Jeff

Attachment: signature.asc
Description: Message signed with OpenPGP
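
The three-move exchange with two nonces discussed in the message above, as an added example that is not part of the original post and not code from Taler or from the paper. It assumes the clause construction has the signer commit to two nonces, receive a blinded challenge for each, and answer only one chosen at random; the tiny multiplicative group stands in for the curve, and all function names and parameters are hypothetical.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (far too small for real use): p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def H(R, msg):
    """Challenge hash c' = H(R', m), reduced mod q."""
    d = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(d, "big") % Q

def rand():
    return secrets.randbelow(Q - 1) + 1

def signer_commit():
    """Move 1 (signer -> user): two nonce commitments instead of Schnorr's one."""
    r = (rand(), rand())
    return r, (pow(G, r[0], P), pow(G, r[1], P))

def user_blind(X, R, msg):
    """Move 2 (user -> signer): blind both commitments, send both challenges."""
    state, c = [], []
    for Ri in R:
        a, b = rand(), rand()                      # blinding factors
        Rp = Ri * pow(G, a, P) * pow(X, b, P) % P  # blinded commitment R'
        state.append((a, Rp))
        c.append((H(Rp, msg) + b) % Q)             # blinded challenge
    return state, tuple(c)

def signer_respond(x, r, c):
    """Move 3 (signer -> user): pick one clause at random and answer only it."""
    b = secrets.randbelow(2)
    return b, (r[b] + c[b] * x) % Q

def user_unblind(state, b, s):
    a, Rp = state[b]
    return Rp, (s + a) % Q                         # ordinary Schnorr pair (R', s')

def verify(X, msg, sig):
    Rp, s = sig
    return pow(G, s, P) == Rp * pow(X, H(Rp, msg), P) % P

def run(msg=b"planchet"):
    x = rand()                                     # signer's secret key
    X = pow(G, x, P)
    r, R = signer_commit()
    state, c = user_blind(X, R, msg)
    b, s = signer_respond(x, r, c)
    return X, user_unblind(state, b, s)
```

The result verifies as a plain Schnorr signature, so the cost over regular blind Schnorr is the second commitment and the second challenge on the wire.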


reply via email to

[Prev in Thread] Current Thread [Next in Thread]