[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] Blind Rabin
|
From: |
Christian Grothoff |
|
Subject: |
Re: [Taler] Blind Rabin |
|
Date: |
Mon, 27 Jan 2020 19:37:45 +0100 |
|
User-agent: |
Evolution 3.30.5-1.1 |
On Sun, 2020-01-26 at 19:26 -0500, Jeff Burdges wrote:
> I’ve now forgotten, but did we ever consider using blind Rabin
> signatures?
>
> It's discussed is section 3.3 on page 7 of
> https://www.math.uzh.ch/aa/fileadmin/user/davide/publikation/SignatureRabin11.pdf
>
> It’s not exactly compatible with DJB’s Rabin-Williams signature
> variants from
> https://cr.yp.to/sigs/rwtight-20080201.pdf
> well see page 2 for the beginning of that discussion.
>
> I think these blind Rabin signatures should've the fastest
> verification for any blind signature scheme, but the signature size
> looks like at least twice that of RSA, which I think poses some
> problem for Taler, so probably not advantageous in practice, and they
> require more careful mathematics for security arguments.
>
I think we briefly looked at it and saw no big advantages over RSA.
Verification may be faster, but signing (just as relevant for the
exchange) seems significantly slower from how I read eBACS. Plus the
increased message size and the higher complexity both speak against it.
What is good is that it is also two-move like RSA, so it should be
pretty easy to plug it into Taler if for some reason RSA breaks while
Rabin survives.