Re: [Taler] [CFRG] RSA blind signatures

taler

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] [CFRG] RSA blind signatures

From:	Jeff Burdges
Subject:	Re: [Taler] [CFRG] RSA blind signatures
Date:	Wed, 24 Feb 2021 09:03:32 +0100

Hello Chris,

It’s critically important the blinding factor r be a uniformly random integer 
mod n, which I think deserves more emphasis than you give.  There is an easy 
deanonymization attack if r were say generated a random integer mod 
2^{floor(log2 n)}.  You hould emphasize that random_integer should be 
instantiated with a CSPRNG and rejection sampling, maybe even specify the 
rejection sampling algorithm starting with shake or chacha.  

If I recall, RSA-PSS depends upon signer randomness for its security arguments. 
 As such, one should ideally not base an RSA blind signature off PSS but 
instead specify a full domain hash (FDH).  

At this point, one could specify the blinding factor be produced by applying 
the FDH to system randomness.  This is what I did for Taler’s blind RSA 
signatures: https://taler.net/en/

Initially I wanted to point you to the RSA-FDH-VRF in 
https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/ except..  Actually the 
RSA-FDH-VRF draft does not properly specify the FDH either, but only points to 
https://tools.ietf.org/html/rfc8017 which does not specify the FDH.

An FDH is a pretty easy notion but people get this wrong.  Also, there might be 
interoperability advantages in specifying it more fully. 

Best,
Jeff

p.s.  I think one should not deploy RSA-FDH-VRF but instead work through all 
the tricks to make Rabin-Williams deterministic.  It’s not too hard but not as 
easy as RSA-FDH-VRF.  I’ve no looked at wether Rabin-Williams could be adopted 
to blind signatures, but I think some issues arose beyond what one alters for a 
Rabin-Williams VRF. 

> On 23 Feb 2021, at 18:37, Christopher Wood <caw@heapingbits.net> wrote:
> 
> There are a growing number of use cases where we need something like VOPRFs 
> but with public verifiability [1,2]. Given the results in 2020/945 [3], it 
> seems prudent to try and fill the gap with something we know is reasonably 
> safe. To that end, here's a draft describing RSA-based blind signatures:
> 
>   
> https://chris-wood.github.io/draft-wood-cfrg-blind-signatures/draft-wood-cfrg-rsa-blind-signatures.html
> 
> (I missed the deadline yesterday, so apologies for not having an actual 
> datatracker draft to point at.)
> 
> Obviously, something better than RSA (in terms of bandwidth and overall 
> messages) would be great. But it's not clear what that is right now.
> 
> Time permitting, I'd like to request some time on the agenda to present this 
> to the group at IETF 110.
> 
> Thanks,
> Chris
> 
> [1] https://github.com/ietf-wg-privacypass/base-drafts/issues/40
> [2] https://github.com/privacycg/private-click-measurement/issues/27
> [3] https://eprint.iacr.org/2020/945.pdf
> 
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Taler] [CFRG] RSA blind signatures, Jeff Burdges <=
- Re: [Taler] [CFRG] RSA blind signatures, Christopher Wood, 2021/02/24
  - Re: [Taler] [CFRG] RSA blind signatures, Jeff Burdges, 2021/02/25
    - Re: [Taler] [CFRG] RSA blind signatures, Christopher Wood, 2021/02/25
    - Re: [Taler] [CFRG] RSA blind signatures, Jeff Burdges, 2021/02/25
    - Re: [Taler] [CFRG] RSA blind signatures, Mihir Bellare, 2021/02/25
    - Re: [Taler] [CFRG] RSA blind signatures, Jeff Burdges, 2021/02/25
- Re: [Taler] [CFRG] RSA blind signatures, Jeff Burdges, 2021/02/24

Prev by Date: Re: [Taler] (docs) taler-in-a-nutshell.txt
Next by Date: Re: [Taler] [CFRG] RSA blind signatures
Previous by thread: [Taler] Fwd: [CFRG] RSA blind signatures
Next by thread: Re: [Taler] [CFRG] RSA blind signatures
Index(es):
- Date
- Thread