Re: [Taler] [CFRG] RSA blind signatures


From: Jeff Burdges
Subject: Re: [Taler] [CFRG] RSA blind signatures
Date: Thu, 25 Feb 2021 19:58:41 +0100

> On 25 Feb 2021, at 17:38, Mihir Bellare <mihir@eng.ucsd.edu> wrote:
> The proofs for RSA-FDH and RSA-PSS as normal signatures are from the 
> one-wayness assumption on RSA. As you say, the reduction for RSA-PSS is 
> tight, and that for RSA-FDH is not. The proof for Blind-RSA-FDH is from the 
> One-More Discrete Log (OMDL) problem, and this would also be the case for 
> Blind-RSA-PSS. I have not done the latter proof in detail, so this is just a 
> guess, but I don't see a difference in tightness between the two. So from the 
> point of view of tightness of security arguments, my guess is that 
> Blind-RSA-FDH and Blind-RSA-PSS are about the same.

Cool, good enough.  :)

In this case, Chris' draft could just say PSS gets used only as a “large domain 
hash” or some similar phrasing, and maybe mention security arguments rest on 
OMDL as opposed to the usual PSS arguments.  I suppose the VRF draft could use 
PSS with an empty salt for the same reason this draft does.

> I understand of course that there may be many other factors and reasons to 
> prefer one over the other.

I think both RSA VRFs and blind RSA require enough extra code to avoid footguns 
that folks could implement an FDH too, but if PSS suffices then reusing it 
avoids some mistakes.  

Jeff

p.s.  It’s also worth mentioning that blind Schnorr signatures now make sense 
using https://eprint.iacr.org/2019/877.pdf although the two round trips make 
them painful.  
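The construction discussed in this message, PSS with an empty salt acting only as a large-domain hash under RSA blinding, sketched as an added example (not code from this thread, from Taler, or from any draft). Assumptions: SHA-256 with MGF1, a constructed toy key, and hypothetical function names; the invertibility check on r and the verify-before-accept step are this example's choices.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key built from two Mersenne primes so the block runs offline.
# Structured primes like these are NOT secure; illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def mgf1(seed, length):
    """MGF1 with SHA-256 (RFC 8017, B.2.1)."""
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def pss_encode_empty_salt(msg, mod_bits=N.bit_length()):
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1) with sLen = 0: deterministic."""
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    if em_len < 32 + 2:
        raise ValueError("modulus too small for SHA-256 PSS")
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest()).digest()
    db = b"\x00" * (em_len - 32 - 2) + b"\x01"      # PS || 0x01 || empty salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)      # clear bits above emBits
    return int.from_bytes(bytes(masked) + h + b"\xbc", "big")

def blind(msg):
    """Client: encode, then multiply by r^e for a fresh invertible r."""
    m = pss_encode_empty_salt(msg)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def sign_blinded(blinded):
    """Signer: raw RSA private-key operation on the blinded value."""
    return pow(blinded, D, N)

def verify(msg, sig):
    """With an empty salt the verifier can recompute the encoding and compare."""
    return 0 <= sig < N and pow(sig, E, N) == pss_encode_empty_salt(msg)

def finalize(msg, blind_sig, r):
    """Client: unblind, and reject anything that fails verification."""
    sig = (blind_sig * pow(r, -1, N)) % N
    if not verify(msg, sig):
        raise ValueError("signer returned an invalid blind signature")
    return sig
```

Because the salt is empty, two independent blinding runs over the same message end in the same signature, while the signer sees unrelated blinded values each time.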




