[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
## Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signa

**From**: |
Riad S. Wahby |

**Subject**: |
Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signatures |

**Date**: |
Wed, 28 Apr 2021 08:33:03 -0400 |

Jeff Burdges <burdges@gnunet.org> wrote:
>* We need a strong clarification that blinding factors should be*
>* rejection sampled from the RSA group, meaning same bit width*
>* and rejection if they exceed the modulus. I’ve some GCD test*
>* in GNU Taler’s code but that’s unnecessary since n - phi(n) = pq*
>* - (p-1)(q-1) = p + q -1 << n.*
As an alternative to rejection sampling, why not sample log2(n)+128
bits, interpret as an integer, and reduce mod n? That gives a result
statistically close to uniform mod n without a loop.
Or log2(n)+256 bits, if that feels better :)
Agreed that the GCD test is superfluous. The chance of getting a "bad"
value is morally equivalent to the chance of guessing a factor of n.
Cheers,
-=rsw