[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signa

From: Riad S. Wahby
Subject: Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signatures
Date: Wed, 28 Apr 2021 08:33:03 -0400

Jeff Burdges <burdges@gnunet.org> wrote:
> We need a strong clarification that blinding factors should be
> rejection sampled from the RSA group, meaning same bit width
> and rejection if they exceed the modulus.  I’ve some GCD test
> in GNU Taler’s code but that’s unnecessary since n - phi(n) = pq
> - (p-1)(q-1) = p + q -1 << n.

As an alternative to rejection sampling, why not sample log2(n)+128
bits, interpret as an integer, and reduce mod n? That gives a result
statistically close to uniform mod n without a loop.

Or log2(n)+256 bits, if that feels better :)

Agreed that the GCD test is superfluous. The chance of getting a "bad"
value is morally equivalent to the chance of guessing a factor of n.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]