[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signa
Riad S. Wahby
Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signatures
Wed, 28 Apr 2021 08:33:03 -0400
Jeff Burdges <firstname.lastname@example.org> wrote:
> We need a strong clarification that blinding factors should be
> rejection sampled from the RSA group, meaning same bit width
> and rejection if they exceed the modulus. I’ve some GCD test
> in GNU Taler’s code but that’s unnecessary since n - phi(n) = pq
> - (p-1)(q-1) = p + q -1 << n.
As an alternative to rejection sampling, why not sample log2(n)+128
bits, interpret as an integer, and reduce mod n? That gives a result
statistically close to uniform mod n without a loop.
Or log2(n)+256 bits, if that feels better :)
Agreed that the GCD test is superfluous. The chance of getting a "bad"
value is morally equivalent to the chance of guessing a factor of n.