Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signatures
Wed, 28 Apr 2021 23:38:30 -0500
Riad S. Wahby wrote:
> Jeff Burdges <email@example.com> wrote:
> > We need a strong clarification that blinding factors should be
> > rejection sampled from the RSA group, meaning same bit width
> > and rejection if they exceed the modulus. I’ve some GCD test
> > in GNU Taler’s code but that’s unnecessary since
> > n - phi(n) = pq - (p-1)(q-1) = p + q - 1 << n.
> As an alternative to rejection sampling, why not sample log2(n)+128
> bits, interpret as an integer, and reduce mod n? That gives a result
> statistically close to uniform mod n without a loop.
> Or log2(n)+256 bits, if that feels better :)
> Agreed that the GCD test is superfluous. The chance of getting a "bad"
> value is morally equivalent to the chance of guessing a factor of n.
What are the consequences of using a "bad" value?
Does the GCD test itself cause a timing leak or is it completed in
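The two sampling strategies discussed in the thread, and what actually happens when a "bad" (non-invertible) blinding factor slips through, as an added example that is not code from the thread or from GNU Taler. It assumes a constructed toy modulus built from two Mersenne primes (far too small for real use) and relies on Python's `pow(r, -1, n)` raising `ValueError` when `gcd(r, n) != 1`, which is the only place a bad factor ever surfaces: unblinding cannot compute r^-1, and the count of such residues is exactly n - phi(n) = p + q - 1.

```python
import math
import secrets

# Constructed toy RSA key: two Mersenne primes so the script runs instantly.
# A real RSA blind signature needs a modulus of 2048 bits or more.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                   # gcd(E, PHI) == 1 for these primes
D = pow(E, -1, PHI)


def count_noninvertible(n, p, q):
    """Residues in [0, n) that are not units mod n: n - phi(n) = p + q - 1."""
    return n - (p - 1) * (q - 1)


def blinding_factor_rejection(n, rng=secrets.randbits):
    """Rejection sampling as the thread describes it: draw exactly
    n.bit_length() bits and retry until 1 <= r < n.  Because n has its
    top bit set, each attempt succeeds with probability above 1/2."""
    nbits = n.bit_length()
    while True:
        r = rng(nbits)
        if 1 <= r < n:
            return r


def blinding_factor_reduce(n, extra_bits=128, rng=secrets.randbits):
    """The loop-free alternative: draw log2(n)+extra_bits bits and reduce
    mod n.  The statistical distance from uniform is about 2**-extra_bits.
    r == 0 is retried because 0 is never a unit; its probability is ~1/n."""
    while True:
        r = rng(n.bit_length() + extra_bits) % n
        if r:
            return r


def blind(n, e, msg, r):
    """Client side: hide msg behind r^e.  pow(r, -1, n) raises ValueError
    when gcd(r, n) != 1, so this is where a 'bad' r is caught."""
    r_inv = pow(r, -1, n)
    return (msg * pow(r, e, n)) % n, r_inv


def sign_blinded(n, d, blinded):
    """Signer side: an ordinary RSA signature on the blinded value."""
    return pow(blinded, d, n)


def unblind(n, blinded_sig, r_inv):
    return (blinded_sig * r_inv) % n


def verify(n, e, msg, sig):
    return pow(sig, e, n) == msg


def blind_sign_roundtrip(msg, r):
    """Full blind/sign/unblind/verify cycle with blinding factor r."""
    blinded, r_inv = blind(N, E, msg, r)
    sig = unblind(N, sign_blinded(N, D, blinded), r_inv)
    return verify(N, E, msg, sig)


def bad_factor_fails(msg, r):
    """True if r is rejected because it is not a unit mod N."""
    try:
        blind(N, E, msg, r)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = 0x2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A   # constructed; a hash in practice
    r1 = blinding_factor_rejection(N)
    r2 = blinding_factor_reduce(N)
    print("rejection-sampled r works:", blind_sign_roundtrip(msg, r1))
    print("reduced r works:          ", blind_sign_roundtrip(msg, r2))
    print("r = p is caught at unblind:", bad_factor_fails(msg, P))
    print("non-units == p+q-1:", count_noninvertible(N, P, Q) == P + Q - 1)
    print("fraction of bad r: 2**%.1f" % math.log2((P + Q - 1) / N))
```

Both samplers produce a usable factor; the difference is only whether the bias of the reduce-mod-n variant (about 2^-128 here) is acceptable, and that variant runs in a fixed number of steps. A factor with gcd(r, n) > 1 cannot be inverted, so the client's unblinding step fails outright rather than yielding a wrong signature; since any such r shares a factor with n, hitting one is as likely as guessing p or q, which is the thread's point that the GCD test buys nothing.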