[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signa

From: Jacob Bachmeyer
Subject: Re: [Taler] [CFRG] Call for adoption for draft-wood-cfrg-rsa-blind-signatures
Date: Wed, 28 Apr 2021 23:38:30 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20090807 MultiZilla/ SeaMonkey/1.1.17 Mnenhy/

Riad S. Wahby wrote:
Jeff Burdges <burdges@gnunet.org> wrote:
We need a strong clarification that blinding factors should be
rejection sampled from the RSA group, meaning same bit width
and rejection if they exceed the modulus.  I’ve some GCD test
in GNU Taler’s code but that’s unnecessary since n - phi(n) = pq
- (p-1)(q-1) = p + q -1 << n.

As an alternative to rejection sampling, why not sample log2(n)+128
bits, interpret as an integer, and reduce mod n? That gives a result
statistically close to uniform mod n without a loop.

Or log2(n)+256 bits, if that feels better :)

Agreed that the GCD test is superfluous. The chance of getting a "bad"
value is morally equivalent to the chance of guessing a factor of n.

What are the consequences of using a "bad" value?

Does the GCD test itself cause a timing leak or is it completed in constant time?

-- Jacob

reply via email to

[Prev in Thread] Current Thread [Next in Thread]