Jeff Burdges <burdges@gnunet.org> wrote:
We need a strong clarification that blinding factors should be
rejection sampled from the RSA group, meaning same bit width
and rejection if they exceed the modulus. I’ve some GCD test
in GNU Taler’s code but that’s unnecessary since n - phi(n) = pq
- (p-1)(q-1) = p + q -1 << n.
As an alternative to rejection sampling, why not sample log2(n)+128
bits, interpret as an integer, and reduce mod n? That gives a result
statistically close to uniform mod n without a loop.
Or log2(n)+256 bits, if that feels better :)
Agreed that the GCD test is superfluous. The chance of getting a "bad"
value is morally equivalent to the chance of guessing a factor of n.