[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
## Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in G

**From**: |
Jeff Burdges |

**Subject**: |
Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler |

**Date**: |
Fri, 20 Aug 2021 05:04:04 +0200 |

EdDSA is not a blind signature scheme. There exists a classical blind Schnorr
signature scheme, but it turns out to be insecure.
There is a newer blind Schnorr signature that employs a clever abort trick, for
which security arguments exist in the algebraic group model, and some
subtleties exist.
Both add an extra round trip, which complicates the code..
At some point I’ll hopefully write down a blind adaptor certificate scheme,
almost identical to the newer blind Schnorr signature, which provides some
further savings, but still pays this extra round trip.
Jeff