[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] Clause Blind Schnorr Signatures
|
From: |
Christian Grothoff |
|
Subject: |
Re: [Taler] Clause Blind Schnorr Signatures |
|
Date: |
Thu, 26 Sep 2019 16:23:10 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 |
Interesting, albeit the paper doesn't (easily) give me some other key
bits: do you have any idea on performance (CPU, message size)? Three
moves _may_ not be an issue if we can integrate them with the
refresh/reveal stages which are 3 move already anyway --- but of course
that would always a major drawback for regular /withdraw operations.
Overall, my first impression is that this doesn't really improve for us
over RSA (3 moves, still not post-quantum) and has the obvious drawback
of being very new and thus inherently not well-studied (and quite
complex!). So for now, I'd not even seriously consider switching,
unless (1) we know for some reason that RSA blind signatures were broken
beyond the point that increasing the key size would fix it, (2) this is
somehow extended to a post-quantum scheme and we have a quantum
computer, or (3) unexpectedly this thing trumps RSA by a significant
margin in size and CPU speed (for same security level) *and* it has seen
at least a decade of intense study ;-).
My 2 cents
Christian
On 9/26/19 4:00 PM, Jeff Burdges wrote:
>
> There is a recent paper https://eprint.iacr.org/2019/877.pdf in section 5 of
> which the authors produce a secure blind Schnorr signature in the algebraic
> group model plus OMDL. In essence, it opens parallel signing queries and the
> signer random selects which to finish, which sounds fairly amenable to Taler,
> except blind Schnorr still need three moves, while blind RSA and blind BLS
> only need two,
>
> Jeff
>
signature.asc
Description: OpenPGP digital signature