Re: [Taler] [CFRG] RSA blind signatures


From: Mihir Bellare
Subject: Re: [Taler] [CFRG] RSA blind signatures
Date: Thu, 25 Feb 2021 08:38:10 -0800



On Wed, Feb 24, 2021 at 10:45 PM Jeff Burdges <burdges@gnunet.org> wrote:
 
> Bellare and Rogaway suggested PSS over FDH because PSS provides a tighter security argument than FDH, due to the signer providing randomness, i.e. purely a provable security reason.

The proofs for RSA-FDH and RSA-PSS as normal signatures are from the one-wayness assumption on RSA. As you say, the reduction for RSA-PSS is tight, and that for RSA-FDH is not. The proof for Blind-RSA-FDH is from the One-More Discrete Log (OMDL) problem, and this would also be the case for Blind-RSA-PSS. I have not done the latter proof in detail, so this is just a guess, but I don't see a difference in tightness between the two. So from the point of view of tightness of security arguments, my guess is that Blind-RSA-FDH and Blind-RSA-PSS are about the same. I understand of course that there may be many other factors and reasons to prefer one over the other.

PSS, when used as a normal signature, can be de-randomized in the usual way of deriving the randomness by hashing the secret signing key and the message, but this does not seem to apply in the blind case.

Mihir
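
Added example, not part of the original message: a toy Blind-RSA-FDH exchange next to the normal-signature derandomization (salt derived by hashing the secret signing key and the message) that the message mentions. The key built from two small Mersenne primes, the counter-mode FDH and all function names are assumptions made for illustration; note that the signer's function receives only the blinded value, never the message.

```python
import hashlib, hmac, secrets
from math import gcd

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # secret exponent
SK = D.to_bytes((N.bit_length() + 7) // 8, "big")

def fdh(msg: bytes) -> int:
    """Assumed full-domain hash: SHA-256 in counter mode, reduced mod N."""
    out = b"".join(hashlib.sha256(bytes([i]) + msg).digest() for i in range(2))
    return int.from_bytes(out, "big") % N

def blind(msg: bytes, r=None):
    """Requester: hide H(msg) under r^E mod N. Returns (blinded, r)."""
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return fdh(msg) * pow(r, E, N) % N, r

def sign_blinded(blinded: int) -> int:
    """Signer: input is the blinded element only; msg is not available here."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Requester: strip the blinding factor to obtain H(msg)^D mod N."""
    return blind_sig * pow(r, -1, N) % N

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == fdh(msg)

def derandomized_salt(msg: bytes) -> bytes:
    """Normal (non-blind) signing: salt = HMAC(secret key, message)."""
    return hmac.new(SK, msg, hashlib.sha256).digest()

def demo(msg: bytes = b"constructed sample message"):
    """Run the blind protocol twice on one message; return signer views and signatures."""
    views, sigs = [], []
    for _ in range(2):
        blinded, r = blind(msg)
        views.append(blinded)                # all the signer ever sees
        sigs.append(unblind(sign_blinded(blinded), r))
    return views, sigs

if __name__ == "__main__":
    views, sigs = demo()
    print("signer views differ:", views[0] != views[1])
    print("signatures verify:  ", all(verify(b"constructed sample message", s) for s in sigs))
```

In the non-blind setting `derandomized_salt` returns the same salt every time a message is signed; in the blind exchange the signer's input changes with every fresh `r`, even for the same message.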




 
 
