Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in G

taler

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in G

From:	Jeff Burdges
Subject:	Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler
Date:	Fri, 20 Aug 2021 05:04:04 +0200

EdDSA is not a blind signature scheme.  There exists a classical blind Schnorr 
signature scheme, but it turns out to be insecure.  

There is a newer blind Schnorr signature that employs a clever abort trick, for 
which security arguments exist in the algebraic group model, and some 
subtleties exist.  

Both add an extra round trip, which complicates the code..

At some point I’ll hopefully write down a blind adaptor certificate scheme, 
almost identical to the newer blind Schnorr signature, which provides some 
further savings, but still pays this extra round trip.

Jeff

[Prev in Thread]

Current Thread

[Next in Thread]

[Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler, taler, 2021/08/19
- Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler, Jeff Burdges <=
- Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler, Özgür Kesim, 2021/08/21

Prev by Date: [Taler] Question on Purpose of RSA Blind Signatures
Next by Date: Re: [Taler] Money with capabilities
Previous by thread: [Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler
Next by thread: Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler
Index(es):
- Date
- Thread