
Re: [Taler] [CFRG] RSA blind signatures


From: Jeff Burdges
Subject: Re: [Taler] [CFRG] RSA blind signatures
Date: Thu, 25 Feb 2021 14:35:59 +0100


> On 25 Feb 2021, at 13:32, Christopher Wood <caw@heapingbits.net> wrote:
> On Wed, Feb 24, 2021, at 10:44 PM, Jeff Burdges wrote:
>> 
>> That’s randomness by the token holder.  I’m talking about randomness 
>> held by the issuer.
> 
> Perhaps I'm missing something, but my point was the following: Clients, who 
> actually encode messages -- either via FDH or PSS -- require randomness to 
> blind their message sent to the server. Servers (issuers), in contrast, 
> deterministically sign the blinded message sent to them. (They hopefully also 
> include some variant of blinding to mitigate obvious side channels, but 
> that's an implementation detail.)

There is no randomness inside FDH but the salt in PSS is randomness, which the 
security arguments for PSS require comes from the signer, and cannot come from 
the signer in a blind signature.

This does not say PSS becomes insecure when this randomness comes from the 
user, but one cannot cite existing arguments about PSS being secure.  Instead, 
one should acknowledge that PSS with user-controlled salt acts like a hash with 
domain [0..2^(k-8)] with k maximal such that 2^k < n, and then find some 
arguments that this suffices.

> I'm not an expert, and I'm certainly not advocating for it, but 2019/1268 [1] 
> seems to suggest it's safe.
> [1] https://eprint.iacr.org/2019/1268.pdf

Oh cool?  Where?  I missed anything about empty or fixed salts.  That’s what 
you want if you want to use PSS.

Jeff
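
The exchange discussed in this message, as an added example that is not part of the original email or of any Taler or CFRG code: a blind RSA signature over a full-domain hash, showing that the only randomness is the client's blinding factor and that the issuer's operation and the final signature are deterministic. The toy modulus, the SHAKE-256 based `fdh`, and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy key from two Mersenne primes: far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def fdh(message: bytes) -> int:
    """Deterministic full-domain hash into Z_N (SHAKE-256 is an assumption)."""
    # 128 extra output bits keep the bias from the modular reduction negligible.
    nbytes = (N.bit_length() + 7) // 8 + 16
    return int.from_bytes(hashlib.shake_256(message).digest(nbytes), "big") % N


def blind(message: bytes):
    """Client: the only randomness in the protocol is the blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (fdh(message) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer: plain RSA private-key operation, no salt and no randomness."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Client: strip r to obtain the signature on fdh(message)."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(message: bytes, sig: int) -> bool:
    return pow(sig, E, N) == fdh(message)


if __name__ == "__main__":
    coin = b"constructed sample token"
    b1, r1 = blind(coin)
    b2, r2 = blind(coin)
    s1 = unblind(issuer_sign(b1), r1)
    s2 = unblind(issuer_sign(b2), r2)
    # Blinded values differ, yet the unblinded FDH signature is unique.
    print(b1 != b2, s1 == s2, verify(coin, s1))
```

With a PSS encoding in place of `fdh`, the encoded message would also depend on a salt chosen by the client, which is the case the message says existing PSS security arguments do not cover.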



