[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in G
Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler
Fri, 20 Aug 2021 05:04:04 +0200
EdDSA is not a blind signature scheme. There exists a classical blind Schnorr
signature scheme, but it turns out to be insecure.
There is a newer blind Schnorr signature that employs a clever abort trick, for
which security arguments exist in the algebraic group model, and some
Both add an extra round trip, which complicates the code..
At some point I’ll hopefully write down a blind adaptor certificate scheme,
almost identical to the newer blind Schnorr signature, which provides some
further savings, but still pays this extra round trip.