[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in G
Re: [Taler] Question on the Rationale in Using RSA Blind Signatures in GNU Taler
Sat, 21 Aug 2021 10:51:54 +0200
Thus spake taler--- via Taler (firstname.lastname@example.org):
> I am confused as to why the GNU Taler developers chose to use RSA
> blind signatures over--say--using EDDSA signatures.
> What comparative advantage would RSA-blind FDH signatures have over
> modern elliptic-curve based signatures such as Ed25519 for the
> purposes of GNU Taler.
Maybe you are missing the notion of _blind_ signatures here[^1]? Blind
signatures solve a particular problem:
Assume Alice wants Erin to sign a message m so that Beatrice can verify
that it was signed by Erin. However, Alice does _not_ want to disclose
the message m to Erin.
RSA allows for such blind signatures:
Instead of sending message m to Erin, Alice sends message m' with
m' = r^e * m (mod N)
Here, where r is a "blinding factor" - appropriately chosen at random by
Alice - and e is the public key of Erin. When Erin signs message m' she
learns nothing about m. She gives Alice the signature
s' = (m')^d (mod N)
Because (m')^d = (r^e * m)^d = r^(ed) * m^d = r * m^d (mod N), Alice
can calculate a _valid_ signature from Erin for the original message m
by diving by r:
s = s' * r^(-1) (mod N)
AFAIK, this feature is sort of unique to RSA.
So, in Taler, the minting process is done using blind signatures. That
way the user get's validly signed tokens but the exchange does not "see"
the tokens when signing/minting them.
Does that make sense?