## [Taler] OPRFs

**From**: Jeff Burdges
**Subject**: [Taler] OPRFs
**Date**: Fri, 10 Nov 2017 16:01:36 +0100

Florian & Christian,
Oblivious pseudorandom functions (OPRFs) are something a bit "less" than
blind signatures, but they are good to know about because they will be a
competitor to Taler for some applications:
https://blog.cloudflare.com/privacy-pass-the-math/
In fact, we could likely deploy Taler with an OPRF where the secret t is
the coin public key. We'd lose some functionality though:
In Taler, I'd imagine the merchant checks the exchange's denomination
key signature before running the deposit protocol. An OPRF makes this
impossible, so merchants could be used to hide botnet nodes in a DDoS
attack on an exchange, and maybe merchants should be slightly more
careful about delays in depositing.
In principle, the OPRF described here should have "more secure" blinding
than Taler because an adversary must compromise both the scalar
multiplication on NIST P256 and the hash function that produces the
blinding scalar. In practice, I'd worry the blinding scalar might not
actually be full domain, like say if P256 plays games with the sign like
curve25519, so a quantum adversary who could break the scalar
multiplication could gain a fraction of a bit of information about the
coin spender's identity.
In practice, we've already addressed any complexities in RSA, and doing
so is commonplace, while all the OPRF scheme incurs unknown new
complexities. And our coins represent real money not a fraction of a
CAPTCHA, so the extra bandwidth for RSA sounds okay.
Jeff
