[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] [CFRG] RSA blind signatures
|
From: |
Jeff Burdges |
|
Subject: |
Re: [Taler] [CFRG] RSA blind signatures |
|
Date: |
Thu, 25 Feb 2021 14:35:59 +0100 |
> On 25 Feb 2021, at 13:32, Christopher Wood <caw@heapingbits.net> wrote:
> On Wed, Feb 24, 2021, at 10:44 PM, Jeff Burdges wrote:
>>
>> That’s randomness by the token holder. I’m taking about randomness
>> held by the issuer.
>
> Perhaps I'm missing something, but my point was the following: Clients, who
> actually encode messages -- either via FDH or PSS -- require randomness to
> blind their message sent to the server. Servers (issuers), in contrast,
> deterministically sign the blinded message sent to them. (They hopefully also
> include some variant of blinding to mitigate obvious side channels, but
> that's an implementation detail.)
There is no randomness inside FDH but the salt in PSS is randomness, which the
security arguments for PSS require comes from the signer, and cannot come from
the singer in a blind signature.
This does not say PSS becomes insecure when this randomness comes from the
user, but one cannot cite existing arguments about PSS being secure. Instead,
one should acknowledge that PSS with user controlled salt acts like a hash with
domain [0..2^(k-8)] with k maximal such that 2^k < n, and then find some
arguments that this suffices.
> I'm not an expert, and I'm certainly not advocating for it, but 2019/1268 [1]
> seems to suggest it's safe.
> [1] https://eprint.iacr.org/2019/1268.pdf
Oh cool? Where? I missed anything about empty or fixed salts. That’s what
you want if you want to use PSS.
Jeff