[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] question about "how to issue": quantum computer attacks
|
From: |
Calvin Burns |
|
Subject: |
Re: [Taler] question about "how to issue": quantum computer attacks |
|
Date: |
Sat, 22 Oct 2022 12:41:26 +0000 |
On Fri, 10/21/2022 11:01:27 PM, Jeff Burdges wrote:
>
> On Oct 21 2022, at 4:55 pm, Calvin Burns via Taler <taler@gnu.org> wrote:
> > I cite from [1]: "Furthermore, RSA blinding would provide privacy protection
> > even against quantum computer attacks."
> >
> > Could someone please give an explanation for why this is true?
> > Or please give a link to literature or some keywords or other pointers.
>
> Many blind signature flavors like RSA, BLS, Schnor have issuing that
> morally looks like b^{-1} (sk (b x)) with () being protocol moves, so
> the bank sees b x when issuing and x when spending. As b is random,
> these are perfectly / statistically / information theoretically hiding,
> as opposed to only computationally hiding.
>
> Many zero knowledge proofs like Groth16 in ZCash are similarly perfectly
> hiding.
>
> Jeff
Thanks, Jeff.
So what an attacker (who does not know b) with a quantum computer (qc) could try
is to calculate sk⁽⁻¹⁾ ("morally") which gives bx. But for all messages x'
there is a b' ∈ B from the set B of blinding factors (like b) such that b'x' =
bx.
That means from the attackers perspective x could have been any message. He just
needs to choose an appropriate b' ∈ B to get bx.
signature.asc
Description: PGP signature