Re: [Taler] question about "how to issue": quantum computer attacks

From: Calvin Burns
Subject: Re: [Taler] question about "how to issue": quantum computer attacks
Date: Sat, 22 Oct 2022 12:41:26 +0000

On Fri, 10/21/2022 11:01:27 PM, Jeff Burdges wrote:
> On Oct 21 2022, at 4:55 pm, Calvin Burns via Taler <taler@gnu.org> wrote:
> > I cite from [1]: "Furthermore, RSA blinding would provide privacy protection
> > even against quantum computer attacks."
> > 
> > Could someone please give an explanation for why this is true?
> > Or please give a link to literature or some keywords or other pointers.
> Many blind signature flavors like RSA, BLS, Schnorr have issuing that
> morally looks like  b^{-1} (sk (b x))  with () being protocol moves, so
> the bank sees  b x  when issuing and  x  when spending.  As b is random,
> these are perfectly / statistically / information theoretically hiding,
> as opposed to only computationally hiding.
> Many zero knowledge proofs like Groth16 in ZCash are similarly perfectly 
> hiding.
> Jeff

Thanks, Jeff.

So what an attacker (who does not know b) with a quantum computer (qc) could try
is to calculate sk^{-1} ("morally"), which gives bx.  But for all messages x'
there is a b' ∈ B from the set B of blinding factors (like b) such that b'x' = 
That means from the attacker's perspective x could have been any message. He just
needs to choose an appropriate b' ∈ B to get bx.
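Calvin's argument above, worked through as an added example that is not part of this thread: a toy RSA blind signature in Python (constructed, deliberately tiny key; message values are made up) where, for any candidate message x', a blinding factor b' exists that reproduces exactly the value the bank saw at issuing. The helper `blinding_factor_explaining` uses the signer's d only as a shortcut to exhibit that b'; the existence of b' does not depend on anyone being able to compute it.

```python
import secrets
from math import gcd

# Constructed toy RSA key: two small primes, far too weak for real use,
# chosen only so the arithmetic is easy to follow.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # signer's secret exponent, "sk" in Jeff's notation


def random_blinding_factor(n=N):
    """Client: pick b uniformly from the units mod n (the set B)."""
    while True:
        b = secrets.randbelow(n)
        if b > 1 and gcd(b, n) == 1:
            return b


def blind(x, b):
    """Client: hide message x as b^e * x, the value the bank sees at issuing."""
    return (pow(b, E, N) * x) % N


def sign(blinded):
    """Bank: apply sk, i.e. raise to d, seeing only the blinded value."""
    return pow(blinded, D, N)


def unblind(blinded_sig, b):
    """Client: strip b to obtain a plain RSA signature on x (seen at spending)."""
    return (blinded_sig * pow(b, -1, N)) % N


def verify(x, sig):
    return pow(sig, E, N) == x % N


def issue_and_spend(x):
    """Full round trip; returns what the bank saw and the final signature."""
    b = random_blinding_factor()
    seen_at_issue = blind(x, b)
    sig = unblind(sign(seen_at_issue), b)
    assert verify(x, sig)
    return seen_at_issue, sig


def blinding_factor_explaining(seen_at_issue, x_prime):
    """For ANY candidate x' coprime to N, return b' with b'^e * x' == seen_at_issue.
    Since gcd(e, phi(N)) == 1, the map b -> b^e is a bijection on the units mod N,
    so b' always exists; d is used here merely to find it quickly."""
    target = (seen_at_issue * pow(x_prime, -1, N)) % N   # need b'^e == target
    return pow(target, D, N)
```

Running `issue_and_spend` with one message and then `blinding_factor_explaining` with several unrelated candidates shows every candidate blinds to the same value the bank recorded, which is the sense in which the blinded value reveals nothing about x regardless of the attacker's computing power.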
