Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-02.txt

Ian Goldberg <> Wed, 18 August 2021 21:49 UTC


On Mon, Aug 02, 2021 at 01:29:12PM -0400, Ian Goldberg wrote:
> On Mon, Aug 02, 2021 at 08:48:49AM -0700, Christopher Wood wrote:
> > As of now, there are no more outstanding issues against this draft. The editors think this version is feature complete and would welcome additional review. Please send any and all feedback either here on the list or as an issue:
> > 
> >
> In 8.6, should "Signers can enforce concurrent sessions" be "Signers can
> enforce a limit on concurrent sessions"?

Here are more notes.  I did not check the test vectors.


"secret keys entities" -> "secret keys to entities"
"are doubled" -> "is doubled"


There's a MUST here, but the thing that MUST be included just says "such
as RSA blinding".  First, "RSA blinding" should have a reference so that
implementers know exactly what they MUST implement (especially since
this document itself might at first glance appear to be that), but the
larger question is what does "MUST implement an X such as Y" actually
mean?  It's OK to implement X if you do it in a manner other than Y?
What if you do it in a really bad manner?


"is that signer" -> "is that the signer"


"Signers can enforce concurrent sessions, though the limit
(approximately 256) for reasonably secure elliptic curve groups is small
enough to make large-scale signature generation prohibitive.": this
sentence makes it sound as though, if you keep concurrency to less than
256, you're safe.  That's not (as I understand it) the case.  The paper
shows a very fast attack for 256 using its new [PolytimeROS] attack, but
the original subexponential [Wagner02] attack works for much smaller
levels of parallelism: for 15 parallel sessions, the attack runs in
~2^55 time (says [FPS20]), which is much lower than the desired security
parameter.  Even Clause Blind Schnorr just multiplies the complexity by
2^15 (for 15 parallel sessions), so ~2^70, which is still a far cry from
the desired 2^128 security level.


The [WM99] entry is missing authors, date, URL.

[BLS-Proposal], [PolytimeROS], [RemoteTiming] are missing dates

Ian Goldberg
Canada Research Chair in Privacy Enhancing Technologies
Professor, Cheriton School of Computer Science
University of Waterloo
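As an added illustration (not part of Ian's message or of the draft), the following Python shows what "RSA blinding" in the sense of the signer-side side-channel countermeasure looks like: the signer multiplies the input by r^e for a fresh random r before the private exponentiation and strips r afterwards, so the secret-key operation never runs directly on attacker-chosen input. The key is constructed from two Mersenne primes purely for the demonstration.

```python
import math
import secrets

# Constructed toy key for the demonstration: two Mersenne primes.
# Real deployments use properly generated moduli of 2048 bits or more.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_plain(m: int) -> int:
    """Unprotected RSA signing: the private exponentiation runs directly
    on the (possibly attacker-chosen) input m."""
    return pow(m, D, N)


def sign_blinded(m: int) -> int:
    """RSA signing with base blinding (Kocher-style countermeasure).

    Pick a fresh random r coprime to N, feed m * r^e to the private
    exponentiation, then strip r from the result:
        (m * r^e)^d * r^-1 = m^d * r^(ed) * r^-1 = m^d  (mod N)
    The secret-key operation therefore runs on a value unrelated to m,
    which denies a side-channel observer control over that input, while
    the signature produced is identical to the unprotected one.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2          # 2 <= r < N
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    blinded_sig = pow(blinded, D, N)
    sig = (blinded_sig * pow(r, -1, N)) % N
    # Check against the public key before releasing the signature.
    if pow(sig, E, N) != m % N:
        raise ValueError("blinded signature failed to verify")
    return sig


def verify(m: int, sig: int) -> bool:
    """Textbook RSA verification with the public key (E, N)."""
    return pow(sig, E, N) == m % N
```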