Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-02.txt

Jeff Burdges <burdges@gnunet.org> Mon, 30 August 2021 10:17 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Lx8qaM8hNNyvc2GikMsU00Y7QZA>

I wonder if the underlying RSA scheme should be called roughly RSA-PDH or something, where PDH = partial domain hash, because the security does not come via the same argument as in PSS.

> On 30 Aug 2021, at 05:00, Chelsea Komlo <ckomlo@uwaterloo.ca> wrote:
> Section 5.1.1
> 
> "The blinding factor r must be randomly chosen from a uniform distribution. This is typically done via rejection sampling."
> 
> Is this not implied by the function random_integer_uniform?

In principle yes, but their desire to use PSS as a “partial domain hash” worried some of us that people would reuse the PSS “hasher” for the blinding factor, which instantly breaks the anonymity. We’ve enough cases in elliptic curves where being full domain does not matter, à la ECDSA, that people do fuck this up in blind RSA. I suggested finding more specific language for this reason.

Jeff
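
An added example, not part of the message above or of the draft: one way to draw the blinding factor r uniformly by rejection sampling, from a source independent of any message hashing, followed by a blind/sign/unblind round trip. The body of `random_integer_uniform`, the helper names and the toy key (p = 61, q = 53, e = 17) are assumptions constructed for illustration; a real modulus is thousands of bits.

```python
import secrets
from math import gcd

def random_integer_uniform(lo, hi):
    """Uniform integer in [lo, hi) via rejection sampling (no modulo bias)."""
    span = hi - lo
    if span <= 0:
        raise ValueError("empty range")
    bits = span.bit_length()
    while True:
        cand = secrets.randbits(bits)   # uniform in [0, 2**bits)
        if cand < span:                 # reject rather than reduce mod span
            return lo + cand

def sample_blinding_factor(n):
    """Fresh r, uniform over the invertible residues mod n, with its inverse."""
    while True:
        r = random_integer_uniform(1, n)
        if gcd(r, n) == 1:
            return r, pow(r, -1, n)

def blind(m, r, e, n):
    """Client side: hide the encoded message m under r^e."""
    return (m * pow(r, e, n)) % n

def unblind(blind_sig, r_inv, n):
    """Client side: strip r from the signer's response."""
    return (blind_sig * r_inv) % n

# Constructed toy key, far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def demo(m):
    """Full exchange for an already-encoded message representative m."""
    r, r_inv = sample_blinding_factor(N)
    blinded = blind(m, r, E, N)
    blind_sig = pow(blinded, D, N)      # signer's side: sees only `blinded`
    sig = unblind(blind_sig, r_inv, N)
    return r, blinded, sig

if __name__ == "__main__":
    print(demo(1234))
```
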