Re: [CFRG] RSA blind signatures

Jeff Burdges <> Thu, 25 February 2021 18:58 UTC

Cc: Christopher Wood, IRTF CFRG, Taler
To: Mihir Bellare

> On 25 Feb 2021, at 17:38, Mihir Bellare <> wrote:
> The proofs for RSA-FDH and RSA-PSS as normal signatures are from the one-wayness assumption on RSA. As you say, the reduction for RSA-PSS is tight, and that for RSA-FDH is not. The proof for Blind-RSA-FDH is from the One-More Discrete Log (OMDL) problem, and this would also be the case for Blind-RSA-PSS. I have not done the latter proof in detail, so this is just a guess, but I don't see a difference in tightness between the two. So from the point of view of tightness of security arguments, my guess is that Blind-RSA-FDH and Blind-RSA-PSS are about the same.

Cool, good enough.  :)

In this case, Chris' draft could just say PSS gets used only as a “large domain hash” or some similar phrasing, and maybe mention security arguments rest on OMDL as opposed to the usual PSS arguments.  I suppose the VRF draft could use PSS with an empty salt for the same reason this draft does.

> I understand of course that there may be many other factors and reasons to prefer one over the other.

I think both RSA VRFs and blind RSA require enough extra code to avoid footguns that folks could implement an FDH too, but if PSS suffices then reusing it avoids some mistakes.  


p.s.  It’s also worth mentioning that blind Schnorr signatures now make sense using although the two round trips make them painful.
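
The blind RSA flow this thread discusses, with a full-domain hash, as an added example that is not part of the original message or of any draft. The toy key, the function names and the MGF1-SHA256 construction for the FDH are assumptions chosen for illustration; it includes two of the checks an implementation needs (an invertible blinding factor, and verifying the unblinded signature before accepting it).

```python
import hashlib
import math
import secrets

# Constructed toy key for illustration only: two Mersenne primes, far too
# structured and too small for real use.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent


def fdh(msg: bytes, n: int = N) -> int:
    """Full-domain hash: MGF1-SHA256 stretched to just under the modulus size."""
    bits = n.bit_length() - 1  # guarantees the result is < n
    out, counter = b"", 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(msg + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - bits)


def blind(msg: bytes):
    """Client: hide H(msg) from the signer with a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:  # r must be invertible mod N
            break
    return (fdh(msg) * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Signer: raw RSA private operation on the blinded value."""
    if not 0 < blinded < N:
        raise ValueError("blinded message out of range")
    return pow(blinded, D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Anyone: check sig^E mod N against the full-domain hash of msg."""
    return 0 < sig < N and pow(sig, E, N) == fdh(msg)


def finalize(msg: bytes, blind_sig: int, r: int) -> int:
    """Client: strip r, then verify before accepting or releasing the signature."""
    sig = (blind_sig * pow(r, -1, N)) % N
    if not verify(msg, sig):
        raise ValueError("signer returned an invalid signature")
    return sig
```

Because the hash is deterministic, the unblinded signature equals what the signer would have produced on the message directly, while the signer only ever sees the randomized blinded value.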