Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-02.txt

Watson Ladd <> Tue, 31 August 2021 21:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D00D23A0E5D for <>; Tue, 31 Aug 2021 14:10:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LZaVMB7CAx20 for <>; Tue, 31 Aug 2021 14:10:17 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BD7323A0E3F for <>; Tue, 31 Aug 2021 14:10:17 -0700 (PDT)
Received: by with SMTP id l10so761945ilh.8 for <>; Tue, 31 Aug 2021 14:10:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=L1GCPDT4dLiqOiRjhVdZyokXmuHEo09gRD3lx4VhM6I=; b=lYG4FiQZ/pRhEFVvkZdGSvWeM3bXdoX7/diKflsKUFQMgiHRCca7ZwjNck8S9f3QYj HekKyBmXw2GCkPxZScsp4g+q+6Nb2lDlLr/6J42nN/u+Hmi/pV80Yw0DN/j1syqPG2Q5 djk+nxHKAImM8tRRaKD3thh0/ajsqCA+gPzUHEzf7BtMR1tIDP+4boFYtgxjIpGXw8BU YM4NX3qCEWmr2X4yoycx6KK5YNefKED2nR2f/NWIyibMZOyrJkyO4b0dfM/FjQvLKbk3 PBzn3GYBUvjjXyIbP1p+WhEJc+ETBJK5FA9g/OVZCs3kQv4vDXo9FiThbXZh3PDSpHpk g/BA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=L1GCPDT4dLiqOiRjhVdZyokXmuHEo09gRD3lx4VhM6I=; b=X/CLRU1Psun0sjDTYWEDE65sGa+G4X7/8x9qpMP/59JjyChGQzPkh6DxFX8ng7Ajls 163/0TPkSxUDpsfQUfCh7CvUv+6nRJMdNTOX8GYye8+W3wzZ6zaP8VLAY4i5lMDA6BQR XAaurEBNYC5E29Bjf1REUNA9SAJ2hhnzeiBEs7Y9roMrJwkBmrldJeuGmDkPIx4rTxeQ uKGORUtXz8JNAVz4X7OZVgnF7RqewGikSqhvSyTKiQrtAycxBoGW9P5Kvgz/e0li4s9v 1KUYszXlnMe3cJgsu0IvBE/kl3tyU60eaSmpSFDWHGuSvEUt2PQ5wFUUlVGknoFlNFtX IgAg==
X-Gm-Message-State: AOAM5332HI2XlRZNnkwqYLg6cohAzLQwzUquYTl1kQal1tXmVDdHwmSe ryz9/g8ZP40TDovUqXit6HV596uZdpREilBm32I=
X-Google-Smtp-Source: ABdhPJyicTQiic4b7Xwyij2LiejmMC1FvgTLU+46YDwjYXE2U31/6zpGdc7OGAct8G1JUxMI5YKfp25l87W8Ibclz1E=
X-Received: by 2002:a05:6e02:108:: with SMTP id t8mr21932289ilm.216.1630444215490; Tue, 31 Aug 2021 14:10:15 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Watson Ladd <>
Date: Tue, 31 Aug 2021 17:10:04 -0400
Message-ID: <>
To: "Stanislav V. Smyshlyaev" <>
Cc: CFRG <>,
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-02.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 31 Aug 2021 21:10:19 -0000

Salute omnes,

I've taken a look at the draft. First I think  that the section on
randomized vs deterministic signatures is a bit confusing. The server
never sees the unblinded message, so it's not possible to use the salt
as a subliminal channel. The draft also says that applications using a
deterministic salt should take into account the security
considerations but doesn't say what the security considerations that
should be taken into account are.

In the section discussing related protocols one of the big advantages
of RSA over alternatives, namely verification speed, is given short
shrift.  In cases such as privacy pass where issuance is gated by an
expensive verification, but verification must be exposed, expensive
verification is a liability. RSA verification can be as small as three
multiprecision multiplications: very hard to do much better.

I have also not verified the test vectors.


Astra mortemque praestare gradatim