Re: [CFRG] RSA blind signatures

Jeff Burdges <burdges@gnunet.org> Wed, 24 February 2021 08:03 UTC

Hello Chris,

It’s critically important the blinding factor r be a uniformly random integer mod n, which I think deserves more emphasis than you give.  There is an easy deanonymization attack if r were, say, generated as a random integer mod 2^{floor(log2 n)}.  You should emphasize that random_integer should be instantiated with a CSPRNG and rejection sampling, maybe even specify the rejection sampling algorithm starting with shake or chacha.

If I recall, RSA-PSS depends upon signer randomness for its security arguments.  As such, one should ideally not base an RSA blind signature off PSS but instead specify a full domain hash (FDH).  

At this point, one could specify the blinding factor be produced by applying the FDH to system randomness.  This is what I did for Taler’s blind RSA signatures: https://taler.net/en/

Initially I wanted to point you to the RSA-FDH-VRF in https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/ except..  Actually the RSA-FDH-VRF draft does not properly specify the FDH either, but only points to https://tools.ietf.org/html/rfc8017 which does not specify the FDH.

An FDH is a pretty easy notion but people get this wrong.  Also, there might be interoperability advantages in specifying it more fully. 

Best,
Jeff

p.s.  I think one should not deploy RSA-FDH-VRF but instead work through all the tricks to make Rabin-Williams deterministic.  It’s not too hard but not as easy as RSA-FDH-VRF.  I’ve not looked at whether Rabin-Williams could be adopted to blind signatures, but I think some issues arose beyond what one alters for a Rabin-Williams VRF.

> On 23 Feb 2021, at 18:37, Christopher Wood <caw@heapingbits.net> wrote:
> 
> There are a growing number of use cases where we need something like VOPRFs but with public verifiability [1,2]. Given the results in 2020/945 [3], it seems prudent to try and fill the gap with something we know is reasonably safe. To that end, here's a draft describing RSA-based blind signatures:
> 
>   https://chris-wood.github.io/draft-wood-cfrg-blind-signatures/draft-wood-cfrg-rsa-blind-signatures.html
> 
> (I missed the deadline yesterday, so apologies for not having an actual datatracker draft to point at.)
> 
> Obviously, something better than RSA (in terms of bandwidth and overall messages) would be great. But it's not clear what that is right now.
> 
> Time permitting, I'd like to request some time on the agenda to present this to the group at IETF 110.
> 
> Thanks,
> Chris
> 
> [1] https://github.com/ietf-wg-privacypass/base-drafts/issues/40
> [2] https://github.com/privacycg/private-click-measurement/issues/27
> [3] https://eprint.iacr.org/2020/945.pdf
> 
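
Added example, not part of the message above and not the code of the draft or of Taler: one way to do the rejection sampling the reply asks for, with SHAKE-256 as the expander, used both for the blinding factor r and for a full domain hash. The domain-separation labels, the 32-byte seed, the gcd check and the toy modulus are assumptions of this sketch.

```python
import hashlib
import math
import secrets
from typing import Optional


def _candidates(label: bytes, seed: bytes, n: int):
    """Yield successive k-bit integers, k = n.bit_length(), from one SHAKE-256 stream."""
    k = n.bit_length()
    nbytes = (k + 7) // 8
    # Length-prefixed label gives domain separation (labels are hypothetical).
    xof_input = len(label).to_bytes(2, "big") + label + seed
    i = 0
    while True:
        i += 1
        # hashlib's SHAKE has no incremental squeeze, so re-derive the stream
        # and take its i-th block of nbytes bytes.
        block = hashlib.shake_256(xof_input).digest(nbytes * i)[-nbytes:]
        # Drop the surplus low bits so the candidate is uniform on [0, 2^k).
        yield int.from_bytes(block, "big") >> (8 * nbytes - k)


def sample_unit(label: bytes, seed: bytes, n: int) -> int:
    """Rejection-sample x uniformly among 0 < x < n with gcd(x, n) == 1."""
    for x in _candidates(label, seed, n):
        # Candidates >= n are discarded, never reduced mod n or truncated:
        # either shortcut would make the result non-uniform mod n.
        if 0 < x < n and math.gcd(x, n) == 1:
            return x


def blinding_factor(n: int, seed: Optional[bytes] = None) -> int:
    """Blinding factor r expanded from 32 bytes of system randomness."""
    seed = secrets.token_bytes(32) if seed is None else seed
    return sample_unit(b"example-blind", seed, n)


def fdh(message: bytes, n: int) -> int:
    """Deterministic full domain hash of message into the units mod n."""
    return sample_unit(b"example-fdh", message, n)


N_TOY = 61 * 53  # constructed toy modulus (3233), for illustration only
```
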