Re: [CFRG] RSA blind signatures

Jeff Burdges <> Wed, 24 February 2021 08:03 UTC

From: Jeff Burdges <>
Date: Wed, 24 Feb 2021 09:03:32 +0100
Cc: IRTF CFRG <>, Taler <>
To: Christopher Wood <>
Subject: Re: [CFRG] RSA blind signatures

Hello Chris,

It’s critically important the blinding factor r be a uniformly random integer mod n, which I think deserves more emphasis than you give.  There is an easy deanonymization attack if r were say generated as a random integer mod 2^{floor(log2 n)}.  You should emphasize that random_integer should be instantiated with a CSPRNG and rejection sampling, maybe even specify the rejection sampling algorithm starting with shake or chacha.

If I recall, RSA-PSS depends upon signer randomness for its security arguments.  As such, one should ideally not base an RSA blind signature off PSS but instead specify a full domain hash (FDH).  

At this point, one could specify the blinding factor be produced by applying the FDH to system randomness.  This is what I did for Taler’s blind RSA signatures:

Initially I wanted to point you to the RSA-FDH-VRF in except..  Actually the RSA-FDH-VRF draft does not properly specify the FDH either, but only points to which does not specify the FDH.

An FDH is a pretty easy notion but people get this wrong.  Also, there might be interoperability advantages in specifying it more fully. 


p.s.  I think one should not deploy RSA-FDH-VRF but instead work through all the tricks to make Rabin-Williams deterministic.  It’s not too hard but not as easy as RSA-FDH-VRF.  I’ve not looked at whether Rabin-Williams could be adapted to blind signatures, but I think some issues arose beyond what one alters for a Rabin-Williams VRF.

> On 23 Feb 2021, at 18:37, Christopher Wood <> wrote:
> There are a growing number of use cases where we need something like VOPRFs but with public verifiability [1,2]. Given the results in 2020/945 [3], it seems prudent to try and fill the gap with something we know is reasonably safe. To that end, here's a draft describing RSA-based blind signatures:
> (I missed the deadline yesterday, so apologies for not having an actual datatracker draft to point at.)
> Obviously, something better than RSA (in terms of bandwidth and overall messages) would be great. But it's not clear what that is right now.
> Time permitting, I'd like to request some time on the agenda to present this to the group at IETF 110.
> Thanks,
> Chris
> [1]
> [2]
> [3]
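An added example, not from this mail, the draft, or the Taler code: the rejection-sampling random_integer the mail asks for, placed beside the truncated variant it warns against, with a coverage check that makes the gap visible and a blind-sign round trip showing why r must also be invertible mod n. The toy modulus n = 3233 (p = 61, q = 53) and the value h standing in for an FDH output are constructed placeholders.

```python
import secrets
from math import gcd

# Constructed toy RSA key (p = 61, q = 53); real keys are thousands of bits.
N, E, D = 3233, 17, 2753

def random_integer_mod_n(n: int, randbits=secrets.randbits) -> int:
    """Uniform r in [1, n) with gcd(r, n) == 1, by rejection sampling.

    Draw n.bit_length() bits from a CSPRNG and retry on any value >= n.
    Retrying (never reducing mod n) is what keeps every residue equally likely.
    """
    k = n.bit_length()
    while True:
        r = randbits(k)
        if 0 < r < n and gcd(r, n) == 1:
            return r

def truncated_integer(n: int, randbits=secrets.randbits) -> int:
    """The flawed variant the mail warns about: r mod 2^floor(log2 n).

    It can never return a value in [2^floor(log2 n), n), which is the
    statistical tell behind the deanonymization the mail mentions.
    """
    return randbits(n.bit_length() - 1)

def coverage_gap(sampler, n: int, draws: int = 20000) -> float:
    """Fraction of draws landing in the top range [2^floor(log2 n), n).

    A uniform sampler gives roughly (n - 2^floor(log2 n)) / n (about 0.37
    for the toy n); the truncated sampler gives exactly 0.
    """
    lo = 1 << (n.bit_length() - 1)
    return sum(sampler(n) >= lo for _ in range(draws)) / draws

def blind_sign_roundtrip(h: int, n: int = N, e: int = E, d: int = D) -> bool:
    """Blind h (constructed stand-in for an FDH output), sign, unblind, verify."""
    r = random_integer_mod_n(n)
    blinded = (h * pow(r, e, n)) % n          # client -> signer
    blinded_sig = pow(blinded, d, n)          # signer applies d, never sees h
    sig = (blinded_sig * pow(r, -1, n)) % n   # client strips r (needs gcd(r, n) == 1)
    return pow(sig, e, n) == h % n

if __name__ == "__main__":
    print("round trip ok:", blind_sign_roundtrip(1234))
    print("uniform sampler, top-range share:", coverage_gap(random_integer_mod_n, N))
    print("truncated sampler, top-range share:", coverage_gap(truncated_integer, N))
```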