Re: [CFRG] RSA blind signatures

Mihir Bellare <> Thu, 25 February 2021 16:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C08253A1C0B for <>; Thu, 25 Feb 2021 08:38:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3YirD4Zrs2Yq for <>; Thu, 25 Feb 2021 08:38:48 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E48EA3A1C11 for <>; Thu, 25 Feb 2021 08:38:47 -0800 (PST)
Received: by with SMTP id d8so9945461ejc.4 for <>; Thu, 25 Feb 2021 08:38:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TxphQOqkc2Gy+nxSDkhpXcb08m2lDekhLjP9rU7j56U=; b=bQ+YKbwGSA2wN2TdfwwQVNjVGuRM/bG/uWVij19rGc1eJS+NCmTmjA9837q3IHgFLZ 8zhWHR2M2ScI7BkkA73HVF4lqYaY71QyMdR8FpQDhM6YEXaAqJ6Kgiv/9UrxDT9dLxyZ w7cTwoGHwWKRMoGdDAWW8BrTY702xQ3VmEeWc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TxphQOqkc2Gy+nxSDkhpXcb08m2lDekhLjP9rU7j56U=; b=JqjByvYKnTszKOwyLhLpM6ERjsfGRm/uaAk1fCXiEB4Ugt3a4Gb4AwQ6+QIZUrGVvl CP0iNkNanOmDzrndMl+/OZSwyHSMlKFmAls6k704NL9Vuj9bj2r112QCEjl44e5sR+nM 1eN3T1sPykEJrvy9q6YlKNlc1PidlDjKe9Z87Hsc91t47A5a3lnKrTVSIykpti6mS7Rt 2zcKsPgmxNyYhvrXpPtbMEuyBloYDY2OkrU1zfAr8IOIAIFQ80/CFtYTJsVr8RE74dXh TE48EvC8SUKXLy5ypJOzJqZ0aE4K3aktpZgf5nIzipLfw+4+MTsR0nj7q9pd2SEOO0DM 1p+Q==
X-Gm-Message-State: AOAM530lwp6pZ5Avg4QLndl2Gx+ogsfRpCygrfBczspyi3ZAy/fvZM8P A9u31DZCZwZ+t2ogE7hpeLjc87RhH8BMPR+DTblfSA==
X-Google-Smtp-Source: ABdhPJzJTGqztU1wIauv7wOtraB1fZ+XHYguwJt34hmpFKmzKcVoYjarqL4re+FjvT6K0JhPRpSDqU/zGR2m77p/o2s=
X-Received: by 2002:a17:906:4088:: with SMTP id u8mr3492878ejj.208.1614271126245; Thu, 25 Feb 2021 08:38:46 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Mihir Bellare <>
Date: Thu, 25 Feb 2021 08:38:10 -0800
Message-ID: <>
To: Jeff Burdges <>
Cc: Christopher Wood <>, IRTF CFRG <>, Taler <>
Content-Type: multipart/alternative; boundary="0000000000000d274405bc2bc992"
Archived-At: <>
Subject: Re: [CFRG] RSA blind signatures
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Feb 2021 16:38:50 -0000

On Wed, Feb 24, 2021 at 10:45 PM Jeff Burdges <> wrote:

> Bellare and Rogaway suggested PSS over FDH because PSS provides a tighter
> security argument than FDH, due to the signer providing randomness, i.e.
> purely a provable security reason.

The proofs for RSA-FDH and RSA-PSS as normal signatures are from the
one-wayness assumption on RSA. As you say, the reduction for RSA-PSS is
tight, and that for RSA-FDH is not. The proof for Blind-RSA-FDH is from the
One-More Discrete Log (OMDL) problem, and this would also be the case for
Blind-RSA-PSS. I have not done the latter proof in detail, so this is just
a guess, but I don't see a difference in tightness between the two. So from
the point of view of tightness of security arguments, my guess is that
Blind-RSA-FDH and Blind-RSA-PSS are about the same. I understand of course
that there may be many other factors and reasons to prefer one over the

PSS, when used as a normal signature, can be de-randomized in the usual way
of deriving the randomness by hashing the secret signing key and the
message, but this does not seem to apply in the blind case.