Re: [CFRG] RSA blind signatures

Mihir Bellare <mihir@eng.ucsd.edu> Thu, 25 February 2021 16:38 UTC

To: Jeff Burdges <burdges@gnunet.org>
Cc: Christopher Wood <caw@heapingbits.net>, IRTF CFRG <cfrg@irtf.org>, Taler <taler@gnu.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/sGQOVtmxAEeqM0nBF2M4Kn_-LtM>

On Wed, Feb 24, 2021 at 10:45 PM Jeff Burdges <burdges@gnunet.org> wrote:


> Bellare and Rogaway suggested PSS over FDH because PSS provides a tighter
> security argument than FDH, due to the signer providing randomness, i.e.
> purely a provable security reason.


The proofs for RSA-FDH and RSA-PSS as normal signatures are from the
one-wayness assumption on RSA. As you say, the reduction for RSA-PSS is
tight, and that for RSA-FDH is not. The proof for Blind-RSA-FDH is from the
One-More Discrete Log (OMDL) problem, and this would also be the case for
Blind-RSA-PSS. I have not done the latter proof in detail, so this is just
a guess, but I don't see a difference in tightness between the two. So from
the point of view of tightness of security arguments, my guess is that
Blind-RSA-FDH and Blind-RSA-PSS are about the same. I understand of course
that there may be many other factors and reasons to prefer one over the
other.

PSS, when used as a normal signature, can be de-randomized in the usual way
of deriving the randomness by hashing the secret signing key and the
message, but this does not seem to apply in the blind case.

Mihir
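
An added example, not part of the original message and not code from anyone on this thread: RSA-PSS with the salt derived from the secret signing key and the message, as the last paragraph describes, next to the blind flow, where the value the signer receives differs from run to run for the same message. Assumptions: a toy key built from two Mersenne primes (insecure, chosen so the block runs offline), HMAC-SHA-256 as the keyed hash, and the hypothetical helper names `derived_salt`, `blind` and `finish`.

```python
import hashlib, hmac, secrets

# Constructed toy key from two Mersenne primes: easy to verify, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
H, HLEN, SLEN = hashlib.sha256, 32, 32
EM_BITS = N.bit_length() - 1
EM_LEN = (EM_BITS + 7) // 8
TOP_MASK = 0xFF >> (8 * EM_LEN - EM_BITS)

def mgf1(seed, length):
    blocks = (H(seed + c.to_bytes(4, "big")).digest() for c in range(-(-length // HLEN)))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, salt):
    """EMSA-PSS encoding (RFC 8017 section 9.1.1) with a caller-chosen salt."""
    h = H(b"\x00" * 8 + H(msg).digest() + salt).digest()
    db = b"\x00" * (EM_LEN - SLEN - HLEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= TOP_MASK
    return int.from_bytes(bytes(masked) + h + b"\xbc", "big")

def derived_salt(msg):
    """De-randomized salt: keyed hash of the secret exponent and the message."""
    return hmac.new(D.to_bytes(EM_LEN, "big"), msg, H).digest()

def sign(msg):
    return pow(pss_encode(msg, derived_salt(msg)), D, N)

def verify(msg, sig):
    em = pow(sig, E, N).to_bytes(EM_LEN, "big")
    masked, h = em[:-HLEN - 1], em[-HLEN - 1:-1]
    ok = em[-1] == 0xBC and not masked[0] & ~TOP_MASK & 0xFF
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= TOP_MASK
    ok = ok and not any(db[:-SLEN - 1]) and db[-SLEN - 1] == 1
    expected = H(b"\x00" * 8 + H(msg).digest() + bytes(db[-SLEN:])).digest()
    return ok and hmac.compare_digest(h, expected)

def blind(msg, salt):
    """Client side of the blind flow: the signer only ever receives this value."""
    r = secrets.randbelow(N - 2) + 2
    return pss_encode(msg, salt) * pow(r, E, N) % N, r

def finish(blinded_sig, r):
    return blinded_sig * pow(r, -1, N) % N
```

In the blind flow the signer's only operation is `pow(blinded, D, N)` on the value returned by `blind`; the salt is fixed by whoever runs `pss_encode`, which here is the client.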