Re: [CFRG] RSA blind signatures

Jeff Burdges <> Thu, 25 February 2021 13:36 UTC

From: Jeff Burdges <>
Date: Thu, 25 Feb 2021 14:35:59 +0100
Cc: IRTF CFRG <>, Taler <>
To: Christopher Wood <>

> On 25 Feb 2021, at 13:32, Christopher Wood <> wrote:
> On Wed, Feb 24, 2021, at 10:44 PM, Jeff Burdges wrote:
>> That’s randomness by the token holder.  I’m talking about randomness
>> held by the issuer.
> Perhaps I'm missing something, but my point was the following: Clients, who actually encode messages -- either via FDH or PSS -- require randomness to blind their message sent to the server. Servers (issuers), in contrast, deterministically sign the blinded message sent to them. (They hopefully also include some variant of blinding to mitigate obvious side channels, but that's an implementation detail.)

There is no randomness inside FDH, but the salt in PSS is randomness, which the security arguments for PSS require comes from the signer, and cannot come from the signer in a blind signature.

This does not say PSS becomes insecure when this randomness comes from the user, but one cannot cite existing arguments about PSS being secure.  Instead, one should acknowledge that PSS with user controlled salt acts like a hash with domain [0..2^(k-8)] with k maximal such that 2^k < n, and then find some arguments that this suffices.

> I'm not an expert, and I'm certainly not advocating for it, but 2019/1268 [1] seems to suggest it's safe.
> [1]

Oh cool?  Where?  I missed anything about empty or fixed salts.  That’s what you want if you want to use PSS.
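To make the point of the thread concrete (the client holds all the randomness: the blinding factor and any salt; the signer's step is a deterministic RSA exponentiation on a value it cannot relate to the message), here is an added demonstration of a textbook RSA blind signature. It is illustration code written for this page, not code from the thread, from Taler, or from any RFC: the key sizes are small, and `encode` is a simplified hash-into-Z_n that stands in for FDH/PSS; the client-chosen `salt` parameter is an assumption used to mirror the "user-controlled salt" discussion.

```python
"""Textbook RSA blind signature with a client-chosen salt.
Added demonstration code (not from the CFRG thread or any standard):
small keys, simplified hash-to-Z_n encoding, no side-channel hardening."""
import hashlib
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (demo quality)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 1024):
    """Return (n, e, d) with e = 65537; retry until gcd(e, phi) == 1."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def encode(msg: bytes, salt: bytes, n: int) -> int:
    """Simplified hash into Z_n (constructed stand-in for FDH/PSS encoding):
    expand SHA-256 in counter mode well past len(n) bytes, then reduce mod n.
    The salt is chosen by the client and never sent to the signer."""
    nbytes = (n.bit_length() + 7) // 8 + 32
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(ctr.to_bytes(4, "big") + salt + msg).digest()
        ctr += 1
    return int.from_bytes(out[:nbytes], "big") % n


def blind(msg: bytes, salt: bytes, n: int, e: int):
    """Client side: pick blinding factor r coprime to n, send m' = H(m) * r^e."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    return (encode(msg, salt, n) * pow(r, e, n)) % n, r


def sign_blinded(blinded: int, n: int, d: int) -> int:
    """Signer side: deterministic; no signer-held randomness at all."""
    return pow(blinded, d, n)


def unblind(blind_sig: int, r: int, n: int) -> int:
    """Client side: s = s' * r^-1 mod n."""
    return (blind_sig * pow(r, -1, n)) % n


def verify(msg: bytes, salt: bytes, sig: int, n: int, e: int) -> bool:
    """Anyone: s^e must equal the salted encoding of the message."""
    return pow(sig, e, n) == encode(msg, salt, n)


def demo(bits: int = 1024) -> dict:
    """Run one issuance and report what each party could observe."""
    n, e, d = keygen(bits)
    msg = b"constructed token request"      # constructed sample message
    salt = secrets.token_bytes(16)          # client-chosen, signer never sees it
    blinded, r = blind(msg, salt, n, e)
    s1 = sign_blinded(blinded, n, d)
    s2 = sign_blinded(blinded, n, d)        # same input twice: identical output
    sig = unblind(s1, r, n)
    return {
        "valid": verify(msg, salt, sig, n, e),
        "signer_deterministic": s1 == s2,
        "wrong_salt_rejected": not verify(msg, b"other-salt", sig, n, e),
        "signer_saw_plain_encoding": blinded == encode(msg, salt, n),
    }


if __name__ == "__main__":
    print(demo())
```

The `signer_deterministic` field is the thread's point in code: signing the same blinded value twice yields the same result, so whatever randomness the security argument needs (the PSS salt in particular) has to be supplied on the client side, and the signer cannot audit it. That is why the existing PSS proofs, which assume a signer-chosen salt, do not carry over unchanged.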