[Cryptography] GNU's "anonymous-but-taxable electronic payments system" Heh.
burdges at gnunet.org
Mon Jun 6 21:02:42 EDT 2016
On Tue, 2016-06-07 at 00:13 +0000, zaki at manian.org wrote:
> Would you mind pointing out the blind signature implementation? I've
> looked around in the code for it but haven't managed to find it. I
> vaguely remember you mentioned writing it.
I did not write it. Christian, Sree, and others did.
I've tweaked it twice, once to use a full domain hash so that the proofs
of security against one-more-forgery attacks hold, and once to make the
blinding factor use the full domain of the RSA modulus to prevent
leaking a bit of identity information per coin. (cute attack)
There are a few parts of the code that we import from GNUnet for legacy
reasons, maybe that'll get cleaned up eventually. Our RSA blind
signature implementation based on libgcrypt is one of these. You'll
find it in the file crypto_rsa.c and crypto_*kdf.c here:
p.s. We use RSA blind signatures firstly because Tanja Lange told us
to. Additional reasons include: Schnorr blind signatures require an
extra round trip. Pairing based blind signatures are pairing based,
making them no more efficient than RSA. These alternative schemes might
be less susceptible to the RSA padding-like issues I dealt with. In
cases, I found their proofs of security against one-more-forgery feeling
kinda "fast" though, while I found the RSA blind signature literature
lucid by comparison, and it seemed better studied. And my tweaks were
easy once the issues became clear.
p.s.2 All these blind signature schemes have post-quantum blinding
operations. I think the new fancier zero-knowledge schemes like
Zerocoin, Anonize, etc. are generally not post-quantum. Our refresh
protocol is not post-quantum either. I'm working on a paper that fixes
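The two tweaks described in the message, a full-domain hash and a blinding factor drawn from the whole of Z_n^*, shown in a self-contained RSA blind signature round trip. This is an added example, not code from crypto_rsa.c or the GNU Taler project; it uses only the Python standard library, a toy key size, and constructed coin strings, and the function names are my own.

```python
import hashlib, secrets
from math import gcd

def is_probable_prime(n, rounds=32):  # Miller-Rabin, enough for a demo key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(s - 1)):
            continue
        return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(c):
            return c

def keygen(bits=1024):  # returns (n, e, d); toy sizes, demo only
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def full_domain_hash(msg, n):
    # SHA-512 in counter mode with 64 extra bits, reduced mod n: close to uniform
    # over all of [0, n), as the one-more-forgery proofs for RSA-FDH assume.
    need = (n.bit_length() + 7) // 8 + 8
    out = b"".join(hashlib.sha512(i.to_bytes(4, "big") + msg).digest()
                   for i in range(need // 64 + 1))
    return int.from_bytes(out[:need], "big") % n

def blind(n, e, msg):
    # r is uniform over Z_n^* (the full modulus range); a shorter r would
    # bias the blinded value and leak information about the coin to the signer.
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            return full_domain_hash(msg, n) * pow(r, e, n) % n, r

def sign_blinded(n, d, blinded):  # signer never sees the coin's hash
    return pow(blinded, d, n)
def unblind(n, s_blinded, r):
    return s_blinded * pow(r, -1, n) % n
def verify(n, e, msg, sig):
    return pow(sig, e, n) == full_domain_hash(msg, n)
```

After unblinding, the signature equals the plain RSA-FDH signature on the coin, so the verifier cannot tell it was produced blind, while the signer only ever saw a uniformly random element of Z_n^*.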