[Cryptography] GNU's "anonymous-but-taxable electronic payments system" Heh.
ben at links.org
Sat Jun 11 06:25:26 EDT 2016
On 7 June 2016 at 02:02, Jeff Burdges <burdges at gnunet.org> wrote:
> On Tue, 2016-06-07 at 00:13 +0000, zaki at manian.org wrote:
>> Would you mind pointing out the blind signature implementation? I've
>> looked around in the code for it but haven't managed to find it. I
>> vaguely remember you mentioned writing it.
> I did not write it. Christian, Sree, and others did.
> I've tweaked it twice, once to use a full domain hash so that the proofs
> of security against one-more-forgery attacks hold, and once to make the
> blinding factor use the full domain of the RSA modulus to prevent
> leaking a bit of identity information per coin. (cute attack)
> There are a few parts of the code that we import from GNUnet for legacy
> reasons, maybe that'll get cleaned up eventually. Our RSA blind
> signature implementation based on libgcrypt is one of these. You'll
> find it in the file crypto_rsa.c and crypto_*kdf.c here:
> p.s. We use RSA blind signatures firstly because Tanja Lange told us
> to. Additional reasons include: Schnorr blind signatures require an
> extra round trip. Pairing based blind signatures are pairing based,
> making them no more efficient than RSA. These alternative schemes might
> be less susceptible to the RSA padding-like issues I dealt with. In
> cases, I found their proofs of security against one-more-forgery feeling
> kinda "fast" though, while I found the RSA blind signature literature
> lucid by comparison, and it seemed better studied. And my tweaks were
> easy once the issues became clear.
Sounds like lucre:
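
An added illustration, not part of this thread and not the GNUnet/Taler code: an RSA blind signature round trip showing the two properties mentioned in the quoted message, a full domain hash of the message and a blinding factor drawn from the whole range of the modulus. The key (two Mersenne primes), the SHAKE-256 based hash construction and all function names are assumptions made for the demo.

```python
import hashlib
import math
import secrets

# Constructed toy key: two Mersenne primes. Fine for a demo, insecure in practice.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent


def fdh(msg: bytes, n: int = N) -> int:
    """Full domain hash: map msg to a value spread over all of [1, n)."""
    bits = n.bit_length()
    nbytes = (bits + 7) // 8
    counter = 0
    while True:
        # Assumed construction: SHAKE-256 over counter || msg, retry on overshoot.
        stream = hashlib.shake_256(counter.to_bytes(4, "big") + msg).digest(nbytes)
        h = int.from_bytes(stream, "big") >> (8 * nbytes - bits)
        if 0 < h < n and math.gcd(h, n) == 1:
            return h
        counter += 1


def blind(msg: bytes, n: int = N, e: int = E):
    """Customer side: hide fdh(msg) under a blinding factor from the whole group."""
    while True:
        r = secrets.randbelow(n)  # uniform over [0, n), not a short or truncated value
        if r > 1 and math.gcd(r, n) == 1:
            break
    return (fdh(msg, n) * pow(r, e, n)) % n, r


def sign_blinded(blinded: int, d: int = D, n: int = N) -> int:
    """Signer side: raw RSA private operation on a value it cannot link to msg."""
    return pow(blinded, d, n)


def unblind(blind_sig: int, r: int, n: int = N) -> int:
    """Customer side: strip the blinding factor, leaving a plain RSA-FDH signature."""
    return (blind_sig * pow(r, -1, n)) % n


def verify(msg: bytes, sig: int, n: int = N, e: int = E) -> bool:
    """Anyone: check the unblinded signature against the full domain hash."""
    return pow(sig, e, n) == fdh(msg, n)
```

The unblinded value is identical to what the signer would have produced by signing fdh(msg) directly, which is why the verifier needs no knowledge of the blinding step.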