[Cryptography] GNU's "anonymous-but-taxable electronic payments system" Heh.
Ben Laurie
ben at links.org
Sat Jun 11 06:25:26 EDT 2016
On 7 June 2016 at 02:02, Jeff Burdges <burdges at gnunet.org> wrote:
> On Tue, 2016-06-07 at 00:13 +0000, zaki at manian.org wrote:
>
>> Would you mind point out the blind signature implementation? I've
>> looked around in the code for it but haven't managed to find it. I
>> vaguely remember you mentioned writing it.
>
> I did not write it. Christian, Sree, and others did.
>
> I've tweaked it twice, once to use a full domain hash so that the proofs
> of security against one-more-forgery attacks hold, and once to make the
> blinding factor use the full domain of the RSA modulus to prevent
> leaking a bit of identity information per coin. (cute attack)
>
> There are a few parts of the code that we import from GNUnet for legacy
> reasons, maybe that'll get cleaned up eventually. Our RSA blind
> signature implementation based on libgcrypt is one of these. You'll
> find it in the file crypto_rsa.c and cryto_*kdf.c here :
> https://gnunet.org/svn/gnunet/src/util
>
> Jeff
>
> p.s. We use RSA blind signatures firstly because Tanja Lange told us
> to. Additional reasons include : Schnorr blind signatures require an
> extra round trip. Pairing based blind signatures are pairing based,
> making them no more efficient than RSA. These alternative schemes might
> be less susceptible to the RSA padding-like issues I dealt with. In
> cases, I found their proofs of security against one-more-forgery feeling
> kinda "fast" though, while I found the RSA blind signature literate
> lucid by comparison, and it seemed better studied. And my tweaks were
> easy once the issues became clear.
Sounds like lucre:
https://github.com/benlaurie/lucre/blob/master/html/theory2.pdf.
More information about the cryptography
mailing list