cloudflarearchive / challenge-bypass-specification

WARNING: Deprecated! See Privacy Pass
https://privacypass.github.io

Numerous issues, like PSS, blinding factor domain, etc. #3

Open burdges opened 8 years ago

burdges commented 8 years ago

I've pointed out numerous issues with the spec on the tor-access email list, like the fact that PSS cannot work with blind signatures due to the signer supplying entropy. I'm happy to write more specific issues here, but overall the issues noted there indicate that you guys have not really thought enough about blind signatures yet.

As I've said before, there are advantages to trying to do this starting with GNU Taler as a base, but perhaps the most important would be reducing the net auditing work required by all parties.

In any case, you might want to peruse my longer commit messages on commits to the gnunet/src/util/crypto_*.c files from our svn repo at https://gnunet.org/svn/gnunet/src/util/, from which we generate Taler's RSA blind signature code using emscripten. Just checking out GNUNet and running svn log gnunet/src/util/crypto_rsa.c should give you a good start.

burdges commented 8 years ago

Anyways, there are two very serious deanonymization attacks in the spec as written so far, which deserve to be highlighted.

  1. If one does not use a blinding factor indistinguishable from random that ranges over precisely the domain Z mod n, then you leak 1 bit per token to the mint.
  2. If one does not check the GCD of both this hash and the blinding factor with the RSA modulus n, then one potentially leaks even more bits vs a malicious RSA key made from two biggish primes and several smaller primes.

In both cases, any leaked bits accumulate as you spend multiple tokens, or via an intersection attack, which quickly deanonymizes users.
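
The two client-side checks from the comment above, worked through as an added example for this thread (editor-added; it is not code from the challenge-bypass specification, from GNU Taler or from GNUnet). The toy key, the deliberately non-uniform blinding-factor sampler and the malicious modulus N_BAD (two large primes times several small ones) are all constructed here for illustration; a full-domain hash is used instead of PSS because, as noted above, PSS needs signer-supplied randomness that the client cannot blind:

```python
"""RSA blind signature with a uniform blinding factor over Z_n and gcd checks.

Editor-added example for the issue thread; not code from the spec or Taler.
Toy key constructed from two Mersenne primes so this runs offline.
"""
import hashlib
import math
import secrets

# Constructed toy key: p = 2^61 - 1 and q = 2^89 - 1 are both prime.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
# Constructed malicious modulus of the kind point 2 warns about:
# two biggish primes plus several small ones. RSA still "works" with it.
N_BAD = P * Q * 3 * 5 * 7 * 11 * 13


class BadModulus(Exception):
    """A gcd check found a nontrivial common factor with n."""
    def __init__(self, what, factor):
        super().__init__(f"{what} shares the factor {factor} with n")
        self.factor = factor


def hash_to_zn(token, n):
    """Full-domain hash into Z_n (FDH, not PSS). Sixty-four extra digest
    bits make the bias of the final reduction mod n negligible."""
    nbytes = (n.bit_length() + 7) // 8 + 8
    return int.from_bytes(hashlib.shake_256(token).digest(nbytes), "big") % n


def check_coprime(x, n, what):
    """Point 2: stop if x shares a factor with n. For an honest two-prime n
    this fires with probability about 1/p + 1/q, so a hit means the key is
    suspect rather than the client being unlucky."""
    g = math.gcd(x, n)
    if g != 1:
        raise BadModulus(what, g)


def blinding_factor_naive(n):
    """One way to get point 1 wrong (constructed): r from [1, 2^(k-1)) with
    k = |n|, so r never covers the top half of Z_n and is not uniform there."""
    return secrets.randbits(n.bit_length() - 1) or 1


def blinding_factor_uniform(n):
    """Point 1 done right: r uniform over [1, n). secrets.randbelow is
    rejection-sampled internally, so there is no modulo bias."""
    return 1 + secrets.randbelow(n - 1)


def covers_top_half(sampler, n, trials=64):
    """True if the sampler ever produces a value >= 2^(k-1), k = |n|."""
    top = 1 << (n.bit_length() - 1)
    return any(sampler(n) >= top for _ in range(trials))


def client_blind(token, n, e):
    """Client: hash, run both gcd checks, blind. Returns (h, r, blinded)."""
    h = hash_to_zn(token, n)
    check_coprime(h, n, "hash")
    r = blinding_factor_uniform(n)
    check_coprime(r, n, "blinding factor")
    return h, r, (h * pow(r, e, n)) % n


def mint_sign(blinded, n, d):
    """Mint: plain RSA on the blinded value; it never sees h or r."""
    return pow(blinded, d, n)


def client_unblind(blind_sig, r, n):
    return (blind_sig * pow(r, -1, n)) % n


def verify(token, sig, n, e):
    return pow(sig, e, n) == hash_to_zn(token, n)


def issue_token(token, n=N, e=E, d=D):
    """Full honest exchange; returns the unblinded signature on token."""
    _, r, blinded = client_blind(token, n, e)
    return client_unblind(mint_sign(blinded, n, d), r, n)


def detect_malicious_modulus(n, trials=64):
    """Run the client-side checks repeatedly against n. Returns the first
    factor a gcd check exposes, or None if none fired."""
    for _ in range(trials):
        try:
            client_blind(secrets.token_bytes(16), n, E)
        except BadModulus as exc:
            return exc.factor
    return None


if __name__ == "__main__":
    sig = issue_token(b"example token")
    print("honest key verifies:", verify(b"example token", sig, N, E))
    print("naive r reaches top half:", covers_top_half(blinding_factor_naive, N))
    print("uniform r reaches top half:", covers_top_half(blinding_factor_uniform, N))
    print("factor exposed on N_BAD:", detect_malicious_modulus(N_BAD))
```

With N_BAD, a uniform r in [1, n) shares a factor with one of 3, 5, 7, 11 or 13 on roughly 60% of draws, so the gcd check exposes a factor within a handful of tokens; with the honest N it essentially never fires. Note that the gcd check sits outside the sampler on purpose: rejection-sampling until gcd(r, n) = 1 would quietly hide exactly the signal the client needs to see.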

alxdavids commented 8 years ago

Yeah I agree these are things that should be mentioned, we're happy for you to submit a PR with these changes to the spec. Otherwise I'll probably write them up myself at some point and submit them for review.