Question: blinding mechanism

[rriemann]

Hello!

n = key.params['n'].to_i
r = (rand*(n-1)).to_i

Don't you have to use here 2**n instead of n?

All the best,\ Robert

[Inversion-des]

According to https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures.5B2.5D:235 We just looking for "random value r, such that r is relatively prime to N".

So r = (rand*(2**n-1)).to_i will just change the starting point of search for gcd. Is it important? Do you have any formulas/docs for this approach?

I think I just used this search from some other implementation, so it can be not ideal, but it works.

[rriemann]

From the one-time pad cipher scheme, we learn, that if the ciphertext shall provide no information on the message, than the random secret must be of the same size (entropy) like the message.

We increase the secret (key) lengths to make signing more robust in face of brute force attacks and I think also the random secret should be as large as the key in order to safeguard from this kind of attacks.

What has been your source?

[Inversion-des]

Ok, makes sense. Thank you for the explanation! I really do not have any good source for that formula, just reused one from someone else's implementation.