Add blind RSA protocol support #308

Merged
merged 1 commit into from
Dec 20, 2021

@chris-wood chris-wood commented Dec 10, 2021

This change adds a generic interface for two-message blind signature protocols, along with a concrete implementation of the blind RSA protocol as currently being specified by the CFRG. This protocol is a very simple wrapper around the existing RSA implementation in the Go standard library.

I'm starting this as a draft PR since I have questions around how we might create signers and verifiers, and how the ergonomics of the API look:

  1. Should the RSASigner and RSAVerifier constructors accept crypto.rsa types as input, or more standardized formats for keying material (PKCS12 for private keys, for example)?
  2. Currently, one controls signature randomness by either supplying (or not) a source of randomness to the Blind function. If the randomness is nil, the signature is deterministic, and vice versa. Internally, we still always need a source of randomness to generate the blind, which we pull from crypto/rand. Does this sort of knob for controlling signature randomness make sense, or should we instead have a BlindDeterministic (or whatever) variant?
  3. Where do we stick the Go LICENSE file (which is required to reuse and modify their code)?
  4. ... there are probably other things we might want to ask ourselves =)

cc @wbl, @cjpatton, @claucece

Closes #307.

@cjpatton cjpatton left a comment

Just a couple comments to start. API looks sensible enough. One question I had is whether blind signatures that use techniques other than RSA would be able to implement this API?

@chris-wood
Contributor Author

> One question I had is whether blind signatures that use techniques other than RSA would be able to implement this API?

Yeah, I think so. I could prototype blind BLS using this API as a sanity check. We don't have a BLS implementation yet, as far as I know, so that would have to be in a separate PR. Sounds like a TODO project for the next couple of weeks!

@chris-wood chris-wood marked this pull request as ready for review December 16, 2021 23:30
@chris-wood
Contributor Author

@cjpatton, @armfazh: I applied your suggestions. I think this PR is now ready for approval and merge. I'll squash before we merge.

@chris-wood
Contributor Author

@armfazh is there a way to silence the linter that complains about use of math/rand? I'm using it to mock crypto/rand. Do we have a way to do this already?

@cjpatton
Contributor

> @armfazh is there a way to silence the linter that complains about use of math/rand? I'm using it to mock crypto/rand. Do we have a way to do this already?

It looks like your goal is to just have a deterministic stream of bits for testing purposes. You can do this by implementing your own io.Reader, which is all that crypto/rand.Reader is: https://pkg.go.dev/crypto/rand#pkg-variables

@chris-wood
Contributor Author

> It looks like your goal is to just have a deterministic stream of bits for testing purposes. You can do this by implementing your own io.Reader, which is all that crypto/rand.Reader is: https://pkg.go.dev/crypto/rand#pkg-variables

Oh, yes, duh. That is simpler. Pushed that change!
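
An added example, not code from this PR or from the library: a textbook blind RSA round trip in which the blind is drawn from a caller-supplied io.Reader, so a deterministic reader of the kind suggested above makes the blinded message reproducible in tests. The names `seededReader` and `RoundTrip` are hypothetical, and the message is reduced to a bare SHA-256 digest rather than a proper signature encoding, so this illustrates the blinding arithmetic only.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"math/big"
)

// seededReader (hypothetical) is a test-only io.Reader: a SHA-256 hash chain over a seed.
type seededReader struct{ state []byte }

func (r *seededReader) Read(p []byte) (n int, err error) {
	for n < len(p) {
		h := sha256.Sum256(r.state)
		r.state = h[:]
		n += copy(p[n:], h[:])
	}
	return n, nil
}

// RoundTrip (hypothetical) runs blind -> sign -> unblind -> verify, drawing the blind from rnd.
func RoundTrip(sk *rsa.PrivateKey, msg []byte, rnd io.Reader) (*big.Int, bool, error) {
	d := sha256.Sum256(msg) // simplification: bare digest, not a real signature encoding
	m, e := new(big.Int).SetBytes(d[:]), big.NewInt(int64(sk.E))
	r, err := rand.Int(rnd, sk.N)
	if err != nil {
		return nil, false, err
	}
	rInv := new(big.Int).ModInverse(r, sk.N)
	if rInv == nil {
		return nil, false, fmt.Errorf("blind is not invertible mod N")
	}
	blinded := new(big.Int).Exp(r, e, sk.N)
	blinded.Mul(blinded, m).Mod(blinded, sk.N) // client: m * r^e mod N
	s := new(big.Int).Exp(blinded, sk.D, sk.N) // signer: sees only blinded
	s.Mul(s, rInv).Mod(s, sk.N)                // client: unblind to m^d mod N
	return blinded, new(big.Int).Exp(s, e, sk.N).Cmp(m) == 0, nil
}

func main() {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	_, ok, err := RoundTrip(sk, []byte("token"), &seededReader{state: []byte("constructed seed")})
	fmt.Println("signature valid:", ok, "err:", err)
}
```

Two readers built from the same seed yield the same blinded message for the same key and input, which is what a fixed test vector needs; outside tests the reader must be crypto/rand.Reader.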

@chris-wood
Contributor Author

@cjpatton suggestions applied, and the deterministic variant was dropped. Please let me know if more changes are needed!

This change adds a generic interface for two-message blind signature
protocols, along with a concrete implementation of the blind RSA
protocol as currently being specified by the CFRG. This protocol is
a very simple wrapper around the existing RSA implementation in the
Go standard library.
@armfazh armfazh self-assigned this Dec 20, 2021
@armfazh armfazh added the new feature New functionality or module label Dec 20, 2021
@chris-wood chris-wood merged commit 8147cc8 into master Dec 20, 2021
@chris-wood chris-wood deleted the caw/blind-rsa branch December 20, 2021 18:05
Successfully merging this pull request may close these issues.

Two message blind signature protocols