I've sent a bunch of emails to the tor-access list rather quickly, but just to reiterate the most important part :
There are two very serious deanonymizaton attacks in the spec as written so far.
First, if one does not use a blinding factor indistinguishable from random that ranges over precisely the domain Z mod n, then you leak 1 bit per token to the mint.
Second, if one does not check the GCD of both the hash and the blinding factor* with the RSA modulus n, then one potentially leaks even more bits vs a malicious RSA key made from two bigish primes and several smaller primes.
In both case, any leaked bits accumulate as you spend multiple tokens, or via an intersection attack, which quickly deanonymizes users.
If one checks out GNUNet's svn repository, then one could find my commits that address these attacks in Taler by running : svn log gnunet/src/util/crypto_rsa.c | less
Just wanted to reiterate this to it didn't get buried in all the minor concerns. Jeff
* Inversion mod n might catch this on the blinding factor side, but doing it that way might give worse error reporting.
p.s. I looked more seriously at blind BLS signatures, seemingly not as bad as I'd feared, although the public key validation issues are likely to remain tougher than one normally expects, especially for this application.