Blind signatures allow the issuing of signatures on messages chosen by the user so that they ensure
of the message against the signer. Moreover, a malicious user cannot output
signatures while only finishing
signing sessions. This notion, called
-
unforgeability, comes in two flavors supporting either
or
sessions.
In this paper, we investigate the security of a class of blind signatures constructed from Sigma-protocols with small challenge space
(i.e., polynomial in the security parameter), using
repetitions of the protocol to decrease the chances of a cheating prover. This class of schemes includes, among others, the Schnorr blind signature scheme with bit challenges and the recently proposed isogeny-based scheme CSI-Otter (Crypto'23), as well as potential blind signatures designed from assumptions with the well-known Sigma-protocol for the graph-isomorphism problem (e.g., Lattice Isomorphism Problem).
For this class of blind signatures, we show a
-
attack that breaks one-more unforgeability for any
concurrent sessions in time
. Contrary to the ROS attack, ours is generic and does not require any particular algebraic structure. We also propose a computational trade-off, where, for any
, our attack works for
in time
.
The consequences of our attack are as follows. Schemes in the investigated class of blind signatures should not be used concurrently without applying specific transformations to boost the security to support more signing sessions. Moreover, for the parameters proposed for CSI-Otter (
and
), the scheme becomes forgeable after 128 concurrent signing sessions for the basic attack and with only eight sessions in our optimized attack. We also show that for those parameters, it is even possible to compute two signatures in around 10 minutes with just one signing session using the computation power of the Bitcoin network. Thus, we show that, for sequential security, the parameter
must be at least doubled in the security parameter for any of the investigated schemes.
History
Primary Research Area
Algorithmic Foundations and Cryptography
Journal
Cryptology ePrint Archive
Volume
2023
Page Range
1588-1588
Sub Type
Article
BibTeX
@article{Do:Hanzlik:Paracucchi:2023,
title = "M&M'S: Mix and Match Attacks on Schnorr-type Blind Signatures with Repetition.",
author = "Do, Khue" AND "Hanzlik, Lucjan" AND "Paracucchi, Eugenio",
year = 2023,
month = 10,
journal = "Cryptology ePrint Archive",
pages = "1588--1588"
}