Skip to main content
SpringerLink
Log in

\(\mathsf {CSI\text {-}Otter}\): Isogeny-Based (Partially) Blind Signatures from the Class Group Action with a Twist

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14083))

Included in the following conference series:

Abstract

In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the linear identification protocol abstraction introduced by Hauck, Kiltz, and Loss (EUROCYRPT’19), which was used to generically construct Schnorr-like blind signatures based on modules such as classical groups and lattices. Consequently, our scheme does not seem susceptible to the recent efficient ROS attack exploiting the linear nature of the underlying mathematical tool.

In more detail, our blind signature exploits the quadratic twist of an elliptic curve in an essential way to endow isogenies with a strictly richer structure than abstract group actions (but still more restrictive than modules). The basic scheme has public key size 128 B and signature size 8 KB under the CSIDH-512 parameter sets—these are the smallest among all provably secure post-quantum secure blind signatures. Relying on a new ring variant of the group action inverse problem (\(\textsf{rGAIP}\)), we can halve the signature size to 4 KB while increasing the public key size to 512 B. We provide preliminary cryptanalysis of \({\textsf{rGAIP}} \) and show that for certain parameter settings, it is essentially as secure as the standard \(\textsf{GAIP}\). Finally, we show a novel way to turn our blind signature into a partially blind signature, where we deviate from prior methods since they require hashing into the set of public keys while hiding the corresponding secret key—constructing such a hash function in the isogeny setting remains an open problem.

Author list in alphabetical order; see https://ams.org/profession/leaders/CultureStatement04.pdf.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    For readability, we focus on blind signatures below when the distinction between the partial and non-partial difference is insignificant.

  2. 2.

    ROS stands for for Random inhomogenities in an Overdetermined, Solvable system of linear equations.

  3. 3.

    We note that proving the security of a partially blind signature is more subtle and difficult. Indeed, it was only recently that Kastner, Loss, and Xu [30] provided a corrected proof of the Abe-Okamoto (partially) blind signature [2].

  4. 4.

    The notation for the quadratic twist is not totally uniform in the literature. When \(E/k :y^2 = x^3 + Ax^2 + x\) and \(c \in k^\times \setminus k^{\times 2}\) one sometimes denotes \(E^c/k :cy^2 = x^3 + Ax^2 + x\). In this work we will always have \(-1 \in k^\times \setminus k^{\times 2}\) (since \(k = \mathbb {F}_p\) and \(p \equiv 3 \pmod {4}\)), and we will have \(E^{-1} \cong E':y^2 = x^3 - Ax^2 +x\) by the change of variables \( (x,y) \mapsto (-x,y)\). So this notation—while not usually used in the CSIDH literature—is reasonable, and will be convenient for our protocol description.

  5. 5.

    Note that this is a standard (optimized variant of an) isogeny-based sigma protocol where 0 is removed from the challenge space (see for instance [8]).

  6. 6.

    Since parallel repetition is not required to show blindness, we only focus on the small challenge space for simplicity.

  7. 7.

    For the overview, we will ignore when such \(\zeta _d\) exists and how to find them (see Sect. 7.1 for more details).

  8. 8.

    We assume without loss of generality that \(\textsf{sk} \) includes \(\textsf{pk} \) and \(\textsf{state}_\textsf{S}\) includes \((\textsf{pk}, \textsf{sk})\) and omit it when the context is clear. Below, we also assume that \(\textsf{state}_\textsf{U}\) includes \(\textsf{M}\). .

  9. 9.

    Note that the proof in [30] relies on the fact that there are two possible signing keys per public key. Therefore, their proof does not work for the original Schnorr blind signature [17], which is known to be secure if we further rely on the algebraic group model [31].

  10. 10.

    For those unfamiliar with Schnorr-type signatures, we encourage to look at our concrete construction, where the meaning would be clear from context.

  11. 11.

    [30] defined the witness extractors in such a way that it outputs only \((\textsf{sk} _0, \bot )\) or \((\bot , \textsf{sk} _1)\). However, this restriction is not required as long as Lemma 3.1 (i.e., [30, Corollary 3]) holds. We note that we need this extra relaxation for it to be useful in our partially blind signature. Moreover, note that the extractors are only required to output \(\textsf{W} '_b\) included in \(\textsf{sk} _b = (b, \textsf{W} '_b)\). We use \(\textsf{W} '_b\) and \(\textsf{sk} _b\) interchangeably for readability.

  12. 12.

    Recall that we assume \(\textsf{state}_\textsf{S}\) includes \(\textsf{sk} \) (cf. Footnote 2.1).

References

  1. Abe, M., Fujisaki, E.: How to date blind signatures. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 244–251. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034851

    Chapter  Google Scholar 

  2. Abe, M., Okamoto, T.: Provably secure partially blind signatures. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 271–286. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_17

    Chapter  Google Scholar 

  3. Agrawal, S., Kirshanova, E., Stehlé, D., Yadav, A.: Practical, round-optimal lattice-based blind signatures. In: ACM CCS 2022, pp. 39–53 (2022)

    Google Scholar 

  4. Baldimtsi, F., Lysyanskaya, A.: On the security of one-witness blind signature schemes. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 82–99. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_5

    Chapter  Google Scholar 

  5. Benhamouda, F., Lepoint, T., Loss, J., Orrù, M., Raykova, M.: On the (in)security of ROS. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 33–53. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_2

    Chapter  MATH  Google Scholar 

  6. Beullens, W., Dobson, S., Katsumata, S., Lai, Y.-F., Pintore, F.: Group signatures and more from isogenies and lattices: generic, simple, and efficient. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 95–126. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_4

    Chapter  Google Scholar 

  7. Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16

    Chapter  Google Scholar 

  8. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

    Chapter  Google Scholar 

  9. Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 493–522. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_17

    Chapter  Google Scholar 

  10. Brands, S.: Untraceable off-line cash in wallet with observers (extended abstract). In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 302–318. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_26

    Chapter  MATH  Google Scholar 

  11. Buser, M., et al.: A survey on exotic signatures for post-quantum blockchain: challenges and research directions. ACM Comput. Surv. 55(12), 1–32 (2023)

    Article  Google Scholar 

  12. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7

    Chapter  Google Scholar 

  13. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

    Chapter  Google Scholar 

  14. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology. LNCS, pp. 199–203. Springer, Boston (1983). https://doi.org/10.1007/978-1-4757-0602-4_18

    Chapter  Google Scholar 

  15. Chaum, D.: Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 177–182. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_15

    Chapter  Google Scholar 

  16. Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_25

    Chapter  Google Scholar 

  17. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7

    Chapter  Google Scholar 

  18. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19

    Chapter  Google Scholar 

  19. De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26

    Chapter  Google Scholar 

  20. De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part I. LNCS, vol. 12491, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3

    Chapter  Google Scholar 

  21. del Pino, R., Katsumata, S.: A new framework for more efficient round-optimal lattice-based (partially) blind signature via trapdoor sampling. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 306–336. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_11

    Chapter  Google Scholar 

  22. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

    Chapter  Google Scholar 

  23. Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_4

    Chapter  Google Scholar 

  24. Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_66

    Chapter  Google Scholar 

  25. Galbraith, S., Stolbunov, A.: Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. 24(2), 107–131 (2013)

    Article  MathSciNet  MATH  Google Scholar 

  26. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_3

    Chapter  Google Scholar 

  27. Hauck, E., Kiltz, E., Loss, J.: A modular treatment of blind signatures from identification schemes. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 345–375. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_12

    Chapter  Google Scholar 

  28. Hauck, E., Kiltz, E., Loss, J., Nguyen, N.K.: Lattice-based blind signatures, revisited. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 500–529. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_18

    Chapter  Google Scholar 

  29. Hendrickson, S., Iyengar, J., Pauly, T., Valdez, S., Wood, C.A.: Private access tokens. internet-draft draft-private-access-tokens-01

    Google Scholar 

  30. Kastner, J., Loss, J., Xu, J.: The abe-okamoto partially blind signature scheme revisited. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part IV. LNCS, vol. 13794, pp. 279–309. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_10

    Chapter  Google Scholar 

  31. Kastner, J., Loss, J., Xu, J.: On pairing-free blind signature schemes in the algebraic group model. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC. LNCS, vol. 13178, pp. 468–497. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1_16

    Chapter  Google Scholar 

  32. Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)

    Article  MathSciNet  MATH  Google Scholar 

  33. Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. arXiv preprint arXiv:1112.3333

  34. Lyubashevsky, V., Nguyen, N.K., Plançon, M.: Efficient lattice-based blind signatures via gaussian one-time signatures. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022, Part II. LNCS, vol. 13178, pp. 498–527. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1_17

    Chapter  Google Scholar 

  35. Okamoto, T., Ohta, K.: Universal electronic cash. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 324–337. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_27

    Chapter  Google Scholar 

  36. Peikert, C.: He gives C-Sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 463–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_16

    Chapter  Google Scholar 

  37. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33

    Chapter  Google Scholar 

  38. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)

    Article  MATH  Google Scholar 

  39. Regev, O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space. arXiv preprint quant-ph/0406151

    Google Scholar 

  40. Schnorr, C.-P.: Security of blind discrete log signatures against interactive attacks. In: Qing, S., Okamoto, T., Zhou, J. (eds.) ICICS 2001. LNCS, vol. 2229, pp. 1–12. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45600-7_1

    Chapter  Google Scholar 

  41. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

    Article  MathSciNet  MATH  Google Scholar 

  42. Vpn by Google one, explained. https://one.google.com/about/vpn/howitworks

  43. Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_19

    Chapter  Google Scholar 

  44. Yi, X., Lam, K.-Y.: A new blind ECDSA scheme for bitcoin transaction anonymity. In: ASIACCS 2019, pp. 613–620 (2019)

    Google Scholar 

Download references

Acknowledgements

Shuichi Katsumata was partially supported by JST, CREST Grant Number JPMJCR22M1 and by JST, AIP Acceleration Research JPMJCR22U5. Yi-Fu Lai, Jason T. LeGrow, and Ling Qin were supported in part by the Ministry for Business, Innovation and Employment of New Zealand. Jason T. LeGrow was supported in part by the Commonwealth of Virginia’s Commonwealth Cyber Initiative (CCI), an investment in the advancement of cyber R &D, innovation, and workforce development. For more information about CCI, visit http://www.cyberinitiative.org.

Author information

Authors and Affiliations

  1. PQShield, Ltd., Oxford, UK

    Shuichi Katsumata

  2. AIST, Tokyo, Japan

    Shuichi Katsumata

  3. Department of Mathematics, University of Auckland, Auckland, New Zealand

    Yi-Fu Lai & Ling Qin

  4. Department of Mathematics, Virginia Polytechnic Institute and State University, Blacksburg, USA

    Jason T. LeGrow

Authors
  1. Shuichi Katsumata
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yi-Fu Lai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jason T. LeGrow
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ling Qin
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shuichi Katsumata .

Editor information

Editors and Affiliations

  1. Rambus Inc., San Jose, CA, USA

    Helena Handschuh

  2. Brown University, Providence, RI, USA

    Anna Lysyanskaya

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Katsumata, S., Lai, YF., LeGrow, J.T., Qin, L. (2023). \(\mathsf {CSI\text {-}Otter}\): Isogeny-Based (Partially) Blind Signatures from the Class Group Action with a Twist. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_24

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-38548-3_24

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38547-6

  • Online ISBN: 978-3-031-38548-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation