
On the (in)Security of ROS

  • Research Article
  • Journal of Cryptology

Abstract

We present an algorithm solving the ROS (Random inhomogeneities in an Overdetermined Solvable system of linear equations) problem mod p in polynomial time for \(\ell > \log p\) dimensions. Our algorithm can be combined with Wagner’s attack, and leads to a sub-exponential solution for any dimension \(\ell \) with the best complexity known so far. When concurrent executions are allowed, our algorithm leads to practical attacks against the unforgeability of blind signature schemes such as Schnorr and Okamoto–Schnorr blind signatures, threshold signatures such as GJKR and the original version of FROST, multisignatures such as CoSI and the two-round version of MuSig, partially blind signatures such as Abe–Okamoto, and conditional blind signatures such as ZGP17. Schemes for e-cash (such as Brands’ signature) and anonymous credentials (such as Anonymous Credentials Light) inspired by the above are also affected.
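The following is an added worked example, written for this page; it is not the paper’s Sage listing and not the authors’ code. It runs the ROS forgery against blind Schnorr signatures in plain Python, in a toy Schnorr group: the order-\(p\) subgroup of \(\mathbb{Z}_q^*\) with \(p = 2^{61}-1\) and \(q = kp+1\) found at start-up. The group, the SHA-256-based challenge hash, the message strings and every function name are this example’s assumptions. With \(\ell = 61 > \log_2 p\) concurrent sessions the attacker obtains \(\ell + 1 = 62\) valid signatures on distinct messages from \(\ell\) signing queries, the one-more forgery described in the abstract; the signer is honest and never reuses a nonce.

```python
import hashlib
import secrets

# Toy Schnorr group (an assumption of this example): the order-P subgroup of
# Z_Q^*. Group "addition" is multiplication mod Q and "scalar multiplication"
# is exponentiation. The ROS attack below needs ell > log2(P) sessions.
P = 2**61 - 1  # Mersenne prime, used as the group order

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for a in bases:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group():
    """Smallest even k with Q = k*P + 1 prime, and a generator of order P."""
    k = 2
    while not is_probable_prime(k * P + 1):
        k += 2
    Q = k * P + 1
    h = 2
    while pow(h, k, Q) == 1:
        h += 1
    return Q, pow(h, k, Q)

Q, G = make_group()

def gadd(a, b):          # group operation (written additively in the protocol)
    return a * b % Q

def gmul(base, e):       # "scalar multiplication" e*base
    return pow(base, e % P, Q)

def H(R, m):
    """Challenge hash into Z_P: SHA-256 of (R, m) reduced mod P (assumed)."""
    digest = hashlib.sha256(R.to_bytes(16, "big") + m).digest()
    return int.from_bytes(digest, "big") % P

class Signer:
    """Honest blind Schnorr signer: fresh nonce per session, one answer each."""
    def __init__(self):
        self.x = secrets.randbelow(P - 1) + 1
        self.X = gmul(G, self.x)
        self.nonces, self.queries = {}, 0

    def commit(self, sid):
        self.nonces[sid] = secrets.randbelow(P - 1) + 1
        return gmul(G, self.nonces[sid])

    def respond(self, sid, c):
        self.queries += 1
        return (self.nonces.pop(sid) + c * self.x) % P

def verify(X, m, sig):
    R, s = sig
    return gmul(G, s) == gadd(R, gmul(X, H(R, m)))

def ros_forge(signer, messages):
    """ell = bitlen(P) concurrent sessions -> ell + 1 valid signatures."""
    ell, X = P.bit_length(), signer.X
    assert len(messages) == ell + 1
    R = [signer.commit(i) for i in range(ell)]     # all sessions open at once
    # Two candidate blinded challenges c[i][b] per session, from two blindings.
    a, bt, Rb, c = [], [], [], []
    for i in range(ell):
        a.append([secrets.randbelow(P) for _ in range(2)])
        bt.append([secrets.randbelow(P) for _ in range(2)])
        Rb.append([gadd(R[i], gadd(gmul(G, a[i][b]), gmul(X, bt[i][b]))) for b in range(2)])
        c.append([(H(Rb[i][b], messages[i]) + bt[i][b]) % P for b in range(2)])
        assert c[i][0] != c[i][1], "collision (probability ~1/P): retry"
    # ROS row of the extra signature: rho_i = 2^i / (c_i^1 - c_i^0).
    rho = [pow(2, i, P) * pow((c[i][1] - c[i][0]) % P, -1, P) % P for i in range(ell)]
    R0 = 1
    for i in range(ell):
        R0 = gadd(R0, gmul(R[i], rho[i]))
    c0 = H(R0, messages[ell])
    # Need sum_i rho_i*c_i^{b_i} = c0. As c_i^b = c_i^0 + b*(c_i^1 - c_i^0), this is
    # sum_i b_i*2^i = c0 - sum_i rho_i*c_i^0 (mod P); the bits b_i are the binary
    # expansion of the right-hand side, which fits because P < 2^ell.
    target = (c0 - sum(rho[i] * c[i][0] for i in range(ell))) % P
    bits = [(target >> i) & 1 for i in range(ell)]
    s = [signer.respond(i, c[i][bits[i]]) for i in range(ell)]
    sigs = [(messages[i], (Rb[i][bits[i]], (s[i] + a[i][bits[i]]) % P)) for i in range(ell)]
    s0 = sum(rho[i] * s[i] for i in range(ell)) % P   # linear combination of replies
    sigs.append((messages[ell], (R0, s0)))
    return sigs

def demo():
    """Returns (all signatures valid?, signing queries used, signatures obtained)."""
    signer = Signer()
    msgs = [f"pay 1 coin to account {i}".encode() for i in range(P.bit_length() + 1)]
    sigs = ros_forge(signer, msgs)
    return all(verify(signer.X, m, sig) for m, sig in sigs), signer.queries, len(sigs)

if __name__ == "__main__":
    ok, queries, count = demo()
    print(f"{count} valid signatures from {queries} signing queries: {ok}")
```

Two properties of the scheme make this work, and both are visible in the code: the signer’s reply \(s_i = k_i + c_i x\) is linear in the challenge, so a linear combination of replies is a reply for the combined nonce \(R_0\); and all \(\ell\) challenges are chosen only after all \(\ell\) commitments are known, which is what the abstract’s qualifier “when concurrent executions are allowed” refers to. A signer that processes sessions strictly one at a time is not affected by this attack.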



Notes

  1. Okamoto–Schnorr signatures are proven secure only for \(\ell\) parallel executions such that \(Q^\ell/p \ll 1\), where Q is the number of queries to \(\textsc{H}_{\text{ros}}\). Our attack does not contradict their analysis, as our attack requires \(\ell > \log_2 p > \log_Q p\).

  2. In the actual attack, part of the second step is executed beforehand, so that these polynomials can be chosen properly.

  3. Indeed, when considering the exact values of the constants in the asymptotics, the actual complexity of Wagner’s attack is \(2^{\lfloor \log (\ell +1)\rfloor }\cdot 2^{\frac{\lambda }{1 + \lfloor \log (\ell +1)\rfloor }}\).

  4. Our attack does not use the fact that only a threshold of \(t+1\) parties is required to sign. To simplify the description of the attack, we assume that all parties participate in signing.

  5. Pedersen commitments are unrelated to Pedersen’s DKG, apart from the fact that both were invented by Pedersen.

  6. https://www.microsoft.com/en-us/research/project/u-prove/

  7. http://www.cypherspace.org/credlib/

  8. From the specification: Multiple U-Prove tokens generated using identical common inputs MAY be issued in parallel [and the computation of M, Z] can be shared among all parallel protocol executions.

  9. For further information, read the C10K problem (’99) and the C10M problem (’11).

References

  1. Masayuki Abe. A secure three-move blind signature scheme for polynomially many signatures. In Birgit Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS, pages 136–151. Springer, Heidelberg, May 2001.

  2. Masayuki Abe and Tatsuaki Okamoto. Provably secure partially blind signatures. In Mihir Bellare, editor, CRYPTO 2000, volume 1880 of LNCS, pages 271–286. Springer, Heidelberg, August 2000.

  3. Foteini Baldimtsi and Anna Lysyanskaya. Anonymous credentials light. In Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM CCS 2013, pages 1087–1098. ACM Press, November 2013.

  4. Alexandra Boldyreva. Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In Yvo Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages 31–46. Springer, Heidelberg, January 2003.

  5. Stefan Brands. Untraceable off-line cash in wallets with observers (extended abstract). In Douglas R. Stinson, editor, CRYPTO’93, volume 773 of LNCS, pages 302–318. Springer, Heidelberg, August 1994.


  6. Tony K. Chan, Karyin Fung, Joseph K. Liu, and Victor K. Wei. Blind spontaneous anonymous group signatures for ad hoc groups. In ESAS 2004, volume 3313 of LNCS, pages 82–94. Springer, Heidelberg, 2004.

  7. David Chaum. Blind signatures for untraceable payments. In David Chaum, Ronald L. Rivest, and Alan T. Sherman, editors, CRYPTO’82, pages 199–203. Plenum Press, New York, USA, 1982.


  8. Sherman S. M. Chow, Lucas Chi Kwong Hui, Siu-Ming Yiu, and K. P. Chow. Two improved partially blind signature schemes from bilinear pairings. In Colin Boyd and Juan Manuel González Nieto, editors, ACISP 05, volume 3574 of LNCS, pages 316–328. Springer, Heidelberg, July 2005.

  9. Xiaofeng Chen, Fangguo Zhang, Yi Mu, and Willy Susilo. Efficient provably secure restrictive partially blind signatures from bilinear pairings. In Giovanni Di Crescenzo and Avi Rubin, editors, FC 2006, volume 4107 of LNCS, pages 251–265. Springer, Heidelberg, February / March 2006.

  10. Manu Drijvers, Kasra Edalatnejad, Bryan Ford, Eike Kiltz, Julian Loss, Gregory Neven, and Igors Stepanovs. On the security of two-round multi-signatures. In 2019 IEEE Symposium on Security and Privacy, pages 1084–1101. IEEE Computer Society Press, May 2019.

  11. Paul Feldman. A practical scheme for non-interactive verifiable secret sharing. In 28th FOCS, pages 427–437. IEEE Computer Society Press, October 1987.

  12. Georg Fuchsbauer, Antoine Plouviez, and Yannick Seurin. Blind schnorr signatures and signed ElGamal encryption in the algebraic group model. In Anne Canteaut and Yuval Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS, pages 63–95. Springer, Heidelberg, May 2020.

  13. Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, and Tal Rabin. Secure distributed key generation for discrete-log based cryptosystems. Journal of Cryptology, 20(1):51–83, January 2007.


  14. Panagiotis Grontas, Aris Pagourtzis, Alexandros Zacharakis, and Bingsheng Zhang. Towards everlasting privacy and efficient coercion resistance in remote electronic voting. In Aviv Zohar, Ittay Eyal, Vanessa Teague, Jeremy Clark, Andrea Bracciali, Federico Pintore, and Massimiliano Sala, editors, FC 2018 Workshops, volume 10958 of LNCS, pages 210–231. Springer, Heidelberg, March 2019.

  15. Eduard Hauck, Eike Kiltz, and Julian Loss. A modular treatment of blind signatures from identification schemes. In Yuval Ishai and Vincent Rijmen, editors, EUROCRYPT 2019, Part III, volume 11478 of LNCS, pages 345–375. Springer, Heidelberg, May 2019.

  16. Eduard Hauck, Eike Kiltz, Julian Loss, and Ngoc Khanh Nguyen. Lattice-based blind signatures, revisited. In Daniele Micciancio and Thomas Ristenpart, editors, CRYPTO 2020, Part II, volume 12171 of LNCS, pages 500–529. Springer, Heidelberg, August 2020.

  17. Chelsea Komlo and Ian Goldberg. FROST: Flexible round-optimized Schnorr threshold signatures, 2020. https://crysp.uwaterloo.ca/software/frost/frost-extabs.pdf; version from "January 7, 2020"; accessed 2020-10-04.

  18. Chelsea Komlo and Ian Goldberg. FROST: Flexible round-optimized Schnorr threshold signatures. Cryptology ePrint Archive, Report 2020/852, 2020. https://eprint.iacr.org/2020/852.

  19. Julia Kastner, Julian Loss, Michael Rosenberg, and Jiayu Xu. On pairing-free blind signature schemes in the algebraic group model. Cryptology ePrint Archive, Report 2020/1071, 2020.

  20. Gregory Maxwell, Andrew Poelstra, Yannick Seurin, and Pieter Wuille. Simple Schnorr multi-signature with applications to Bitcoin. Cryptology ePrint Archive, Report 2018/068, Revision 20180118:124757, 2018. https://eprint.iacr.org/2018/068/20180118:124757.

  21. Gregory Maxwell, Andrew Poelstra, Yannick Seurin, and Pieter Wuille. Simple Schnorr multi-signature with applications to Bitcoin. Cryptology ePrint Archive, Report 2018/068, Revision 20180520:191909, 2018. https://eprint.iacr.org/2018/068/20180520:191909.

  22. Lorenz Minder and Alistair Sinclair. The extended k-tree algorithm. In Claire Mathieu, editor, 20th SODA, pages 586–595. ACM-SIAM, January 2009.

  23. David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361–396, June 2000.


  24. Christian Paquin and Greg Zaverucha. U-Prove cryptographic specification V1.1. Technical Report, Microsoft Corporation, 2011.

  25. W. A. Stein et al. Sage Mathematics Software (Version 9.1). The Sage Development Team, 2020. http://www.sagemath.org.

  26. Claus-Peter Schnorr. Security of blind discrete log signatures against interactive attacks. In Sihan Qing, Tatsuaki Okamoto, and Jianying Zhou, editors, ICICS 01, volume 2229 of LNCS, pages 1–12. Springer, Heidelberg, November 2001.

  27. Ewa Syta, Iulia Tamas, Dylan Visher, David Isaac Wolinsky, Philipp Jovanovic, Linus Gasser, Nicolas Gailly, Ismail Khoffi, and Bryan Ford. Keeping authorities “honest or bust” with decentralized witness cosigning. In 2016 IEEE Symposium on Security and Privacy, pages 526–545. IEEE Computer Society Press, May 2016.

  28. Stefano Tessaro and Chenzhi Zhu. Short pairing-free blind signatures with exponential security. Cryptology ePrint Archive, Report 2022/047, 2022. https://ia.cr/2022/047.

  29. David Wagner. A generalized birthday problem. In Moti Yung, editor, CRYPTO 2002, volume 2442 of LNCS, pages 288–303. Springer, Heidelberg, August 2002.

  30. Tsz Hon Yuen and Victor K. Wei. Fast and proven secure blind identity-based signcryption from pairings. In Alfred Menezes, editor, CT-RSA 2005, volume 3376 of LNCS, pages 305–322. Springer, Heidelberg, February 2005.

  31. Alexandros Zacharakis, Panagiotis Grontas, and Aris Pagourtzis. Conditional blind signatures. Cryptology ePrint Archive, Report 2017/682, 2017. http://eprint.iacr.org/2017/682.


Corresponding author

Correspondence to Michele Orrù.

Additional information

Communicated by Damien Stehlé


Code Listing for Schnorr’s Blind Signature Forgery

(Figure a: the listing is rendered as an image in the original and is not reproduced here.)


About this article


Cite this article

Benhamouda, F., Lepoint, T., Loss, J. et al. On the (in)Security of ROS. J Cryptol 35, 25 (2022). https://doi.org/10.1007/s00145-022-09436-0
