[Resource Topic] 2025/1353: Introducing two ROS attack variants: breaking one-more unforgeability of BZ blind signatures

Welcome to the resource topic for 2025/1353

Title:
Introducing two ROS attack variants: breaking one-more unforgeability of BZ blind signatures

Authors: Bruno M. F. Ricardo, Lucas C. Cardoso, Leonardo T. Kimura, Paulo S. Barreto, Marcos A. Simplicio Jr

Abstract:

In 2023, Barreto and Zanon proposed a three-round Schnorr-like blind signature scheme, leveraging zero-knowledge proofs to produce one-time signatures as an intermediate step of the protocol.
The resulting scheme, called BZ, is proven secure in the discrete-logarithm setting under the one-more discrete logarithm assumption with (allegedly) resistance to the Random inhomogeneities in an Overdetermined Solvable system of linear equations modulo a prime number p attack, commonly referred to as ROS attack.
The authors argue that the scheme is resistant against a ROS-based attack by building an adversary whose success depends on extracting the discrete logarithm of the intermediate signing key.
In this paper, however, we describe a distinct ROS attack on the BZ scheme, in which a probabilistic polynomial-time attacker can bypass the zero-knowledge proof step to break the one-more unforgeability of the scheme.
We also built a BZ variant that, by using one secure hash function instead of two, can prevent this particular attack.
Unfortunately, though, we show yet another ROS attack that leverages the BZ scheme’s structure to break the one-more unforgeability principle again, thus revealing that this variant is also vulnerable.
These results indicate that, like other Schnorr-based strategies, it is hard to build a secure blind signature scheme using BZ’s underlying structure.

ePrint: https://eprint.iacr.org/2025/1353

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.