Attack on Brands blind signature
eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several blind signature schemes, including one widely discussed on the Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper seems to show that it is possible for the bank/mint to recognize blind signatures (i.e. untraceable electronic cash tokens) when they are re-submitted for deposit, which is exactly what the blind signature is supposed to prevent. The math looks right although I haven't tried to look back at Brands' old work to see if it is correctly described in the new paper.

CP
cypherpunk wrote:
> eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several blind signature schemes, including one widely discussed on the Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper seems to show that it is possible for the bank/mint to recognize blind signatures (i.e. untraceable electronic cash tokens) when they are re-submitted for deposit, which is exactly what the blind signature is supposed to prevent. The math looks right although I haven't tried to look back at Brands' old work to see if it is correctly described in the new paper.
The claim that Brands' signature scheme is linkable is incorrect (I haven't checked the other claims in the paper). The attack checks that

    a^{c'c^{-1}} . g^{s'-c'c^{-1}s} = a'

for a signature {m', z', c', s'} and a view {m, r, z, a, b, c, s}. The above equation reduces to

    = g^{s'} a^{c'c^{-1}} g^{-c'c^{-1}s}
    = g^{s'} (a g^{-s})^{c'c^{-1}}
    = g^{s'} (g^s y^{-c} g^{-s})^{c'c^{-1}}
    = g^{s'} y^{-c'}

which is the normal signature validation term. In fact, you can see that the attack will match _any_ signature with _any_ view. Therefore, it provides no information to the attacker.

Cheers,

- Christian

--
Christian Paquin
Security Architect
Credentica
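The algebra in the reply above can be checked numerically. The Python below is an added example, not part of either post or of the paper: it assumes a toy group (p = 2039, q = 1019, g = 4), models the hash challenge as a random nonzero value, covers only the g/y equation quoted in the reply, and all function names are illustrative.

```python
import random

# Constructed toy Schnorr group, far too small for real use: p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    """Signer key pair (x, y = g^x)."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def transcript(x, rng):
    """One honest (a, c, s): a = g^w, s = w + c*x, hence a = g^s * y^-c."""
    w = rng.randrange(1, Q)
    c = rng.randrange(1, Q)  # assumption: stands in for the hash challenge; nonzero so c^-1 exists
    s = (w + c * x) % Q
    return pow(G, w, P), c, s

def recomputed_a(y, c, s):
    """The verifier's term g^s * y^-c (y has order q, so y^-c = y^(q-c))."""
    return pow(G, s, P) * pow(y, (Q - c) % Q, P) % P

def link_test(view, sig, y):
    """The check from the reply: a^(c'/c) * g^(s' - (c'/c)*s) == a'."""
    a, c, s = view
    _, c2, s2 = sig
    k = c2 * pow(c, -1, Q) % Q  # c' * c^-1 mod q
    lhs = pow(a, k, P) * pow(G, (s2 - k * s) % Q, P) % P
    return lhs == recomputed_a(y, c2, s2)

def match_matrix(n_views=5, n_sigs=5, seed=1):
    """Run the check for every (view, signature) pair; the two sets are unrelated."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    views = [transcript(x, rng) for _ in range(n_views)]
    sigs = [transcript(x, rng) for _ in range(n_sigs)]
    return [[link_test(v, s, y) for s in sigs] for v in views]

if __name__ == "__main__":
    for row in match_matrix():
        print(" ".join("match" if hit else "-----" for hit in row))
```

Every cell matches even though no signature was derived from any view, so a positive result tells the signer nothing about which withdrawal a deposited token came from.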