Attack on Brands blind signature

Christian Paquin paquin at
Wed Jul 13 11:19:30 PDT 2005

cypherpunk wrote:
> is an attack by Xuesheng Zhong on several
> blind signature schemes, including one widely discussed on the
> Cypherpunks mailing list back in the 1990s by Stefan Brands.  The paper
> seems to show that it is possible for the bank/mint to recognize blind
> signatures (i.e. untraceable electronic cash tokens) when they are
> re-submitted for deposit, which is exactly what the blind signature is
> supposed to prevent. The math looks right although I haven't tried to
> look back at Brands' old work to see if it is correctly described in
> the new paper.

The claim that Brands' signature scheme is linkable is incorrect (I 
haven't checked the other claims in the paper). The attack checks that 
a^{c'c^{-1}}.g^{s'-c'c^{-1}s} = a' for a signature {m', z', c', s'} and 
a view {m, r, z, a, b, c, s}.

The above equation reduces to

  = g^{s'} a^{c'c^{-1}} g^{-c'c^{-1}s}
  = g^{s'} (a g^{-s})^{c'c^{-1}}
  = g^{s'} (g^s y^{-c} g^{-s})^{c'c^{-1}}
  = g^{s'} y^{-c'}

which is the normal signature validation term. In fact, you can see that 
the attack will match _any_ signature with _any_ view. Therefore, it 
provides no information to the attacker.


  - Christian


Christian Paquin
Security Architect
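
The reduction in the message above can be checked numerically; the following Python sketch is an added example, not part of the original message or of the paper it discusses. It assumes a toy group (p = 2039, q = 1019, g = 4, all constructed here), models a view and a signature only through the relation a = g^s y^{-c} used in the message, omits the m, z, b components and the blinding step, and uses a random challenge in place of the hash; the function names are hypothetical.

```python
import random

# Toy Schnorr group, constructed for this example: P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def transcript(x, rng):
    """Return (a, c, s) with a = g^s * y^(-c), the relation used in the post."""
    w = rng.randrange(1, Q)
    c = rng.randrange(1, Q)          # random stand-in for the hash challenge
    return pow(G, w, P), c, (w + c * x) % Q

def link_test(view, sig, y):
    """The check from the post: a^(c'/c) * g^(s' - (c'/c) s) == a'."""
    a, c, s = view
    c2, s2 = sig
    e = c2 * pow(c, -1, Q) % Q       # c' * c^(-1) in the exponent group
    lhs = pow(a, e, P) * pow(G, (s2 - e * s) % Q, P) % P
    a2 = pow(G, s2, P) * pow(y, (Q - c2) % Q, P) % P   # a' = g^s' * y^(-c')
    return lhs == a2

def count_links(n_views=20, n_sigs=20, seed=1):
    """Pair every view with every independently generated signature."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)          # signer's secret key, y = g^x
    y = pow(G, x, P)
    views = [transcript(x, rng) for _ in range(n_views)]
    sigs = [transcript(x, rng)[1:] for _ in range(n_sigs)]   # keep (c', s')
    return sum(link_test(v, s, y) for v in views for s in sigs)

if __name__ == "__main__":
    print(count_links(), "of", 20 * 20, "view/signature pairs pass the test")
```

Every view passes against every signature even though the two sets were generated independently, so a passing test says nothing about which view produced which signature.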
