Attack on Brands blind signature
Christian Paquin
paquin at credentica.com
Wed Jul 13 11:19:30 PDT 2005
cypherpunk wrote:
> eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several
> blind signature schemes, including one widely discussed on the
> Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper
> seems to show that it is possible for the bank/mint to recognize blind
> signatures (i.e. untraceable electronic cash tokens) when they are
> re-submitted for deposit, which is exactly what the blind signature is
> supposed to prevent. The math looks right although I haven't tried to
> look back at Brands' old work to see if it is correctly described in
> the new paper.
The claim that Brands' signature scheme is linkable is incorrect (I
haven't checked the other claims in the paper). The attack checks that
a^{c'c^{-1}}.g^{s'-c'c^{-1}s} = a' for a signature {m', z', c', s'} and
a view {m, r, z, a, b, c, s}.
The above equation reduces to
  a^{c'c^{-1}} g^{s'-c'c^{-1}s}
  = g^{s'} a^{c'c^{-1}} g^{-c'c^{-1}s}
  = g^{s'} (a g^{-s})^{c'c^{-1}}
  = g^{s'} (g^s y^{-c} g^{-s})^{c'c^{-1}}
  = g^{s'} y^{-c'}
which is the normal signature validation term. In fact, you can see that
the attack will match _any_ signature with _any_ view. Therefore, it
provides no information to the attacker.
Cheers,
- Christian
--
Christian Paquin
Security Architect
Credentica
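The following is an added worked example, not code from the message, from the paper, or from Credentica. It implements a Schnorr-style blind signature issuing protocol in the notation of the message (y is the signer's public key, the signer's view satisfies g^s = a y^c, the blinded signature is {m', z', c', s'}), runs several issuing sessions, and then applies the linking check a^{c'c^{-1}} g^{s'-c'c^{-1}s} = a' to every (view, signature) pair. The protocol details (blinding factors t, u, v, the hash-to-Z_q challenge) and the toy group parameters p = 2039, q = 1019, g = 4 are my own assumptions for illustration; the group is far too small for real use.

```python
"""Schnorr-style blind signature issuing and the linking check from the message.

Added example, not the paper's or Credentica's code.  The toy Schnorr group
(p = 2039, q = 1019, g = 4; assumed parameters) keeps the numbers small.
Notation follows the message: y = g^x is the signer's public key, the signer's
view is (m, z, a, b, c, s) with g^s = a y^c, and the user ends up with the
blinded signature (m', z', c', s') where a' = g^{s'} y^{-c'}.
"""
import hashlib
import random

P = 2039   # safe prime, p = 2q + 1 (assumed toy parameter)
Q = 1019   # prime order of the subgroup generated by g
G = 4      # quadratic residue mod p, so it generates the order-q subgroup


def hash_to_zq(*elements):
    """Fiat-Shamir challenge: SHA-256 over the group elements, reduced mod q."""
    h = hashlib.sha256("|".join(str(e) for e in elements).encode()).digest()
    return int.from_bytes(h, "big") % Q


def keygen(rng):
    """Signer's secret x and public key y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def issue(x, y, m, rng):
    """One issuing session on group element m.

    Returns (signer_view, signature): the signer sees (m, z, a, b, c, s); the
    user obtains the blinded signature (m', z', c', s') on m' = m^t.
    """
    # Signer: z = m^x and commitments a = g^w, b = m^w.
    z = pow(m, x, P)
    w = rng.randrange(1, Q)
    a, b = pow(G, w, P), pow(m, w, P)
    # User: blind with t, u, v (assumed blinding scheme) and hash to get c'.
    while True:
        t, u, v = rng.randrange(1, Q), rng.randrange(1, Q), rng.randrange(Q)
        m_b, z_b = pow(m, t, P), pow(z, t, P)
        a_b = (pow(a, u, P) * pow(G, v, P)) % P
        b_b = (pow(b, t * u, P) * pow(m_b, v, P)) % P
        c_b = hash_to_zq(m_b, z_b, a_b, b_b)
        if c_b != 0:   # c must be invertible mod q for the linking check to exist
            break
    c = (c_b * pow(u, -1, Q)) % Q   # challenge the signer actually sees
    # Signer: response s with g^s = a y^c.
    s = (w + c * x) % Q
    # User: unblind the response so that g^{s'} = a' y^{c'}.
    s_b = (u * s + v) % Q
    return (m, z, a, b, c, s), (m_b, z_b, c_b, s_b)


def verify(y, sig):
    """Check c' == H(m', z', a', b') with a' = g^{s'} y^{-c'}, b' = m'^{s'} z'^{-c'}."""
    m_b, z_b, c_b, s_b = sig
    a_b = (pow(G, s_b, P) * pow(y, Q - c_b, P)) % P
    b_b = (pow(m_b, s_b, P) * pow(z_b, Q - c_b, P)) % P
    return hash_to_zq(m_b, z_b, a_b, b_b) == c_b


def linking_check(y, view, sig):
    """The test quoted in the message: a^{c'c^{-1}} g^{s'-c'c^{-1}s} == a'."""
    _m, _z, a, _b, c, s = view
    _m_b, _z_b, c_b, s_b = sig
    e = (c_b * pow(c, -1, Q)) % Q                       # c' c^{-1} mod q
    lhs = (pow(a, e, P) * pow(G, (s_b - e * s) % Q, P)) % P
    a_b = (pow(G, s_b, P) * pow(y, Q - c_b, P)) % P     # a' = g^{s'} y^{-c'}
    return lhs == a_b


def link_matrix(y, views, sigs):
    """Apply the linking check to every (view, signature) pair."""
    return [[linking_check(y, v, sg) for sg in sigs] for v in views]


def demo(n=5, seed=1):
    """Issue n tokens, shuffle the deposits, return (y, views, signatures)."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    views, sigs = [], []
    for _ in range(n):
        m = pow(G, rng.randrange(1, Q), P)   # constructed message element
        view, sig = issue(x, y, m, rng)
        views.append(view)
        sigs.append(sig)
    rng.shuffle(sigs)   # the bank sees deposits in an unknown order
    return y, views, sigs


if __name__ == "__main__":
    y, views, sigs = demo()
    print("all signatures valid:", all(verify(y, sg) for sg in sigs))
    for row in link_matrix(y, views, sigs):
        print(["link" if hit else "-" for hit in row])
```

Every row of the printed matrix is all "link": the check passes for each view against each signature, matching and non-matching alike, because the exponent c'c^{-1} cancels the c in g^s = a y^c and what remains is the verification term g^{s'} y^{-c'}. A test that fires on every pair cannot tell the bank which withdrawal a deposit came from.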