On the (in)Security of ROS

We present an algorithm solving the ROS (Random inhomogeneities in an Overdetermined Solvable system of linear equations) problem in polynomial time for ℓ > log p dimensions. Our algorithm can be combined with Wagner's attack, and leads to a sub-exponential solution for any dimension ℓ with the best complexity known so far. When concurrent executions are allowed, our algorithm leads to practical attacks against the unforgeability of blind signature schemes such as Schnorr and Okamoto–Schnorr blind signatures, threshold signatures such as GJKR and the original version of FROST, multisignatures such as CoSi and the two-round version of MuSig, partially blind signatures such as Abe–Okamoto, and conditional blind signatures such as ZGP17.
