On the (in)security of ROS

Fabrice Benhamouda; Tancrède Lepoint; Julian Loss; Michele Orrù; Mariana Raykova

Paper 2020/945

On the (in)security of ROS

Fabrice Benhamouda

Tancrède Lepoint

Julian Loss

Michele Orrù

Mariana Raykova

Abstract

We present an algorithm solving the ROS (Random inhomogeneities in a Overdetermined Solvable system of linear equations) problem in polynomial time for l > log p dimensions. Our algorithm can be combined with Wagner’s attack, and leads to a sub-exponential solution for any dimension l with best complexity known so far. When concurrent executions are allowed, our algorithm leads to practical attacks against unforgeability of blind signature schemes such as Schnorr and Okamoto--Schnorr blind signatures, threshold signatures such as GJKR and the original version of FROST, multisignatures such as CoSI and the two-round version of MuSig, partially blind signatures such as Abe-Okamoto, and conditional blind signatures such as ZGP17.

Note: 2024-02-01: clarified that our attacks do not extend to [BL13] and [CZMS06] and improved writing

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: A minor revision of an IACR publication in JOC 2022
DOI: 10.1007/s00145-022-09436-0
Keywords: digital signatures cryptanalysis
Contact author(s): fabrice benhamouda @ gmail com
crypto @ tancre de
lossjulian @ gmail com
michele @ tumbolandia net
marianar @ google com
History: 2024-02-01: last of 5 revisions; 2020-07-31: received; See all versions
Short URL: https://ia.cr/2020/945
License: CC BY

BibTeX

@misc{cryptoeprint:2020/945,
      author = {Fabrice Benhamouda and Tancrède Lepoint and Julian Loss and Michele Orrù and Mariana Raykova},
      title = {On the (in)security of {ROS}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/945},
      year = {2020},
      doi = {10.1007/s00145-022-09436-0},
      url = {https://eprint.iacr.org/2020/945}
}