Paper 2022/895

Security Analysis of RSA-BSSA

Anna Lysyanskaya

In a blind signature scheme, a user can obtain a digital signature on a message of her choice without revealing anything about the message or the resulting signature to the signer. Blind signature schemes have recently found applications for privacy-preserving web browsing and ad ecosystems, and as such, are ripe for standardization. In this paper, we show that the recent proposed standard of Denis, Jacobs and Wood [18, 17] constitutes a strongly one-more-unforgeable blind signature scheme in the random-oracle model under the one-more-RSA assumption. Fur- ther, we show that the blind version of RSA-FDH proposed and analyzed by Bellare, Namprempre, Pointcheval and Semanko [6] does not satisfy blindness when the public key is chosen maliciously, but satisfies a weaker notion of a blind token.

Note: This revision takes into account the feedback I got from the PKC review process.

Available format(s)
Cryptographic protocols
Publication info
A minor revision of an IACR publication in PKC 2023
Blind signatures
Contact author(s)
anna_lysyanskaya @ brown edu
2023-03-10: revised
2022-07-08: received
See all versions
Short URL
Creative Commons Attribution


      author = {Anna Lysyanskaya},
      title = {Security Analysis of {RSA}-{BSSA}},
      howpublished = {Cryptology ePrint Archive, Paper 2022/895},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.