Paper 2023/1603

Breaking Parallel ROS: Implication for Isogeny and Lattice-based Blind Signatures

Shuichi Katsumata, National Institute of Advanced Industrial Science and Technology, PQShield
Yi-Fu Lai, Ruhr University Bochum
Michael Reichle, ETH Zurich
Abstract

Many of the three-round blind signatures based on identification protocols are only proven to be $\ell$-concurrently unforgeable for $\ell = \mathsf{polylog}(\lambda)$. It was only recently shown in a seminal work by Benhamouda et al. (EUROCRYPT'21) that this is not just a limitation of the proof technique. They proposed an elegant polynomial-time attack against the $\ell$-concurrent unforgeability of the classical blind Schnorr protocol for $\ell = \mathsf{poly}(\lambda)$. However, there are still many blind signatures following a similar recipe to blind Schnorr where the attack by Benhamouda et al. does not apply. This includes, for instance, the isogeny-based blind signature CSI-Otter by Katsumata et al. (CRYPTO'23) and the lattice-based blind signatures Blaze+ by Alkeilani et al. (ACISP'20) and BlindOR by Alkeilani et al. (CANS'20). In this work, we provide a simple and novel attack on blind signatures based on identification protocols that perform parallel repetition to reduce the soundness error. Our attack translates to a polynomial-time break of the $\ell$-concurrent unforgeability of CSI-Otter, Blaze+, and BlindOR for $\ell = \mathsf{poly}(\lambda)$. More formally, we define an intermediate problem called the Parallel Random inhomogeneities in an Overdetermined Solvable system of linear equations (pROS) problem and show that an attack against pROS implies an attack on the above blind signatures. One takeaway of our finding is that while parallel repetition allows one to exponentially reduce the soundness error of an identification protocol, this has minimal effect on the security of the resulting blind signature. Our attack is concretely very efficient and, for instance, breaks $4$-concurrent unforgeability of CSI-Otter in time roughly $2^{34}$ hash computations.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Blind Signatures, ROS problem, Lattice, Isogeny
Contact author(s)
shuichi katsumata @ pqshield com
Yi-Fu Lai @ ruhr-uni-bochum de
michael reichle @ inf ethz ch
History
2023-10-17: approved
2023-10-16: received
Short URL
https://ia.cr/2023/1603
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1603,
      author = {Shuichi Katsumata and Yi-Fu Lai and Michael Reichle},
      title = {Breaking Parallel {ROS}:  Implication for Isogeny and Lattice-based  Blind Signatures},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1603},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1603}
}