Paper 2025/306

Dimensional eROSion: Improving the ROS Attack with Decomposition in Higher Bases

Antoine Joux, Helmholtz Center for Information Security
Julian Loss, Helmholtz Center for Information Security
Giacomo Santato, Helmholtz Center for Information Security, Saarland University
Abstract

We revisit the polynomial attack on the ROS problem modulo $p$ from [BLLOR22]. Our new algorithm achieves a polynomial time solution in dimension $0.725 \log_2 p$, extending the range of dimensions for which a polynomial attack is known beyond the previous bound of $> \log_2 p$. We also combine our new algorithm with Wagner's attack to improve the general attack complexity for some of the dimensions where a polynomial solution is still not known. We implement our polynomial attack and break the one-more unforgeability of blind Schnorr signatures over 256-bit elliptic curves in a few seconds with 192 concurrent sessions.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
ROS problem, ROS attack, Schnorr signatures
Contact author(s)
joux @ cispa de
loss @ cispa de
giacomo santato @ cispa de
History
2025-02-21: approved
2025-02-20: received
Short URL
https://ia.cr/2025/306
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/306,
      author = {Antoine Joux and Julian Loss and Giacomo Santato},
      title = {Dimensional e$\mathsf{{ROS}}$ion: Improving the $\mathsf{{ROS}}$ Attack with Decomposition in Higher Bases},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/306},
      year = {2025},
      url = {https://eprint.iacr.org/2025/306}
}