Results 1 - 10 of 11
Security of Blind Discrete Log Signatures against Interactive Attacks
ICICS 2001, LNCS 2229, 2001
Cited by 24 (1 self)
We present a novel parallel one-more signature forgery against blind Okamoto-Schnorr and blind Schnorr signatures in which an attacker interacts some l times with a legitimate signer and produces from these interactions l + 1 signatures. Security against the new attack requires that the following ROS-problem is intractable: find an overdetermined, solvable system of linear equations modulo q with random inhomogeneities (right sides). There is an inherent weakness in the security result of Pointcheval and Stern. Theorem 26 [PS00] does not cover attacks with 4 parallel interactions for elliptic curves of order 2^200. That would require the intractability of the ROS-problem, a plausible but novel complexity assumption. Conversely, assuming the intractability of the ROS-problem, we show that Schnorr signatures are secure in the random oracle and generic group model against the one-more signature forgery.
Round-Optimal Composable Blind Signatures in the Common Reference String Model
In Advances in Cryptology — CRYPTO 2006, LNCS 4117, 2006
Cited by 16 (0 self)
We build concurrently executable blind signature schemes in the common reference string model, based on general complexity assumptions, and with optimal round complexity. Namely, each interactive signature generation requires the requesting user and the issuing bank to transmit only one message each. We also put forward the definition of universally composable blind signature schemes, and show how to extend our concurrently executable blind signature protocol to derive such universally composable schemes in the common reference string model under general assumptions. While this protocol then guarantees very strong security properties when executed within larger protocols, it still supports signature generation in two moves.
Concurrently-secure blind signatures without random oracles or setup assumptions
In TCC 2007, 2007
Concurrent blind signatures without random oracles
In SCN 2006, volume 4116 of LNCS, 2006
Cited by 6 (0 self)
We present a blind signature scheme that is efficient and provably secure without random oracles under concurrent attacks utilizing only four moves of short communication. The scheme is based on elliptic curve groups for which a bilinear map exists and on extractable and equivocable commitments. The unforgeability of the employed signature scheme is guaranteed by the LRSW assumption while the blindness property of our scheme is guaranteed by the Decisional Linear Diffie-Hellman assumption. We prove our construction secure under the above assumptions as well as Paillier’s DCR assumption in the concurrent attack model of Juels, Luby and Ostrovsky from Crypto ’97 using a common reference string. Our construction is the first efficient construction for blind signatures in such a concurrent model without random oracles. We present two variants of our basic protocol: first, a blind signature scheme where blindness still holds even if the public-key generation is maliciously controlled; second, a blind signature scheme that incorporates a “public-tagging” mechanism. This latter variant of our scheme gives rise to a partially blind signature with essentially the same efficiency and security properties as our basic scheme.
Equivocal Blind Signatures and Adaptive UC-Security
2007
Cited by 3 (0 self)
We study the design of practical blind signatures in the universal composability (UC) setting against adaptive adversaries. We introduce a new property for blind signature schemes that is fundamental for managing adaptive adversaries: an equivocal blind signature is a blind signature protocol where a simulator can construct the internal state of the client so that it matches a simulated transcript even after a signature was released. We present a general construction methodology for building practical adaptively secure blind signatures: the starting point is a 2-move “lite blind signature”, a lightweight 2-party signature protocol that we formalize and implement both generically as well as number theoretically: formalizing a primitive as “lite” means that the adversary is required to show all private tapes of adversarially controlled parties; this enables us to conveniently separate zero-knowledge (ZK) related security requirements from the remaining security properties in the primitive’s design methodology. We then focus on the exact ZK requirements for building blind signatures. To this effect, we formalize two special ZK ideal functionalities, single-verifier-ZK (SVZK) and single-prover-ZK (SPZK) and we investigate the requirements for realizing them in a commit-and-prove fashion as building blocks for adaptively secure UC blind signatures. SVZK can be realized without relying on a multi-session UC commitment; as
On the security of one-witness blind signature schemes. Cryptology ePrint Archive, Report 2012/197, 2012
Cited by 3 (3 self)
Abstract. Blind signatures have proved an essential building block for applications that protect privacy while ensuring unforgeability, i.e., electronic cash and electronic voting. One of the oldest, and most efficient blind signature schemes is the one due to Schnorr that is based on his famous identification scheme. Although it was proposed over twenty years ago, its unforgeability remains an open problem, even in the random-oracle model. In this paper, we show that current techniques for proving security in the random oracle model do not work for the Schnorr blind signature by providing a meta-reduction which we call “personal nemesis adversary”. Our results generalize to other important blind signatures, such as the one due to Brands. Brands’ blind signature is at the heart of Microsoft’s newly implemented U-Prove system, which makes this work relevant to cryptographic practice as well.
Impossibility of Blind Signatures From One-Way Permutations
Cited by 2 (1 self)
Abstract. A seminal result in cryptography is that signature schemes can be constructed (in a black-box fashion) from any one-way function. The minimal assumptions needed to construct blind signature schemes, however, have remained unclear. Here, we rule out black-box constructions of blind signature schemes from one-way functions. In fact, we rule out constructions even from a random permutation oracle, and our results hold even for blind signature schemes for 1-bit messages that achieve security only against honest-but-curious behavior.
Enhancing the Security of Perfect Blind DL-Signatures.
2004
Cited by 1 (0 self)
Preliminary Version Abstract. We enhance the security of Schnorr blind signatures against the novel one-more-forgery of Schnorr [Sc01] and Wagner [W02] which is possible even if the discrete logarithm is hard to compute. We show two limitations of this attack. Firstly, replacing the group G by the s-fold direct product G^{×s} increases the work of the attack, for a given number of signer interactions, to the s-power while increasing the work of the blind signature protocol merely by a factor s. Secondly, we bound the number of additional signatures per signer interaction that can be efficiently forged by known methods. That fraction of the additional forged signatures can be made arbitrarily small. Our security proofs assume both the random oracle and the generic group model.
Efficient Blind and Partially Blind Signatures Without Random Oracles
2006
Abstract. This paper proposes a new efficient signature scheme from bilinear maps that is secure in the standard model (i.e., without the random oracle model). Our signature scheme is more effective in many applications (e.g., blind signatures, group signatures, anonymous credentials etc.) than the existing secure signature schemes in the standard model. As typical applications of our signature scheme, this paper presents efficient blind signatures and partially blind signatures that are secure in the standard model. Here, partially blind signatures are a generalization of blind signatures (i.e., blind signatures are a special case of partially blind signatures) and have many applications including electronic cash and voting. Our blind signature scheme is more efficient than the existing secure blind signature schemes in the standard model such as the Camenisch-Koprowski-Warinschi [9] and Juels-Luby-Ostrovsky [24] schemes. Our partially blind signature scheme is the first one that is secure in the standard model and it is also efficient (as efficient as our blind signatures). The security proof of our blind and partially blind signature schemes requires the 2SDH assumption, a stronger variant of the SDH assumption introduced by Boneh and Boyen [7]. This paper also presents an efficient way to convert our (partially) blind signature scheme in the standard model to a scheme secure for a concurrent run of users in the common reference string (CRS) model. Finally, we present a blind signature scheme based on the Waters signature scheme.
Security of Blind Signatures Revisited
Abstract. We revisit the definition of unforgeability of blind signatures as proposed by Pointcheval and Stern (Journal of Cryptology 2000). Surprisingly, we show that this established definition falls short in two ways of what one would intuitively expect from a secure blind signature scheme: It is not excluded that an adversary submits the same message m twice for signing, and then produces a signature for m′ ≠ m. The reason is that the forger only succeeds if all messages are distinct. Moreover, it is not excluded that an adversary performs k signing queries and produces signatures on k + 1 messages as long as each of these signatures does not pass verification with probability 1. Finally, we proposed a new definition, honest-user unforgeability, that covers these attacks. We give a simple and efficient transformation that transforms any unforgeable blind signature scheme (with deterministic verification) into an honest-user unforgeable one.