[17861] in cryptography@c2.net mail archive
Re: Attack on Brands blind signature
daemon@ATHENA.MIT.EDU (Christian Paquin)
Wed Jul 13 22:09:00 2005
X-Original-To: cryptography@metzdowd.com
Date: Wed, 13 Jul 2005 14:19:30 -0400
From: Christian Paquin <paquin@credentica.com>
To: cypherpunk <cyphrpunk@gmail.com>, cryptography@metzdowd.com,
cypherpunks@al-qaeda.net
In-Reply-To: <792ce43705071116066a638b63@mail.gmail.com>
cypherpunk wrote:
> eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several
> blind signature schemes, including one widely discussed on the
> Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper
> seems to show that it is possible for the bank/mint to recognize blind
> signatures (i.e. untraceable electronic cash tokens) when they are
> re-submitted for deposit, which is exactly what the blind signature is
> supposed to prevent. The math looks right although I haven't tried to
> look back at Brands' old work to see if it is correctly described in
> the new paper.
The claim that Brands' signature scheme is linkable is incorrect (I
haven't checked the other claims in the paper). The attack checks that
a^{c'c^{-1}} . g^{s'-c'c^{-1}s} = a' for a signature {m', z', c', s'} and
a view {m, r, z, a, b, c, s}.
The above equation reduces to
  = g^{s'} a^{c'c^{-1}} g^{-c'c^{-1}s}
  = g^{s'} (a g^{-s})^{c'c^{-1}}
  = g^{s'} (g^s y^{-c} g^{-s})^{c'c^{-1}}
  = g^{s'} y^{-c'}
which is the normal signature validation term. In fact, you can see that
the attack will match _any_ signature with _any_ view. Therefore, it
provides no information to the attacker.
Cheers,
- Christian
--
Christian Paquin
Security Architect
Credentica
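Not from the mail, nor from Brands' or Zhong's papers: an added Python example with constructed toy parameters (p = 2039, q = 1019, g = 4, far below real sizes) that runs the Brands issuing protocol twice and applies the mail's linking test a^{c'c^{-1}} g^{s'-c'c^{-1}s} = a' to every (view, signature) pair, returning True for all four, as the derivation above predicts. The function names issue, verify, zhong_link and demo, the dict keys, and the encoding of the hash input are my own choices.

```python
import hashlib
import random

# Constructed toy parameters: order-q subgroup of Z_p^*, p = 2q + 1, g = 4.
P, Q, G = 2039, 1019, 4

def H(*vals):  # challenge hash c' = H(m', z', a', b'), reduced mod q
    data = ",".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def issue(x, y, m, rng):
    """Brands issuing on m -> signer view {m,z,a,b,c,s} (s = signer response,
    as in the mail) and blinded signature {m',z',c',s'} keyed m, z, c, s."""
    z = pow(m, x, P)                         # signer: z = m^x
    w = rng.randrange(1, Q)
    a, b = pow(G, w, P), pow(m, w, P)        # signer: a = g^w, b = m^w
    while True:                              # user: blind with t, u, v
        t, u, v = [rng.randrange(1, Q) for _ in range(3)]
        m2, z2 = pow(m, t, P), pow(z, t, P)
        a2 = pow(a, u, P) * pow(G, v, P) % P
        b2 = pow(b, t * u, P) * pow(m2, v, P) % P
        c2 = H(m2, z2, a2, b2)
        if c2:                               # c' = 0 is not invertible mod q
            break
    c = c2 * pow(u, -1, Q) % Q               # blinded challenge c = c'/u
    s = (w + c * x) % Q                      # signer: response s = w + c x
    assert pow(G, s, P) == pow(y, c, P) * a % P   # user: g^s = y^c a
    s2 = (u * s + v) % Q                     # unblinded response s' = u s + v
    return dict(m=m, z=z, a=a, b=b, c=c, s=s), dict(m=m2, z=z2, c=c2, s=s2)

def verify(y, sig):
    """Normal validation; returns a' = g^{s'} y^{-c'} if valid, else None."""
    a2 = pow(G, sig["s"], P) * pow(y, -sig["c"] % Q, P) % P
    b2 = pow(sig["m"], sig["s"], P) * pow(sig["z"], -sig["c"] % Q, P) % P
    return a2 if H(sig["m"], sig["z"], a2, b2) == sig["c"] else None

def zhong_link(y, view, sig):
    """Linking test from the mail: a^{c'c^{-1}} g^{s' - c'c^{-1}s} == a'."""
    a2 = verify(y, sig)
    k = sig["c"] * pow(view["c"], -1, Q) % Q
    lhs = pow(view["a"], k, P) * pow(G, (sig["s"] - k * view["s"]) % Q, P) % P
    return a2 is not None and lhs == a2

def demo(seed=7):
    rng = random.Random(seed)                # deterministic for repeatability
    x = rng.randrange(1, Q)                  # signer key pair x, y = g^x
    y = pow(G, x, P)
    coins = [issue(x, y, pow(G, rng.randrange(1, Q), P), rng) for _ in range(2)]
    return [[zhong_link(y, v, s) for _, s in coins] for v, _ in coins]
```

Every entry of the returned 2x2 matrix is True, i.e. each signature "links" to both views, which is exactly why the test carries no information.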