International Association for Cryptologic Research

International Association
for Cryptologic Research


On the (in)Security of ROS

Fabrice Benhamouda
Tancrède Lepoint
Julian Loss
Michele Orrù
Mariana Raykova
DOI: 10.1007/s00145-022-09436-0
Search ePrint
Search Google
Abstract: We present an algorithm solving the ROS ( R andom inhomogeneities in a O verdetermined S olvable system of linear equations) problem mod p in polynomial time for $$\ell > \log p$$ ℓ > log p dimensions. Our algorithm can be combined with Wagner’s attack, and leads to a sub-exponential solution for any dimension $$\ell $$ ℓ with the best complexity known so far. When concurrent executions are allowed, our algorithm leads to practical attacks against unforgeability of blind signature schemes such as Schnorr and Okamoto–Schnorr blind signatures, threshold signatures such as GJKR and the original version of FROST, multisignatures such as CoSI and the two-round version of MuSig, partially blind signatures such as Abe–Okamoto, and conditional blind signatures such as ZGP17. Schemes for e-cash (such as Brands’ signature) and anonymous credentials (such as Anonymous Credentials Light) inspired from the above are also affected.
  title={On the (in)Security of ROS},
  journal={Journal of Cryptology},
  author={Fabrice Benhamouda and Tancrède Lepoint and Julian Loss and Michele Orrù and Mariana Raykova},