International Association for Cryptologic Research

CryptoDB

Unforgeability of Blind Schnorr in the Limited Concurrency Setting

Authors:
Franklin Harding, Brown University
Jiayu Xu, Oregon State University
Download:
DOI: 10.62056/a3qj5w7sf
URL: https://cic.iacr.org//p/1/3/16
Abstract:

Blind signature schemes enable a user to obtain a digital signature on a message from a signer without revealing the message itself. Among the most fundamental examples of such a scheme is blind Schnorr, but recent results show that it does not satisfy the standard notion of security against malicious users, One-More Unforgeability (OMUF), as it is vulnerable to the ROS attack. However, blind Schnorr does satisfy the weaker notion of sequential OMUF, in which only one signing session is open at a time, in the Algebraic Group Model (AGM) + Random Oracle Model (ROM), assuming the hardness of the Discrete Logarithm (DL) problem.

This paper serves as a first step towards characterizing the security of blind Schnorr in the limited concurrency setting. Specifically, we show that blind Schnorr satisfies OMUF when at most two signing sessions can be concurrently open (in the AGM+ROM, assuming DL). Our argument suggests that it is plausible that blind Schnorr satisfies OMUF for up to polylogarithmically many concurrent signing sessions. Our security proof involves interesting techniques from linear algebra and combinatorics.

BibTeX
@article{cic-2024-34827,
  title={Unforgeability of Blind Schnorr in the Limited Concurrency Setting},
  journal={cic},
  publisher={International Association for Cryptologic Research},
  volume={1, Issue 3},
  url={https://cic.iacr.org//p/1/3/16},
  doi={10.62056/a3qj5w7sf},
  author={Franklin Harding and Jiayu Xu},
  year=2024
}