5

Recently I've found the following work on the internet: An ECC-Based Blind Signature Scheme

The paper claims to be an ECDSA blind signature; however, it seems that their scheme has a flaw in it.

The process they describe is pretty standard:

  • The requester blinds a message using his key and sends the blinded message to the signer
  • The signer signs the message, resulting in a pair $(r,s)$ which is sent to the requester
  • BUT then the requester unblinds ONLY the $s$ component, and the $r$ component is published unchanged

It seems logical that publishing $r$ the way it came from the signer would allow the signer to track transactions by keeping a database of all issued $(r,s)$ tokens?

Or am I missing something?

Lu4

1 Answer

4

This paper—if I have guessed correctly through the broken link—is bogus. It fails to distinguish points on the curve from elements of the coordinate field and doesn't prove anything, and even if you fix that by pretending any of it makes sense, the whole thing is trivially breakable. Throw it away and forget the whole ordeal—except don't forget that the ‘Journal of Networks’ is a bullshit-publishing paper mill.

Squeamish Ossifrage