My question concerns the recently uploaded paper On the (in)security of ROS that describes an expected polynomial-time attack on the unforgeability of Schnorr blind signatures.

a) Does this mean that Schnorr blind signatures should not be used anymore (i.e., is the attack merely theoretical, or can it be used in practice)?

b) How does this attack affect Okamoto-Schnorr blind signatures? In particular, I do not understand the comment of the authors that their attack does not contradict the analysis of Pointcheval-Stern. Were Okamoto-Schnorr blind signatures already broken?

c) The ROS problem mentioned by the authors and initially by Schnorr himself seems quite generic. Could the attack be applied to all blind signature schemes?

kelalaka

1 Answer

The attack is practical. The only safe way to use blind Schnorr and Okamoto-Schnorr signatures is to forbid parallel sessions, which may be impossible if performance is critical. You can see a great explanation of the attack here: https://youtu.be/W-uwVdGeUUs (The authors of the paper offer a solution against the ROS attack, a modification of the Schnorr blind signature, but IMHO it's unsafe.) RSA and BLS blind signatures are not affected by the ROS attack.

Oleg
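The mitigation named in the answer (no parallel sessions) is easy to state but worth seeing as a concrete signer state machine. The following Python sketch is an added example; it is not code from the question, the answer, or the ROS paper. It implements the textbook blind Schnorr protocol over secp256k1 (the group choice and the SHA-256 challenge encoding are my own assumptions; any prime-order group works) with a signer that holds exactly one nonce slot and refuses to open a second session while one is pending. The class and function names (`SequentialBlindSigner`, `blind_sign`, `verify`, `challenge`) are hypothetical and not from any library.

```python
import hashlib
import secrets

# secp256k1 parameters (public constants). The group choice is my own; any
# prime-order group works for blind Schnorr.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def challenge(R_prime, msg):
    """c' = H(R' || m) mod N. SHA-256 over the affine coordinates is my choice."""
    data = R_prime[0].to_bytes(32, "big") + R_prime[1].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class SequentialBlindSigner:
    """Blind Schnorr signer with a single nonce slot.

    The ROS attack needs many sessions whose commitments R_i are all known
    before the attacker has to fix the challenges c_i. Allowing only one
    open session at a time denies it that freedom (at the cost of throughput).
    """

    def __init__(self):
        self.x = secrets.randbelow(N - 1) + 1   # secret key
        self.X = ec_mul(self.x, G)              # public key
        self._r = None                          # nonce of the open session

    def open_session(self):
        if self._r is not None:
            raise RuntimeError("a signing session is already open")
        self._r = secrets.randbelow(N - 1) + 1
        return ec_mul(self._r, G)               # commitment R = rG

    def respond(self, c):
        if self._r is None:
            raise RuntimeError("no open session")
        s = (self._r + c * self.x) % N          # s = r + c*x
        self._r = None                          # session closed
        return s

    def abort_session(self):
        self._r = None


def blind_sign(signer, msg):
    """User side: blind the challenge, unblind the response."""
    R = signer.open_session()
    alpha, beta = secrets.randbelow(N), secrets.randbelow(N)
    R_prime = ec_add(ec_add(R, ec_mul(alpha, G)), ec_mul(beta, signer.X))
    c_prime = challenge(R_prime, msg)
    c = (c_prime + beta) % N                    # blinded challenge sent to signer
    s = signer.respond(c)
    s_prime = (s + alpha) % N                   # unblinded response
    return R_prime, s_prime


def verify(X, msg, sig):
    """Standard Schnorr check: s'G == R' + c'X."""
    R_prime, s_prime = sig
    return ec_mul(s_prime, G) == ec_add(R_prime, ec_mul(challenge(R_prime, msg), X))


def demo():
    signer = SequentialBlindSigner()
    msg = b"constructed message"               # constructed sample input
    ok = verify(signer.X, msg, blind_sign(signer, msg))
    signer.open_session()                       # first session left pending
    try:
        signer.open_session()                   # second concurrent session
        refused = False
    except RuntimeError:
        refused = True
    signer.abort_session()
    return ok, refused


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The honest run shows the signer only ever sees the blinded pair (c, s), never (c', s'), so the scheme stays blind; the refused second `open_session` is the whole mitigation. This is also where the answer's performance caveat comes from: a signer that is busy until the current user replies or times out can serve only one signing request at a time, and a real deployment would need an abort timeout so a stalled user cannot hold the slot indefinitely.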