cypherpunk wrote:
eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several
blind signature schemes, including one widely discussed on the
Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper
seems to show that it is possible for the bank/mint to recognize blind
signatures (i.e. untraceable electronic cash tokens) when they are
re-submitted for deposit, which is exactly what the blind signature is
supposed to prevent. The math looks right although I haven't tried to
look back at Brands' old work to see if it is correctly described in
the new paper.
The claim that Brands' signature scheme is linkable is incorrect (I
haven't checked the other claims in the paper). The attack checks that
a^{c'c^{-1}}.g^{s'-c'c^{-1}s} = a' for a signature {m', z', c', s'} and
a view {m, r, z, a, b, c, s}.
The above equation reduces to
= g^s' a^{c'c^{-1}} g^{-c'c^{-1}s}
= g^s' (a g^{-s})^{c'c^{-1}}
= g^s' (g^s y^{-c} g^-s)^{c'c^{-1}}
= g^s' y^{-c'}
which is the normal signature validation term. If fact, you can see that
the attack will match _any_ signature with _any_ view. Therefore, it
provides no information to the attacker.
Cheers,
- Christian
--
Christian Paquin
Security Architect
Credentica
