On the (in)Security of ROS

Detailed description

Bibliographic details
Published in: Journal of Cryptology 2022-10, Vol. 35 (4), Article 25
Main authors: Benhamouda, Fabrice; Lepoint, Tancrède; Loss, Julian; Orrù, Michele; Raykova, Mariana
Format: Article
Language: eng
Online access: Full text
Description
Summary: We present an algorithm solving the ROS (Random inhomogeneities in an Overdetermined Solvable system of linear equations) problem mod p in polynomial time for ℓ > log p dimensions. Our algorithm can be combined with Wagner's attack, and leads to a sub-exponential solution for any dimension ℓ with the best complexity known so far. When concurrent executions are allowed, our algorithm leads to practical attacks against unforgeability of blind signature schemes such as Schnorr and Okamoto–Schnorr blind signatures, threshold signatures such as GJKR and the original version of FROST, multisignatures such as CoSI and the two-round version of MuSig, partially blind signatures such as Abe–Okamoto, and conditional blind signatures such as ZGP17. Schemes for e-cash (such as Brands' signature) and anonymous credentials (such as Anonymous Credentials Light) inspired by the above are also affected.
ISSN: 0933-2790, 1432-1378
DOI: 10.1007/s00145-022-09436-0