۱- Introduction

۲- Preliminaries

۳- The blind signature scheme by Zhu et al.

۴- Cryptoanalysis on Zhu et al. ’s blind signature scheme

۵- Discussion

۶- Conclusion

References

Abstract

In this note, we review the article published by Zhu et al. in Future Generation Computer Systems in 2017. We show that their construction of a blind signature does not hold the correctness requirement or the blindness requirement.

Discussion

In this section, we briefly describe the difficulties of building provably secure blind signatures and future work. To our best knowledge, from lattices, there is one known provably secure blind signature [3]. In [3], it is well described why building a provably secure blind signature is difficult in general and why it is more difficult when it comes to working with lattices. Here is a quick summary and we refer to [3] for details. First, building a provably secure blind signature is non-trivial in general since two security requirements of a blind signature scheme, the blindness and the one-more unforgeability have somewhat conflicting characteristics. To provide the blindness, the user is given an ability to modify the signature from the signer. However, the ability must be limited only to the single signature. Otherwise, it hurts the one-more unforgeability. Secondly, building a probably secure blind signature from lattices becomes harder because in lattices, the completeness is not naturally followed. In particular, the blind signature by Ruckert [ ¨ ۳] makes use of a commitment scheme and additional interactions to overcome the incompleteness. Moreover, in lattices, RSA-style design does not work [3]: the RSA-style using preimage trapdoor functions consists of the following procedures, (1) hash, (2) blind, (3) invert, then (4) unblind. In lattice, such a style does not work due to the linearity of the function (For details, we refer to [3]). As summarized in the above, building a blind signature that is provably secure in lattices requires a careful design and rigorous security analysis. Often plausible designs fail to be provably secure [1,5,6]. Since the problem becomes harder in lattices, a rigorous study is required. One possible approach is improving the scheme by Ruckert [ ¨ ۳] by lessening the number of interactions. One might try to lessen them by sending two or more commitments at a time. Another possible approach is building a lattice-based witness indistinguishability primitive first and then applying it as a building block like in [5,6]. The aforementioned methods require further research to ensure provable security analysis and concrete scheme design. In this paper, we focus on providing cryptoanalysis of the particular scheme. We will continue the further research as a future work.