Cryptanalysis of Lattice-Based Blind Signature and Blind Ring Signature Schemes

Abstract

A blind signature enables a user to obtain signatures on any message from an authority who cannot acquire any information on the message being signed. A blind ring signature scheme is designed as a ring signature scheme with the blindness property. The scheme allows any member of a group anonymously sign a message on behalf of the group. Also, the user with the message can blind it before transmitting to the group. At Asiacrypt 2010, Rückert constructed the first blind signature scheme using ideal lattices. Recently, Zhang, Jiang and Zheng, and Alkadri, Bansarkhani and Buchmann proposed two improved blind signature schemes based on the SIS problem and the Ring SIS problem in 2018 and 2020, respectively. At WISA 2019, motivated by these blind signature schemes, Le, Duong and Susilo constructed the first lattice-based blind ring signature scheme provably secure under the hardness assumption of the SIS problem in random oracle model. In this paper, we show that Rückert’s scheme, Alkadri-Bansarkhani-Buchmann scheme and Zhang-Jiang-Zheng scheme, and Le-Duong-Susilo scheme do not achieve blindness, i.e. the signer can link a valid message-signature pair after interacting with various users. We show that the cause of vulnerabilities of the blind schemes is that the blinding factors to hide real messages being signed are exposed by specific algebraic relations in the underlying rings. To hide the blinding factors, we use homomorphic encryption schemes. Finally, we propose a generic construction from a semantically secure homomorphic encryption scheme and a one-more unforgeable blind signature scheme that does not achieve blindness to a new blind signature scheme that achieves blindness as well as one-more unforgeability.