Cryptanalysis of Lattice-Based Blind Signature and Blind Ring Signature Schemes

A blind signature enables a user to obtain signatures on any message from an authority who cannot acquire any information on the message being signed. A blind ring signature scheme is a ring signature scheme with the blindness property: it allows any member of a group to anonymously sign a message on behalf of the group, and the user can blind the message before transmitting it to the group. At Asiacrypt 2010, Rückert constructed the first blind signature scheme using ideal lattices. Recently, Zhang, Jiang and Zheng, and Alkadri, Bansarkhani and Buchmann proposed two improved blind signature schemes based on the SIS problem and the Ring SIS problem in 2018 and 2020, respectively. At WISA 2019, motivated by these blind signature schemes, Le, Duong and Susilo constructed the first lattice-based blind ring signature scheme provably secure under the hardness assumption of the SIS problem in the random oracle model. In this paper, we show that Rückert's scheme, the Alkadri-Bansarkhani-Buchmann scheme, the Zhang-Jiang-Zheng scheme and the Le-Duong-Susilo scheme do not achieve blindness, i.e. the signer can link a valid message-signature pair after interacting with various users. We show that the cause of the vulnerability of these blind schemes is that the blinding factors used to hide the real messages being signed are exposed by specific algebraic relations in the underlying rings. To hide the blinding factors, we use homomorphic encryption schemes. Finally, we propose a generic construction that turns a semantically secure homomorphic encryption scheme and a one-more unforgeable blind signature scheme that does not achieve blindness into a new blind signature scheme that achieves blindness as well as one-more unforgeability.


I. INTRODUCTION
Since its invention in the late 1970s [1], public-key cryptography has been a fundamental building block for secure communications in cyber security. E-commerce, online banking, cloud computing and mobile communication depend on the security of the underlying cryptographic algorithms. The basic security requirements, confidentiality, user authentication, data integrity and non-repudiation, are assured by using appropriate public-key and symmetric-key cryptographic algorithms. In particular, public-key signature schemes provide non-repudiation, integrity of transmitted messages and authentication. In real-world scenarios, a number of applications need special security requirements beyond the basic ones. A typical example of such a special security requirement is anonymity, suitable for electronic voting systems and e-cash systems. To meet these demands, the concepts of blind signatures, ring signatures and blind ring signatures have been proposed.
The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava.
Chaum [2] proposed a notion of blind signature scheme which allows a user to get signatures from an authority on any message, in such a way that the authority learns nothing on the message being signed. Blind signature schemes allow users to generate signatures on messages while interacting with a signer such that the signer obtains no information about the messages being signed (this property is called blindness or unlinkability). The blind signature schemes are suitable for electronic voting systems, electronic auctions and e-cash systems such as Bitcoin.
Rivest et al. [3] proposed a ring signature scheme which provides anonymity. In a ring signature scheme, a signer in a ring of members signs a message on behalf of the ring, and a verifier can confirm that the signature was produced under one of the public keys in the ring, but no one can reveal the real signer's identity; this guarantees the anonymity of the signer. Ring signatures are useful for whistle blowing [3] and anonymous membership authentication for ad hoc groups [4]. In some real-life applications one wants to make a single e-bank system more scalable by supporting many banks and adding further properties such as anonymity of the signing banks and unlinkability of two different signatures. Various real-life scenarios such as e-cash systems and multi-authority e-voting require a combination of blind signatures and ring signatures.
VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
With the threat of a quantum computer capable of running Shor's quantum algorithm [5] to break the currently used public-key cryptographic algorithms, the cryptography and security communities have taken great interest in post-quantum cryptography, i.e. cryptographic primitives believed to resist both classical and quantum attacks. Several families of post-quantum primitives have been considered as replacements, among which lattice-based cryptographic algorithms are one of the most promising candidates due to their security under worst-case hardness assumptions. At Asiacrypt 2010, Rückert [6] constructed the first blind signature scheme using ideal lattices. Since then, a number of lattice-based blind signature schemes and blind ring signature schemes have been proposed. Recently, Zhang et al. [7] and Alkadri et al. [8] proposed improved blind signature schemes based on the SIS problem and the Ring SIS problem in 2018 and 2020, respectively. The first lattice-based ring signature scheme using Lyubashevsky's signature scheme [9] over ideal lattices was proposed by Aguilar-Melchor et al. [10]. In 2018, Wang et al. [11] proposed a new ring signature scheme using the improved scheme of Lyubashevsky [12]. At WISA 2019, motivated by these signature schemes [6], [7], [11], Le et al. [13] constructed the first lattice-based blind ring signature scheme proven secure under the hardness of the SIS problem in the random oracle model. In this paper, we show that Rückert's scheme [6], Zhang et al.'s scheme [7], Alkadri et al.'s scheme [8] and Le et al.'s scheme [13] do not achieve blindness. We describe these schemes in Section II. We show that the four schemes do not achieve blindness and discuss some improvements in Section III. Section IV concludes this paper.

II. PRELIMINARIES
We introduce the definitions of blind signature and blind ring signature schemes and describe the three blind signature schemes in [6]-[8] and the blind ring signature scheme in [13].
A. BLIND SIGNATURE AND BLIND RING SIGNATURE SCHEMES
1) BLIND SIGNATURE SCHEME
A blind signature scheme is defined by three polynomial-time algorithms (KeyGen, Signature Issuing Protocol, Verify).
• KeyGen(1^λ). For a security parameter λ, output a secret signing key sk and a public key pk.
• Blind Signature Protocol. This interactive protocol between a user U and a signer S runs as follows:
-Blind: The signer and the user send and receive a 'commitment' and a 'challenge', respectively.
-Sign: After receiving the challenge, the signer with the secret key sk generates a blind signature σ* on a blind message m* and transmits it to the user.
-Unblind: For a blind signature σ* of a message m using the secret key sk, output an unblinded signature σ.
• Verify. This algorithm Verify(pk, σ, m) returns 1 if σ is a valid signature of m for pk and 0 otherwise.

2) SECURITY NOTIONS OF BLIND SIGNATURE SCHEME
The security notion of a blind signature scheme captures two properties: blindness and one-more unforgeability.
• Blindness. A signer in the blind signing protocol cannot learn any information on the messages the user obtains signatures on; i.e. the signer is unable to link a valid message-signature pair after interacting with various users.
• One-more Unforgeability. This is a special type of unforgeability: a user that has been involved in l runs of the blind signing protocol cannot obtain more than l signatures.

3) BLIND RING SIGNATURE SCHEME
A blind ring signature scheme is defined by four polynomial-time algorithms, (Setup, KeyGen, Sign, Verify).
• KeyGen(P). For the public parameters P, return a secret key sk and a public key pk associated to a signer of the ring R = {S_1, ..., S_l}, with PK the set of public keys in R.
• Sign(sk_j, P, µ, PK). This interactive protocol between a ring of signers R = {S_1, ..., S_l} and a user U runs as follows:
-For a message µ, U generates a blind message µ* and sends µ* to R. The ring R selects a member, S_j, to interact with the user as the real signer, where S_j possesses a secret key sk_j.
-The signer produces the blinded signature on µ* and returns its view, V.
-By un-blinding it, U returns the final signature on µ. Note that U may obtain a failure symbol ⊥.
• Verify( , P, µ, PK). For a signature on a message µ, the set of public keys PK and the public parameters P, return 1 if the signature is valid and 0 otherwise.

4) SECURITY NOTIONS OF BLIND RING SIGNATURE SCHEME
The security notion of a blind ring signature scheme captures three properties: anonymity, blindness and one-more unforgeability.
• Anonymity. This guarantees that, in the blind ring signature protocol, a user cannot know which member of the ring was the real signer. The other properties are the same as those of the blind signature schemes.

B. NOTATIONS
• We denote a column vector by a lowercase bold letter and a matrix by a bold capital letter.
• Given any positive integer q, we denote by Z_q the set of integers in the range [−q/2, q/2) ∩ Z.
• The notation a ←$ A means that a is sampled uniformly at random from a set A.

C. DESCRIPTIONS OF THREE BLIND SIGNATURE SCHEMES
Here, we describe three blind signature schemes using lattices, Rückert's scheme [

1) RÜCKERT'S BLIND SIGNATURE SCHEME
To describe Rückert's scheme [6], we define the following. Let n be a power of 2, d_s a positive integer constant less than q/(4n), c_m > 1/log(2d_s) a constant, m = c_m log q + 1, and q ≥ 4mn√n log(n) d_D a prime. All sets are subsets of the ring R = Z_q[X]/(X^n + 1) and are defined via a norm bound: where ψ, φ are positive integer constants greater than 1, Rückert's scheme runs as follows:
• KeyGen(1^n). For a security parameter n, this key generation algorithm generates a secret/public key pair as:
-Calculate a public key S ← h(ŝ) and output (ŝ, S) as the secret/public key pair.
• Signature Protocol. This interactive protocol between a user U and a signer S runs as follows: If ẑ ∈ G^m, the user outputs a signature (r, ẑ, ).

2) ZHANG et al.'s BLIND SIGNATURE SCHEME
• Key Generation. For a security parameter λ, this algorithm generates a secret/public key pair as:
-Output (A, T) as the public key and S as the secret key.
• Signature Protocol. This interactive protocol between a signer S and a user U runs as follows:
-To sign a message µ, S selects a random vector r ← D^m_{σ_2} and sends a commitment x ← Ar.
-After receiving x, U picks blinding factors a ← D^m_{σ_3}, b ← D^m_{σ_1} and computes x + Aa + Tb and C = com(µ, t). Then U computes c = H(x + Aa + Tb, C) and transmits e = c + b to S with some probability, where H :
-After getting e, S calculates y = r + Se and transmits it to U.
-On receipt of y, U outputs z = y + a with the probability D^m rejection area J, and U outputs a final signature (µ, (z, c, t)).
Otherwise, U computes result = (a, b, com(µ, t)) and sends it to the signer S. S restarts the signing protocol after checking the following conditions: parse where η > 1, so that the success probability of the verification algorithm is about 1 − 2^{−λ}.

3) BLAZE
To describe BLAZE, we define the following functions:
• Expand is a random function that expands a uniform random seed in {0, 1}^λ to any desired length for the security parameter λ.
• , 1}^λ is a computationally binding and statistically hiding commitment function.
• H : {0, 1}* → T^n_κ is a cryptographic hash function.
• Compress and Decompress are functions to (de)compress Gaussian elements.
BLAZE runs as follows:
• Key Generation. For a security parameter λ, this algorithm generates a secret/public key pair as:
-Select a random seed in {0, 1}^λ and expand it to a polynomial â ∈ R_q using the Expand function.
-The secret key consists of two polynomials sk = (ŝ_1, ŝ_2) chosen from D^n_{Z,σ}, and the public key is given by pk = (seed, b̂ = â ŝ_1 + ŝ_2 mod q).

D. DESCRIPTION OF LE et al.'s BLIND RING SIGNATURE SCHEME
Here, we describe Le et al.'s blind ring signature scheme based on the SIS problem [13].
• BRS.Setup(1^n). For a security parameter n, this algorithm returns parameters P.
• BRS.KeyGen. For a ring R = {S_1, ..., S_l} of l members, this algorithm generates a public key and a secret key for each member as:
-By running BRS.KeyGen l times using the preimage sampling functions, for a given matrix T ←$ Z_q^{n×k}, generate a secret key; then (T, A_i) is the public key. The secret key S_i follows a discrete Gaussian distribution D^{m×k}_σ.
• BRS.Sign. This interactive protocol between a ring R = {S_1, ..., S_l} and a user U runs as follows, where U knows that, to interact with U, the ring secretly delegates some signer S_j in R. If the signer obtains result = accept, he restarts the protocol after checking the conditions.

III. CRYPTANALYSIS OF BLIND SIGNATURE AND BLIND RING SIGNATURE SCHEMES
Now, we show that the three blind signature schemes in [6]-[8] and the blind ring signature scheme in [13] do not achieve blindness: a signer can distinguish the views generated by distinct messages.

A. CRYPTANALYSIS OF THREE LATTICE-BASED BLIND SIGNATURE SCHEMES
In blind signature schemes, blindness is a fundamental feature: the signer only sees views which are independent of the message being signed; in other words, the views generated by two distinct messages are indistinguishable. Rückert [6], Alkadri et al. [8] and Zhang et al. [7] proved that their blind signature schemes were statistically blind. They claimed that the signer cannot link a valid message-signature pair after interacting with various users (unlinkability). We show that, contrary to their claims, the schemes do not achieve blindness (unlinkability): a signer can distinguish the views generated by distinct messages. The main idea of our attacks is that the exposure of the blinding factors in a given view and blind signature makes it possible to determine linkability by checking the validity of the related verification equation.

Adversarial Model of Blind Signature Schemes for Blindness. The adversarial model of blind signature schemes for blindness is defined by a game between an adversary A and a challenger C; A's advantage Adv_{BS,A} is determined by its probability of success, as follows:
• Setup. After running the KeyGen algorithm, C gives A the resulting system parameters.
• Sign-View Queries. When A wants to obtain view-signature pairs, C outputs the view-signature pairs from the Blind Signature Protocol oracle.
• Output. At last, A returns a linked view-signature pair (V, σ) on a message m and wins the game if Vfy(pk, m, σ) = 1.
We present attacks on the four blind signature schemes to break blindness. In a blind signature scheme there are three entities, a signer, a user and a verifier: the signer generates a blinded signature on a blinded message, the user generates an unblinded signature on the real message from the signer's blinded signature, and the verifier checks the validity of the user's unblinded signature. In the above adversarial model, an adversary can obtain as many view-signature pairs as he wants since the adversary can access the blind signature signing oracle. The adversary obtains view-signature pairs validly generated by each entity according to the protocol specifications. We show that, via our attacks, the adversary, including the signer, can link a valid message-signature pair after interacting with various users.
• If it satisfies the following equation, then the pair is linked.
• The signature comes from the view if and only if the following equation holds. Thus, if equation (1) holds, then the pair is linked, so the scheme does not achieve blindness.
• In the scheme, the user utilizes α and β to generate the blinded message and its final signature. Anyone can compute the blinding factors α and β from the given view and signature, which makes it possible to determine linkability by checking the validity of the related verification equation.

3) LINKABILITY OF ZHANG et al.'s BLIND SIGNATURE SCHEME
• For a pair of a view, V = (x, (e, y)), and a signature on µ, σ = (µ, (z, c, t)), if it satisfies the following equation then the pair (V, σ) is linked. Thus, if equation (3) holds, then the pair is linked.

B. CRYPTANALYSIS OF LE et al.'s BLIND RING SIGNATURE SCHEME
Here, we show that Le et al.'s blind ring signature scheme does not achieve blindness. More precisely, given a view V and a signature σ generated by a signer in the scheme, the signer or anyone else can determine whether σ comes from V or not. Thus, the signer can link a valid message-signature pair after interacting with various users. com(µ, t), PK) = c, since z_i − y_i = a_i and e − c = b. Thus, if equation (4) holds, then the pair is linked.
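As an added example (not code from the paper or from the authors of the analysed schemes), the Zhang et al. exchange of Section II.C.2 written out as a toy simulation over Z_q: small integer vectors stand in for the discrete Gaussians, SHA-256 stands in for H and com, the rejection-sampling step is omitted, and T = AS is assumed, so that A z − T c = x + Aa + Tb and verification reduces to recomputing c. It runs the protocol, verifies the output, and recovers the blinding factors (a, b) = (z − y, e − c) from a view and its signature, the exposure that Sections III.A and III.B rely on (the ring variant of Le et al. adds indices and PK to the hash but uses the same relations).

```python
import hashlib
import secrets

# Toy parameters, constructed for this example; not the parameter sets of the paper.
Q = 8380417            # modulus of Z_q
N, M, K = 4, 8, 16     # A is N x M, T is N x K, S is M x K
SMALL = 5              # bound for "small" entries, standing in for Gaussian sampling

def small_vec(length):
    # Entries in [-SMALL, SMALL], stored reduced mod Q.
    return [(secrets.randbelow(2 * SMALL + 1) - SMALL) % Q for _ in range(length)]

def matvec(mat, vec):
    return [sum(m_ij * v_j for m_ij, v_j in zip(row, vec)) % Q for row in mat]

def vadd(u, v):
    return [(a + b) % Q for a, b in zip(u, v)]

def vsub(u, v):
    return [(a - b) % Q for a, b in zip(u, v)]

def com(mu: bytes, t: bytes) -> bytes:
    # Commitment com(mu, t), modelled as a hash of the message and randomness t.
    return hashlib.sha256(b"com|" + mu + b"|" + t).digest()

def hash_c(vec, commitment: bytes):
    # H(vector, C): digest mapped to K challenge coefficients in {-1, 0, 1}.
    data = b"H|" + b",".join(str(v).encode() for v in vec) + b"|" + commitment
    digest = hashlib.sha256(data).digest()
    return [digest[i] % 3 - 1 for i in range(K)]

def keygen():
    # Public key (A, T) with T = A S mod q, secret key S (assumption of this toy).
    A = [[secrets.randbelow(Q) for _ in range(M)] for _ in range(N)]
    S = [small_vec(K) for _ in range(M)]
    T = [[sum(A[i][l] * S[l][j] for l in range(M)) % Q for j in range(K)] for i in range(N)]
    return (A, T), S

def blind_sign(pk, S, mu: bytes):
    """One run of the protocol. Returns the signer's view V = (x, (e, y)), the final
    signature (mu, (z, c, t)), and the blinding factors (a, b) the user chose."""
    A, T = pk
    r = small_vec(M)                      # signer: r <- D, commitment x = A r
    x = matvec(A, r)
    a, b = small_vec(M), small_vec(K)     # user: blinding factors a, b
    t = secrets.token_bytes(16)
    C = com(mu, t)
    c = hash_c(vadd(vadd(x, matvec(A, a)), matvec(T, b)), C)   # c = H(x + A a + T b, C)
    e = vadd(c, b)                        # user -> signer: e = c + b
    y = vadd(r, matvec(S, e))             # signer -> user: y = r + S e
    z = vadd(y, a)                        # user: z = y + a (rejection sampling omitted)
    return (x, (e, y)), (mu, (z, c, t)), (a, b)

def verify(pk, sig) -> bool:
    A, T = pk
    mu, (z, c, t) = sig
    # A z - T c = x + A a + T b, so hashing it with com(mu, t) must give back c.
    return hash_c(vsub(matvec(A, z), matvec(T, c)), com(mu, t)) == c

def recover_blinding_factors(view, sig):
    """Given a view and the signature derived from it, anyone can read off
    a = z - y and b = e - c: the blinding factors are not hidden."""
    x, (e, y) = view
    mu, (z, c, t) = sig
    return vsub(z, y), vsub(e, c)
```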

C. DISCUSSIONS ON SOME IMPROVEMENTS
In this section, we discuss why the blind signature schemes do not achieve blindness, and two countermeasures for achieving blindness. We then propose a generic construction for blindness.

1) DISCUSSIONS
For the blind signature schemes [6]-[8], [13], we have shown that the cause of their vulnerability to our attacks is that the blinding factors used to hide the real messages being signed are exposed by specific algebraic relations in the underlying rings.
• The blinding factors (α, β) in Rückert's scheme [6] and (a, b) in Zhang et al.'s scheme [7] can be computed from the views and the signatures, and then linkability can be determined by the known algebraic relations. If one can prevent this exposure of the blinding factors, then blindness can be achieved. The corresponding blinding factors and the algebraic relations used to recover them from the view-signature pairs in our attacks on the four blind signature schemes are summarized in TABLE 1. To prevent our attacks, a method to hide the blinding factors is needed. There are two ways to hide the blinding factors:
• If one can find appropriate algebraic relations that keep the blinding factors hidden, then blindness can be achieved.
-In Camenisch et al.'s two blind signature schemes [14], one was based on the modified Digital Signature Standard (DSA) [15] and the other was based on Nyberg-Rueppel signature scheme [16]. They successfully hid the blinding factors a and b used in the blinded messages and their related signatures using some algebraic relations in the underlying groups.
• If one encrypts the hiding factors using a public-key encryption scheme and their operations are preserved then it is possible to construct blind signature schemes secure against our attacks. Such a public-key encryption scheme is a homomorphic encryption.
-At AsiaCCS 2019 [17], Yi and Lam proposed a new blind signature scheme based on the international standard signature scheme ECDSA. Their scheme used a variant of the Paillier cryptosystem [18] and its homomorphic properties to achieve the blindness property. They showed that if the modified Paillier cryptosystem is semantically secure, then their blind signature scheme achieves blindness and one-more unforgeability.

2) GENERIC CONSTRUCTION FOR BLINDNESS
Now, we propose a generic construction that turns a semantically secure homomorphic encryption scheme and a one-more unforgeable blind signature scheme that does not achieve blindness into a new blind signature scheme that achieves blindness as well as one-more unforgeability. To hide the blinding factors, we use homomorphic encryption schemes: i) the homomorphic encryption scheme encrypts the related information so that the blinding factors cannot be recovered from the ciphertexts by using the algebraic relations, and ii) the homomorphic encryption scheme allows a valid unblinded signature to be obtained from the ciphertext of a blinded signature, since the scheme preserves the ring operations in the signatures.
Let BS = (Setup, KeyGen, Signature Issuing Protocol, Verify) be a blind signature scheme that does not achieve blindness and HE = (KeyGen, Enc, Dec) be a homomorphic encryption scheme whose operations are compatible with the operations defined on the underlying ring or group of BS. A new blind signature scheme BS*_HE is constructed as follows:
• KeyGen(1^λ). For a security parameter λ, output a secret/public key pair (sk, pk) by running the KeyGen algorithm of BS and a secret/public key pair (SK, PK) by running the KeyGen algorithm of HE.
• Blind Signature Protocol. This interactive protocol between a user U and a signer S runs as follows:
-Blind: The signer sends a 'commitment' to the user. After receiving the commitment, the user generates a challenge Ch, computes C = Enc(PK, Ch, m) and sends C to the signer.
-Sign: After receiving the encrypted challenge and message, the signer with the signing secret key sk generates a blind signature σ* on C and transmits it to the user.
-Unblind: For a blind signature σ* on the encrypted message, the user decrypts σ = Dec(SK, σ*) using the secret key SK and outputs the unblinded signature σ.
• Verify. This algorithm Verify(pk, σ, m) returns 1 if σ is a valid signature of m for pk and 0 otherwise.
In our generic construction, the blinding factors are encrypted by the homomorphic encryption scheme, and valid unblinded signatures can be generated due to the following property: Sign(sk, Enc(PK, Ch, m)) = Enc(PK, Sign(sk, Ch, m)).
Thus, if the homomorphic encryption scheme HE is semantically secure, then the blind signature scheme obtained from the generic method achieves blindness.
Theorem 1: If the underlying homomorphic encryption scheme HE is semantically secure (indistinguishability under chosen-plaintext attacks, IND-CPA) and the blind signature scheme BS achieves one-more unforgeability, then the resulting blind signature scheme BS*_HE from our generic construction achieves blindness and one-more unforgeability.
Proof: It is known that ciphertext indistinguishability under chosen-plaintext attacks is equivalent to semantic security for probabilistic encryption schemes [19]. This indistinguishability of the homomorphic encryption scheme HE induces indistinguishability between the ciphertexts of the views generated by distinct messages and random distributions. One-more unforgeability of BS*_HE is inherited from the one-more unforgeability of BS and the homomorphic property of HE.
As seen in Theorem 1, if one uses an efficient and secure lattice-based homomorphic encryption scheme to hide the blinding factors in the blind signature schemes, then the improved schemes obtained from the generic construction can achieve blindness. However, the improved schemes require additional overhead for encryptions and decryptions to generate views. Thus, it remains an open problem to construct secure lattice-based blind signature and blind ring signature schemes without using homomorphic encryption schemes.

IV. CONCLUSION
We have shown that the three lattice-based blind signature schemes [6]-[8] and the blind ring signature scheme [13] do not achieve blindness. Their vulnerability to our attacks is due to the exposure of the blinding factors used in the blinded messages and their related signatures. We have proposed a generic construction that turns a semantically secure homomorphic encryption scheme and a one-more unforgeable blind signature scheme which does not achieve blindness into a blind signature scheme that achieves blindness as well as one-more unforgeability. However, the improved schemes are very inefficient since they require additional overhead for encryptions and decryptions to generate views. Thus, it remains an open problem to construct secure and efficient lattice-based blind signature and blind ring signature schemes that hide the blinding factors by algebraic relations alone, without using homomorphic encryption schemes.