Security of Blind Discrete Log Signatures against Interactive Attacks

We present a novel parallel one-more signature forgery against blind Okamoto-Schnorr and blind Schnorr signatures in which an attacker interacts some l times with a legitimate signer and produces from these interactions l + 1 signatures. Security against the new attack requires that the following ROS-problem is intractable: find an overdetermined,s olvable system of linear equations modulo q withrandom inhomogenities (right sides).There is an inherent weakness in the security result of Pointcheval and Stern. Theorem 26[PS00] does not cover attacks with 4 parallel interactions for elliptic curves of order 2200. That would require the intractability of the ROS-problem, a plausible but novel complexity assumption. Conversely, assuming the intractability of the ROS-problem, we show that Schnorr signatures are secure in the random oracle and generic group model against the one-more signature forgery.