
CSI-Otter: isogeny-based (partially) blind signatures from the class group action with a twist.

Authors :
Katsumata S
Lai YF
LeGrow JT
Qin L
Source :
Designs, codes, and cryptography [Des Codes Cryptogr] 2024; Vol. 92 (11), pp. 3587-3643. Date of Electronic Publication: 2024 Jul 17.
Publication Year :
2024

Abstract

In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the linear identification protocol abstraction introduced by Hauck, Kiltz, and Loss (EUROCRYPT'19), which was used to generically construct Schnorr-like blind signatures based on modules such as classical groups and lattices. Consequently, our scheme is provably secure in the random oracle model (ROM) against poly-logarithmically-many concurrent sessions assuming the subexponential hardness of the group action inverse problem. In more detail, our blind signature exploits the quadratic twist of an elliptic curve in an essential way to endow isogenies with a strictly richer structure than abstract group actions (but still more restrictive than modules). The basic scheme has public key size 128 B and signature size 8 KB under the CSIDH-512 parameter sets; these are the smallest among all provably secure post-quantum secure blind signatures. Relying on a new ring variant of the group action inverse problem (rGAIP), we can halve the signature size to 4 KB while increasing the public key size to 512 B. We provide preliminary cryptanalysis of rGAIP and show that for certain parameter settings, it is essentially as secure as the standard GAIP. Finally, we show a novel way to turn our blind signature into a partially blind signature, where we deviate from prior methods since they require hashing into the set of public keys while hiding the corresponding secret key; constructing such a hash function in the isogeny setting remains an open problem.

Competing Interests: Conflict of interest. The authors declare that they have no financial or non-financial interests.

(© The Author(s) 2024.)

Details

Language :
English
ISSN :
1573-7586
Volume :
92
Issue :
11
Database :
MEDLINE
Journal :
Designs, codes, and cryptography
Publication Type :
Academic Journal
Accession number :
39355284
Full Text :
https://doi.org/10.1007/s10623-024-01441-7