with sk_sign and sk_blind. In particular, this yields a valid ECDSA signature (r, s) under a public key blind_key = pk_blind = (sk_blind * sk_sign) * G where G is the base point. Both the attester and issuer will accept this valid signature.
Now, consider a second client
Client 2 registers to the attester with pk2 = alpha^(-1) * pk_blind, for a random alpha.
Note that client 2 does not know the secret key associated with its public key pk2. However, it can send the samecontext and (r, s) as above, and a randomizer sk_blind2 = alpha to the attester. The attester will reconstruct pk_blind2 = sk_blind2 * pk2 = pk_blind, and verify the signature (r, s) against pk_blind, which is valid!
We end up in a setting where a client has sent a valid signature on a message without knowing the secret key. This is the same message context and signature as above.
compute beta = H(context2)/H(context) mod q, and register with public key pk3 = alpha^(-1) * beta * pk_blind, and provide randomizer sk_blind3 = alpha and signature (r, beta * s mod q). Once again, the client doesn't know the secret key sk3 associated to pk3. Since this is an ECDSA signature, it holds that
beta * s = k^(-1) (beta * H(context) + beta * sk_blind * sk_sign * r) mod q
= k^(-1) ( H(context2) + sk3 * r ) mod q
It seems that the notion used in this part of the protocol does not rely on the unforgeability of the signature in the related key attack model. It would be valuable to specify which security properties are used from the ECDSA key blinding protocol, and what security properties they enable to prove for the rate-limited token issuance protocol.
As pointed out in https://github.com/chris-wood/draft-dew-cfrg-signature-key-blinding/issues/14, ECDSA with multiplicative key blinding is not unforgeable in the RKA model. Applied to the Rate-Limited Token Issuance Protocol, this gives the following unusual settings.
pk_sign, sk_sign
, and registers to the Attester withpk_sign
;with
sk_sign
andsk_blind
. In particular, this yields a valid ECDSA signature(r, s)
under a public keyblind_key = pk_blind = (sk_blind * sk_sign) * G
whereG
is the base point. Both the attester and issuer will accept this valid signature.Now, consider a second client
pk2 = alpha^(-1) * pk_blind
, for a randomalpha
.Note that client 2 does not know the secret key associated with its public key
pk2
. However, it can send the samecontext
and(r, s)
as above, and a randomizersk_blind2 = alpha
to the attester. The attester will reconstructpk_blind2 = sk_blind2 * pk2 = pk_blind
, and verify the signature(r, s)
againstpk_blind
, which is valid!We end up in a setting where a client has sent a valid signature on a message without knowing the secret key. This is the same message
context
and signature as above.Alternatively, client 2 could generate a context
compute
beta = H(context2)/H(context) mod q
, and register with public keypk3 = alpha^(-1) * beta * pk_blind
, and provide randomizersk_blind3 = alpha
and signature(r, beta * s mod q)
. Once again, the client doesn't know the secret keysk3
associated topk3
. Since this is an ECDSA signature, it holds thatIt seems that the notion used in this part of the protocol does not rely on the unforgeability of the signature in the related key attack model. It would be valuable to specify which security properties are used from the ECDSA key blinding protocol, and what security properties they enable to prove for the rate-limited token issuance protocol.