Faulty Instantiations of Threshold Ring Signature from Threshold Proof-of-Knowledge Protocol

摘要

In this paper, we point out some faulty instantiations of threshold ring signatures (TRS) based on the threshold proof-of-knowledge (TPoK) protocol. Although a TRS can be regarded as the non-interactive version of the TPoK, the computational domains of the variables should be carefully chosen. We show that by choosing some inappropriate domains, two such instantiations suffer from forgery and anonymity attacks. Our attacks rely on algebraic techniques which involve solving some particular instances of the well-known subset sum problem. While we focus our attacks on two particular instantiations of the TRS, they are generic and are applicable to other schemes with the same choice of domains or a similar structure. We believe this paper can act as an important security remark on the design of future TRS schemes.