{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T13:11:29Z","timestamp":1778159489327,"version":"3.51.4"},"reference-count":85,"publisher":"Springer Science and Business Media LLC","issue":"11","license":[{"start":{"date-parts":[[2024,7,17]],"date-time":"2024-07-17T00:00:00Z","timestamp":1721174400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,7,17]],"date-time":"2024-07-17T00:00:00Z","timestamp":1721174400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Des. Codes Cryptogr."],"published-print":{"date-parts":[[2024,11]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the<jats:italic>linear identification protocol<\/jats:italic>abstraction introduced by Hauck, Kiltz, and Loss (EUROCRYPT\u201919), which was used to generically construct Schnorr-like blind signatures based on modules such as classical groups and lattices. Consequently, our scheme is provably secure in the random oracle model (ROM) against poly-logarithmically-many concurrent sessions assuming the subexponential hardness of the group action inverse problem. In more detail, our blind signature exploits the<jats:italic>quadratic twist<\/jats:italic>of an elliptic curve in an essential way to endow isogenies with a strictly richer structure than abstract group actions (but still more restrictive than modules). 
The basic scheme has public key size 128\u00a0B and signature size 8\u00a0KB under the CSIDH-512 parameter sets\u2014these are the smallest among all provably secure post-quantum secure blind signatures. Relying on a new<jats:italic>ring<\/jats:italic>variant of the group action inverse problem (<jats:inline-formula><jats:alternatives><jats:tex-math>$$\\textsf{rGAIP}$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\"><mml:mi>rGAIP<\/mml:mi><\/mml:math><\/jats:alternatives><\/jats:inline-formula>), we can halve the signature size to 4\u00a0KB while increasing the public key size to 512\u00a0B. We provide preliminary cryptanalysis of<jats:inline-formula><jats:alternatives><jats:tex-math>$${\\textsf{rGAIP}} $$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\"><mml:mi>rGAIP<\/mml:mi><\/mml:math><\/jats:alternatives><\/jats:inline-formula>and show that for certain parameter settings, it is essentially as secure as the standard<jats:inline-formula><jats:alternatives><jats:tex-math>$$\\textsf{GAIP}$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\"><mml:mi>GAIP<\/mml:mi><\/mml:math><\/jats:alternatives><\/jats:inline-formula>. 
Finally, we show a novel way to turn our blind signature into a partially blind signature, where we deviate from prior methods since they require hashing into the set of public keys while hiding the corresponding secret key\u2014constructing such a hash function in the isogeny setting remains an open problem.<\/jats:p>","DOI":"10.1007\/s10623-024-01441-7","type":"journal-article","created":{"date-parts":[[2024,7,17]],"date-time":"2024-07-17T16:02:09Z","timestamp":1721232129000},"page":"3587-3643","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["CSI-Otter: isogeny-based (partially) blind signatures from the class group action with a twist"],"prefix":"10.1007","volume":"92","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8496-0476","authenticated-orcid":false,"given":"Shuichi","family":"Katsumata","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yi-Fu","family":"Lai","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6239-6616","authenticated-orcid":false,"given":"Jason T.","family":"LeGrow","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ling","family":"Qin","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2024,7,17]]},"reference":[{"key":"1441_CR1","doi-asserted-by":"publisher","unstructured":"Abdalla M., Eisenhofer T., Kiltz E., Kunzweiler S., Riepel D.: Password-authenticated key exchange from group actions. In: Dodis Y., Shrimpton T., et\u00a0al. (eds.) CRYPTO\u00a02022, Part\u00a0II. LNCS, vol. 13508, pp. 699\u2013728. Springer, Cham (2022). 
https:\/\/doi.org\/10.1007\/978-3-031-15979-4_24.","DOI":"10.1007\/978-3-031-15979-4_24"},{"key":"1441_CR2","doi-asserted-by":"publisher","unstructured":"Abe M.: A secure three-move blind signature scheme for polynomially many signatures. In: Pfitzmann B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 136\u2013151. Springer, Cham (2001).https:\/\/doi.org\/10.1007\/3-540-44987-6_9.","DOI":"10.1007\/3-540-44987-6_9"},{"key":"1441_CR3","doi-asserted-by":"publisher","unstructured":"Abe M., Fujisaki E.: How to date blind signatures. In: Kim K., Matsumoto T. (eds.) ASIACRYPT\u201996. LNCS, vol. 1163, pp. 244\u2013251. Springer, New York (1996).https:\/\/doi.org\/10.1007\/BFb0034851.","DOI":"10.1007\/BFb0034851"},{"key":"1441_CR4","doi-asserted-by":"publisher","unstructured":"Abe M., Okamoto T.: Provably secure partially blind signatures. In: Bellare M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 271\u2013286. Springer, Berlin (2000). https:\/\/doi.org\/10.1007\/3-540-44598-6_17.","DOI":"10.1007\/3-540-44598-6_17"},{"key":"1441_CR5","doi-asserted-by":"publisher","unstructured":"Agrawal S., Kirshanova E., Stehl\u00e9 D., Yadav A.: Practical, round-optimal lattice-based blind signatures. In: Yin H., Stavrou A., Cremers C., Shi E. (eds.) ACM CCS 2022, pp. 39\u201353. ACM Press, New York (2022).https:\/\/doi.org\/10.1145\/3548606.3560650.","DOI":"10.1145\/3548606.3560650"},{"key":"1441_CR6","doi-asserted-by":"publisher","unstructured":"Alamati N., De Feo L., Montgomery H., Patranabis S.: Cryptographic group actions and applications. In: Moriai S., Wang H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 411\u2013439. Springer, Berlin (2020). https:\/\/doi.org\/10.1007\/978-3-030-64834-3_14.","DOI":"10.1007\/978-3-030-64834-3_14"},{"key":"1441_CR7","doi-asserted-by":"publisher","unstructured":"Alkeilani Alkadri N., El Bansarkhani R., Buchmann J.: BLAZE: practical lattice-based blind signatures for privacy-preserving applications. In: Bonneau J., Heninger N. (eds.) FC 2020. 
LNCS, vol. 12059, pp. 484\u2013502. Springer, Berlin (2020).https:\/\/doi.org\/10.1007\/978-3-030-51280-4_26.","DOI":"10.1007\/978-3-030-51280-4_26"},{"key":"1441_CR8","doi-asserted-by":"publisher","unstructured":"Alkeilani Alkadri N., El Bansarkhani R., Buchmann J.: On lattice-based interactive protocols: an approach with less or no aborts. In: Liu J.K., Cui H. (eds.) ACISP 20. LNCS, vol. 12248, pp. 41\u201361. Springer, Berlin (2020).https:\/\/doi.org\/10.1007\/978-3-030-55304-3_3.","DOI":"10.1007\/978-3-030-55304-3_3"},{"key":"1441_CR9","doi-asserted-by":"publisher","unstructured":"Alkeilani Alkadri N., Harasser P., Janson C.: BlindOR: an efficient lattice-based blind signature scheme from OR-proofs. In: Conti M., Stevens M., Krenn S. (eds.) CANS 21. LNCS, vol. 13099, pp. 95\u2013115. Springer, Berlin (2021).https:\/\/doi.org\/10.1007\/978-3-030-92548-2_6.","DOI":"10.1007\/978-3-030-92548-2_6"},{"key":"1441_CR10","doi-asserted-by":"publisher","unstructured":"Azarderakhsh R., Jao D., Koziel B., LeGrow J.T., Soukharev V., Taraskin O.: How not to create an isogeny-based PAKE. In: Conti M., Zhou J., Casalicchio E., Spognardi A. (eds.) ACNS 20, Part I. LNCS, vol. 12146, pp. 169\u2013186. Springer, Berlin (2020).https:\/\/doi.org\/10.1007\/978-3-030-57808-4_9.","DOI":"10.1007\/978-3-030-57808-4_9"},{"key":"1441_CR11","doi-asserted-by":"publisher","unstructured":"Baldimtsi F., Lysyanskaya A.: On the security of one-witness blind signature schemes. In: Sako K., Sarkar P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 82\u201399. Springer, Berlin (2013).https:\/\/doi.org\/10.1007\/978-3-642-42045-0_5.","DOI":"10.1007\/978-3-642-42045-0_5"},{"key":"1441_CR12","doi-asserted-by":"publisher","unstructured":"Beullens W., Kleinjung T., Vercauteren F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith S.D., Moriai S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 227\u2013247. 
Springer, Berlin (2019).https:\/\/doi.org\/10.1007\/978-3-030-34578-5_9.","DOI":"10.1007\/978-3-030-34578-5_9"},{"key":"1441_CR13","doi-asserted-by":"publisher","unstructured":"Beullens W., Katsumata S., Pintore F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai S., Wang H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 464\u2013492. Springer, Berlin (2020).https:\/\/doi.org\/10.1007\/978-3-030-64834-3_16.","DOI":"10.1007\/978-3-030-64834-3_16"},{"key":"1441_CR14","doi-asserted-by":"publisher","unstructured":"Beullens W., Dobson S., Katsumata S., Lai Y.-F., Pintore F.: Group signatures and more from isogenies and lattices: generic, simple, and efficient. In: Dunkelman O., Dziembowski S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 95\u2013126. Springer, Berlin (2022).https:\/\/doi.org\/10.1007\/978-3-031-07085-3_4.","DOI":"10.1007\/978-3-031-07085-3_4"},{"key":"1441_CR15","doi-asserted-by":"crossref","unstructured":"Beullens W., Lyubashevsky V., Nguyen N.K., Seiler G.: Lattice-based blind signatures: short, efficient, and round-optimal. Cryptology ePrint Archive, Paper 2023\/077. https:\/\/eprint.iacr.org\/2023\/077 (2023).","DOI":"10.1145\/3576915.3616613"},{"key":"1441_CR16","doi-asserted-by":"publisher","unstructured":"Biasse J.-F., Iezzi A., Jacobson M.J. Jr.: A note on the security of CSIDH. In: Chakraborty D., Iwata T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 153\u2013168. Springer, Berlin (2018).https:\/\/doi.org\/10.1007\/978-3-030-05378-9_9.","DOI":"10.1007\/978-3-030-05378-9_9"},{"key":"1441_CR17","doi-asserted-by":"crossref","unstructured":"Blazy O., Gaborit P., Schrek J., Sendrier N.: A code-based blind signature. In: 2017 IEEE International Symposium on Information Theory (ISIT), pp. 2718\u20132722 (2017). 
IEEE.","DOI":"10.1109\/ISIT.2017.8007023"},{"key":"1441_CR18","doi-asserted-by":"publisher","unstructured":"Bonnetain X., Naya-Plasencia M.: Hidden shift quantum cryptanalysis and implications. In: Peyrin T., Galbraith S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 560\u2013592. Springer, Berlin (2018).https:\/\/doi.org\/10.1007\/978-3-030-03326-2_19.","DOI":"10.1007\/978-3-030-03326-2_19"},{"key":"1441_CR19","doi-asserted-by":"publisher","unstructured":"Bonnetain X., Schrottenloher A.: Quantum security analysis of CSIDH. In: Canteaut A., Ishai Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 493\u2013522. Springer, Berlin (2020).https:\/\/doi.org\/10.1007\/978-3-030-45724-2_17.","DOI":"10.1007\/978-3-030-45724-2_17"},{"key":"1441_CR20","doi-asserted-by":"publisher","unstructured":"Brands S.: Untraceable off-line cash in wallets with observers (extended abstract). In: Stinson D.R. (ed.) CRYPTO\u201993. LNCS, vol. 773, pp. 302\u2013318. Springer, Berlin (1994).https:\/\/doi.org\/10.1007\/3-540-48329-2_26.","DOI":"10.1007\/3-540-48329-2_26"},{"issue":"12","key":"1441_CR21","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3572771","volume":"55","author":"M Buser","year":"2023","unstructured":"Buser M., Dowsley R., Esgin M., Gritti C., Kasra K.S., Kuchta V., LeGrow J., Liu J., Phan R., Sakzad A.: A survey on exotic signatures for post-quantum blockchain: challenges and research directions. ACM Comput. Surv. 55(12), 1\u201332 (2023).","journal-title":"ACM Comput. Surv."},{"key":"1441_CR22","doi-asserted-by":"publisher","unstructured":"Camenisch J., Lysyanskaya A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93\u2013118. 
Springer, Berlin (2001).https:\/\/doi.org\/10.1007\/3-540-44987-6_7.","DOI":"10.1007\/3-540-44987-6_7"},{"key":"1441_CR23","doi-asserted-by":"publisher","unstructured":"Castryck W., Decru T.: An efficient key recovery attack on SIDH. In: Hazay C., Stam M. (eds.) EUROCRYPT 2023, Part V. LNCS, vol. 14008, pp. 423\u2013447. Springer, Cham (2023).https:\/\/doi.org\/10.1007\/978-3-031-30589-4_15.","DOI":"10.1007\/978-3-031-30589-4_15"},{"key":"1441_CR24","doi-asserted-by":"publisher","unstructured":"Castryck W., Lange T., Martindale C., Panny L., Renes J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin T., Galbraith S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 395\u2013427. Springer, Berlin (2018).https:\/\/doi.org\/10.1007\/978-3-030-03332-3_15.","DOI":"10.1007\/978-3-030-03332-3_15"},{"key":"1441_CR25","doi-asserted-by":"publisher","unstructured":"Castryck W., Dooms A., Emerencia C., Lemmens A.: A fusion algorithm for solving the hidden shift problem in finite abelian groups. In: Cheon J.H., Tillich J.-P. (eds.) Post-Quantum Cryptography-12th International Workshop, PQCrypto 2021, pp. 133\u2013153. Springer (2021).https:\/\/doi.org\/10.1007\/978-3-030-81293-5_8.","DOI":"10.1007\/978-3-030-81293-5_8"},{"issue":"1","key":"1441_CR26","doi-asserted-by":"publisher","first-page":"93","DOI":"10.1007\/s00145-007-9002-x","volume":"22","author":"DX Charles","year":"2009","unstructured":"Charles D.X., Lauter K.E., Goren E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93\u2013113 (2009). https:\/\/doi.org\/10.1007\/s00145-007-9002-x.","journal-title":"J. Cryptol."},{"key":"1441_CR27","first-page":"199","volume-title":"CRYPTO\u201982","author":"D Chaum","year":"1982","unstructured":"Chaum D.: Blind signatures for untraceable payments. In: Chaum D., Rivest R.L., Sherman A.T. (eds.) CRYPTO\u201982, pp. 199\u2013203. 
Plenum Press, New York (1982)."},{"key":"1441_CR28","doi-asserted-by":"publisher","unstructured":"Chaum D.: Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In: G\u00fcnther C.G. (ed.) EUROCRYPT\u201988. LNCS, vol. 330, pp. 177\u2013182. Springer, Berlin (1988). https:\/\/doi.org\/10.1007\/3-540-45961-8_15.","DOI":"10.1007\/3-540-45961-8_15"},{"key":"1441_CR29","doi-asserted-by":"publisher","unstructured":"Chaum D., Pedersen T.P.: Wallet databases with observers. In: Brickell E.F. (ed.) CRYPTO\u201992. LNCS, vol. 740, pp. 89\u2013105. Springer, Berlin (1993).https:\/\/doi.org\/10.1007\/3-540-48071-4_7.","DOI":"10.1007\/3-540-48071-4_7"},{"key":"1441_CR30","series-title":"LNCS","first-page":"319","volume-title":"CRYPTO\u201988","author":"D Chaum","year":"1990","unstructured":"Chaum D., Fiat A., Naor M.: Untraceable electronic cash. In: Goldwasser S. (ed.) CRYPTO\u201988, vol. 403, pp. 319\u2013327. LNCS. Springer, Berlin (1990)."},{"issue":"1","key":"1441_CR31","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1515\/jmc-2012-0016","volume":"8","author":"A Childs","year":"2014","unstructured":"Childs A., Jao D., Soukharev V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1\u201329 (2014). https:\/\/doi.org\/10.1515\/jmc-2012-0016.","journal-title":"J. Math. Cryptol."},{"key":"1441_CR32","unstructured":"Couveignes J.-M.: Hard Homogeneous Spaces. Cryptology ePrint Archive, Report 2006\/291. https:\/\/eprint.iacr.org\/2006\/291 (2006)."},{"key":"1441_CR33","doi-asserted-by":"publisher","unstructured":"Cramer R., Damg\u00e5rd I., Schoenmakers B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt Y. (ed.) CRYPTO\u201994, vol. 839, pp. 174\u2013187. LNCS. Springer, Berlin (1994). 
https:\/\/doi.org\/10.1007\/3-540-48658-5_19.","DOI":"10.1007\/3-540-48658-5_19"},{"key":"1441_CR34","doi-asserted-by":"crossref","unstructured":"De\u00a0Feo L.: SeaSign: Compact Isogeny Signatures from Class Group Actions. Talk at Eurocrypt 2019 (2019). http:\/\/defeo.lu\/docet\/assets\/slides\/2019-05-23-eurocrypt.pdf.","DOI":"10.1007\/978-3-030-17659-4_26"},{"key":"1441_CR35","doi-asserted-by":"publisher","unstructured":"De Feo L., Galbraith S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai Y., Rijmen V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 759\u2013789. Springer, Cham (2019).https:\/\/doi.org\/10.1007\/978-3-030-17659-4_26.","DOI":"10.1007\/978-3-030-17659-4_26"},{"key":"1441_CR36","doi-asserted-by":"publisher","unstructured":"De Feo L., Kohel D., Leroux A., Petit C., Wesolowski B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai S., Wang H. (eds.) ASIACRYPT 2020, Part I. LNCS, vol. 12491, pp. 64\u201393. Springer, Berlin (2020).https:\/\/doi.org\/10.1007\/978-3-030-64837-4_3.","DOI":"10.1007\/978-3-030-64837-4_3"},{"key":"1441_CR37","doi-asserted-by":"publisher","unstructured":"del Pino R., Katsumata S.: A new framework for more efficient round-optimal lattice-based (partially) blind signature via trapdoor sampling. In: Dodis Y., Shrimpton T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 306\u2013336. Springer, Berlin (2022).https:\/\/doi.org\/10.1007\/978-3-031-15979-4_11.","DOI":"10.1007\/978-3-031-15979-4_11"},{"issue":"4","key":"1441_CR38","doi-asserted-by":"publisher","first-page":"282","DOI":"10.1080\/23799927.2020.1822446","volume":"5","author":"S Dobson","year":"2020","unstructured":"Dobson S., Galbraith S.D., LeGrow J., Ti Y.B., Zobernig L.: An adaptive attack on 2-sidh. Int. J. Comput. Math. 5(4), 282\u2013299 (2020). https:\/\/doi.org\/10.1080\/23799927.2020.1822446.","journal-title":"Int. J. Comput. 
Math."},{"key":"1441_CR39","doi-asserted-by":"crossref","unstructured":"Feo L.D., Fouotsa T.B., Kutas P., Leroux A., Merz S.-P., Panny L., Wesolowski B.: SCALLOP: scaling the CSI-FiSh. Cryptology ePrint Archive, Paper 2023\/058. https:\/\/eprint.iacr.org\/2023\/058 (2023).","DOI":"10.1007\/978-3-031-31368-4_13"},{"key":"1441_CR40","doi-asserted-by":"publisher","unstructured":"Fiat A., Shamir A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko A.M. (ed.) CRYPTO\u201986. LNCS, vol. 263, pp. 186\u2013194. Springer, Berlin (1987). https:\/\/doi.org\/10.1007\/3-540-47721-7_12.","DOI":"10.1007\/3-540-47721-7_12"},{"key":"1441_CR41","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"60","DOI":"10.1007\/11818175_4","volume-title":"CRYPTO 2006","author":"M Fischlin","year":"2006","unstructured":"Fischlin M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork C. (ed.) CRYPTO 2006, vol. 4117, pp. 60\u201377. LNCS. Springer, Berlin (2006)."},{"key":"1441_CR42","doi-asserted-by":"publisher","unstructured":"Fouotsa T.B., Moriya T., Petit C.: M-SIDH and MD-SIDH: countering SIDH attacks by masking information. In: Hazay C., Stam M. (eds.) EUROCRYPT 2023, Part V. LNCS, vol. 14008, pp. 282\u2013309. Springer, Berlin (2023).https:\/\/doi.org\/10.1007\/978-3-031-30589-4_10.","DOI":"10.1007\/978-3-031-30589-4_10"},{"issue":"1","key":"1441_CR43","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1137\/130907203","volume":"43","author":"K Friedl","year":"2014","unstructured":"Friedl K., Ivanyos G., Magniez F., Santha M., Sen P.: Hidden translation and translating coset in quantum computing. SIAM J. Comput. 43(1), 1\u201324 (2014).","journal-title":"SIAM J. Comput."},{"key":"1441_CR44","doi-asserted-by":"crossref","unstructured":"Fujioka A., Okamoto T., Ohta K.: A practical secret voting scheme for large scale elections. In: AUSCRYPT, pp. 244\u2013251 (1992). 
Springer.","DOI":"10.1007\/3-540-57220-1_66"},{"key":"1441_CR45","doi-asserted-by":"crossref","unstructured":"Galbraith S.D., Lai Y.-F.: Attack on sheals and heals: The second wave of gpst. In: Post-Quantum Cryptography: 13th International Workshop, PQCrypto 2022, Virtual Event, September 28\u201330, 2022, Proceedings, pp. 399\u2013421 (2022). Springer.","DOI":"10.1007\/978-3-031-17234-2_19"},{"issue":"2","key":"1441_CR46","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1007\/s00200-013-0185-0","volume":"24","author":"S Galbraith","year":"2013","unstructured":"Galbraith S., Stolbunov A.: Improved algorithm for the isogeny problem for ordinary elliptic curves. Appl. Algebra Eng. Commun. Comput. 24(2), 107\u2013131 (2013).","journal-title":"Appl. Algebra Eng. Commun. Comput."},{"key":"1441_CR47","doi-asserted-by":"publisher","unstructured":"Galbraith S.D., Hess F., Smart N.P.: Extending the GHS Weil descent attack. In: Knudsen L.R. (ed.) EUROCRYPT\u00a02002. LNCS, vol. 2332, pp. 29\u201344. Springer (2002).https:\/\/doi.org\/10.1007\/3-540-46035-7_3.","DOI":"10.1007\/3-540-46035-7_3"},{"key":"1441_CR48","doi-asserted-by":"publisher","unstructured":"Galbraith S.D., Petit C., Shani B., Ti Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon J.H., Takagi T. (eds.) ASIACRYPT\u00a02016, Part\u00a0I. LNCS, vol. 10031, pp. 63\u201391. Springer (2016).https:\/\/doi.org\/10.1007\/978-3-662-53887-6_3.","DOI":"10.1007\/978-3-662-53887-6_3"},{"key":"1441_CR49","doi-asserted-by":"publisher","unstructured":"Hauck E., Kiltz E., Loss J.: A modular treatment of blind signatures from identification schemes. In: Ishai Y., Rijmen V. (eds.) EUROCRYPT\u00a02019, Part\u00a0III. LNCS, vol. 11478, pp. 345\u2013375. 
Springer, (2019).https:\/\/doi.org\/10.1007\/978-3-030-17659-4_12.","DOI":"10.1007\/978-3-030-17659-4_12"},{"key":"1441_CR50","doi-asserted-by":"publisher","unstructured":"Hauck E., Kiltz E., Loss J., Nguyen N.K.: Lattice-based blind signatures, revisited. In: Micciancio D., Ristenpart T. (eds.) CRYPTO\u00a02020, Part\u00a0II. LNCS, vol. 12171, pp. 500\u2013529. Springer (2020).https:\/\/doi.org\/10.1007\/978-3-030-56880-1_18.","DOI":"10.1007\/978-3-030-56880-1_18"},{"key":"1441_CR51","unstructured":"Hendrickson S., Iyengar J., Pauly T., Valdez S., Wood C.A.: Private Access Tokens. Internet-Draft draft-private-access-tokens-01. Internet Engineering Task Force. Work in Progress (2022). https:\/\/datatracker.ietf.org\/doc\/draft-private-access-tokens\/."},{"key":"1441_CR52","volume-title":"Supersingular isogeny key encapsulation","author":"D Jao","year":"2017","unstructured":"Jao D., Azarderakhsh R., Campagna M., Costello C., De Feo L., Hess B., Jalali A., Koziel B., LaMacchia B., Longa P., Naehrig M., Renes J., Soukharev V., Urbanik D., Pereira G., Karabina K., Hutchinson A.: Supersingular isogeny key encapsulation. Technical report, National Institute of Standards and Technology (2017)."},{"issue":"1","key":"1441_CR53","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1515\/jmc-2015-0057","volume":"14","author":"D Jao","year":"2020","unstructured":"Jao D., LeGrow J., Leonardi C., Ruiz-Lopez L.: A subexponential-time, polynomial quantum space algorithm for inverting the cm group action. J. Math. Cryptol. 14(1), 129\u2013138 (2020). https:\/\/doi.org\/10.1515\/jmc-2015-0057.","journal-title":"J. Math. Cryptol."},{"key":"1441_CR54","doi-asserted-by":"crossref","unstructured":"Kastner J., Loss J., Xu J.: On pairing-free blind signature schemes in the algebraic group model. In: PKC, pp. 468\u2013497 (2022). 
Springer.","DOI":"10.1007\/978-3-030-97131-1_16"},{"key":"1441_CR55","doi-asserted-by":"publisher","unstructured":"Kastner J., Loss J., Xu J.: The Abe-Okamoto partially blind signature scheme revisited. In: Agrawal S., Lin D. (eds.) ASIACRYPT\u00a02022, Part\u00a0IV. LNCS, vol. 13794, pp. 279\u2013309. Springer (2022). https:\/\/doi.org\/10.1007\/978-3-031-22972-5_10.","DOI":"10.1007\/978-3-031-22972-5_10"},{"key":"1441_CR56","doi-asserted-by":"publisher","unstructured":"Katsumata S., Lai Y.-F., LeGrow J.T., Qin L.: CSI -otter: Isogeny-based (partially) blind signatures from the class group action with a twist. In: CRYPTO\u00a02023, Part\u00a0III. LNCS, pp. 729\u2013761. Springer (2023).https:\/\/doi.org\/10.1007\/978-3-031-38548-3_24.","DOI":"10.1007\/978-3-031-38548-3_24"},{"key":"1441_CR57","unstructured":"Katsumata S., Lai Y.-F., Reichle M.: Breaking Parallel ROS: Implication for Isogeny and Lattice-based Blind Signatures. Cryptology ePrint Archive, Paper 2023\/1603. https:\/\/eprint.iacr.org\/2023\/1603 (2023)."},{"issue":"1","key":"1441_CR58","doi-asserted-by":"publisher","first-page":"170","DOI":"10.1137\/S0097539703436345","volume":"35","author":"G Kuperberg","year":"2005","unstructured":"Kuperberg G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170\u2013188 (2005). https:\/\/doi.org\/10.1137\/S0097539703436345.","journal-title":"SIAM J. Comput."},{"key":"1441_CR59","unstructured":"Kuperberg G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. arXiv:1112.3333 (2011)."},{"key":"1441_CR60","doi-asserted-by":"publisher","unstructured":"Lai Y.-F., Galbraith S.D., Delpech de Saint Guilhem C.: Compact, efficient and UC-secure isogeny-based oblivious transfer. In: Canteaut A., Standaert F.-X. (eds.) EUROCRYPT\u00a02021, Part\u00a0I. LNCS, vol. 12696, pp. 213\u2013241. Springer (2021). 
https:\/\/doi.org\/10.1007\/978-3-030-77870-5_8.","DOI":"10.1007\/978-3-030-77870-5_8"},{"key":"1441_CR61","doi-asserted-by":"crossref","unstructured":"Lai Y.-F.: CAPYBARA and TSUBAKI: verifiable random functions from group actions and isogenies. Cryptology ePrint Archive, Report 2023\/182. https:\/\/eprint.iacr.org\/2023\/182 (2023).","DOI":"10.62056\/avr-11zn4"},{"key":"1441_CR62","doi-asserted-by":"crossref","unstructured":"Le H.Q., Susilo W., Khuc T.X., Bui M.K., Duong D.H.: A blind signature from module latices. In: Dependable and Secure Computing (DSC), pp. 1\u20138 (2019). IEEE.","DOI":"10.1109\/DSC47296.2019.8937613"},{"key":"1441_CR63","doi-asserted-by":"crossref","unstructured":"LeGrow J.T.: A faster method for fault attack resistance in static\/ephemeral CSIDH. J. Cryptogr. Eng. pp. 1\u201312 (2023).","DOI":"10.1007\/s13389-023-00318-0"},{"key":"1441_CR64","doi-asserted-by":"publisher","unstructured":"Lyubashevsky V., Nguyen N.K., Plan\u00e7on M.: Efficient lattice-based blind signatures via gaussian one-time signatures. In: Hanaoka G., Shikata J., Watanabe Y. (eds.) PKC\u00a02022, Part\u00a0II. LNCS, vol. 13178, pp. 498\u2013527. Springer (2022).https:\/\/doi.org\/10.1007\/978-3-030-97131-1_17.","DOI":"10.1007\/978-3-030-97131-1_17"},{"key":"1441_CR65","doi-asserted-by":"publisher","unstructured":"Maino L., Martindale C., Panny L., Pope G., Wesolowski B.: A direct key recovery attack on SIDH. In: Hazay C., Stam M. (eds.) EUROCRYPT\u00a02023, Part\u00a0V. LNCS, vol. 14008, pp. 448\u2013471. Springer, (2023).https:\/\/doi.org\/10.1007\/978-3-031-30589-4_16.","DOI":"10.1007\/978-3-031-30589-4_16"},{"key":"1441_CR66","doi-asserted-by":"publisher","unstructured":"Okamoto T., Ohta K.: Universal electronic cash. In: Feigenbaum J. (ed.) CRYPTO\u201991. LNCS, vol. 576, pp. 324\u2013337. 
Springer (1992).https:\/\/doi.org\/10.1007\/3-540-46766-1_27.","DOI":"10.1007\/3-540-46766-1_27"},{"key":"1441_CR67","unstructured":"Papachristoudis D., Hristu-Varsakelis D., Baldimtsi F., Stephanides G.: Leakage-Resilient Lattice-Based Partially Blind Signatures. Cryptology ePrint Archive, Report 2019\/1452. https:\/\/eprint.iacr.org\/2019\/1452 (2019)."},{"key":"1441_CR68","doi-asserted-by":"publisher","unstructured":"Peikert C.: He gives C-sieves on the CSIDH. In: Canteaut A., Ishai Y. (eds.) EUROCRYPT\u00a02020, Part\u00a0II. LNCS, vol. 12106, pp. 463\u2013492. Springer (2020).https:\/\/doi.org\/10.1007\/978-3-030-45724-2_16.","DOI":"10.1007\/978-3-030-45724-2_16"},{"key":"1441_CR69","doi-asserted-by":"publisher","unstructured":"Petit C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi T., Peyrin T. (eds.) ASIACRYPT\u00a02017, Part\u00a0II. LNCS, vol. 10625, pp. 330\u2013353. Springer (2017).https:\/\/doi.org\/10.1007\/978-3-319-70697-9_12.","DOI":"10.1007\/978-3-319-70697-9_12"},{"key":"1441_CR70","doi-asserted-by":"crossref","unstructured":"Petzoldt A., Szepieniec A., Mohamed M.S.E.: A practical multivariate blind signature scheme. In: Kiayias A. (ed.) FC 2017. LNCS, vol. 10322, pp. 437\u2013454. Springer (2017).","DOI":"10.1007\/978-3-319-70972-7_25"},{"key":"1441_CR71","doi-asserted-by":"publisher","unstructured":"Pointcheval D., Stern J.: Security proofs for signature schemes. In: Maurer U.M. (ed.) EUROCRYPT\u201996. LNCS, vol. 1070, pp. 387\u2013398. Springer (1996).https:\/\/doi.org\/10.1007\/3-540-68339-9_33.","DOI":"10.1007\/3-540-68339-9_33"},{"issue":"3","key":"1441_CR72","doi-asserted-by":"publisher","first-page":"361","DOI":"10.1007\/s001450010003","volume":"13","author":"D Pointcheval","year":"2000","unstructured":"Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361\u2013396 (2000). https:\/\/doi.org\/10.1007\/s001450010003.","journal-title":"J. 
Cryptol."},{"key":"1441_CR73","doi-asserted-by":"publisher","unstructured":"Quehen V., Kutas P., Leonardi C., Martindale C., Panny L., Petit C., Stange K.E.: Improved torsion-point attacks on SIDH variants. In: Malkin T., Peikert C. (eds.) CRYPTO\u00a02021, Part\u00a0III. LNCS, vol. 12827, pp. 432\u2013470. Springer, Virtual Event (2021). https:\/\/doi.org\/10.1007\/978-3-030-84252-9_15.","DOI":"10.1007\/978-3-030-84252-9_15"},{"key":"1441_CR74","unstructured":"Regev O.: A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space. (2004)."},{"key":"1441_CR75","doi-asserted-by":"publisher","unstructured":"Robert D.: Breaking SIDH in polynomial time. In: Hazay C., Stam M. (eds.) EUROCRYPT\u00a02023, Part\u00a0V. LNCS, vol. 14008, pp. 472\u2013503. Springer (2023).https:\/\/doi.org\/10.1007\/978-3-031-30589-4_17.","DOI":"10.1007\/978-3-031-30589-4_17"},{"key":"1441_CR76","unstructured":"Rostovtsev A., Stolbunov A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006\/145. https:\/\/eprint.iacr.org\/2006\/145 (2006)."},{"key":"1441_CR77","doi-asserted-by":"publisher","unstructured":"R\u00fcckert M.: Lattice-based blind signatures. In: Abe M. (ed.) ASIACRYPT\u00a02010. LNCS, vol. 6477, pp. 413\u2013430. Springer (2010).https:\/\/doi.org\/10.1007\/978-3-642-17373-8_24.","DOI":"10.1007\/978-3-642-17373-8_24"},{"key":"1441_CR78","doi-asserted-by":"publisher","unstructured":"Schnorr C.-P.: Efficient identification and signatures for smart cards. In: Brassard G. (ed.) CRYPTO\u201989. LNCS, vol. 435, pp. 239\u2013252. Springer (1990).https:\/\/doi.org\/10.1007\/0-387-34805-0_22.","DOI":"10.1007\/0-387-34805-0_22"},{"key":"1441_CR79","doi-asserted-by":"crossref","unstructured":"Schnorr C.-P.: Security of blind discrete log signatures against interactive attacks. In: Qing S., Okamoto T., Zhou J. (eds.) ICICS 01. LNCS, vol. 2229, pp. 1\u201312. 
Springer (2001).","DOI":"10.1007\/3-540-45600-7_1"},{"issue":"1","key":"1441_CR80","doi-asserted-by":"publisher","first-page":"219","DOI":"10.5802\/jtnb.142","volume":"7","author":"R Schoof","year":"1995","unstructured":"Schoof R.: Counting points on elliptic curves over finite fields. Journal de th\u00e9orie des nombres de Bordeaux 7(1), 219\u2013254 (1995).","journal-title":"Journal de th\u00e9orie des nombres de Bordeaux"},{"issue":"11","key":"1441_CR81","doi-asserted-by":"publisher","first-page":"612","DOI":"10.1145\/359168.359176","volume":"22","author":"A Shamir","year":"1979","unstructured":"Shamir A.: How to share a secret. Commun. ACM 22(11), 612\u2013613 (1979).","journal-title":"Commun. ACM"},{"issue":"2","key":"1441_CR82","doi-asserted-by":"publisher","first-page":"215","DOI":"10.3934\/amc.2010.4.215","volume":"4","author":"A Stolbunov","year":"2010","unstructured":"Stolbunov A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215\u2013235 (2010). https:\/\/doi.org\/10.3934\/amc.2010.4.215.","journal-title":"Adv. Math. Commun."},{"issue":"1","key":"1441_CR83","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1515\/jmc-2020-0071","volume":"15","author":"O Taraskin","year":"2021","unstructured":"Taraskin O., Soukharev V., Jao D., LeGrow J.T.: Towards isogeny-based password-authenticated key establishment. J. Math. Cryptol. 15(1), 18\u201330 (2021). https:\/\/doi.org\/10.1515\/jmc-2020-0071.","journal-title":"J. Math. Cryptol."},{"key":"1441_CR84","unstructured":"VPN by Google One, explained. https:\/\/one.google.com\/about\/vpn\/howitworks. (2022)."},{"key":"1441_CR85","doi-asserted-by":"publisher","unstructured":"Yi X., Lam K.-Y.: A new blind ECDSA scheme for bitcoin transaction anonymity. In: Galbraith S.D., Russello G., Susilo W., Gollmann D., Kirda E., Liang Z. (eds.) ASIACCS 19, pp. 613\u2013620. ACM Press (2019). 
https:\/\/doi.org\/10.1145\/3321705.3329816.","DOI":"10.1145\/3321705.3329816"}],"container-title":["Designs, Codes and Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-024-01441-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10623-024-01441-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-024-01441-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,11,24]],"date-time":"2024-11-24T08:38:29Z","timestamp":1732437509000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10623-024-01441-7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,17]]},"references-count":85,"journal-issue":{"issue":"11","published-print":{"date-parts":[[2024,11]]}},"alternative-id":["1441"],"URL":"https:\/\/doi.org\/10.1007\/s10623-024-01441-7","relation":{},"ISSN":["0925-1022","1573-7586"],"issn-type":[{"value":"0925-1022","type":"print"},{"value":"1573-7586","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,17]]},"assertion":[{"value":"16 August 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 May 2024","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 June 2024","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 July 2024","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article 
History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no financial or non-financial interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}