Blind signatures have proved an essential building block for applications that protect privacy while
ensuring unforgeability, i.e., electronic cash and electronic voting. One of the oldest, and most ecient blind
signature schemes is the one due to Schnorr that is based on his famous identication scheme. Although it
was proposed over twenty years ago, its unforgeability remains an open problem, even in the random-oracle
model. In this paper, we show that current techniques for proving security in the random oracle model do not
work for the Schnorr blind signature. Our results generalize to other important blind signatures, such as the
one due to Brands. Brands\' blind signature is at the heart of Microsoft\'s newly implemented UProve system,
which makes this work relevant to cryptographic practice as well.