On the One-Per-Message Unforgeability of (EC)DSA and Its Variants

  • Manuel Fersch
  • Eike Kiltz
  • Bertram Poettering
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10678)


The American signature standards DSA and ECDSA, as well as their Russian and Chinese counterparts GOST 34.10 and SM2, are of utmost importance in the current security landscape. The mentioned schemes are all rooted in the Elgamal signature scheme (1984) and use a hash function and a cyclic group as building blocks. Unfortunately, authoritative security guarantees for these schemes are still lacking: all existing positive results on their security rely on aggressive idealization approaches, such as the generic group model, which makes the overall results debatable.

In this work we conduct security analyses for a set of classic signature schemes, including the ones mentioned above, providing positive results in the following sense: If the hash function (which is instantiated with SHA1 or SHA2 in a typical DSA/ECDSA setup) is modeled as a random oracle, and the signer issues at most one signature per message, then the schemes are unforgeable if and only if they are key-only unforgeable, where the latter security notion captures that the adversary has access to the verification key but not to sample signatures. Put differently, for the named signature schemes, in the one-signature-per-message setting the signature oracle is redundant.
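As an added illustration (not code from the paper), the following Python toy DSA signer makes the abstract's "at most one signature per message" setting concrete: a repeated signing request for a message returns the signature already issued rather than a fresh one, so the signing oracle never yields a second signature on the same message. The group parameters, the nonce derivation from a secret seed, and the message-tracking policy (`OnePerMessageSigner`) are constructed assumptions for this example, not the paper's construction.

```python
import hashlib, math
def is_prime(n: int) -> bool:
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))  # fine for ~2^33

def dsa_params(q: int = 2**31 - 1):
    """Constructed toy group (not a standard one): q prime, p = k*q+1 prime, ord(g) = q."""
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p, h = k * q + 1, 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

P, Q, G = dsa_params()

def H(msg: bytes) -> int:
    """Hash into Z_q: the component the abstract models as a random oracle."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(x: int):
    return x, pow(G, x, P)  # secret key x in [1, q-1], verification key y = g^x

class OnePerMessageSigner:
    """DSA signer confined to the abstract's setting: at most one signature per
    message. A repeat request replays the stored signature instead of a new one."""
    def __init__(self, x: int, nonce_seed: bytes):
        self.x, self.seed, self.issued = x, nonce_seed, {}
    def sign(self, msg: bytes):
        if msg in self.issued:
            return self.issued[msg]
        ctr = 0
        while True:  # nonce k from a secret seed (assumed policy); retry if k, r or s is 0
            k = int.from_bytes(hashlib.sha256(self.seed + msg + bytes([ctr])).digest(), "big") % Q
            r = pow(G, k, P) % Q if k else 0
            s = pow(k, -1, Q) * (H(msg) + self.x * r) % Q if r else 0
            if r and s:
                self.issued[msg] = (r, s)
                return r, s
            ctr += 1

def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA check: (g^(H(m)/s) * y^(r/s) mod p) mod q == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return (pow(G, H(msg) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q == r
```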


Keywords: Elgamal signatures, DSA, ECDSA, GOST, SM2



The first author was supported by DFG SPP 1736 Big Data. The second author was supported in part by ERC Project ERCC (FP7/615074) and by DFG SPP 1736 Big Data. The third author was supported in part by ERC Project ERCC (FP7/615074).



Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Manuel Fersch (1)
  • Eike Kiltz (1)
  • Bertram Poettering (1, 2)
  1. Horst Görtz Institute for IT Security, Ruhr University Bochum, Bochum, Germany
  2. Information Security Group, Royal Holloway, University of London, London, UK