On the One-Per-Message Unforgeability of (EC)DSA and Its Variants
The American signature standards DSA and ECDSA, as well as their Russian and Chinese counterparts GOST 34.10 and SM2, are of utmost importance in the current security landscape. The mentioned schemes are all rooted in the Elgamal signature scheme (1984) and use a hash function and a cyclic group as building blocks. Unfortunately, authoritative security guarantees for these schemes are still outstanding: all existing positive results on their security rely on aggressive idealization, such as the generic group model, which leaves the overall conclusions debatable.
In this work we conduct security analyses for a set of classic signature schemes, including the ones mentioned above, providing positive results in the following sense: If the hash function (which is instantiated with SHA1 or SHA2 in a typical DSA/ECDSA setup) is modeled as a random oracle, and the signer issues at most one signature per message, then the schemes are unforgeable if and only if they are key-only unforgeable, where the latter security notion captures that the adversary has access to the verification key but not to sample signatures. Put differently, for the named signature schemes, in the one-signature-per-message setting the signature oracle is redundant.
Keywords: Elgamal signatures, DSA, ECDSA, GOST, SM2
The first author was supported by DFG SPP 1736 Big Data. The second author was supported in part by ERC Project ERCC (FP7/615074) and by DFG SPP 1736 Big Data. The third author was supported in part by ERC Project ERCC (FP7/615074).
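To make the setting of the abstract concrete, the following is an added example (not code from the paper or its authors): textbook DSA over a constructed toy group, together with a hypothetical signing oracle that issues at most one signature per message, which is the restriction under which the paper's "unforgeable iff key-only unforgeable" result applies. SHA-256 stands in for the hash function H that the analysis models as a random oracle; the parameters p = 2039, q = 1019 and the sample message are constructed for illustration and provide no security.

```python
import hashlib
import secrets

# Toy DSA domain parameters, constructed for illustration only (far too small
# for any real use): p = 2q + 1 with p, q prime, g generates the order-q subgroup.
P = 2039
Q = 1019
G = pow(2, (P - 1) // Q, P)
assert G != 1 and pow(G, Q, P) == 1


def hash_to_zq(message):
    """H(m) reduced into Z_q. SHA-256 stands in for the hash the paper idealizes."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen():
    """Return (signing key x, verification key y = g^x mod p)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def dsa_sign(x, message):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q."""
    e = hash_to_zq(message)
    while True:
        k = 1 + secrets.randbelow(Q - 1)  # fresh per-signature nonce
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (e + x * r)) % Q
        if s != 0:
            return r, s


def dsa_verify(y, message, sig):
    """Accept iff 0 < r, s < q and ((g^(e/s) * y^(r/s)) mod p) mod q == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    e = hash_to_zq(message)
    w = pow(s, -1, Q)
    v = ((pow(G, (e * w) % Q, P) * pow(y, (r * w) % Q, P)) % P) % Q
    return v == r


class OnePerMessageSigner:
    """Hypothetical signing oracle for the paper's setting: at most one
    signature per message. A repeated query returns the stored signature
    instead of a fresh one, so no message ever carries two signatures."""

    def __init__(self, x):
        self._x = x
        self._issued = {}

    def sign(self, message):
        if message not in self._issued:
            self._issued[message] = dsa_sign(self._x, message)
        return self._issued[message]

    def signatures_issued(self):
        return len(self._issued)


def demo():
    """Query the oracle twice on one message; the second call yields no new signature."""
    x, y = keygen()
    oracle = OnePerMessageSigner(x)
    m = b"constructed sample message"  # constructed input
    first = oracle.sign(m)
    second = oracle.sign(m)
    return {
        "valid": dsa_verify(y, m, first),
        "same_signature": first == second,
        "count": oracle.signatures_issued(),
        "rejects_zero_s": dsa_verify(y, m, (first[0], 0)),
    }


if __name__ == "__main__":
    print(demo())
```

The oracle memoizes rather than re-randomizes, so an adversary interacting with it never observes two distinct signatures on the same message; that is exactly the one-signature-per-message restriction under which the abstract states the signing oracle adds nothing beyond the verification key.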