Design Validations for Discrete Logarithm Based Signature Schemes

  • Ernest Brickell
  • David Pointcheval
  • Serge Vaudenay
  • Moti Yung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1751)

Abstract

A number of signature schemes and standards have been recently designed, based on the Discrete Logarithm problem. In this paper we conduct design validation of such schemes while trying to minimize the use of ideal hash functions. We consider several Discrete Logarithm (DSA-like) signatures abstracted as generic schemes. We show that the following holds: “if the schemes can be broken by an existential forgery using an adaptively chosen-message attack then either the discrete logarithm problem can be solved, or some hash function can be distinguished from an ideal one, or multi-collisions can be found.” Thus, for these signature schemes, either they are equivalent to the discrete logarithm problem or there is an attack that takes advantage of properties which are not desired (or expected) in strong practical hash functions (SHA-1 or whichever high quality cryptographic hash function is used). What is interesting is that the schemes we discuss include KCDSA and slight variations of DSA.

Further, since our schemes coincide with (or are extremely close to) their standard counterparts, they inherit their desirable properties: efficiency of computation and space, reliance on well-understood mathematical operations, and wide applicability to various algebraic structures. We feel that adding variants with strong validation of security is important to this family of signature schemes since, as we have experienced in the recent past, lack of such validation has led to attacks on standard schemes years after their introduction. In addition, schemes whose formal validation is made public may ease global standardization, since they neutralize much of the suspicion regarding potential knowledge gaps and unfair advantages gained by the scheme designer’s country (e.g. the NSA being the designers of DSA).

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Ernest Brickell, Intel Inc., Portland, USA
  • David Pointcheval, CNRS-LIENS, Paris, France
  • Serge Vaudenay, EPFL, Lausanne, Switzerland
  • Moti Yung, Certco, New York, USA