Abstract
Methods from provable security, developed over the last twenty years, have been recently extensively used to support emerging standards. However, the fact that proofs also need time to be validated through public discussion was somehow overlooked. This became clear when Shoup found that there was a gap in the widely believed security proof of OAEP against adaptive chosen-ciphertext attacks. We give more examples, showing that provable security is more subtle than it at first appears. Our examples are in the area of signature schemes: one is related to the security proof of ESIGN and the other two to the security proof of ECDSA. We found that the ESIGN proof does not hold in the usual model of security, but in a more restricted one. Concerning ECDSA, both examples are based on the concept of duplication: one shows how to manufacture ECDSA keys that allow for two distinct messages with identical signatures, a duplicate signature; the other shows that from any message-signature pair, one can derive a second signature of the same message, the malleability. The security proof provided by Brown [7] does not account for our first example while it surprisingly rules out malleability, thus offering a proof of a property, non-malleability, that the actual scheme does not possess.
The first and last examples in this paper are based on the result of an evaluation requested by the Japanese Cryptrec program and performed by this author.
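As an added illustration (not code from the paper), the ECDSA malleability named in the abstract on a toy curve: textbook ECDSA over y^2 = x^3 + 2x + 2 over F_17 with a generator of prime order 19, showing that (r, N - s) verifies whenever (r, s) does, together with the low-s canonical-form check a verifier can enforce so that each (digest, r) pair has exactly one acceptable s. The curve, key, nonce and digest values are constructed toy parameters.

```python
# Added example (not the paper's code): ECDSA malleability on a toy curve.
# y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of prime order N = 19.
P, A = 17, 2
G, N = (5, 1), 19

def inv(a, m):
    return pow(a % m, -1, m)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    res = None
    while k:
        if k & 1:
            res = add(res, pt)
        pt = add(pt, pt)
        k >>= 1
    return res

def sign(d, e, k):  # textbook ECDSA; e = digest mod N, k = per-signature nonce
    r = mul(k, G)[0] % N
    s = inv(k, N) * (e + d * r) % N
    return (r, s)

def verify(Q, e, sig):  # standard ECDSA verification, accepts both s and N - s
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    X = add(mul(e * w % N, G), mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def second_signature(sig):  # the malleability: (r, N - s) verifies whenever (r, s) does
    return (sig[0], (N - sig[1]) % N)

def verify_strict(Q, e, sig):  # hardening: only the canonical low-s form, one valid s per (e, r)
    return sig[1] <= N // 2 and verify(Q, e, sig)
```

With private key d = 3, digest e = 5 and nonce k = 4, `sign` returns (3, 13); `verify` accepts both (3, 13) and (3, 6), while `verify_strict` accepts only the low-s form (3, 6).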
References
American National Standards Institute. Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm. ANSI X9.62-1998, January 1999.
M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among Notions of Security for Public-Key Encryption Schemes. In Crypto’ 98, LNCS 1462, pages 26–45, Springer-Verlag, 1998.
M. Bellare and P. Rogaway. Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In Proc. of the 1st CCS, pages 62–73, ACM Press, 1993.
M. Bellare and P. Rogaway. Optimal Asymmetric Encryption — How to Encrypt with RSA. In Eurocrypt’ 94, LNCS 950, pages 92–111, Springer-Verlag, 1995.
E. Brickell and J. M. DeLaurentis. An Attack on a Signature Scheme proposed by Okamoto and Shiraishi. In Crypto’ 85, LNCS 218, pages 28–32, Springer-Verlag, 1986.
E. Brickell, D. Pointcheval, S. Vaudenay, and M. Yung. Design Validations for Discrete Logarithm Based Signature Schemes. In PKC’ 2000, LNCS 1751, pages 276–292, Springer-Verlag, 2000.
D. R. L. Brown. The Exact Security of ECDSA, January 2001. IEEE 1363 [16].
R. Canetti, O. Goldreich, and S. Halevi. The Random Oracles Methodology, Revisited. In Proc. of the 30th STOC, pages 209–218, ACM Press, 1998.
T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, IT-31(4):469–472, July 1985.
A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions of Identification and Signature Problems. In Crypto’ 86, LNCS 263, pages 186–194, Springer-Verlag, 1987.
E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is Secure under the RSA Assumption. In Crypto’ 2001, LNCS 2139, pages 260–274, Springer-Verlag, 2001.
S. Goldwasser, S. Micali, and C. Rackoff. The Knowledge Complexity of Interactive Proof Systems. In Proc. of the 17th STOC, pages 291–304, ACM Press, 1985.
S. Goldwasser, S. Micali, and R. Rivest. A Digital Signature Scheme Secure Against Adaptative Chosen-Message Attacks. SIAM Journal of Computing, 17(2):281–308, April 1988.
L. Granboulan. How to repair ESIGN. NESSIE internal document, May 2002. See http://www.cryptonessie.org/. Document NES/DOC/ENS/WP5/019.
IEEE P1363. Standard Specifications for Public Key Cryptography, August 1998. See http://www.grouper.ieee.org/groups/1363/.
D. Naccache, D. Pointcheval, and J. Stern. Twin Signatures: an Alternative to the Hash-and-Sign Paradigm. In Proc. of the 8th CCS, ACM Press, 2001.
M. Naor and M. Yung. Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In Proc. of the 22nd STOC, pages 427–437, ACM Press, 1990.
V. I. Nechaev. Complexity of a Determinate Algorithm for the Discrete Logarithm. Mathematical Notes, 55(2):165–172, 1994.
NIST. Digital Signature Standard (DSS). Federal Information Processing Standards Publication 186, November 1994. Revision (To include ECDSA): 186-2, January 2000.
NIST. Secure Hash Standard (SHS). Federal Information Processing Standards Publication 180-1, April 1995.
T. Okamoto, E. Fujisaki, and H. Morita. TSH-ESIGN: Efficient Digital Signature Scheme Using Trisection Size Hash, 1998. IEEE 1363 [16].
J. M. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32(143):918–924, July 1978.
C. Rackoff and D. R. Simon. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In Crypto’ 91, LNCS 576, pages 433–444, Springer-Verlag, 1992.
R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
C. P. Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3):161–174, 1991.
C. P. Schnorr and M. Jakobsson. Security of Signed ElGamal Encryption. In Asiacrypt’ 2000, LNCS 1976, pages 458–469, Springer-Verlag, 2000.
V. Shoup. Lower Bounds for Discrete Logarithms and Related Problems. In Eurocrypt’ 97, LNCS 1233, pages 256–266, Springer-Verlag, 1997.
V. Shoup. OAEP Reconsidered. In Crypto’ 2001, LNCS 2139, pages 239–259, Springer-Verlag, 2001.
B. Vallée, M. Girault, and P. Toffin. How to break Okamoto’s Cryptosystem by Reducing Lattice Bases. In Eurocrypt’ 88, LNCS 330, pages 281–292, Springer-Verlag, 1988.
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P. (2002). Flaws in Applying Proof Methodologies to Signature Schemes. In: Yung, M. (eds) Advances in Cryptology — CRYPTO 2002. CRYPTO 2002. Lecture Notes in Computer Science, vol 2442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45708-9_7
DOI: https://doi.org/10.1007/3-540-45708-9_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44050-5
Online ISBN: 978-3-540-45708-4