# Generic Groups, Collision Resistance, and ECDSA

## Abstract

Proved here is the sufficiency of certain conditions to ensure that the Elliptic Curve Digital Signature Algorithm (ECDSA) is existentially unforgeable under adaptive chosen-message attacks. The sufficient conditions include (i) a uniformity property and collision resistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical. Despite the similarity between DSA and ECDSA, the main result is not appropriate for DSA, because the fourth condition above seems to fail for DSA. (The corresponding necessary condition is plausible for DSA, but it is not proved here, nor is the security of DSA proved under this weaker condition.) Brickell et al. [Vol. 1751 of *Lecture Notes in Computer Science*, pp. 276--292], Jakobsson et al. [Vol. 1976 of *Lecture Notes in Computer Science*, pp. 73--89] and Pointcheval et al. [Vol. 13 of *Journal of Cryptology*, pp. 361--396] only consider signature schemes that include the ephemeral public key in the hash input, which ECDSA does not do, and moreover assume a condition on the hash function stronger than the first condition above. This work seems to be the first advance in the provable security of ECDSA.
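To make the four ingredients named above concrete, here is a constructed toy instance of ECDSA (added for illustration; it is not code from the paper). The curve, base point, private key and ephemeral keys are small values chosen for readability, and the hash is SHA-256 reduced mod n; the point of interest is the conversion function `conv`, which is the mapping of condition (iv), and `same_hash_message`, which shows at toy scale why condition (i) is needed.

```python
# Constructed toy ECDSA over y^2 = x^3 + 2x + 2 (mod 17), base point G = (5, 1) of prime
# order n = 19; hash H (i), ephemeral key k (ii), group law (iii), conversion f = x(R) mod n (iv).
import hashlib
P, A, N = 17, 2, 19      # field prime, curve coefficient a, order of G
G, INF = (5, 1), None    # base point, point at infinity (group identity)

def add(p1, p2):
    """Affine point addition on the curve; INF is the identity."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF        # p1 == -p2
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(msg):  # hash into Z_n; condition (i) asks this to be uniform and collision resistant
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def conv(R):  # conversion function f of condition (iv): x-coordinate of R reduced mod n
    return R[0] % N

def sign(d, msg, k):
    """ECDSA: r = f(k*G), s = k^-1 (H(m) + d*r) mod n; None if r or s is 0 (pick a new k)."""
    r = conv(mul(k, G))
    s = pow(k, -1, N) * (H(msg) + d * r) % N
    return (r, s) if r and s else None

def verify(Q, msg, sig):
    """Accept iff f(u1*G + u2*Q) == r with u1 = H(m)/s and u2 = r/s (mod n)."""
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    X = add(mul(H(msg) * w % N, G), mul(r * w % N, Q))
    return X is not INF and conv(X) == r

def same_hash_message(msg):
    """Toy view of condition (i): the verifier sees only H(m), so a message with the same
    hash inherits every signature on m (easy to find here only because n = 19)."""
    i = next(i for i in range(10 ** 6) if H(msg + b"#%d" % i) == H(msg))
    return msg + b"#%d" % i
```

Because 7*G has x-coordinate 0, `sign` returns None for k = 7 and the signer must draw a fresh ephemeral key, which is the retry step the standard prescribes.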

## Keywords

public key cryptography, provable security, digital signatures

## References

- M. Abdalla, M. Bellare and P. Rogaway, The oracle Diffie-Hellman assumptions and an analysis of DHIES, In Topics in Cryptology – CT-RSA 2001, D. Naccache (ed.), Vol. 2020 of Lecture Notes in Computer Science, Springer-Verlag, (2001) pp. 143–158.
- ANSI X9.62, Public Key Cryptography for the Financial Services Industry: the Elliptic Curve Digital Signature Algorithm (ECDSA), American National Standards Institute, (1999).
- M. Bellare, S. Goldwasser and D. Micciancio, "Pseudo-random" number generation within cryptographic algorithms: The DSS case, In Advances in Cryptology – EUROCRYPT '97, W. Fumy (ed.), Vol. 1233 of Lecture Notes in Computer Science, Springer-Verlag, (1997) pp. 277–291.
- M. Bellare and P. Rogaway, The exact security of digital signatures – how to sign with RSA and Rabin, In Advances in Cryptology – EUROCRYPT '96, U. Maurer (ed.), Vol. 1070 of Lecture Notes in Computer Science, Springer-Verlag, (1996) pp. 399–416.
- M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, In First ACM Conference on Computer and Communications Security, ACM, (1993) pp. 62–73.
- I. Blake, G. Seroussi and N. Smart, Elliptic Curves in Cryptography, Vol. 265 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge, (1999).
- S. Blake-Wilson, D. B. Johnson and A. J. Menezes, Key agreement protocols and their security analysis, In Proceedings of the 6th IMA International Conference on Cryptography and Coding, Vol. 1355 of Lecture Notes in Computer Science, Springer-Verlag, (1997) pp. 30–45.
- D. Bleichenbacher, On the generation of one-time keys in DSS, Presented at the Monte Verità workshop, (2001).
- D. Boneh and R. J. Lipton, Algorithms for black-box fields and their application to cryptography, In Advances in Cryptology – EUROCRYPT '96, N. Koblitz (ed.), Vol. 1109 of Lecture Notes in Computer Science, Springer-Verlag, (1996) pp. 283–297.
- D. K. Branstad and M. E. Smid, Response to comments on the NIST proposed digital signature standard, In Advances in Cryptology – EUROCRYPT '92, E. F. Brickell (ed.), Vol. 740 of Lecture Notes in Computer Science, Springer-Verlag, (1992) pp. 76–88.
- E. F. Brickell, D. Pointcheval, S. Vaudenay and M. Yung, Design validations for discrete logarithm based signature schemes, In Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2000, H. Imai and Y. Zheng (eds.), Vol. 1751 of Lecture Notes in Computer Science, Springer-Verlag, (2000) pp. 276–292.
- D. R. L. Brown and D. B. Johnson, Formal security proofs for a signature scheme with partial message recovery, In Topics in Cryptology – CT-RSA 2001, D. Naccache (ed.), Vol. 2020 of Lecture Notes in Computer Science, Springer-Verlag, (2001) pp. 126–142.
- R. Canetti, O. Goldreich and S. Halevi, The random oracle methodology, revisited, In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing, (1998).
- Certicom ECC challenge, November 1997. http://www.certicom.com/resources/eccchall/challenge.html
- J.-S. Coron, On the exact security of full domain hash, In Advances in Cryptology – CRYPTO 2000, M. Bellare (ed.), Vol. 1880 of Lecture Notes in Computer Science, Springer-Verlag, (2000) pp. 229–235.
- R. Cramer and V. Shoup, Signature schemes based on the strong RSA assumption, ACM Transactions on Information and System Security, Vol. 3, (2000) pp. 161–185. Extended abstract available at http://www.shoup.net/papers.
- I. B. Damgaard, Collision free hash functions and public key signature schemes, In Advances in Cryptology – EUROCRYPT '87, D. Chaum and W. L. Price (eds.), Vol. 304 of Lecture Notes in Computer Science, Springer-Verlag, (1987) pp. 203–216.
- I. B. Damgaard, A design principle for hash functions, In Advances in Cryptology – CRYPTO '89, G. Brassard (ed.), Vol. 435 of Lecture Notes in Computer Science, Springer-Verlag, (1989) pp. 416–427.
- B. den Boer, Diffie-Hellman is as strong as discrete log for certain primes, In Advances in Cryptology – CRYPTO '88, S. Goldwasser (ed.), Vol. 403 of Lecture Notes in Computer Science, Springer-Verlag, (1988).
- C. Dwork and M. Naor, An efficient existentially unforgeable signature scheme and its applications, Journal of Cryptology, Vol. 11, (1998) pp. 187–208.
- FIPS 186-2, Digital Signature Standard, National Institute of Standards and Technology, (2000).
- M. Fischlin, A note on security proofs in the generic model, In Advances in Cryptology – ASIACRYPT 2000, T. Okamoto (ed.), Vol. 1976 of Lecture Notes in Computer Science, Springer-Verlag, (2000) pp. 458–469.
- P. Flajolet and A. M. Odlyzko, Random mapping statistics, In Advances in Cryptology – EUROCRYPT '89, J.-J. Quisquater and J. Vandewalle (eds.), Vol. 434 of Lecture Notes in Computer Science, Springer-Verlag, (1989) pp. 329–354.
- R. Gennaro, S. Halevi and T. Rabin, Secure hash-and-sign without the random oracle, In Advances in Cryptology – EUROCRYPT '99, J. Stern (ed.), Vol. 1592 of Lecture Notes in Computer Science, Springer-Verlag, (1999) pp. 123–139.
- S. Goldwasser, S. Micali and R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal on Computing, Vol. 17, (1998) pp. 281–308.
- N. A. Howgrave-Graham and N. P. Smart, Lattice attacks on digital signature schemes, Designs, Codes and Cryptography, Vol. 23, (2001) pp. 283–290.
- IEEE Std 1363-2000, Standard Specifications for Public Key Cryptography, Institute of Electrical and Electronics Engineers, (2000).
- ISO/IEC 14888-3, Information Technology – Security Techniques – Digital Signatures with Appendix – Part 3: Certificate Based Mechanisms, International Standards Organization, (1998).
- M. Jakobsson and C. P. Schnorr, Security of signed ElGamal encryption, In Advances in Cryptology – ASIACRYPT 2000, T. Okamoto (ed.), Vol. 1976 of Lecture Notes in Computer Science, Springer-Verlag, (2000) pp. 73–89. Available at http://www.mi.informatik.uni-frankfurt.de/research/papers.html.
- D. Johnson and A. Menezes, The elliptic curve digital signature algorithm (ECDSA), Technical Report CORR 99-34, Department of Combinatorics and Optimization, University of Waterloo, Waterloo, (1999). Available at http://www.cacr.math.uwaterloo.ca.
- B. S. Kaliski, A pseudo-random bit generator based on elliptic logarithms, In Advances in Cryptology – CRYPTO '86, A. M. Odlyzko (ed.), Vol. 263 of Lecture Notes in Computer Science, Springer-Verlag, (1986) pp. 84–103.
- N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, Vol. 48, (1987) pp. 203–209.
- N. Koblitz, Algebraic Aspects of Cryptography, Vol. 3 of Algorithms and Computation in Mathematics, Springer-Verlag, (1998).
- J. Malone-Lee, D. Pointcheval, N. P. Smart and J. Stern, Flaws in applying proof methodologies to signature schemes, In Advances in Cryptology – CRYPTO 2002, M. Yung (ed.), Vol. 2442 of Lecture Notes in Computer Science, Springer-Verlag, (2002) pp. 93–110. Available at http://www.di.ens.fr/ pointche/pub.php?reference=MaPoSmSt02.
- U. Maurer, Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms, In Advances in Cryptology – CRYPTO '94, Y. Desmedt (ed.), Vol. 839 of Lecture Notes in Computer Science, Springer-Verlag, (1994) pp. 271–281.
- U. Maurer and S. Wolf, Lower bounds on generic algorithms in groups, In Advances in Cryptology – EUROCRYPT '98, K. Nyberg (ed.), Vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, pp. 72–84.
- U. Maurer and S. Wolf, The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms, SIAM Journal on Computing, Vol. 28, (1999) pp. 1689–1721.
- A. Menezes and N. Smart, Security of signature schemes in a multi-user setting, preprint, (2001).
- A. J. Menezes, Elliptic Curve Public Key Cryptosystems, Communications and Information Theory, Kluwer Academic Press, (1993).
- A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, Discrete Mathematics and Its Applications, CRC Press, Boca Raton, (1997).
- V. S. Miller, Uses of elliptic curves in cryptography, In Advances in Cryptology – CRYPTO '85, H. C. Williams (ed.), Vol. 218 of Lecture Notes in Computer Science, Springer-Verlag, (1985) pp. 417–426.
- V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm, Mathematical Notes, Vol. 55, (1994) pp. 165–172.
- P. Q. Nguyen and I. E. Shparlinski, The insecurity of the digital signature algorithm with partially known nonces, Journal of Cryptology, to appear.
- T. Okamoto, Provably secure and practical identification schemes and corresponding signature schemes, In Advances in Cryptology – CRYPTO '92, E. F. Brickell (ed.), Vol. 740 of Lecture Notes in Computer Science, Springer-Verlag, (1992) pp. 31–53.
- D. Pointcheval and J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology, Vol. 13, (2000) pp. 361–396.
- B. Preneel, The state of cryptographic hash functions, In Lectures on Data Security, I. Damgaard (ed.), Vol. 1561 of Lecture Notes in Computer Science, Springer-Verlag, (1999) pp. 158–182.
- T. Schweinberger and V. Shoup, ACE: The advanced cryptographic engine, Submission to NESSIE, August 2000. Available at http://shoup.net/papers/.
- SEC 1, Elliptic Curve Cryptography, Standards for Efficient Cryptography, (2000). Available at www.secg.org.
- V. Shoup, Lower bounds for discrete logarithms and related problems, In Advances in Cryptology – EUROCRYPT '97, W. Fumy (ed.), Vol. 1233 of Lecture Notes in Computer Science, Springer-Verlag, (1997) pp. 256–266.
- V. Shoup, A proposal for an ISO standard for public key encryption (version 2.0), September 2001. Available at http://shoup.net/papers/.
- D. R. Simon, Finding collisions on a one-way street: Can secure hash functions be based on general assumptions? In Advances in Cryptology – EUROCRYPT '98, K. Nyberg (ed.), Vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, (1998) pp. 334–345.
- D. R. Stinson, Cryptography: Theory and Practice, Discrete Mathematics and Its Applications, CRC Press, Boca Raton, (1995).
- D. R. Stinson, Some observations on the theory of cryptographic hash functions, Cryptology ePrint Archive, Report 2001/020, (2001). Available at http://eprint.iacr.org/.
- S. A. Vanstone, Responses to NIST's proposal, Communications of the ACM, Vol. 35, (1992) pp. 50–52.
- S. Vaudenay, Hidden collisions on DSS, In Advances in Cryptology – CRYPTO '96, N. Koblitz (ed.), Vol. 1109 of Lecture Notes in Computer Science, Springer-Verlag, (1996) pp. 83–87.