
Designs, Codes and Cryptography

Volume 35, Issue 1, pp. 119–152

Generic Groups, Collision Resistance, and ECDSA

  • Daniel R. L. Brown
Article

Abstract

Proved here is the sufficiency of certain conditions to ensure that the Elliptic Curve Digital Signature Algorithm (ECDSA) is existentially unforgeable by adaptive chosen-message attacks. The sufficient conditions include (i) a uniformity property and collision-resistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical. Despite the similarity between DSA and ECDSA, the main result is not appropriate for DSA, because the fourth condition above seems to fail for DSA. (The corresponding necessary condition is plausible for DSA, but is not proved here, nor is the security of DSA proved assuming this weaker condition.) Brickell et al. [Vol. 1751 of Lecture Notes in Computer Science, pp. 276–292], Jakobsson et al. [Vol. 1976 of Lecture Notes in Computer Science, pp. 73–89] and Pointcheval et al. [Vol. 13 of Journal of Cryptology, pp. 361–396] only consider signature schemes that include the ephemeral public key in the hash input, which ECDSA does not do, and moreover assume a condition on the hash function stronger than the first condition above. This work seems to be the first advance in the provable security of ECDSA.
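Condition (iv) concerns the conversion function that maps the ephemeral public key R = kG to r = x(R) mod n. In the paper this is the requirement that the conversion be almost invertible: from r alone one can list the few candidate points R by computing modular square roots, whereas DSA's conversion k ↦ (g^k mod p) mod q has no comparable inverse. The Python below is an added illustration, not code from the paper; it uses constructed toy parameters (the textbook curve y² = x³ + x + 1 over F_23, and p = 23, q = 11, g = 2 for DSA) and hypothetical function names, and takes n to be the curve order (equal to the base-point order when the curve has prime order).

```python
def ec_points(p, a, b):
    """All affine points of y^2 = x^3 + a*x + b over F_p, by brute force (toy sizes only)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x ** 3 - a * x - b) % p == 0]

def mod_sqrt(v, p):
    """Square roots of v mod p for primes p = 3 (mod 4); [] if v is a non-residue."""
    assert p % 4 == 3, "toy helper only handles p = 3 mod 4"
    y = pow(v, (p + 1) // 4, p)
    return sorted({y, (-y) % p}) if (y * y) % p == v % p else []

def ecdsa_invert(r, p, a, b, n):
    """Every point R with x(R) mod n == r, recovered from r alone.

    Candidate x-coordinates are r, r+n, r+2n, ... below p; since n is within
    2*sqrt(p) of p (Hasse) there are at most a couple, each with at most two y.
    This is what makes ECDSA's conversion function "almost invertible".
    """
    pts, x = [], r
    while x < p:
        pts += [(x, y) for y in mod_sqrt((x ** 3 + a * x + b) % p, p)]
        x += n
    return pts

def dsa_preimages(r, p, q, g):
    """Exponents k in [1, q-1] with (g^k mod p) mod q == r.

    No shortcut analogous to ecdsa_invert exists: recovering the preimages of
    DSA's conversion means searching over k, a discrete-log-flavoured problem.
    """
    return [k for k in range(1, q) if pow(g, k, p) % q == r]

def check_ecdsa_inverse(p, a, b):
    """Cross-check ecdsa_invert against a full scan of the curve for every r.
    Returns (n, size of the largest preimage set); n = curve order (assumption)."""
    pts = ec_points(p, a, b)
    n = len(pts) + 1                     # affine points plus the point at infinity
    for r in range(n):
        scan = sorted(P for P in pts if P[0] % n == r)
        assert sorted(ecdsa_invert(r, p, a, b, n)) == scan, r
    return n, max(len(ecdsa_invert(r, p, a, b, n)) for r in range(n))

if __name__ == "__main__":
    # Constructed toy parameters: y^2 = x^3 + x + 1 over F_23 (28 points incl. infinity),
    # and DSA with p = 23, q = 11, g = 2 (2 has order 11 mod 23).
    print("ECDSA toy: (n, max preimages) =", check_ecdsa_inverse(23, 1, 1))
    print("DSA toy: preimages of r=2 ->", dsa_preimages(2, 23, 11, 2))
```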

Keywords

public key cryptography, provable security, digital signatures


References

  1. M. Abdalla, M. Bellare and P. Rogaway, The oracle Diffie-Hellman assumptions and an analysis of DHIES, In Topics in Cryptology – CT-RSA 2001, D. Naccache (ed.), Vol. 2020 of Lecture Notes in Computer Science, Springer-Verlag, (2001) pp. 143–158.
  2. ANSI X9.62, Public Key Cryptography for the Financial Services Industry: the Elliptic Curve Digital Signature Algorithm (ECDSA), American National Standards Institute, (1999).
  3. M. Bellare, S. Goldwasser and D. Micciancio, “Pseudo-Random” number generation within cryptographic algorithms: The DSS case, In Advances in Cryptology – EUROCRYPT ’97, W. Fumy (ed.), Vol. 1233 of Lecture Notes in Computer Science, Springer-Verlag, (1997) pp. 277–291.
  4. M. Bellare and P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, In Advances in Cryptology – EUROCRYPT ’96, U. Maurer (ed.), Vol. 1070 of Lecture Notes in Computer Science, Springer-Verlag, (1996) pp. 399–416.
  5. M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, In First ACM Conference on Computer and Communications Security, ACM, (1993) pp. 62–73.
  6. I. Blake, G. Seroussi and N. Smart, Elliptic Curves in Cryptography, Vol. 265 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge, (1999).
  7. S. Blake-Wilson, D. B. Johnson and A. J. Menezes, Key agreement protocols and their security analysis, In Proceedings of the 6th IMA International Conference on Cryptography and Coding, Vol. 1355 of Lecture Notes in Computer Science, Springer-Verlag, (1997) pp. 30–45.
  8. D. Bleichenbacher, On the generation of one-time keys in DSS, Presented at the Monteverita workshop, (2001).
  9. D. Boneh and R. J. Lipton, Algorithms for black-box fields and their application to cryptography, In Advances in Cryptology – EUROCRYPT ’96, N. Koblitz (ed.), Vol. 1109 of Lecture Notes in Computer Science, (1996) pp. 283–297.
  10. D. K. Branstad and M. E. Smid, Response to comments on the NIST proposed digital signature standard, In Advances in Cryptology – EUROCRYPT ’92, E. F. Brickell (ed.), Vol. 740 of Lecture Notes in Computer Science, Springer-Verlag, (1992) pp. 76–88.
  11. E. F. Brickell, D. Pointcheval, S. Vaudenay and M. Yung, Design validations for discrete logarithm based signature schemes, In Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2000, H. Imai and Y. Zheng (eds.), Vol. 1751 of Lecture Notes in Computer Science, Springer-Verlag, (2000) pp. 276–292.
  12. D. R. L. Brown and D. B. Johnson, Formal security proofs for a signature scheme with partial message recovery, In Topics in Cryptology – CT-RSA 2001, D. Naccache (ed.), Vol. 2020 of Lecture Notes in Computer Science, Springer-Verlag, (2001) pp. 126–142.
  13. R. Canetti, O. Goldreich and S. Halevi, The random oracle methodology, revisited, In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing, (1998).
  14. Certicom ECC challenge, November 1997. http://www.certicom.com/resources/eccchall/challenge.html.
  15. J.-S. Coron, On the exact security of full domain hash, In Advances in Cryptology – CRYPTO 2000, M. Bellare (ed.), Vol. 1880 of Lecture Notes in Computer Science, Springer-Verlag, (2000) pp. 229–235.
  16. R. Cramer and V. Shoup, Signature schemes based on the strong RSA assumption, ACM Transactions on Information and System Security, Vol. 3 (2000) pp. 161–185. Extended abstract available at http://www.shoup.net/papers.
  17. I. B. Damgaard, Collision free hash functions and public key signature schemes, In Advances in Cryptology – EUROCRYPT ’87, D. Chaum and W. L. Price (eds.), Vol. 304 of Lecture Notes in Computer Science, Springer-Verlag, (1987) pp. 203–216.
  18. I. B. Damgaard, A design principle for hash functions, In Advances in Cryptology – CRYPTO ’89, G. Brassard (ed.), Vol. 435 of Lecture Notes in Computer Science, Springer-Verlag, (1989) pp. 416–427.
  19. B. den Boer, Diffie-Hellman is as strong as discrete log for certain primes, In Advances in Cryptology – CRYPTO ’88, S. Goldwasser (ed.), Vol. 403 of Lecture Notes in Computer Science, Springer-Verlag, (1988).
  20. C. Dwork and M. Naor, An efficient existentially unforgeable signature scheme and its applications, Journal of Cryptology, Vol. 11 (1998) pp. 187–208.
  21. FIPS 186-2, Digital Signature Standard, National Institute of Standards and Technology, (2000).
  22. M. Fischlin, A note on security proofs in the generic model, In Advances in Cryptology – ASIACRYPT 2000, T. Okamoto (ed.), Vol. 1976 of Lecture Notes in Computer Science, Springer-Verlag, (2000) pp. 458–469.
  23. P. Flajolet and A. M. Odlyzko, Random mapping statistics, In Advances in Cryptology – EUROCRYPT ’89, J.-J. Quisquater and J. Vandewalle (eds.), Vol. 434 of Lecture Notes in Computer Science, Springer-Verlag, (1989) pp. 329–354.
  24. R. Gennaro, S. Halevi and T. Rabin, Secure hash-and-sign without the random oracle, In Advances in Cryptology – EUROCRYPT ’99, J. Stern (ed.), Vol. 1592 of Lecture Notes in Computer Science, Springer-Verlag, (1999) pp. 123–139.
  25. S. Goldwasser, S. Micali and R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal on Computing, Vol. 17 (1998) pp. 281–308.
  26. N. A. Howgrave-Graham and N. P. Smart, Lattice attacks on digital signature schemes, Designs, Codes and Cryptography, Vol. 23 (2001) pp. 283–290.
  27. IEEE Std 1363-2000, Standard Specifications for Public Key Cryptography, Institute of Electrical and Electronics Engineers, (2000).
  28. ISO/IEC 14888-3, Information Technology – Security Techniques – Digital Signatures with Appendix – Part 3: Certificate Based Mechanisms, International Standards Organization, (1998).
  29. M. Jakobsson and C. P. Schnorr, Security of signed ElGamal encryption, In Advances in Cryptology – ASIACRYPT 2000, T. Okamoto (ed.), Vol. 1976 of Lecture Notes in Computer Science, Springer-Verlag, (2000) pp. 73–89. Available at http://www.mi.informatik.uni-frankfurt.de/research/papers.html.
  30. D. Johnson and A. Menezes, The elliptic curve digital signature algorithm (ECDSA), Technical Report CORR 99-34, Department of Combinatorics and Optimization, University of Waterloo, Waterloo, (1999). Available at http://www.cacr.math.uwaterloo.ca.
  31. B. S. Kaliski, A pseudo-random bit generator based on elliptic logarithms, In Advances in Cryptology – CRYPTO ’86, A. M. Odlyzko (ed.), Vol. 263 of Lecture Notes in Computer Science, Springer-Verlag, (1986) pp. 84–103.
  32. N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, Vol. 48 (1987) pp. 203–209.
  33. N. Koblitz, Algebraic Aspects of Cryptography, Vol. 3 of Algorithms and Computation in Mathematics, Springer-Verlag, (1998).
  34. J. Malone-Lee, D. Pointcheval, N. P. Smart and J. Stern, Flaws in applying proof methodologies to signature schemes, In Advances in Cryptology – CRYPTO 2002, M. Yung (ed.), Vol. 2442 of Lecture Notes in Computer Science, Springer-Verlag, (2002) pp. 93–110. Available at http://www.di.ens.fr/ pointche/pub.php?reference=MaPoSmSt02.
  35. U. Maurer, Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms, In Advances in Cryptology – CRYPTO ’94, Y. Desmedt (ed.), Vol. 839 of Lecture Notes in Computer Science, Springer-Verlag, (1994) pp. 271–281.
  36. U. Maurer and S. Wolf, Lower bounds on generic algorithms in groups, In Advances in Cryptology – EUROCRYPT ’98, K. Nyberg (ed.), Vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, pp. 72–84.
  37. U. Maurer and S. Wolf, The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms, SIAM Journal on Computing, Vol. 28 (1999) pp. 1689–1721.
  38. A. Menezes and N. Smart, Security of signature schemes in a multi-user setting, preprint, (2001).
  39. A. J. Menezes, Elliptic Curve Public Key Cryptosystems, Communications and Information Theory, Kluwer Academic Press, (1993).
  40. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, Discrete Mathematics and Its Applications, CRC Press, Boca Raton, (1997).
  41. V. S. Miller, Uses of elliptic curves in cryptography, In Advances in Cryptology – CRYPTO ’85, H. C. Williams (ed.), Vol. 218 of Lecture Notes in Computer Science, Springer-Verlag, (1985) pp. 417–426.
  42. V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm, Mathematical Notes, Vol. 55 (1994) pp. 165–172.
  43. P. Q. Nguyen and I. E. Shparlinski, The insecurity of the digital signature algorithm with partially known nonces, Journal of Cryptology, to appear.
  44. T. Okamoto, Provably secure and practical identification schemes and corresponding signature schemes, In Advances in Cryptology – CRYPTO ’92, E. F. Brickell (ed.), Vol. 740 of Lecture Notes in Computer Science, Springer-Verlag, (1992) pp. 31–53.
  45. D. Pointcheval and J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology, Vol. 13 (2000) pp. 361–396.
  46. B. Preneel, The state of cryptographic hash functions, In Lectures on Data Security, I. Damgaard (ed.), Vol. 1561 of Lecture Notes in Computer Science, (1999) pp. 158–182.
  47. T. Schweinberger and V. Shoup, ACE: The advanced cryptographic engine, Submission to NESSIE, Aug. 2000. Available at http://shoup.net/papers/.
  48. SEC 1, Elliptic Curve Cryptography, Standards for Efficient Cryptography, (2000). Available at www.secg.org.
  49. V. Shoup, Lower bounds for discrete logarithms and related problems, In Advances in Cryptology – EUROCRYPT ’97, W. Fumy (ed.), Vol. 1233 of Lecture Notes in Computer Science, Springer-Verlag, (1997) pp. 256–266.
  50. V. Shoup, A proposal for an ISO standard for public key encryption (version 2.0), Sept. 2001. Available at http://shoup.net/papers/.
  51. D. R. Simon, Finding collisions on a one-way street: Can secure hash functions be based on general assumptions? In Advances in Cryptology – EUROCRYPT ’98, K. Nyberg (ed.), Vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, (1998) pp. 334–345.
  52. D. R. Stinson, Cryptography: Theory and Practice, Discrete Mathematics and Its Applications, CRC Press, Boca Raton, (1995).
  53. D. R. Stinson, Some observations on the theory of cryptographic hash functions, Cryptology ePrint Archive, Report 2001/020, (2001). Available at http://eprint.iacr.org/.
  54. S. A. Vanstone, Responses to NIST’s proposal, Communications of the ACM, Vol. 35 (1992) pp. 50–52.
  55. S. Vaudenay, Hidden collisions on DSS, In Advances in Cryptology – CRYPTO ’96, N. Koblitz (ed.), Vol. 1109 of Lecture Notes in Computer Science, Springer-Verlag, (1996) pp. 83–87.

Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  1. Certicom Research, Canada
