
Generic Groups, Collision Resistance, and ECDSA

Designs, Codes and Cryptography

Abstract

Proved here is the sufficiency of certain conditions to ensure that the Elliptic Curve Digital Signature Algorithm (ECDSA) is existentially unforgeable under adaptive chosen-message attacks. The sufficient conditions are (i) a uniformity property and collision-resistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical. Despite the similarity between DSA and ECDSA, the main result is not appropriate for DSA, because the fourth condition above seems to fail for DSA. (The corresponding necessary condition is plausible for DSA, but it is not proved here, nor is the security of DSA proved under this weaker condition.) Brickell et al. [Vol. 1751 of Lecture Notes in Computer Science, pp. 276–292], Jakobsson et al. [Vol. 1976 of Lecture Notes in Computer Science, pp. 73–89] and Pointcheval et al. [Vol. 13 of Journal of Cryptology, pp. 361–396] only consider signature schemes that include the ephemeral public key in the hash input, which ECDSA does not do, and moreover assume a condition on the hash function stronger than the first condition above. This work seems to be the first advance in the provable security of ECDSA.
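The four conditions are easiest to see against concrete code. The toy ECDSA below is an added example, not code from the paper; it uses the textbook curve y^2 = x^3 + 2x + 2 over F_17 with a generator of prime order 19 (constructed parameters, far too small for real use) and makes the conversion function f(R) = x(R) mod n explicit together with a routine that inverts it: given r, it recovers a curve point R' with f(R') = r, which is possible for ECDSA's x-coordinate map but not for DSA's r = (g^k mod p) mod q, the property of the conversion function that the fourth condition concerns.

```python
# Toy ECDSA on the textbook curve y^2 = x^3 + 2x + 2 over F_17 (prime group order n = 19), making
# the conversion function f(R) = x(R) mod n and its inverse explicit. Constructed toy parameters only.
import secrets
from hashlib import sha256

P, A, B, N = 17, 2, 2, 19
G = (5, 1)                                  # generator of prime order N
def ec_add(p1, p2):                         # affine addition; None = point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None        # R + (-R) = O
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                          # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def conv(R):                                # conversion function f (condition iv)
    return R[0] % N
def conv_inverse(r):                        # a point R' with conv(R') == r, or None
    for x in range(r, P, N):                # candidates x = r, r + N, ... below P
        rhs = (x ** 3 + A * x + B) % P
        for y in range(P):                  # brute-force square root; P is tiny
            if y * y % P == rhs: return (x, y)
    return None

def hash_msg(msg):                          # digest reduced into Z_N (condition i)
    return int.from_bytes(sha256(msg).digest(), "big") % N
def sign(d, msg):
    e = hash_msg(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1    # ephemeral key must be unpredictable (condition ii)
        r = conv(ec_mul(k, G))
        if r == 0: continue
        s = pow(k, -1, N) * (e + d * r) % N
        if s: return (r, s)

def verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    R = ec_add(ec_mul(hash_msg(msg) * w % N, G), ec_mul(r * w % N, Q))
    return R is not None and conv(R) == r
```

Because the scalar ring here is Z_19 with a 17-element field, every r is a single x-coordinate; on a real curve the candidate loop in conv_inverse would run over a few x values and each yields at most two points, so f is invertible up to a small, bounded set.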


References

  • M. Abdalla, M. Bellare and P. Rogaway, The oracle Diffie-Hellman assumptions and an analysis of DHIES, In Topics in Cryptology – CT-RSA 2001, D. Naccache (ed.), Vol. 2020 of Lecture Notes in Computer Science, Springer-Verlag (2001) pp. 143–158.

  • ANSI X9.62, Public Key Cryptography for the Financial Services Industry: the Elliptic Curve Digital Signature Algorithm (ECDSA), American National Standards Institute (1999).

  • M. Bellare, S. Goldwasser and D. Micciancio, ‘‘Pseudo-random’’ number generation within cryptographic algorithms: the DSS case, In Advances in Cryptology – EUROCRYPT ’97, W. Fumy (ed.), Vol. 1233 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 277–291.

  • M. Bellare and P. Rogaway, The exact security of digital signatures – how to sign with RSA and Rabin, In Advances in Cryptology – EUROCRYPT ’96, U. Maurer (ed.), Vol. 1070 of Lecture Notes in Computer Science, Springer-Verlag (1996) pp. 399–416.

  • M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, In First ACM Conference on Computer and Communications Security, ACM (1993) pp. 62–73.

  • I. Blake, G. Seroussi and N. Smart, Elliptic Curves in Cryptography, Cambridge University Press, Cambridge (1999).

  • S. Blake-Wilson, D. B. Johnson and A. J. Menezes, Key agreement protocols and their security analysis, In Proceedings of the 6th IMA International Conference on Cryptography and Coding, Vol. 1355 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 30–45.

  • D. Bleichenbacher, On the generation of one-time keys in DSS, Presented at the Monteverita workshop (2001).

  • D. Boneh and R. J. Lipton, Algorithms for black-box fields and their application to cryptography, In Advances in Cryptology – EUROCRYPT ’96, N. Koblitz (ed.), Vol. 1109 of Lecture Notes in Computer Science (1996) pp. 283–297.

  • D. K. Branstad and M. E. Smid, Response to comments on the NIST proposed digital signature standard, In Advances in Cryptology – EUROCRYPT ’92, E. F. Brickell (ed.), Vol. 740 of Lecture Notes in Computer Science, Springer-Verlag (1992) pp. 76–88.

  • E. Brickell, D. Pointcheval, S. Vaudenay and M. Yung, Design validations for discrete logarithm based signature schemes, In Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2000, H. Imai and Y. Zheng (eds.), Vol. 1751 of Lecture Notes in Computer Science, Springer-Verlag (2000) pp. 276–292.

  • D. R. L. Brown and D. B. Johnson, Formal security proofs for a signature scheme with partial message recovery, In Topics in Cryptology – CT-RSA 2001, D. Naccache (ed.), Vol. 2020 of Lecture Notes in Computer Science, Springer-Verlag (2001) pp. 126–142.

  • R. Canetti, O. Goldreich and S. Halevi, The random oracle methodology, revisited, In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing (1998).

  • Certicom ECC challenge, November 1997. http://www.certicom.com/resources/eccchall/challenge.html.

  • J.-S. Coron, On the exact security of full domain hash, In Advances in Cryptology – CRYPTO 2000, M. Bellare (ed.), Vol. 1880 of Lecture Notes in Computer Science, Springer-Verlag (2000) pp. 229–235.

  • R. Cramer and V. Shoup, Signature schemes based on the strong RSA assumption, ACM Transactions on Information and System Security, Vol. 3, No. 3 (2000) pp. 161–185.

  • I. B. Damgaard, Collision free hash functions and public key signature schemes, In Advances in Cryptology – EUROCRYPT ’87, D. Chaum and W. L. Price (eds.), Vol. 304 of Lecture Notes in Computer Science, Springer-Verlag (1987) pp. 203–216.

  • I. B. Damgaard, A design principle for hash functions, In Advances in Cryptology – CRYPTO ’89, G. Brassard (ed.), Vol. 435 of Lecture Notes in Computer Science, Springer-Verlag (1989) pp. 416–427.

  • B. den Boer, Diffie-Hellman is as strong as discrete log for certain primes, In Advances in Cryptology – CRYPTO ’88, S. Goldwasser (ed.), Vol. 403 of Lecture Notes in Computer Science, Springer-Verlag (1988).

  • C. Dwork and M. Naor, An efficient existentially unforgeable signature scheme and its applications, Journal of Cryptology, Vol. 11 (1998) pp. 187–208.

  • FIPS 186-2, Digital Signature Standard, National Institute of Standards and Technology (2000).

  • M. Fischlin, A note on security proofs in the generic model, In Advances in Cryptology – ASIACRYPT 2000, T. Okamoto (ed.), Vol. 1976 of Lecture Notes in Computer Science, Springer-Verlag (2000) pp. 458–469.

  • P. Flajolet and A. M. Odlyzko, Random mapping statistics, In Advances in Cryptology – EUROCRYPT ’89, J.-J. Quisquater and J. Vandewalle (eds.), Vol. 434 of Lecture Notes in Computer Science, Springer-Verlag (1989) pp. 329–354.

  • R. Gennaro, S. Halevi and T. Rabin, Secure hash-and-sign without the random oracle, In Advances in Cryptology – EUROCRYPT ’99, J. Stern (ed.), Vol. 1592 of Lecture Notes in Computer Science, Springer-Verlag (1999) pp. 123–139.

  • S. Goldwasser, S. Micali and R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal on Computing, Vol. 17, No. 2 (1998) pp. 281–308.

  • N. A. Howgrave-Graham and N. P. Smart, Lattice attacks on digital signature schemes, Designs, Codes and Cryptography, Vol. 23 (2001) pp. 283–290.

  • IEEE Std 1363-2000, Standard Specifications for Public Key Cryptography, Institute of Electrical and Electronics Engineers (2000).

  • ISO/IEC 14888-3, Information Technology – Security Techniques – Digital Signatures with Appendix – Part 3: Certificate Based Mechanisms, International Standards Organization (1998).

  • M. Jakobsson and C. P. Schnorr, Security of signed ElGamal encryption, In Advances in Cryptology – ASIACRYPT 2000, T. Okamoto (ed.), Vol. 1976 of Lecture Notes in Computer Science, Springer-Verlag (2000) pp. 73–89. Available at http://www.mi.informatik.uni-frankfurt.de/research/papers.html.

  • D. Johnson and A. Menezes, The elliptic curve digital signature algorithm (ECDSA), Technical Report CORR 99-34, Department of Combinatorics and Optimization, University of Waterloo, Waterloo (1999). Available at http://www.cacr.math.uwaterloo.ca.

  • B. S. Kaliski, A pseudo-random bit generator based on elliptic logarithms, In Advances in Cryptology – CRYPTO ’86, A. M. Odlyzko (ed.), Vol. 263 of Lecture Notes in Computer Science, Springer-Verlag (1986) pp. 84–103.

  • N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, Vol. 48 (1987) pp. 203–209.

  • N. Koblitz, Algebraic Aspects of Cryptography, Vol. 3 of Algorithms and Computation in Mathematics, Springer-Verlag (1998).

  • J. Malone-Lee, D. Pointcheval, N. P. Smart and J. Stern, Flaws in applying proof methodologies to signature schemes, In Advances in Cryptology – CRYPTO 2002, M. Yung (ed.), Vol. 2442 of Lecture Notes in Computer Science, Springer-Verlag (2002) pp. 93–110. Available at http://www.di.ens.fr/ pointche/pub.php?reference=MaPoSmSt02.

  • U. Maurer, Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms, In Advances in Cryptology – CRYPTO ’94, Y. Desmedt (ed.), Vol. 839 of Lecture Notes in Computer Science, Springer-Verlag (1994) pp. 271–281.

  • U. Maurer and S. Wolf, Lower bounds on generic algorithms in groups, In Advances in Cryptology – EUROCRYPT ’98, K. Nyberg (ed.), Vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, pp. 72–84.

  • U. Maurer and S. Wolf, The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms, SIAM Journal on Computing, Vol. 28 (1999) pp. 1689–1721.

  • A. Menezes and N. Smart, Security of signature schemes in a multi-user setting, preprint (2001).

  • A. J. Menezes, Elliptic Curve Public Key Cryptosystems, Communications and Information Theory, Kluwer Academic Press (1993).

  • A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, Discrete Mathematics and Its Applications, CRC Press, Boca Raton (1997).

  • V. S. Miller, Uses of elliptic curves in cryptography, In Advances in Cryptology – CRYPTO ’85, H. C. Williams (ed.), Vol. 218 of Lecture Notes in Computer Science, Springer-Verlag (1985) pp. 417–426.

  • V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm, Mathematical Notes, Vol. 55, No. 2 (1994) pp. 165–172.

  • P. Q. Nguyen and I. E. Shparlinski, The insecurity of the digital signature algorithm with partially known nonces, Journal of Cryptology, to appear.

  • T. Okamoto, Provably secure and practical identification schemes and corresponding signature schemes, In Advances in Cryptology – CRYPTO ’92, E. F. Brickell (ed.), Vol. 740 of Lecture Notes in Computer Science, Springer-Verlag (1992) pp. 31–53.

  • D. Pointcheval and J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology, Vol. 13, No. 3 (2000) pp. 361–396.

  • B. Preneel, The state of cryptographic hash functions, In Lectures on Data Security, I. Damgaard (ed.), Vol. 1561 of Lecture Notes in Computer Science (1999) pp. 158–182.

  • T. Schweinberger and V. Shoup, ACE: The advanced cryptographic engine, Submission to NESSIE, August 2000. Available at http://shoup.net/papers/.

  • SEC 1, Elliptic Curve Cryptography, Standards for Efficient Cryptography (2000). Available at www.secg.org.

  • V. Shoup, Lower bounds for discrete logarithms and related problems, In Advances in Cryptology – EUROCRYPT ’97, W. Fumy (ed.), Vol. 1233 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 256–266.

  • V. Shoup, A proposal for an ISO standard for public key encryption (version 2.0), September 2001. Available at http://shoup.net/papers/.

  • D. R. Simon, Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In Advances in Cryptology – EUROCRYPT ’98, K. Nyberg (ed.), Vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag (1998) pp. 334–345.

  • D. R. Stinson, Cryptography: Theory and Practice, Discrete Mathematics and Its Applications, CRC Press, Boca Raton (1995).

  • D. R. Stinson, Some observations on the theory of cryptographic hash functions, Cryptology ePrint Archive, Report 2001/020 (2001). Available at http://eprint.iacr.org/.

  • S. A. Vanstone, Responses to NIST’s proposal, Communications of the ACM, Vol. 35 (1992) pp. 50–52.

  • S. Vaudenay, Hidden collisions on DSS, In Advances in Cryptology – CRYPTO ’96, N. Koblitz (ed.), Vol. 1109 of Lecture Notes in Computer Science, Springer-Verlag (1996) pp. 83–87.

Author information

Correspondence to Daniel R. L. Brown.

Additional information

Communicated by: I. F. Blake

AMS classification: 94A60

Supported in part by a National Science and Engineering Research Council of Canada Industrial Research Fellowship.

Cite this article

Brown, D.R.L. Generic Groups, Collision Resistance, and ECDSA. Des Codes Crypt 35, 119–152 (2005). https://doi.org/10.1007/s10623-003-6154-z
