Paper 2002/129

Key-collisions in (EC)DSA: Attacking Non-repudiation

Tomas Rosa

Abstract

A new kind of attack on the non-repudiation property of digital signature schemes is presented. We introduce a notion of key-collisions, which may allow an attacker to claim that the message (presented to a judge) has been signed by someone else. We show how to compute key-collisions for the DSA and ECDSA signature schemes effectively. The main idea of these attacks has been inspired by the well-known notion of message-collisions, where an attacker claims that the signature presented at the court belongs to a different message. Both of these collision-based attacks significantly weaken the non-repudiation property of signature schemes. Moreover, they weaken the non-repudiation of protocols based on these schemes. It is shown that key-collision resistance of the (EC)DSA schemes requires the incorporation of a mechanism ensuring honest generation of (EC)DSA instances. The usage of such a mechanism shall be verifiable by an independent third party without revealing any secret information. We propose and discuss basic general countermeasures against key-collision attacks on the (EC)DSA schemes.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Paper supports a talk given at CRYPTO 2002 Rump Session (was: On Key-collisions in (EC)DSA Schemes)
Keywords
digital signaturesnon-repudiation
Contact author(s)
t_rosa @ volny cz
History
2004-01-10: last of 2 revisions
2002-08-26: received
See all versions
Short URL
https://ia.cr/2002/129
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2002/129,
      author = {Tomas Rosa},
      title = {Key-collisions in ({EC}){DSA}: Attacking Non-repudiation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2002/129},
      year = {2002},
      url = {https://eprint.iacr.org/2002/129}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.