RKHD ElGamal signing and 1-way sums

Daniel R.  L.  Brown

Paper 2018/186

RKHD ElGamal signing and 1-way sums

Daniel R. L. Brown

Abstract

An ECDSA modification with signing equation $s = r k + h d$ has the properties that the signer avoids modular inversion and that passive universal forgery is equivalent to inverting a sum of two functions with freely independent inputs. Let $σ : s \mapsto s G$ and $ρ : R \mapsto - r R$ where $r$ is an integer representation of the point $R$ . The free sum of $ρ$ and $σ$ is $ν : (R, s) \mapsto ρ (R) + σ (s)$ . A RKHD signature $(R, s)$ verifies if and only if $ν (R, s) = h Q$ , where $h$ is the hash of the message and $Q$ is the public key. So RKHD security relies upon, among other things, the assumption that free sum $ν$ is 1-way (or unforgoable, to be precise). Other free sums are 1-way under plausible assumptions: elliptic curve discrete logs, integer factoring, and secure small-key Wegman--Carter--Shoup authentication. Yet other free sums of 1-way functions (integer-factoring based) fail to be 1-way. The ease with which these free sums arise hints at the ease determining RKHD security. RKHD signatures are very similar to ECGDSA (an elliptic curve version Agnew--Mullin--Vanstone signatures): variable- forgers of the two schemes are algorithmically equivalent. But ECGDSA requires the signer to do one modular inversion, a small implementation security risk.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: ElGamal signature
Contact author(s): danibrown @ blackberry com
History: 2018-02-20: received
Short URL: https://ia.cr/2018/186
License: CC BY

BibTeX

@misc{cryptoeprint:2018/186,
      author = {Daniel R.  L.  Brown},
      title = {{RKHD} {ElGamal} signing and 1-way sums},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/186},
      year = {2018},
      url = {https://eprint.iacr.org/2018/186}
}