Paper 2017/890

On the One-Per-Message Unforgeability of (EC)DSA and its Variants

Manuel Fersch, Eike Kiltz, and Bertram Poettering


The American signature standards DSA and ECDSA, as well as their Russian and Chinese counterparts GOST 34.10 and SM2, are of utmost importance in the current security landscape. The mentioned schemes are all rooted in the Elgamal signature scheme and use a hash function and a cyclic group as building blocks. Unfortunately, authoritative security guarantees for the schemes are still due: All existing positive results on their security use aggressive idealization approaches, like the generic group model, leading to debatable overall results. In this work we conduct security analyses for a set of classic signature schemes, including the ones mentioned above, providing positive results in the following sense: If the hash function is modeled as a random oracle, and the signer issues at most one signature per message, then the schemes are unforgeable if and only if they are key-only unforgeable, where the latter security notion captures that the adversary has access to the verification key but not to sample signatures. Put differently, for the named signature schemes, in the one-signature-per-message setting the signature oracle is redundant.

Public-key cryptography
Publication info
Published by the IACR in TCC 2017
Keywords: signature schemes, DSA, ECDSA
Contact author(s)
bertram poettering @ rub de
2017-09-17: received
Creative Commons Attribution


      author = {Manuel Fersch and Eike Kiltz and Bertram Poettering},
      title = {On the One-Per-Message Unforgeability of (EC)DSA and its Variants},
      howpublished = {Cryptology ePrint Archive, Paper 2017/890},
      year = {2017},
      note = {\url{}},
      url = {}