Cryptology ePrint Archive: Report 2017/890

On the One-Per-Message Unforgeability of (EC)DSA and its Variants

Manuel Fersch and Eike Kiltz and Bertram Poettering

Abstract: The American signature standards DSA and ECDSA, as well as their Russian and Chinese counterparts GOST 34.10 and SM2, are of utmost importance in the current security landscape. The mentioned schemes are all rooted in the Elgamal signature scheme and use a hash function and a cyclic group as building blocks. Unfortunately, authoritative security guarantees for the schemes are still due: All existing positive results on their security use aggressive idealization approaches, like the generic group model, leading to debatable overall results.

In this work we conduct security analyses for a set of classic signature schemes, including the ones mentioned above, providing positive results in the following sense: If the hash function is modeled as a random oracle, and the signer issues at most one signature per message, then the schemes are unforgeable if and only if they are key-only unforgeable, where the latter security notion captures that the adversary has access to the verification key but not to sample signatures. Put differently, for the named signature schemes, in the one-signature-per-message setting the signature oracle is redundant.

Category / Keywords: public-key cryptography / signature schemes, DSA, ECDSA

Original Publication (in the same form): IACR-TCC-2017

Date: received 13 Sep 2017, last revised 15 Sep 2017

Contact author: bertram poettering at rub de

Available format(s): PDF | BibTeX Citation

Version: 20170917:162426 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]