Paper 2017/890
On the One-Per-Message Unforgeability of (EC)DSA and its Variants
Manuel Fersch, Eike Kiltz, and Bertram Poettering
Abstract
The American signature standards DSA and ECDSA, as well as their Russian and Chinese counterparts GOST 34.10 and SM2, are of utmost importance in the current security landscape. The mentioned schemes are all rooted in the Elgamal signature scheme and use a hash function and a cyclic group as building blocks. Unfortunately, authoritative security guarantees for the schemes are still due: All existing positive results on their security use aggressive idealization approaches, like the generic group model, leading to debatable overall results. In this work we conduct security analyses for a set of classic signature schemes, including the ones mentioned above, providing positive results in the following sense: If the hash function is modeled as a random oracle, and the signer issues at most one signature per message, then the schemes are unforgeable if and only if they are key-only unforgeable, where the latter security notion captures that the adversary has access to the verification key but not to sample signatures. Put differently, for the named signature schemes, in the one-signature-per-message setting the signature oracle is redundant.
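The result above is stated for a signer that releases at most one signature per message. The following is an added illustration of that setting, not code from the paper or its authors: a minimal ECDSA signer over secp256k1 whose nonce is derived deterministically from the signing key and the message digest with HMAC-SHA256 (a simplified derivation assumed for this example, not the RFC 6979 procedure), so that repeated signing queries on the same message always return the same signature and the signing oracle can never hand out two distinct signatures for one message. The curve constants are the standard secp256k1 values; the function names `keygen`, `sign`, `verify` and `one_per_message` are chosen for this example.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (standard public values): y^2 = x^3 + 7 over F_P,
# base point G of prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True for the point at infinity (None) or an affine point on the curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # P + (-P) = O
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _hash_to_int(msg):
    # The hash function the abstract models as a random oracle: SHA-256 reduced mod N.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def _nonce(d, h, counter):
    """Deterministic per-(key, message) nonce: HMAC-SHA256 keyed with d over h || counter.
    Simplification assumed for this example, NOT the RFC 6979 procedure."""
    data = h.to_bytes(32, "big") + counter.to_bytes(4, "big")
    mac = hmac.new(d.to_bytes(32, "big"), data, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N


def keygen(d=None):
    """Return (signing key d, verification key Q = d*G); d is random unless supplied."""
    if d is None:
        d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def sign(d, msg):
    """ECDSA signature (r, s). The nonce depends only on (d, H(msg)), so the same
    message always yields the same signature: at most one signature per message is
    ever released, however many times the signing oracle is queried."""
    h = _hash_to_int(msg)
    counter = 0
    while True:
        k = _nonce(d, h, counter)
        if k:
            r = _mul(k, G)[0] % N
            s = pow(k, -1, N) * (h + r * d) % N
            if r and s:
                return (r, s)
        counter += 1        # retry only in the negligible k, r or s == 0 cases


def verify(Q, msg, sig):
    """Standard ECDSA verification against the public key Q."""
    r, s = sig
    if Q is None or not on_curve(Q) or not (0 < r < N and 0 < s < N):
        return False
    h = _hash_to_int(msg)
    w = pow(s, -1, N)
    X = _add(_mul(h * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def one_per_message(d, msgs, queries=3):
    """Simulate an adversary querying the signing oracle `queries` times per message;
    return how many distinct signatures it collected for each message."""
    return {m: len({sign(d, m) for _ in range(queries)}) for m in msgs}


if __name__ == "__main__":
    d, Q = keygen()
    msg = b"constructed sample message"      # constructed input for the demo
    sig = sign(d, msg)
    print("valid:", verify(Q, msg, sig))
    print("distinct signatures per message:", one_per_message(d, [msg, b"another message"]))
```

With a randomised nonce the same oracle would answer each repeated query with a fresh signature, which is exactly the situation the abstract's one-signature-per-message restriction excludes; a memoising signer that caches the first signature per message would enforce the restriction equally well.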
Metadata
- Category
- Public-key cryptography
- Publication info
- Published by the IACR in TCC 2017
- Keywords
- signature schemes, DSA, ECDSA
- Contact author(s)
- bertram poettering @ rub de
- History
- 2017-09-17: received
- Short URL
- https://ia.cr/2017/890
- License
- CC BY
BibTeX
@misc{cryptoeprint:2017/890,
  author = {Manuel Fersch and Eike Kiltz and Bertram Poettering},
  title = {On the One-Per-Message Unforgeability of ({EC}){DSA} and its Variants},
  howpublished = {Cryptology {ePrint} Archive, Paper 2017/890},
  year = {2017},
  url = {https://eprint.iacr.org/2017/890}
}