On the One-Per-Message Unforgeability of (EC)DSA and Its Variants. / Fersch, Manuel; Kiltz, Eike; Poettering, Bertram.

2017. 519-534 Paper presented at TCC 2017, .

Research output: Contribution to conferencePaper

Published

Documents

Links

Abstract

The American signature standards DSA and ECDSA, as well as their Russian and Chinese counterparts GOST 34.10 and SM2, are of utmost importance in the current security landscape. The mentioned schemes are all rooted in the Elgamal signature scheme (1984) and use a hash function and a cyclic group as building blocks. Unfortunately, authoritative security guarantees for the schemes are still due: All existing positive results on their security use aggressive idealization approaches, like the generic group model, leading to debatable overall results.

In this work we conduct security analyses for a set of classic signature schemes, including the ones mentioned above, providing positive results in the following sense: If the hash function (which is instantiated with SHA1 or SHA2 in a typical DSA/ECDSA setup) is modeled as a random oracle, and the signer issues at most one signature per message, then the schemes are unforgeable if and only if they are key-only unforgeable, where the latter security notion captures that the adversary has access to the verification key but not to sample signatures. Put differently, for the named signature schemes, in the one-signature-per-message setting the signature oracle is redundant.
Original languageEnglish
Pages519-534
Number of pages16
DOIs
Publication statusPublished - 2017
EventTCC 2017 -
Duration: 12 Nov 201715 Nov 2017

Conference

ConferenceTCC 2017
Period12/11/1715/11/17
This open access research output is licenced under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

ID: 29077389