## Flaws in Applying Proof Methodologies to Signature Schemes (2002)

Venue: Advances in Cryptology, CRYPTO'02, Santa Barbara, Lecture Notes in Computer Science 2442

Citations: 24 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Stern02flawsin,
  author    = {Jacques Stern and David Pointcheval and John Malone-Lee and Nigel P. Smart},
  title     = {Flaws in Applying Proof Methodologies to Signature Schemes},
  booktitle = {Advances in Cryptology, CRYPTO'02, Santa Barbara, Lecture Notes in Computer Science 2442},
  year      = {2002},
  pages     = {93--110},
  publisher = {Springer-Verlag}
}
```

### Abstract

Methods from provable security, developed over the last twenty years, have recently been used extensively to support emerging standards. However, the fact that proofs also need time to be validated through public discussion was somehow overlooked. This became clear when Shoup found a gap in the widely believed security proof of OAEP against adaptive chosen-ciphertext attacks. We give more examples, showing that provable security is more subtle than it first appears. Our examples are in the area of signature schemes: one is related to the security proof of ESIGN and the other two to the security proof of ECDSA. We found that the ESIGN proof does not hold in the usual model of security, but only in a more restricted one. Concerning ECDSA, both examples are based on the concept of duplication: one shows how to manufacture ECDSA keys that allow two distinct messages to have identical signatures (a duplicate signature); the other shows that from any message-signature pair one can derive a second signature on the same message (malleability). The security proof provided by Brown [7] does not account for our first example, while it surprisingly rules out malleability, thus offering a proof of a property, non-malleability, that the actual scheme does not possess.

### Citations

- **Rivest, Shamir, et al. (1978).** A method for obtaining digital signatures and public-key cryptosystems. (2896 citations)
  Context: ...e returning a random answer for each new query. A reduction still uses an adversary as a subroutine of a program that contradicts a mathematical assumption, such as the assumption that RSA is one-way [25]. However, probabilities are taken not only over coin tosses but also over the random oracle. Of course, the significance of proofs carried in the random oracle is debatable. Hash functions are determ...

- **Bellare, Rogaway (1993).** Random oracles are practical: A paradigm for designing efficient protocols. (1330 citations)
  Context: ...n that allow such a proof. The next step is to hope for a proof in a non-standard computational model, as proposed by Bellare and Rogaway [3], following an earlier suggestion by Fiat and Shamir [11]. In this model, called the random oracle model, concrete objects such as hash functions are treated as random objects. This allows one to carr...

- **El-Gamal (1985).** A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. (1110 citations)
  Context: ...oof to deal with the stronger CMA model. 4 Duplicates in ECDSA. Let us now turn to the ECDSA signature scheme, on which we give two more examples. 4.1 Description of ECDSA. The ElGamal signature scheme [10] appeared in 1985 as the first DL-based signature scheme. In 1989, using the Fiat and Shamir heuristic [11] based on fair zero-knowledge [13], Schnorr provided a zero-knowledge identification scheme [2...

- **Goldwasser, Micali, et al. (1989).** The Knowledge Complexity of Interactive Proof Systems. (1032 citations)
  Context: ...ples. 4.1 Description of ECDSA. The ElGamal signature scheme [10] appeared in 1985 as the first DL-based signature scheme. In 1989, using the Fiat and Shamir heuristic [11] based on fair zero-knowledge [13], Schnorr provided a zero-knowledge identification scheme [26], together with the corresponding signature scheme. In 1994, a digital signature standard DSA [20] was proposed, whose flavor was a mixtur...

- **Goldwasser, Micali, et al. (1988).** A digital signature scheme secure against adaptive chosen-message attacks. (830 citations)
  Context: ...on alone, in the random oracle model. Since the more general result could not hold, a different argument based on specific properties of the RSA function had to be used. Goldwasser, Micali and Rivest [14] introduced the notion of existential forgery against adaptive chosen-message attacks for public key signature schemes. This notion has become the de facto security definition for digital signature al...

- **Fiat, Shamir (1986).** How to prove yourself: practical solutions to identification and signature problems. (829 citations)
  Context: ...The next step is to hope for a proof in a non-standard computational model, as proposed by Bellare and Rogaway [3], following an earlier suggestion by Fiat and Shamir [11]. In this model, called the random oracle model, concrete objects such as hash functions are treated as random objects. This allows one to carry through the usual reduction arguments to the context of...

- **Schnorr (1991).** Efficient signature generation by smart cards. (579 citations)
  Context: ...0] appeared in 1985 as the first DL-based signature scheme. In 1989, using the Fiat and Shamir heuristic [11] based on fair zero-knowledge [13], Schnorr provided a zero-knowledge identification scheme [26], together with the corresponding signature scheme. In 1994, a digital signature standard DSA [20] was proposed, whose flavor was a mixture of ElGamal and Schnorr. The standard was later adapted to th...

- **Bellare, Desai, et al. (1998).** Relations among notions of security for public-key encryption schemes. (448 citations)
  Context: ...n a relativized model of computation, he showed that, presumably, OAEP could not be proven secure from the one-wayness of the underlying trapdoor permutation. A closer look at the literature, notably [4, 2], showed that the security proof was actually valid in a weaker security model, namely against indifferent chosen-ciphertext attacks (IND-CCA1), also called lunchtime attacks [18], and not in the full ...

- **Rackoff, Simon (1992).** Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. (339 citations)
  Context: ...roof was actually valid in a weaker security model, namely against indifferent chosen-ciphertext attacks (IND-CCA1), also called lunchtime attacks [18], and not in the full (IND-CCA2) adaptive setting [24]. This came as a shock, even though Fujisaki, Okamoto, Pointcheval and Stern [12] were quickly able to establish that the security of RSA–OAEP could actually be proven under the RSA assumption alone, ...

- **Naor, Yung (1990).** Public-key cryptosystems provably secure against chosen ciphertext attacks. (249 citations)
  Context: ...literature, notably [4, 2], showed that the security proof was actually valid in a weaker security model, namely against indifferent chosen-ciphertext attacks (IND-CCA1), also called lunchtime attacks [18], and not in the full (IND-CCA2) adaptive setting [24]. This came as a shock, even though Fujisaki, Okamoto, Pointcheval and Stern [12] were quickly able to establish that the security of RSA–OAEP cou...

- **Canetti, Goldreich, et al.** The random oracle methodology, revisited. (243 citations)

- **Pollard (1978).** Monte Carlo methods for index computation (mod p). (230 citations)

- **Shoup (1997).** Lower bounds for discrete logarithms and related problems. (220 citations)
  Context: ...alled black-box group model, or generic model [27, 7, 17]. In particular, paper [7] considered the security of ECDSA in this model. Generic algorithms had been earlier introduced by Nechaev and Shoup [19, 28] to encompass group algorithms that do not exploit any special property of the encodings of group elements other than the property that each group element is encoded by a unique string. Typically, alg...

- **Bellare, Rogaway (1994).** Optimal Asymmetric Encryption: How to Encrypt with RSA. (204 citations)
  Context: ...n a relativized model of computation, he showed that, presumably, OAEP could not be proven secure from the one-wayness of the underlying trapdoor permutation. A closer look at the literature, notably [4, 2], showed that the security proof was actually valid in a weaker security model, namely against indifferent chosen-ciphertext attacks (IND-CCA1), also called lunchtime attacks [18], and not in the full ...

- **Fujisaki, Okamoto, et al.** RSA-OAEP is secure under the RSA assumption. (128 citations)
  Context: ...osen-ciphertext attacks (IND-CCA1), also called lunchtime attacks [18], and not in the full (IND-CCA2) adaptive setting [24]. This came as a shock, even though Fujisaki, Okamoto, Pointcheval and Stern [12] were quickly able to establish that the security of RSA–OAEP could actually be proven under the RSA assumption alone, in the random oracle model. Since the more general result could not hold, a diffe...

- **Shoup (2001).** OAEP Reconsidered. (96 citations)
  Context: ...f cryptography. By flaws, we do not mean plain mathematical errors but rather ambiguities or misconceptions in the security model. The first such example appeared recently, when Victor Shoup noted in [29] that there was a gap in the widely believed security proof of OAEP against adaptive chosen-ciphertext attacks. By means of a nice counter-example in a relativized model of computation, he showed that...

- **Nechaev (1994).** Complexity of a Determinate Algorithm for the Discrete Logarithm. (66 citations)
  Context: ...alled black-box group model, or generic model [27, 7, 17]. In particular, paper [7] considered the security of ECDSA in this model. Generic algorithms had been earlier introduced by Nechaev and Shoup [19, 28] to encompass group algorithms that do not exploit any special property of the encodings of group elements other than the property that each group element is encoded by a unique string. Typically, alg...

- **IEEE P1363 (2000).** Standard Specifications for Public-Key Cryptography. (52 citations)
  Context: ...binary expansions of integers < tq for some small integer t, provided that q is close enough to the size of the underlying field F. This is exactly what is recommended for cryptographic applications [16, 9]. A generic algorithm A over a standard cyclic group Γ is a probabilistic algorithm that takes as input an encoding list L = {σ(x1), . . . , σ(xk)}, where each xi is in Γ. While it...

- **Schnorr, Jakobsson (2000).** Security of Signed ElGamal Encryption. (41 citations)
  Context: ...o use yet another model to argue in favor of the security of cryptographic schemes, that could not be tackled by the random oracle model. This is the so-called black-box group model, or generic model [27, 7, 17]. In particular, paper [7] considered the security of ECDSA in this model. Generic algorithms had been earlier introduced by Nechaev and Shoup [19, 28] to encompass group algorithms that do not exploi...

- **Brickell, Pointcheval, et al.** Design and Validations for Discrete Logarithm Based (title truncated in the record). (25 citations)
  Context: ...gital signature standard DSA [20] was proposed, whose flavor was a mixture of ElGamal and Schnorr. The standard was later adapted to the elliptic curve setting under the name ECDSA [1, 20]. Following [6, 7], we propose the description of a generic DSA (see Figure 1), which operates in any cyclic group G of prime order q, thanks to a reduction function. This reduction function f applies to any element of...

- **Brown (2005).** On the provable security of ECDSA. (16 citations)
  Context: ...signatures, a duplicate signature; the other shows that from any message-signature pair, one can derive a second signature of the same message, the malleability. The security proof provided by Brown [7] does not account for our first example while it surprisingly rules out malleability, thus offering a proof of a property, non-malleability, that the actual scheme does not possess. 1 Introduction. In ...

- **Brickell, DeLaurentis (1986).** An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi. (15 citations)
  Context: ...ows to solve the AERP problem. It is unknown whether the converse is true, i.e. whether AERP and inverting RSA are computationally equivalent. Various attacks against AERP are known for e = 2, 3 (see [5, 30]). However, it is fair to say that there is no known attack against AERP when e is greater than or equal to 4. 3.3 The Security Proof. For this signature scheme, one can prove, in the random oracle model,...

- **Vallee, Girault, et al. (1988).** How to Break Okamoto's Cryptosystems by Reducing Lattice Bases. (10 citations)
  Context: ...ows to solve the AERP problem. It is unknown whether the converse is true, i.e. whether AERP and inverting RSA are computationally equivalent. Various attacks against AERP are known for e = 2, 3 (see [5, 30]). However, it is fair to say that there is no known attack against AERP when e is greater than or equal to 4. 3.3 The Security Proof. For this signature scheme, one can prove, in the random oracle model,...

- **Okamoto, Fujisaki, et al. (1998).** TSH-ESIGN: Efficient Digital Signature Scheme Using Trisection Size Hash. Contribution to (title truncated in the record). (8 citations)
  Context: ...different from a previously obtained signature of the same message, is a forgery or not, and namely an existential forgery. The first example that we give is related to the security proof offered in [22] for the ESIGN signature scheme. Crosschecking the proof, with the above observations in mind, it can be seen that it implicitly assumes that the attacker is not allowed to query the same message twic...

- **Naccache, Pointcheval, et al. (2001).** Twin Signatures: an Alternative to the Hash-and-Sign Paradigm. (6 citations)
  Context: ...o use yet another model to argue in favor of the security of cryptographic schemes, that could not be tackled by the random oracle model. This is the so-called black-box group model, or generic model [27, 7, 17]. In particular, paper [7] considered the security of ECDSA in this model. Generic algorithms had been earlier introduced by Nechaev and Shoup [19, 28] to encompass group algorithms that do not exploi...

- **Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186 (1994).** (4 citations)
  Context: ...ristic [11] based on fair zero-knowledge [13], Schnorr provided a zero-knowledge identification scheme [26], together with the corresponding signature scheme. In 1994, a digital signature standard DSA [20] was proposed, whose flavor was a mixture of ElGamal and Schnorr. The standard was later adapted to the elliptic curve setting under the name ECDSA [1, 20]. Following [6, 7], we propose the descriptio...

- **Granboulan (2002).** How to repair ESIGN, NESSIE internal document. (3 citations)
  Context: ...n of malleable signatures. Note that we have not broken any of the two schemes. In particular, there are some easy ways of revising ESIGN so that it satisfies the classical security notions (see e.g. [15]). 2 Digital Signature Schemes and Security Proofs. 2.1 Formal Framework. In modern terms (see [14]), a digital signature scheme consists of three algorithms (K, Σ, V): – A key generation algorithm K, ...

- **Certicom (2000).** Standards for efficient cryptography. (1 citation)
  Context: ...binary expansions of integers < tq for some small integer t, provided that q is close enough to the size of the underlying field F. This is exactly what is recommended for cryptographic applications [16, 9]. A generic algorithm A over a standard cyclic group Γ is a probabilistic algorithm that takes as input an encoding list L = {σ(x1), . . . , σ(xk)}, where each xi is in Γ. While it...