## Generic Groups, Collision Resistance, and ECDSA (2002)

Venue: Designs, Codes and Cryptography

Citations: 13 - 1 self

### BibTeX

```bibtex
@ARTICLE{Brown02genericgroups,
    author = {Daniel R. L. Brown},
    title = {Generic Groups, Collision Resistance, and ECDSA},
    journal = {Designs, Codes and Cryptography},
    year = {2002},
    volume = {35},
    pages = {119--152}
}
```

### Abstract

Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosen-message attacks. The sufficient conditions include (i) a uniformity property and collision-resistance for the underlying hash function, (ii) pseudo-randomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical.

### Citations

697 | Elliptic curve cryptosystems - Koblitz - 1987

Citation Context: ...es not do, and moreover, assume a condition on the hash function stronger than the first condition above. This work seems to be the first advance in the provable security of ECDSA. 1 Introduction Koblitz [32] and Miller [40] independently proposed elliptic curve cryptography in 1985. The National Institute of Standards and Technology (NIST) proposed the Digital Signature Algorithm (DSA) in 1991 (see [10])...

531 | Use of elliptic curves in cryptography - Miller - 1986

Citation Context: ...oreover, assume a condition on the hash function stronger than the first condition above. This work seems to be the first advance in the provable security of ECDSA. 1 Introduction Koblitz [32] and Miller [40] independently proposed elliptic curve cryptography in 1985. The National Institute of Standards and Technology (NIST) proposed the Digital Signature Algorithm (DSA) in 1991 (see [10]). Vanstone [53] ...

283 | Elliptic Curve Public Key Cryptosystems - Menezes - 1993

Citation Context: ...$, y) : x, y \in \mathbb{F}_q,\ y^2 = x^3 + ax + b\}$ if $q$ is an odd prime or the set $\{(x, y) : x, y \in \mathbb{F}_q,\ y^2 + xy = x^3 + ax^2 + b\}$ if $q$ is a power of two. The group operations involve several field operations, see [6, 31, 33, 38, 40, 47] for example. Specific choices for the parameters $q, a, b, n, t$ and $G$ are recommended in [21, 47]. These recommendations help achieve efficiency, security and interoperability. The ECDSA Conversion Functi...

283 | Security Arguments for Digital Signatures and Blind Signatures - Pointcheval, Stern - 2000

Citation Context: ... necessary condition is plausible for DSA, but is not proved here nor is the security of DSA proved assuming this weaker condition.) Brickell et al. [11], Jakobsson et al. [29] and Pointcheval et al. [44] only consider signature schemes that include the ephemeral public key in the hash input, which ECDSA does not do, and moreover, assume a condition on the hash function stronger than the first condition...

223 | Lower bounds for discrete logarithms and related problems - Shoup - 1997

Citation Context: ...erty and an additional minor property. Our condition for the group is stronger than [44]: we use more than just the intractability of the elliptic curve discrete logarithm; instead we model the group [48] generically. On balance, our conditions are roughly equal 3 to [44], since one condition is weaker and the other ? Supported in part by a National Science and Engineering Research Council of Canada I...

111 | A proposal for the ISO standard for public-key encryption (version 2.0). Available from http://shoup.net - Shoup

83 | Algebraic aspects of cryptography - Koblitz - 1998

Citation Context: ...e analogue of DSA, the Elliptic Curve Digital Signature Algorithm (ECDSA), in 1992. The current form of ECDSA was proposed by the IEEE P1363 working group in 1995. Koblitz describes ECDSA in his book [33], as do Blake, Seroussi and Smart in their book [6]. Johnson and Menezes [30] give an excellent survey on ECDSA. Detailed specifications of ECDSA are given in several approved standards: ISO 14888-3 [2...

72 | Finding collisions on a one-way street: Can secure hash functions be based on general assumptions - Simon - 1998

Citation Context: ... for hash functions. For a more thorough treatment of the security issues surrounding the design of hash functions, see Damgard [17, 18], Menezes, van Oorschot and Vanstone [39], Preneel [45], Simon [50] and Stinson [51, 52]. Some of our definitions are somewhat simplified to reflect the common practice of using a fixed hash function in a signature scheme rather than the goal of designing a family of secu...

66 | Complexity of a Determinate Algorithm for the Discrete Logarithm - Nechaev - 1994

Citation Context: ...defined below), which is closely related to the encoding of the secure group, some additional security conditions are important, namely conditions regarding this conversion function. The Nechaev-Shoup [41, 48] generic model of a group is an even stronger condition than the intractability of the discrete logarithm problem. Indeed, strictly speaking this condition is unattainable for an efficient group. Neverth...

66 | The Insecurity of the Digital Signature Algorithm with Partially Known Nonces - Nguyen, Shparlinski

Citation Context: ...onfusion will result because our analysis will not focus on the DSA group specifically. The DSA Conversion Function The DSA conversion function is $f : \langle G \rangle \to \mathbb{Z}_n : a \mapsto (a \bmod n)$. Nguyen and Shparlinski [42] give partial results towards showing the DSA conversion function is almost-bijective. Experiments with small values of $n$ show that the DSA conversion function is as almost-bijective of the sa...

47 | The state of cryptographic hash functions - Preneel - 1999

Citation Context: ...y properties for hash functions. For a more thorough treatment of the security issues surrounding the design of hash functions, see Damgard [17, 18], Menezes, van Oorschot and Vanstone [39], Preneel [45], Simon [50] and Stinson [51, 52]. Some of our definitions are somewhat simplified to reflect the common practice of using a fixed hash function in a signature scheme rather than the goal of designing a fa...

28 | Some Observations on the Theory of Cryptographic Hash Functions. Des. Codes Cryptography - Stinson - 2006

Citation Context: ...ns. For a more thorough treatment of the security issues surrounding the design of hash functions, see Damgard [17, 18], Menezes, van Oorschot and Vanstone [39], Preneel [45], Simon [50] and Stinson [51, 52]. Some of our definitions are somewhat simplified to reflect the common practice of using a fixed hash function in a signature scheme rather than the goal of designing a family of secure hash functions. Fo...

21 | A Pseudorandom Bit Generator based on Elliptic Logarithms - Kaliski - 1987

Citation Context: ...$, y) : x, y \in \mathbb{F}_q,\ y^2 = x^3 + ax + b\}$ if $q$ is an odd prime or the set $\{(x, y) : x, y \in \mathbb{F}_q,\ y^2 + xy = x^3 + ax^2 + b\}$ if $q$ is a power of two. The group operations involve several field operations, see [6, 31, 33, 38, 40, 47] for example. Specific choices for the parameters $q, a, b, n, t$ and $G$ are recommended in [21, 47]. These recommendations help achieve efficiency, security and interoperability. The ECDSA Conversion Functi...

20 | Cryptography: Theory and Practice. Discrete mathematics and its applications, Chapman & Hall/CRC - Stinson - 2006

Citation Context: ...ns. For a more thorough treatment of the security issues surrounding the design of hash functions, see Damgard [17, 18], Menezes, van Oorschot and Vanstone [39], Preneel [45], Simon [50] and Stinson [51, 52]. Some of our definitions are somewhat simplified to reflect the common practice of using a fixed hash function in a signature scheme rather than the goal of designing a family of secure hash functions. Fo...

16 | Lower bounds on generic algorithms in groups - Maurer, Wolf

14 | Security of signature schemes in a multi-user setting - Menezes, Smart - 2004

Citation Context: ...onsidered One can define non-standard adversaries such as those that find: an additional signature for an already signed message, an additional public-private key pair for a given message-signature pair [7, 30, 37], attacks in the multi-user setting, and attacks depending on nonstandard modified key generation. We will not consider such adversaries here. 5.1 A Signature Scheme Generalizing ECDSA and DSA We define...

13 | collisions on DSS - Vaudenay - 1996

Citation Context: ...success probability 1 have running time about $2^{80}$. Thus it is reasonable to say that SHA-1 is collision-resistant of strength roughly $(1, 2^{80})$. For the purposes of ECDSA and DSA, however, Vaudenay [54] noted that collisions in the hash function $h_{n,\text{SHA-1}}$ are what matters. Some measures are therefore needed to help ensure that the domain parameter n was not selected n = SHA-1(M 1 ) SHA-1(M 2 ) by a ...

10 | Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes. CRYPTO '92 - Okamoto

Citation Context: ...using techniques that might extend to ECDSA upon further consideration, but they use a stronger set of the conditions 4 . Of course, digital signature schemes of many other kinds have security proofs [4, 5, 12, 15-17, 20, 24, 43] under a wide variety of conditions. The remaining sections are organized as follows. Section 2 describes the groups that are used in ECDSA and DSA, defines the term conversion function together with s...

10 | Responses to NIST's Proposal - Vanstone - 1992

Citation Context: ... [40] independently proposed elliptic curve cryptography in 1985. The National Institute of Standards and Technology (NIST) proposed the Digital Signature Algorithm (DSA) in 1991 (see [10]). Vanstone [53] proposed an elliptic curve analogue of DSA, the Elliptic Curve Digital Signature Algorithm (ECDSA), in 1992. The current form of ECDSA was proposed by the IEEE P1363 working group in 1995. Koblitz de...

8 | Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms - Maurer - 1994

7 | Elliptic Curve Cryptography. Standards for Efficient Cryptography Group, 2000. Working Draft. Available from: http://www.secg.org - SEC - 2000

Citation Context: ...0] give an excellent survey on ECDSA. Detailed specifications of ECDSA are given in several approved standards: ISO 14888-3 [28], IEEE Std 1363-2000 [27], ANSI X9.62 [2], and FIPS 186-2 [21] (see also [47]). Applications of ECDSA are proposed in several other standards such as WAP WTLS, IETF S/MIME, IETF TLS, and IETF IPSEC IKE. A proof of conditional security ensures that a cryptographic technique mee...

4 | The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms - Maurer, Wolf - 1999

2 | ACE: The advanced cryptographic engine. Submission to NESSIE, aug 2000. Available at http://shoup.net/papers - Schweinberger, Shoup - 2000

Citation Context: ...needed and D as large as needed. The pseudorandomness aspect of the above definition of uniformity is similar to a property called "entropy-smoothing" by Shoup [49, page 20]. Schweinberger and Shoup [46] also use entropy-smoothing hash functions. 3.6 Relationships Between Hash Security Properties If the range of the hash-function is infinite, then a collision-resistant hash function can fail to be one...