## Design Validations for Discrete Logarithm Based Signature Schemes (2000)

Venue: PKC '00, LNCS 1751

Citations: 25 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Brickell00designvalidations,
  author    = {Ernest Brickell and David Pointcheval and Serge Vaudenay and Moti Yung},
  title     = {Design Validations for Discrete Logarithm Based Signature Schemes},
  booktitle = {PKC '00, LNCS 1751},
  year      = {2000},
  pages     = {276--292},
  publisher = {Springer-Verlag}
}
```

### Abstract

A number of signature schemes and standards have been recently designed, based on the Discrete Logarithm problem. In this paper we conduct design validation of such schemes while trying to minimize the use of ideal hash functions. We consider several Discrete Logarithm (DSA-like) signatures abstracted as generic schemes. We show that the following holds: "if the schemes can be broken by an existential forgery using an adaptively chosen-message attack then either the discrete logarithm problem can be solved, or some hash function can be distinguished from an ideal one, or multicollisions can be found." Thus, for these signature schemes, either they are equivalent to the discrete logarithm problem or there is an attack that takes advantage of properties which are not desired (or expected) in strong practical hash functions (SHA-1 or whichever high quality cryptographic hash function is used). What is interesting is that the schemes we discuss include KCDSA and slight variations of DSA. Further, since our schemes coincide with (or are extremely close to) their standard counterparts they benefit from their desired properties: efficiency of computation/space, employment of certain mathematical operations and wide applicability to various algebraic

### Citations

3067 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1978
Context: ...fully into our study. The random oracle methodology was first employed informally by Fiat and Shamir [12], and formalized in Bellare and Rogaway [2]. It was used in showing variants of RSA signatures [26, 4]. At the same time Pointcheval and Stern [23] formalized the Fiat-Shamir technique and then validated security for an El Gamal variant signature, Schnorr signature [28, 29] and Fiat-Shamir signature...

2845 | New Directions in Cryptography - Diffie, Hellman - 1976
Context: ...ssage Attacks, Existential Forgeries, Random Oracle Model, DSA, KCDSA, Security Validation. 1 Introduction. One of the greatest achievements of Public-key Cryptography, introduced by Diffie and Hellman [9], is the provision of a strong (non-repudiated) integrity function known as "digital signature." The research regarding digital signature schemes has taken a number of basic directions. The first one ...

1394 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols - Bellare, Rogaway - 1993
Context: ... guided by any structure. The next proof direction is to assume that certain hash functions which are available and which everyone has black-box access to, are ideal (i.e., are like a random oracle [2]). Since the available hash functions cannot in fact be random oracles but rather computationally indistinguishable from one, the proof becomes an argument for security: As long as there is no evidenc...

868 | How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir
Context: ...et have a strength of being validated. We believe that perhaps the standard bodies should look carefully into our study. The random oracle methodology was first employed informally by Fiat and Shamir [12], and formalized in Bellare and Rogaway [2]. It was used in showing variants of RSA signatures [26, 4]. At the same time Pointcheval and Stern [23] formalized the Fiat-Shamir technique and then vali...

856 | A digital signature scheme secure against adaptive chosen-message attacks - Goldwasser, Micali, et al. - 1988
Context: ...ardized, in particular NIST standardized the DSA signature scheme (DSS) [20]. Whereas the theoretical signature schemes have been presented with a security proof against (existential forgery) attacks [14, 15], the practical schemes were given in an ad-hoc fashion based on intuitive feeling of security. However, as we know in the past and the recent future many schemes believed to be secure have been later...

853 | The MD5 Message-Digest Algorithm - Rivest
Context: ...simplicity, a collision-resistant hash function is, in general, a 2-collision-resistant hash function. 2.3 The Random Oracle Model. In many signature schemes, a cryptographic hash function, such as MD5 [25] or SHA-1 [21], is used, namely to reduce the size of the message. Such a cryptographic hash function has the property that it is collision-resistant, and therefore one-way. Many recent proofs [3, 4, ...

604 | Efficient signature generation by smart cards - Schnorr - 1991
Context: ...variants of RSA signatures [26, 4]. At the same time Pointcheval and Stern [23] formalized the Fiat-Shamir technique and then validated security for an El Gamal variant signature, Schnorr signature [28, 29] and Fiat-Shamir signatures. In so doing they formalized the "forking lemma" methodology which we will follow. Further analysis and investigation of multi-signature was performed by Ohta and Okamoto [...

343 | The exact security of digital signatures: how to sign with RSA and Rabin - Bellare, Rogaway - 1996
Context: ...fully into our study. The random oracle methodology was first employed informally by Fiat and Shamir [12], and formalized in Bellare and Rogaway [2]. It was used in showing variants of RSA signatures [26, 4]. At the same time Pointcheval and Stern [23] formalized the Fiat-Shamir technique and then validated security for an El Gamal variant signature, Schnorr signature [28, 29] and Fiat-Shamir signature...

332 | A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms - El Gamal
Context: ...pment is the design of digital signature schemes based on the hardness of the discrete logarithm problem (which started with the introduction of the El Gamal signature scheme [10]). A number of efficient schemes have appeared since then and a few of them were standardized, in particular NIST standardized the DSA signature scheme (DSS) [20]. Whereas the theoretical signature sc...

321 | Universal one-way hash functions and their cryptographic applications - Naor, Yung - 1990
Context: ...n reducing the computational assumption required for signature, in order to understand the inherent nature of the primitive. Indeed, digital signature turned out to be equivalent to one-way functions [19, 27]. Another direction has produced various flavors of signatures (blind, undeniable, fail-stop, etc.). The third direction was the design and standardization of efficient signature schemes which are ver...

320 | Efficient Identification and Signatures for Smart Cards - Schnorr - 1989
Context: ...variants of RSA signatures [26, 4]. At the same time Pointcheval and Stern [23] formalized the Fiat-Shamir technique and then validated security for an El Gamal variant signature, Schnorr signature [28, 29] and Fiat-Shamir signatures. In so doing they formalized the "forking lemma" methodology which we will follow. Further analysis and investigation of multi-signature was performed by Ohta and Okamoto [...

317 | Zero knowledge proofs of identity - Feige, Fiat, et al. - 1988
Context: ...n-free. Here, we need similar tools, namely their "splitting lemma" and an improved version of their "forking lemma". The "splitting lemma" is a formal probabilistic version of the "heavy rows lemma" [11, 22]. Lemma 9 (The Splitting Lemma). Let $A \subset X \times Y$ and assume that $\Pr[(x, y) \in A] \ge \varepsilon$. Define $B = \{(x, y) \in X \times Y \mid \Pr_{y' \in Y}[(x, y') \in A] \ge \varepsilon/2\}$ and $\bar{B} = (X \times Y) \setminus B$; then the following statements h...

293 | Security arguments for digital signatures and blind signatures - Pointcheval, Stern
Context: ...y was first employed informally by Fiat and Shamir [12], and formalized in Bellare and Rogaway [2]. It was used in showing variants of RSA signatures [26, 4]. At the same time Pointcheval and Stern [23] formalized the Fiat-Shamir technique and then validated security for an El Gamal variant signature, Schnorr signature [28, 29] and Fiat-Shamir signatures. In so doing they formalized the "forking lem...

253 | The random oracle methodology, revisited - Canetti, Goldreich, et al. - 1998
Context: ...sally for every scheme: an artificial theoretical construction was shown which is provably secure under the random oracle assumption but becomes insecure under any "concrete implementation" of the oracle [8]. Luckily, this is only an example, and its structure does not apply to the practical signature schemes we study (intuitively, in these schemes there is a separation of the role of the hash function f...

210 | Optimal Asymmetric Encryption — How to Encrypt with RSA - Bellare, Rogaway - 1995
Context: ...D5 [25] or SHA-1 [21], is used, namely to reduce the size of the message. Such a cryptographic hash function has the property that it is collision-resistant, and therefore one-way. Many recent proofs [3, 4, 22, 23] make the assumption that this cryptographic hash function is an ideal random function, also known as a random oracle: for any new query, the answer is uniformly distributed in the output set, independen...

202 | One-way functions are necessary and sufficient for secure signatures - Rompel - 1990
Context: ...n reducing the computational assumption required for signature, in order to understand the inherent nature of the primitive. Indeed, digital signature turned out to be equivalent to one-way functions [19, 27]. Another direction has produced various flavors of signatures (blind, undeniable, fail-stop, etc.). The third direction was the design and standardization of efficient signature schemes which are ver...

138 | An efficient off-line electronic cash system based on the representation problem - Brands - 1993
Context: ...and therefore $T = G(M) \ne G(M') = T'$, since $G$ is collision-resistant. Because of the TEGTSS-I properties, one has two distinct representations of the same $R$ in the basis $(g, Y)$, which leads to $X$ [6]. Case 2: $A$ outputs a verifiable tuple $(M, R, S, T, U)$ in which $R = Q_j$ for some $j \le Q$ and $A$ made a direct query for the value of $H(Q_j)$. Using the forking lemma (Lemma 10), after less than (1 + 24Q...

59 | On Diffie-Hellman Key Agreement with Short Exponents - van Oorschot, Wiener - 1996
Context: ... Schnorr [28, 29] improved the scheme using the modulo q truncating function, playing in a prime subgroup. This fixes some weaknesses later on discovered by Bleichenbacher [5], van Oorschot and Wiener [30] and also discussed by Anderson and Vaudenay [1]. This latter scheme has been formally proven unforgeable in the random oracle model relative to the discrete logarithm problem [22, 23]. However, as di...

41 | On concrete security treatment of signatures derived from identification - Ohta, Okamoto
Context: ...] and Fiat-Shamir signatures. In so doing they formalized the "forking lemma" methodology which we will follow. Further analysis and investigation of multi-signature was performed by Ohta and Okamoto [22]. However, the case of variants of the standardized DSA-like signature which we analyze herein was left open. Outline of the Paper. In the next Section we present our basic definitions and in Section ...

32 | A "paradoxical" solution to the signature problem - Goldwasser, Micali, Rivest - 1984
Context: ...ardized, in particular NIST standardized the DSA signature scheme (DSS) [20]. Whereas the theoretical signature schemes have been presented with a security proof against (existential forgery) attacks [14, 15], the practical schemes were given in an ad-hoc fashion based on intuitive feeling of security. However, as we know in the past and the recent future many schemes believed to be secure have been later...

25 | Minding Your P's and Q's - Anderson, Vaudenay - 1996
Context: ...odulo q truncating function, playing in a prime subgroup. This fixes some weaknesses later on discovered by Bleichenbacher [5], van Oorschot and Wiener [30] and also discussed by Anderson and Vaudenay [1]. This latter scheme has been formally proven unforgeable in the random oracle model relative to the discrete logarithm problem [22, 23]. However, as discussed in the introduction many other variants ...

24 | On the length of cryptographic hash-values used in identification schemes - Girault, Stern - 1994
Context: ...s the attractive property of providing short signatures. Indeed, a hash function that returns 80-bit digests can be considered 5-collision-resistant, since a search would require $2^{64}$ computations [13]. Therefore, since the practical signature consists of the pair $(S, T)$ where $S \in \mathbb{Z}_q$ and $T$ is the digest produced by $G$, a 5-collision-resistant hash function, it can be shorter than 30 bytes. 7 Conclu...

11 | Hidden collisions on DSS - Vaudenay - 1996
Context: ... that the $x \mapsto (g^x \bmod p) \bmod q$ map has a $(\log q)$-multi-collision. Indeed, even just a 2-collision would lead to an important weakness in the original DSA design by an attack similar to Vaudenay's [31]: if for a given $(p, q, g)$ provided by an honest authority someone happens to find a 2-collision $T = (g^k \bmod p) \bmod q = (g^{k'} \bmod p) \bmod q$, then he can choose two different messages $M$ and $M'$ and a ...
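The sentence above is cut off on this page, so the following is an added worked example, not the paper's text. It shows what a 2-collision $k \ne k'$ in the map $k \mapsto (g^k \bmod p) \bmod q$ buys a dishonest signer under the standard DSA equations $r = (g^k \bmod p) \bmod q$, $s = k^{-1}(H(M) + xr) \bmod q$: subtracting the signing equations for two messages gives $s = (H(M) - H(M'))/(k - k')$ and then $x = (ks - H(M))/r$, so the signer can pick a key $x$ after the fact for which the single signature $(r, s)$ verifies on both $M$ and $M'$, destroying non-repudiation. That completion of the argument is this editor's derivation, not a quotation. The parameters `TOY` (p = 10091, q = 1009, g = 1024), the hash reduction mod q, and the function names `find_r_collision`, `double_sign`, `dsa_sign`, `dsa_verify` are all constructed here; the parameters are absurdly small precisely so that the brute-force collision search, which is infeasible at real DSA sizes, finishes instantly.

```python
"""Toy DSA plus the 2-collision attack on k -> (g^k mod p) mod q.
Added illustration only: parameters are tiny and NOT secure.
"""
import hashlib

# Constructed toy parameters (assumption, not from the paper):
# q prime, p = 10*q + 1 prime, g = 2^((p-1)/q) mod p has order q.
TOY_P, TOY_Q = 10091, 1009
TOY_G = pow(2, (TOY_P - 1) // TOY_Q, TOY_P)
TOY = (TOY_P, TOY_Q, TOY_G)
assert pow(TOY_G, TOY_Q, TOY_P) == 1 and TOY_G != 1


def default_hash(message: bytes, q: int) -> int:
    """H(M) reduced mod q (real DSA truncates to the leftmost bits of q's
    length; the difference is irrelevant here, the attack never touches H)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def dsa_sign(params, x, k, message, hash_fn=default_hash):
    """Standard DSA signing with secret key x and nonce k."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_fn(message, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s


def dsa_verify(params, y, message, sig, hash_fn=default_hash):
    """Standard DSA verification against public key y = g^x mod p."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = hash_fn(message, q) * w % q
    u2 = r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def find_r_collision(params):
    """Brute-force k != k' with (g^k mod p) mod q == (g^k' mod p) mod q.
    Only feasible because q is tiny; at real sizes the paper treats the
    absence of such collisions as an explicit assumption."""
    p, q, g = params
    seen = {}
    for k in range(1, q):
        r = pow(g, k, p) % q
        if r == 0:              # r = 0 is rejected by DSA anyway
            continue
        if r in seen:
            return seen[r], k, r
        seen[r] = k
    return None


def double_sign(params, m1, m2, hash_fn=default_hash):
    """Signer-side attack: choose (x, s) so that one (r, s) verifies both
    m1 and m2. Returns None if H(m1) == H(m2) mod q or no collision is found."""
    p, q, g = params
    col = find_r_collision(params)
    if col is None:
        return None
    k1, k2, r = col
    h1, h2 = hash_fn(m1, q), hash_fn(m2, q)
    if h1 == h2:
        return None
    # Solve h1 + x*r = k1*s and h2 + x*r = k2*s (mod q) for s, then x.
    s = (h1 - h2) * pow(k1 - k2, -1, q) % q
    x = (k1 * s - h1) * pow(r, -1, q) % q
    y = pow(g, x, p)
    return x, y, (r, s)


if __name__ == "__main__":
    m1, m2 = b"transfer 10 to alice", b"transfer 1000 to alice"
    res = double_sign(TOY, m1, m2)
    if res is not None:
        x, y, sig = res
        print("collision-derived key x =", x, "signature", sig)
        print("verifies m1:", dsa_verify(TOY, y, m1, sig),
              "verifies m2:", dsa_verify(TOY, y, m2, sig))
```

With p = 23, q = 11, g = 2 (order 11, since 2^11 = 2048 = 1 mod 23) the collision is visible by hand: k = 1 and k = 7 both give r = 2. The practical reading of the paper's remark is the contrapositive: a DSA proof must either assume this map is multicollision-free or, as the paper's variant does, hash $T$ into the message digest so a collision in the map no longer yields a double-valid signature.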

8 | Generating El Gamal Signatures without Knowing the Secret Key - Bleichenbacher - 1996
Context: ...ete logarithm problem. Then, Schnorr [28, 29] improved the scheme using the modulo q truncating function, playing in a prime subgroup. This fixes some weaknesses later on discovered by Bleichenbacher [5], van Oorschot and Wiener [30] and also discussed by Anderson and Vaudenay [1]. This latter scheme has been formally proven unforgeable in the random oracle model relative to the discrete logarithm pro...

8 | On Provable Security for Digital Signature Algorithms - Pointcheval, Vaudenay - 1997
Context: ...om Lemma 7 and Theorem 8. Remark 18. One can first remark that for any random function $G$, the probability that $x \mapsto G(g^x \bmod p)$ has an $(\ell + 1)$-multi-collision is approximately less than $q/(\ell + 1)!$ [24], which is very small for $\ell = \log q$. This provides a security argument for a very slight variant of the original DSA, where $H(M)$ is just replaced by $H(M, T)$. Indeed, it is very unlikely that the ...

5 | A "paradoxical" solution to the signature problem - Goldwasser, Micali, Rivest - 1984

2 | A Study on the Proposed Korean Digital Signature Algorithm - Lim, Lee - 1998

1 | Invited lecture given at the Crypto '96 conference (unpublished manuscript) - Brickell
Context: ... standard schemes is given in Section 6, where Section 7 concludes the work. Remark. The paper is based on a merge, crystallization and generalization of initial ideas reported in our earlier studies [7, 24]. The current version contains improved and more elegant analysis as well as the important direction of minimizing the use of the "random oracle" assumption. 2 Definitions. In this section, we recall s...