The Security of DSA and ECDSA

Authors:
Serge Vaudenay
Affiliations:
-
Venue:
PKC '03 Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography
Year:
2003

Citing 9
Cited 2

Introduction to finite fields and their applications

Introduction to finite fields and their applications
A public key cryptosystem and a signature scheme based on discrete logarithms

Proceedings of CRYPTO 84 on Advances in cryptology
Modifications of ECDSA

SAC '02 Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography
Flaws in Applying Proof Methodologies to Signature Schemes

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
CM-Curves with Good Cryptographic Properties

CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
Hidden Collisions on DSS

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Design Validations for Discrete Logarithm Based Signature Schemes

PKC '00 Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Generating EIGamal signatures without knowing the secret key

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Lower bounds for discrete logarithms and related problems

EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques

A subliminal-free variant of ECDSA

IH'06 Proceedings of the 8th international conference on Information hiding
Cryptanalysis and improvement of a certificateless threshold signature secure in the standard model

Information Sciences: an International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

DSA and ECDSA are well established standards for digital signature based on the discrete logarithmp roblem. In this paper we survey known properties, certification issues regarding the public parameters, and security proofs.ECDSA also includes a standard certification scheme for elliptic curve which is assumed to guarantee that the elliptic curve was randomly selected, preventing from any potential malicious choice. In this paper we show how to bypass this scheme and certify any elliptic curve in characteristic two. The prime field case is also studied. Although this does not lead to any attack at this time since all possible malicious choices which are known at this time are specifically checked, this demonstrates that some part of the standard is not well designed. We finally propose a tweak.