3 research outputs found

    On the One-Per-Message Unforgeability of (EC)DSA and Its Variants

    The American signature standards DSA and ECDSA, as well as their Russian and Chinese counterparts GOST 34.10 and SM2, are of utmost importance in the current security landscape. The mentioned schemes are all rooted in the Elgamal signature scheme and use a hash function and a cyclic group as building blocks. Unfortunately, authoritative security guarantees for the schemes are still due: all existing positive results on their security use aggressive idealization approaches, like the generic group model, leading to debatable overall results. In this work we conduct security analyses for a set of classic signature schemes, including the ones mentioned above, providing positive results in the following sense: if the hash function is modeled as a random oracle, and the signer issues at most one signature per message, then the schemes are unforgeable if and only if they are key-only unforgeable, where the latter security notion captures that the adversary has access to the verification key but not to sample signatures. Put differently, for the named signature schemes, in the one-signature-per-message setting the signature oracle is redundant.

    Memory-Tight Reductions

    Cryptographic reductions typically aim to be tight by transforming an adversary A into an algorithm that uses essentially the same resources as A. In this work we initiate the study of memory efficiency in reductions. We argue that the amount of working memory used (relative to the initial adversary) is a relevant parameter in reductions, and that reductions that are inefficient with memory will sometimes yield less meaningful security guarantees. We then point to several common techniques in reductions that are memory-inefficient and give a toolbox for reducing memory usage. We review common cryptographic assumptions and their sensitivity to memory usage. Finally, we prove an impossibility result showing that reductions between some assumptions must unavoidably be either memory- or time-inefficient. This last result follows from a connection to data streaming algorithms for which unconditional memory lower bounds are known.

    The provable security of Elgamal-type signature schemes

    Among the signature schemes most widely deployed in practice are the DSA (Digital Signature Algorithm) and its elliptic curve variant ECDSA. They are represented in many international standards, including IEEE P1363, ANSI X9.62, and FIPS 186-4. In this work we propose GenElgamal, a signature framework that subsumes both DSA and ECDSA, as well as their Russian and Chinese counterparts GOST 34.10 and SM2. By carefully modeling the "modulo q" conversion function as a composition of three independent functions, we rigorously prove results on the security of GenElgamal that indicate that forging signatures is as hard as solving discrete logarithms. Taking a more conservative approach, we further show that if the hash function of GenElgamal is modeled as a random oracle, and the signer issues at most one signature per message, the signature oracle is redundant. Finally, we discuss if and how the results described above can be made more memory-efficient.