On the Provable Security of ECDSA

Abstract

Introduction Background . The Elliptic Curve Digital Signature Algorithm is now in many standards or recommendations, such as [ ANSI X9.62 ], [ SECG ], [ FIPS 186.2 ], [ IEEE 1363 ], [ ISO 15946-2 ], [ NESSIE ] and [ RFC 3278 ]. Organizations chose ECDSA because they regarded its reputational security sufficient, on the grounds that (a) it is a very natural elliptic curve analogue of DSA, and that (b) both elliptic curve cryptography and DSA were deemed to have sufficiently high reputational security. The standardization of ECDSA has created more intense public scrutiny. Despite this, no substantial weaknesses in ECDSA have been found, and thus its reputational security has increased. At one point, proofs of security, under certain assumptions, were found for digital signature schemes similar to DSA and ECDSA. The proof techniques in these initial proofs did not, and still do not, appear applicable to DSA and ECDSA. Thus, for a time, provable security experts suggested a change to the standardization of reputationally secure schemes, because slight modifications could improve provable security. Further investigation, however, led to new provable security results for ECDSA. New proof techniques and assumptions were found that overcame or avoided the difficulty in applying the initial techniques to ECDSA. This chapter describes some of these results, sketches their proofs, and discusses the impact and interpretation of these results.