
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

On the Security of Schnorr Signatures, DSA, and ElGamal Signatures against RelatedKey Attacks
Hiraku MORITA Jacob C.N. SCHULDT Takahiro MATSUDA Goichiro HANAOKA Tetsu IWATA
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E100A
No.1
pp.7390 Publication Date: 2017/01/01 Online ISSN: 17451337
DOI: 10.1587/transfun.E100.A.73 Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security) Category: Keyword: relatedkey attacks, Schnorr signatures, DSA, ElGamal signatures.,
Full Text: PDF>>
Summary:
In the ordinary security model for signature schemes, we consider an adversary that tries to forge a signature on a new message using only his knowledge of other valid message and signature pairs. To take into account side channel attacks such as tampering or faultinjection attacks, Bellare and Kohno (Eurocrypt 2003) formalized relatedkey attacks (RKA), where stronger adversaries are considered. In the RKA security model for signature schemes, we consider an adversary that can also manipulate the signing key and obtain signatures computed under the modified key. RKA security is defined with respect to the relatedkey deriving functions which are used by an adversary to manipulate the signing key. This paper considers RKA security of three established signature schemes: the Schnorr signature scheme, a variant of DSA, and a variant of ElGamal signature scheme. First, we show that these signature schemes are secure against a weak notion of RKA with respect to polynomial functions. Second, we demonstrate that, on the other hand, none of the Schnorr signature scheme, DSA, nor the ElGamal signature scheme achieves the standard notion of RKA security with respect to linear functions, by showing concrete attacks on these. Lastly, we show that slight modifications of the Schnorr signature scheme, (the considered variant of) DSA, and the variant of ElGamal signature scheme yield fully RKA secure schemes with respect to polynomial functions.

