

On the Provable Security of ECDSA D Brown

II.5. FURTHER DISCUSSION

is very simple to analyze. A more complex design might be more secure, although it could also be more complex to analyze. With added complexity, one can never discount the possible appearance of an attack. For DSA, it’s possible that somebody could attack the conversion function. For example, DSA could be insecure because the conversion function used is not almost-bijective or for some other reason. One could assume that the DSA conversion function is almost-bijective and try to find a provable security result, but nobody has done this yet.

The intuition that a one-way conversion function imparts some kind of security attribute is not entirely ungrounded. Almost-invertibility means that the public key can be recovered from the message and signature (with reasonable probability). A one-way conversion function seems to prevent this. This difference does not have an impact on GMR security. It could have other impacts such as anonymity (hiding the signer’s identity) or efficiency (omitting the public key). Hiding the public key is not a stated objective of ECDSA.

Non-Pseudorandom k: No result has shown that k needs to be indistinguishable from a uniform random integer in [1, q−1]. Indeed, since ECDSA is not meant to provide confidentiality, the need for indistinguishability is not clear. Intuitively, a weaker condition than pseudo-randomness ought to be sufficient for ECDSA. Certainly, the private keys must be unguessable and arithmetically unbiased, because of known attacks, but these are weaker conditions than pseudo-randomness.

To see why pseudo-randomness might not be necessary for k, consider the following. Choose truly random private keys k subject to the condition that their hashes display a given pattern. Such k fail to be pseudo-random because they can be distinguished by applying the hash function, yet they do not seem to be weak. They are unlikely to have an attackable arithmetic bias. They may have enough entropy to be unguessable.

Also, some of the results do not involve a signing oracle and therefore do not require the ephemeral private keys k to be generated pseudo-randomly.

Deterministic k: In some of the proofs, the signing oracle value has the property that the same message query always gives the same signature response. Technically, this means the proof is only applicable to the deterministic mode of ECDSA signing, where k is chosen as a secret deterministic function of the message m being signed. An intuitive explanation that the deterministic mode is more secure is that it reveals fewer signatures and therefore less information about the private key. A very cautious implementation of ECDSA could use the deterministic mode so that these provable security results apply.

II.5.3. Attack-Like Attributes of ECDSA. Despite the proofs of GMR security of ECDSA, it might be argued that GMR security itself is not the “right” definition. Logically speaking, of course, a definition, by definition, cannot be right or wrong. Nonetheless, cryptology is a practical science, not a purely mathematical one, and therefore definitions ought to be tailored to pertinent concerns, not purely arbitrary ones. With this perspective, some alternative definitions of security for signatures in which ECDSA can be deemed “insecure” are explored and assessed for their pertinence.

Many of the attributes that we explore hinge on the particular conversion function f used in ECDSA. Altering f to avoid these attributes could potentially do more harm than good, diminishing the reputational security of ECDSA and the provable security of ECDSA. Accordingly, addressing these attributes is best handled through other means.

Signature Non-Anonymity: Given a valid ECDSA signature (r, s) on message m, the associated public key Y can be recovered, as follows. (Note that this does not violate the GMR definition of signature security.) Solve for the public key as Y = [r^{-1}]([s]R − [H(m)]G), where R is selected from f^{-1}(r), the set of points in the preimage of r.

Self-Signed Signatures: A signature of a message is self-signed if the message contains the signature. A self-signed ECDSA signature can be generated as follows. Choose random k and s. Compute r = f([k]G). Form the message m containing the signature (r, s). Compute e = H(m). Now solve for a private key x that makes this signature valid, which can be found as x = (±sk − e)/r (mod q).

This attribute does not violate GMR security. Indeed, it may be a useful attribute in the sense that it can be used to ensure that the private key was not stolen. It may also be useful for server-assisted key generation, where a server adds entropy to the message m so the signer’s private key x has enough entropy. Additional modifications to the self-signed signature verification are necessary, however, if the server cannot be trusted and the signer’s entropy for k is weak.

Unknown Private Key: A valid ECDSA signature can be generated without knowing the private key and yet not violate the GMR definition of signature security, as follows. This can be done for any elliptic curve domain parameters and any message m, by first generating a random value of the signature (r, s) and then solving for the public key as Y = [r^{-1}]([s]R − [H(m)]G), where R ∈ f^{-1}(r), the set of points in the preimage of r. If f^{-1}(r) = {}, then just try another value of r.
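The three attributes above (public-key recovery, self-signed signatures, and signatures for a key nobody holds), together with the deterministic-k mode from earlier in this section, all follow from the same algebra, so one worked example serves them all. The following is an added example, not code from Brown's paper: a minimal textbook ECDSA over secp256k1 (domain parameters assumed from the SEC 2 standard), with f taken as the x-coordinate reduced mod q, H as SHA-256 reduced mod q, and deterministic k derived with an HMAC (a constructed stand-in for a standard derivation such as RFC 6979, not that algorithm). The practical lesson for a protocol designer is that a valid ECDSA signature by itself neither hides the signer's public key nor proves that anyone knows the matching private key; bind keys with a proof of possession rather than relying on "they signed, so they hold the key".

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (y^2 = x^3 + 7 over F_p); constants assumed from SEC 2.
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None  # point at infinity


def on_curve(A):
    return A is O or (A[1] * A[1] - A[0] ** 3 - 7) % P == 0


def add(A, B):
    """Affine point addition; also handles doubling and the point at infinity."""
    if A is O:
        return B
    if B is O:
        return A
    if A[0] == B[0]:
        if (A[1] + B[1]) % P == 0:
            return O
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P   # doubling, a = 0
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)


def mul(n, A):
    """Scalar multiplication [n]A by double-and-add."""
    R = O
    while n:
        if n & 1:
            R = add(R, A)
        A = add(A, A)
        n >>= 1
    return R


def neg(A):
    return O if A is O else (A[0], (-A[1]) % P)


def f(R):
    """ECDSA conversion function: x-coordinate of R reduced mod q."""
    return R[0] % Q


def f_inv(r):
    """Preimage set f^{-1}(r): every point whose x-coordinate reduces to r.
    Because q < p, x may be r or r + q, and each x has up to two y values."""
    pts = []
    for x in (r, r + Q):
        if x >= P:
            continue
        y2 = (x ** 3 + 7) % P
        y = pow(y2, (P + 1) // 4, P)  # square root, valid since p = 3 (mod 4)
        if y * y % P == y2:
            pts += [(x, y), (x, P - y)]
    return pts


def H(m):
    """Message hash as an integer mod q (SHA-256; a constructed choice)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def deterministic_k(x, m):
    """Deterministic mode: k is a secret function of the message (stand-in, not RFC 6979)."""
    mac = hmac.new(x.to_bytes(32, "big"), m, hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (Q - 1)


def sign(x, m, k=None):
    k = deterministic_k(x, m) if k is None else k
    r = f(mul(k, G))
    s = pow(k, -1, Q) * (H(m) + x * r) % Q
    return (r, s)


def verify(Y, m, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    R = add(mul(H(m) * w % Q, G), mul(r * w % Q, Y))
    return R is not O and f(R) == r


def recover_public_keys(m, sig):
    """Signature non-anonymity: Y = [r^-1]([s]R - [H(m)]G) for each R in f^-1(r)."""
    r, s = sig
    e = H(m)
    cands = [mul(pow(r, -1, Q), add(mul(s, R), neg(mul(e, G)))) for R in f_inv(r)]
    return [Y for Y in cands if verify(Y, m, sig)]


def self_signed(prefix=b"self-signed message"):
    """Pick k and s first, embed (r, s) in m, then solve x = (s*k - e)/r mod q."""
    k = 1 + secrets.randbelow(Q - 1)
    s = 1 + secrets.randbelow(Q - 1)
    r = f(mul(k, G))
    m = prefix + b" r=%064x s=%064x" % (r, s)
    x = (s * k - H(m)) * pow(r, -1, Q) % Q
    return x, mul(x, G), m, (r, s)


def unknown_key_signature(m):
    """Valid signature on m under a public key Y whose private key nobody knows."""
    while True:
        r = 1 + secrets.randbelow(Q - 1)
        s = 1 + secrets.randbelow(Q - 1)
        pre = f_inv(r)
        if pre:  # empty preimage: try another r, as the text says
            Y = mul(pow(r, -1, Q), add(mul(s, pre[0]), neg(mul(H(m), G))))
            return Y, (r, s)
```

Calling `sign(x, m)` twice returns the same signature, which is the deterministic-mode property the proofs rely on; `recover_public_keys` returns the small candidate set (typically two points, one of them the signer's Y) that any verifier can compute from a signature alone; and `verify` accepts the output of `self_signed` and `unknown_key_signature` exactly as it accepts an honest signature, which is why these attributes sit outside the GMR definition.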

