2008, Smart Card Research and Advanced Applications
In this paper we analyse the Digital Signature Algorithm (DSA) and its immunity to fault cryptanalysis that takes advantage of errors induced into the private key a. We focus on DSA because it is widely adopted by the research community, it is known to be vulnerable to this type of attack, and no sound and effective modifications to improve its immunity have been proposed. We consider a new way of implementing DSA that enhances its immunity in the presence of faults. Our proposal ensures that inducing errors into the private key brings no benefit, since the attacker cannot deduce any information about the private key from erroneous signatures. The overhead of our proposal is similar to that of the obvious countermeasure based on signature verification; however, our modification generates fewer security issues.
Lecture Notes in Computer Science, 2010
At ACISP 2004, Giraud and Knudsen presented the first fault analysis of the DSA, ECDSA, XTR-DSA, Schnorr and ElGamal signature schemes that considered faults affecting one byte. They showed that 2304 faulty signatures would be expected to reduce the number of possible keys to 2^40, allowing a 160-bit private key to be recovered. In this paper we show that Giraud and Knudsen's fault attack is much more efficient than originally claimed. We prove that 34.3% fewer faulty signatures are required to recover a private key under the same fault model. We also show that their original way of expressing the fault model as a system of equations can be improved. A more precise expression yields a further improvement of up to 47.1%, depending on the value of the key byte affected.
Journal of Discrete Mathematical Sciences and Cryptography
In this paper we propose a new digital signature protocol inspired by the DSA algorithm. The security and the complexity are analyzed. Our method constitutes an alternative if the classical scheme DSA is broken.
1997
In this paper, we show that the presence of transient faults can leak some secret information. We prove that only one faulty RSA-signature is needed to recover one bit of the secret key. Thereafter, we extend this result to Lucas-based and elliptic curve systems.
International Journal of Advanced Trends in Computer Science and Engineering (IJATCSE), 2020
Public key cryptography provides fundamental protection components in contemporary cryptosystems, applications and protocols, guaranteeing the privacy, authenticity and non-repudiation of electronic communications and stored data. Elliptic Curve Cryptography (ECC) offers high security and better performance than other public key techniques, and its algorithms are strengthened against various attacks. This paper presents a precise and complete review of the Elliptic Curve Digital Signature Algorithm (ECDSA), of fault attacks against it and their countermeasures, and describes the future work to be done.
Lecture Notes in Computer Science, 2008
Many cryptosystems suffer from fault attacks when implemented in physical devices such as smart cards. Fault attacks on secret key elements have successfully targeted many protocols relying on the Elliptic Curve Discrete Logarithm Problem (ECDLP), the Integer Factorization Problem (IFP) or the Discrete Logarithm Problem (DLP). More recently, fault attacks have also been designed against the public key elements of ECDLP- and IFP-based schemes. In this paper, we present the first fault attacks on the public key elements of DSA and ElGamal, two DLP-based signature schemes. Our attacks fully recover a 160-bit DSA secret key and a 1024-bit ElGamal secret key with about 4·10^7 and about 3·10^6 faulty signatures respectively. Such figures might suggest that DLP-based schemes are less prone to fault attacks than ECDLP- and IFP-based schemes. However, the integrity of public keys should always be checked in order to thwart such attacks, since improvements may reduce the required number of faulty signatures in the near future.
ACM International Conference Proceeding Series, 2011
Elliptic curve cryptosystems proved to be well suited for securing systems with constrained resources like embedded and portable devices. In a fault attack, errors are induced during the computation of a cryptographic primitive, and the faulty results are collected to derive information about the secret key stored into the device in a non-readable way. Scenarios where the secure devices are seized by an opponent are quite common. Consequently, it is possible for an attacker to induce changes in the working environment of the device to cause alterations in the computation of the cryptographic primitive. We introduce a new fault model and attack methodology to recover the secret key employed in implementations of the Elliptic Curve Digital Signature Algorithm. Our attack exploits the information leakage induced when altering the execution of the modular arithmetic operations used in the signature primitive and does not rely on the properties of the underlying elliptic curve mathematical structure, thus being applicable to curves defined on both prime fields and binary fields. The attack is easily reproducible with low cost fault injection technologies relying on transient errors placed within a single datapath width of the target architecture.
Fault tolerance and data security are two important issues in modern communication systems. In this paper, we propose a secure and efficient digital signature scheme with fault tolerance based on an improved RSA system. The proposed scheme uses an RSA modulus with three prime factors and resists several attacks possible on RSA. By using the Chinese Remainder Theorem (CRT), the proposed scheme speeds up RSA decryption while also providing high security.
Journal of Cryptology
We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black-box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) The secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature, (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures, (3) the secret key used in Fiat-Shamir ...
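Result (1) above, the Bellcore attack on RSA-CRT, carried out end to end as an added worked example (this is not code from the paper). It shows the single-fault factoring in two forms: the original gcd(s - s', N) using a correct and a faulty signature of the same message, and Lenstra's later variant gcd(s'^e - m, N), which needs only the faulty signature and the message. The primes, modulus, message and the position of the simulated bit flip are constructed toy values chosen for this example; the `verify` call before a signature is released is the standard countermeasure (the "obvious countermeasure based on signature verification" that the DSA abstract earlier on this page refers to).

```python
"""Bellcore attack on RSA-CRT signing: a single faulty signature factors N.
Added example, not code from the paper.  The primes are constructed toy values
(far too small for real use); the algebra is identical for 2048-bit keys."""
from math import gcd
from random import Random

rng = Random(1997)                    # fixed seed: deterministic fault position
P, Q = 1000000007, 998244353          # constructed toy primes, NOT a secure size
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)   # CRT private key parts

def crt_sign(m, fault=False):
    # RSA-CRT: two half-size exponentiations, then Garner recombination.
    # With fault=True one bit of the mod-Q half is flipped before recombination,
    # modelling a transient hardware fault during that exponentiation.
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq = (sq ^ (1 << rng.randrange(Q.bit_length() - 1))) % Q
    h = (sp - sq) * QINV % P
    return (sq + Q * h) % N

def verify(m, s):
    # Public-key check; also the usual 'verify before output' countermeasure.
    return pow(s, E, N) == m

def factor_from_pair(s_good, s_bad):
    # Boneh-DeMillo-Lipton: s_good == s_bad (mod P) but not (mod Q), so gcd gives P.
    return gcd(s_good - s_bad, N)

def factor_from_faulty_only(m, s_bad):
    # Lenstra's variant: s_bad^E == m holds (mod P) only, so gcd gives P without s_good.
    return gcd((pow(s_bad, E, N) - m) % N, N)

def run_attack(m):
    # Returns P as recovered (a) from a correct/faulty pair and (b) from the faulty
    # signature alone.  The assert is the check a hardened signer performs before
    # releasing a signature; the attack needs a device that skips it.
    s_good, s_bad = crt_sign(m), crt_sign(m, fault=True)
    assert verify(m, s_good) and not verify(m, s_bad)
    return factor_from_pair(s_good, s_bad), factor_from_faulty_only(m, s_bad)

if __name__ == "__main__":
    p1, p2 = run_attack(123456789)
    print(p1 == P, p2 == P)
```

The message must be nonzero modulo both primes, which any padded hash is. Note that the fault is injected into an intermediate value, not the output: a device that only protects the final result (for instance by checking it against a stored copy) does not stop this, whereas a verification of s against the public key before output does.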
2000
Fault attacks are one of the most severe attacks against secure embedded cryptographic implementations. Block ciphers such as AES, DES or public key algorithms such as RSA can be broken with as few as a single or a handful of erroneous computation results. Many countermeasures have been proposed both at the algorithmic level and using ad-hoc methods. In this
2005
Nowadays, many technical concepts and tools have been developed in the cryptographic field. Most digital signature schemes used in practice, such as RSA or DSA, play an important role in information privacy and secure user authentication. A clear advantage of such schemes over schemes whose security is proven relative to common cryptographic assumptions is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten provably secure schemes in practice. Our aim is to help bridge the gap that exists between the theory and practice of digital signature schemes. In this paper we present a digital signature scheme that ensures information privacy. More precisely, under an appropriate assumption about RSA, the scheme is proven to be existentially unforgeable under adaptively chosen message attacks. This mechanism can be applied to smart cards or e-wallets for maintaining secure authentication for...
International Journal of Electrical and Computer Engineering (IJECE), 2019
We present a new digital signature scheme with message recovery and its authenticated encryption, based on the elliptic curve discrete logarithm and quadratic residue problems. The main idea is to provide a higher level of security than all other techniques that use signatures based on a single hard problem, whether factoring, discrete logarithm, residuosity, or elliptic curves. The proposed digital signature schemes do not involve any modular exponentiation operations, leaving no gap for attackers. The security analysis demonstrates the improved performance of the proposed schemes in comparison with existing techniques in terms of the ability to resist the most common attacks.
1. INTRODUCTION
Digital signatures with message recovery have become one of the most important aspects of data security. They allow a message owner to send only a signature of the message. Verifiers first use the received signature for verification and then recover the original message from it. In [1-3] Nyberg and Rueppel presented several signature schemes based on the discrete logarithm problem (DLP) that recover the encrypted message from the received signature. Later, Horster et al. [4] proposed an authenticated encryption scheme modified from the Nyberg-Rueppel algorithms, in which only the designated verifiers can retrieve and verify the messages from the signatures. The scheme can therefore be classified as a combination of a data encryption scheme and a digital signature scheme. In order to recover the original message from the signature, the message cannot be hashed to reduce its size. If the message is large, it must be divided into a sequence of blocks, and each block is encrypted and signed individually as a signature block. Consequently, each message block carries some redundant data, which is used to link all the blocks together correctly. The main drawback of this scheme is its high communication cost. Hwang et al. [5] proposed an authenticated encryption scheme with message linkages based on the Horster et al. scheme [4]. Since then, several improved authenticated encryption schemes have been proposed [6-8] to increase performance. Girault [9] introduced the concept of self-certified public keys. A public key is obtained from the signature of the user's private key, together with his/her identity, signed by the system authority. The public key of each user does not need to be accompanied by a separate certificate; proof of the public key is obtained implicitly during signature verification. Thus, storage space and computation cost are reduced by using
People have traditionally used signatures as a means of informing others that the signer has read and understood a document. A digital signature on a document is bound to that document in such a way that altering the signed document or moving the signature to a different document invalidates the signature. This property eliminates the need for paper copies of documents and can speed up processes involving documents that require signatures. Digital signatures are messages that identify and authenticate a particular person as the source of an electronic message, and indicate that person's approval of the information contained in it. Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptosystems as unique security solutions. On the other hand, these solutions clearly expose the fact that the protection of private keys is a security bottleneck in these sensitive applications. This problem is further worsened in cases where a single, unchanged private key must be kept secret for a very long time (as with certification authority keys and e-cash keys). Public key cryptosystems help users to achieve basic security building blocks such as identification, authentication, and integrity.
The Computer Journal, 2000
Security of ordinary digital signature schemes relies on a computational assumption. Fail-stop signature schemes provide security for a sender against a forger with unlimited computational power by enabling the sender to provide a proof of forgery, if it occurs. In this paper, we give an efficient fail-stop signature scheme that uses two hard problems, discrete logarithm and factorisation, as the basis of receiver's security. We show that the scheme has provable security against adaptively chosen message attack and is the most efficient scheme with respect to the ratio of the message length to the signature length. The scheme provides an efficient solution to signing messages up to 1881 bits.
DSA and ECDSA are well established standards for digital signatures based on the discrete logarithm problem. In this paper we survey known properties, certification issues regarding the public parameters, and security proofs. ECDSA also includes a standard certification scheme for elliptic curves which is assumed to guarantee that the elliptic curve was randomly selected, preventing any potential malicious choice. In this paper we show how to bypass this scheme and certify any elliptic curve in characteristic two. The prime field case is also studied. Although this does not lead to any attack at present, since all currently known malicious choices are specifically checked, it demonstrates that part of the standard is not well designed. We finally propose a tweak.
Lecture Notes in Computer Science, 2002
We propose a new notion of signer-base intrusion-resilient (SiBIR) signatures, which generalizes and improves upon both forward-secure [And97, BM99] and key-insulated [DKXY02] signature schemes. Specifically, as in the prior notions, time is divided into predefined time periods (e.g., days); each signature includes the number of the time period in which it was generated; while the public key remains the same, the secret keys evolve with time. Also, as in key-insulated schemes, the user has two modules, signer and home base: the signer generates signatures on his own, and the base is needed only to help update the signer's key from one period to the next. The main strength of intrusion-resilient schemes, as opposed to prior notions, is that they remain secure even after arbitrarily many compromises of both modules, as long as the compromises are not simultaneous. Moreover, even if the intruder does compromise both modules simultaneously, she will still be unable to generate any signatures for the previous time periods. We provide an efficient intrusion-resilient signature scheme, provably secure in the random oracle model based on the strong RSA assumption. We also discuss how such schemes can eliminate the need for certificate revocation in the case of on-line authentication.
1 Introduction
Key exposures appear to be unavoidable. Thus, limiting their impact is extremely important and is the focus of active research. While this issue applies to a wide range of security protocols, here we focus on digital signatures.
Applied Mathematics and Computation, 2003
In 1991, Girault introduced the notion of a self-certified public key. Recently, Tseng et al. proposed a digital signature scheme with message recovery (TJC-DSMR) extended from the self-certified public key system proposed by Girault. They also presented two variants of the proposed scheme. One allows only the specified receiver to verify and recover the message. The other is the extension of the previous one with message linkages, which is used to transmit larger messages. They supposed that there exists a trusted system authority (SA). However, SA is not guaranteed to be honest in the real world. Hence, we propose digital signature schemes that provide the same properties as Tseng et al.'s method without the assumption that SA is trustworthy.
2010 International Conference on Advances in Computer Engineering, 2010
A digital signature scheme allows one to sign an electronic message so that the produced signature can later be validated by the owner of the message or by any verifier. Most existing digital signature schemes were developed using a hash function and message redundancy to resist forgery attacks. In this paper we propose a signature scheme with message recovery that does not use a one-way hash function and is secure and practical. The proposed scheme is shown to be secure against the parameter reduction attack and the forgery attack. Security of the scheme is based on the complexity of solving the discrete logarithm problem and integer factorization. The proposed scheme does not use message redundancy and is suitable for signing long messages.
In this paper the realization of one algorithm for digital signatures, DSA (Digital Signature Algorithm), is presented. In the algorithm, the one-way hash function SHA (Secure Hash Algorithm) is used to calculate the variables needed to generate the public and private keys. A method of implementing SHA and DSA is presented, and the time required to digitally sign messages of different sizes and the time required to generate the keys are measured. The results are compared with the analogous results for another software-implemented signing system based on a hash function and the RSA algorithm.
Journal of Cryptology, 2002
We present a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. For most significant or least significant bits, the number of required bits is about log^{1/2} q, but can be decreased to log log q with a running time q^{O(1/log log q)} subexponential in log q, and even further to two in polynomial time if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. For arbitrary consecutive bits, the attack requires twice as many bits. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who recently introduced that topic. Our attack is based on a connection with the hidden number problem (HNP) introduced at Crypto '96 by Boneh and Venkatesan in order to study the bit-security of the Diffie-Hellman key exchange. The HNP consists, given a prime number q, of recovering a number α ∈ F_q such that for many known random t ∈ F_q a certain approximation of tα is known. To handle the DSA case, we extend Boneh and Venkatesan's results on the HNP to the case where t has not necessarily perfectly uniform distribution, and establish uniformity statements on the DSA signatures, using exponential sum techniques. The efficiency of our attack has been validated experimentally, and illustrates once again the fact that one should be very cautious with the pseudo-random generation of the nonce within DSA.
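The reduction described above, carried out end to end on toy parameters as an added worked example (this is the example's own code, not the paper's): a DSA instance with a 31-bit q, a signer whose nonces have their top 14 bits equal to zero (an assumed faulty nonce generator), the hidden number problem instance (t_i, u_i) derived from each signature, and its solution with a small exact-rational LLL. The leak is deliberately far larger than the paper's roughly log^{1/2} q bits so that this unoptimised LLL finds the key reliably; the group parameters p and g are generated at run time from constants chosen here, and the seed, messages and leak size are all constructed values.

```python
"""DSA key recovery from nonces with known leading bits: hidden number problem + LLL.
Added example, not code from the paper.  Toy 31-bit q; real DSA uses a 256-bit q."""
import hashlib
from fractions import Fraction
from random import Random

Q = 2**31 - 1                            # prime subgroup order (Mersenne prime M31)
LEAK = 14                                # leading nonce bits known to be zero (assumed RNG flaw)
K_BOUND = 1 << (Q.bit_length() - LEAK)   # every nonce satisfies 0 < k < K_BOUND
rng = Random(2002)                       # fixed seed: deterministic run

def is_prime(n):                         # deterministic Miller-Rabin for n < 3.3e24
    if n < 2: return False
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if a % n == 0: continue
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

def dsa_params():
    # Smallest prime p = m*Q + 1 and a generator g of the order-Q subgroup of Z_p^*.
    m = 2
    while not is_prime(m * Q + 1): m += 2
    p, h, g = m * Q + 1, 2, 1
    while g == 1: g, h = pow(h, m, p), h + 1
    return p, g

def sign(msg, x, p, g):
    # Standard DSA signing, except the nonce is drawn below K_BOUND (the leak).
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q
    while True:
        k = rng.randrange(1, K_BOUND)
        r = pow(g, k, p) % Q
        s = pow(k, -1, Q) * (h + x * r) % Q
        if r and s: return h, r, s

def verify(h, r, s, y, p, g):
    if not (0 < r < Q and 0 < s < Q): return False
    w = pow(s, -1, Q)
    return pow(g, h * w % Q, p) * pow(y, r * w % Q, p) % p % Q == r

def lll(basis, delta=Fraction(3, 4)):
    # Textbook LLL (Cohen, Alg. 2.6.3) over exact rationals; fine for dimension ~15.
    B, n = [[Fraction(v) for v in row] for row in basis], len(basis)
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))
    Bs, N, mu = [], [], [[Fraction(0)] * n for _ in range(n)]   # Gram-Schmidt data
    for i in range(n):
        for j in range(i): mu[i][j] = dot(B[i], Bs[j]) / N[j]
        v = [a - sum(mu[i][j] * Bs[j][c] for j in range(i)) for c, a in enumerate(B[i])]
        Bs.append(v); N.append(dot(v, v))
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size-reduce b_k against b_j
            c = round(mu[k][j])
            if c:
                B[k] = [a - c * b for a, b in zip(B[k], B[j])]
                for i in range(j + 1): mu[k][i] -= c * (mu[j][i] if i < j else 1)
        m = mu[k][k - 1]
        if N[k] >= (delta - m * m) * N[k - 1]:   # Lovasz condition holds
            k += 1
            continue
        bn = N[k] + m * m * N[k - 1]             # swap b_k, b_{k-1} and fix up mu, N
        mu[k][k - 1] = m * N[k - 1] / bn
        N[k], N[k - 1] = N[k - 1] * N[k] / bn, bn
        B[k], B[k - 1] = B[k - 1], B[k]
        for j in range(k - 1): mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
        for i in range(k + 1, n):
            t = mu[i][k]
            mu[i][k] = mu[i][k - 1] - m * t
            mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]
        k = max(k - 1, 1)
    return [[int(v) for v in row] for row in B]

def recover_key(sigs, y, p, g):
    # Each signature gives k_i = t_i*x + u_i (mod Q), t_i = r_i/s_i, u_i = h_i/s_i, with
    # 0 < k_i < K_BOUND: a hidden number problem.  The lattice below (scaled by Q so it
    # is integral) contains the short vector (Q*k_1, ..., Q*k_d, K_BOUND*x, Q*K_BOUND).
    d = len(sigs)
    T = [r * pow(s, -1, Q) % Q for _, r, s in sigs]
    U = [h * pow(s, -1, Q) % Q for h, _, s in sigs]
    B = [[Q * Q if i == j else 0 for j in range(d + 2)] for i in range(d)]
    B.append([Q * t for t in T] + [K_BOUND, 0])
    B.append([Q * u for u in U] + [0, Q * K_BOUND])
    for row in lll(B):
        m = row[-1] // (Q * K_BOUND)             # nonzero only for multiples of the target
        if m and row[d] % (m * K_BOUND) == 0:
            x = row[d] // (m * K_BOUND) % Q
            if pow(g, x, p) == y: return x       # confirm against the public key
    return None

def demo(n_sigs=12):
    # Key generation, n_sigs leaky signatures, then recovery from the signatures and
    # public key alone.  Returns (true private key, recovered private key).
    p, g = dsa_params()
    x = rng.randrange(1, Q)
    y = pow(g, x, p)
    sigs = [sign(b"message %d" % i, x, p, g) for i in range(n_sigs)]
    assert all(verify(h, r, s, y, p, g) for h, r, s in sigs)
    return x, recover_key(sigs, y, p, g)
```

Only the public key and the signatures reach `recover_key`; the candidate is confirmed against y = g^x mod p, never against the secret. Known nonzero top bits are handled by subtracting the known part from u_i before building the same lattice; known low bits by first multiplying t_i and the adjusted u_i by the inverse of the corresponding power of two modulo q. The practical lesson is the abstract's closing one: the nonce must be uniform over [1, q-1] (or derived deterministically as in RFC 6979), because even a small, consistent bias across a handful of signatures is enough.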
Proceedings of the 2017 International Conference on Education and Technology (2017 ICEduTech), 2018
Authenticity of access to information is very important in the current era of Internet-based technology. There are many ways to secure information from irresponsible parties and their various security attacks; techniques that can be used to defend against such parties include steganography, cryptography and digital signatures. Digital signatures can be one solution, in which the authenticity of a message is verified to prove that the received message is the original message without any change. Ong-Schnorr-Shamir is the algorithm used in this research, and the experiments are performed on its digital signature scheme and its hidden channel scheme.