Is it possible to generate a new valid signature for some arbitrary message using DSA if we know existing signatures for the same message? We are an adversary, therefore we do not hold the private key, but we have access to a couple of signatures for the same message, say $(r_1, s_1)$, $(r_2, s_2)$.
1 Answers
4
As far as we know, no, it's not possible to generate a new valid DSA signature from existing ones (for a given public key), even for an already signed (known) message (assuming a secure choice of parameters and hash). DSA is believed secure under sEF-CMA. But I don't know a proof of that.
ECDSA is EF-CMA, but not sEF-CMA: we can turn a signature $(r,s)$ into $(r,n-s)$ which is a different signature valid for the same message. When that's an issue, it can be fixed by forcing $s$ to be in $[1,n/2)$, or forcing $s$ to be even in $[1,n)$.
fgrieu