
I was recently asked whether a certain library supports the ECDSAwithNone signature algorithm. Clearly this would mean ECDSA with the identity function as the hash function. I know this is a really bad idea. And I also know that there's a trivial attack if two messages have the same prefix, as the "hash" gets truncated to the first q bits (q being the bitlength of the order of the curve).

However I wanted to know: What are the "worst" possible attack(s) against this signature scheme?

The worst attack is hereby defined to be the attack that needs the least known or chosen signatures while being executable in a reasonable amount of time.

SEJPM

1 Answer

There is a way to generate forgeries for (EC)DSA when the hash function is not one-way:

  • Let $n$ be the order of the group, $P$ a generator, and $Q = aP$ for some secret $a$;
  • Pick arbitrary $\alpha$ and $\beta$ $\in \{0, \dotsc, n\}$;
  • $r = x \bmod n$, where $(x, y) = \alpha P + \beta Q$;
  • $s = r \beta^{-1} \bmod n$;
  • $h = s \alpha \bmod n$;
  • Invert $H(h)$ to get $m$. Since we are using the identity function here, $m = h$.

You can verify that $(h s^{-1}) P + (r s^{-1}) Q = (\alpha P + \beta Q)$, whose $x$ coordinate is precisely $r$. Therefore this is indeed a valid signature.

Samuel Neves
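The forgery the answer describes, carried out end to end as an added worked example (this is not code from the original answer, and it is not any library's implementation). It uses a minimal pure-Python ECDSA over secp256k1 (standard domain parameters) and models "ECDSAwithNone" by the assumption that the message integer itself, reduced mod $n$, plays the role of $H(m)$; the private key, nonce and the scalars $\alpha$, $\beta$ are constructed values. The same $(r, s)$ is then re-checked under a SHA-256 variant to show where one-wayness breaks the attack.

```python
# Added example (not from the original answer): the (EC)DSA forgery for a
# non-one-way hash, run against a toy ECDSA over secp256k1 whose "hash" is the
# identity function (e = m mod n), then re-checked under SHA-256.
# Requires Python 3.8+ (pow(x, -1, m) computes modular inverses).
import hashlib

# secp256k1 domain parameters (standard constants)
P_MOD = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + B over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def sign(d, e, k):
    """Honest ECDSA signing of the reduced message integer e with nonce k."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s


def verify(Q, e, r, s):
    """Standard ECDSA verification on the reduced message integer e."""
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, Q))
    return pt is not INF and pt[0] % N == r


def e_identity(m):
    """'ECDSAwithNone' as modelled here: the message integer mod n is the 'hash'."""
    return m % N


def e_sha256(msg_bytes):
    """Conventional ECDSA: e is the SHA-256 digest (256 bits, matching bitlen(n))."""
    return int.from_bytes(hashlib.sha256(msg_bytes).digest(), "big")


def forge(Q, alpha, beta):
    """The answer's construction: from the public key Q and two chosen scalars,
    produce (h, r, s) that verify when the hash is the identity function.
    Verification computes h*s^-1 = alpha and r*s^-1 = beta, so it recomputes
    alpha*G + beta*Q, whose x coordinate is r by construction."""
    pt = ec_add(ec_mul(alpha, G), ec_mul(beta, Q))
    if pt is INF:
        raise ValueError("alpha*G + beta*Q is the point at infinity; pick other scalars")
    r = pt[0] % N
    s = r * pow(beta, -1, N) % N
    h = s * alpha % N
    if r == 0 or s == 0:
        raise ValueError("degenerate (alpha, beta); pick other values")
    return h, r, s


def demo():
    d = 0x1F2E3D4C5B6A79880123456789ABCDEF0FEDCBA9876543210  # constructed private key
    Q = ec_mul(d, G)

    # Honest signature under the identity "hash" verifies, as expected.
    m = 0xCAFE
    r, s = sign(d, e_identity(m), k=0x5EED5EED5EED)
    honest_ok = verify(Q, e_identity(m), r, s)

    # Forgery: no private key and zero known signatures, only Q and two scalars.
    h, r2, s2 = forge(Q, alpha=0x1234567890ABCDEF, beta=0xFEDCBA0987654321)
    forged_ok = verify(Q, e_identity(h), r2, s2)

    # Same (r2, s2) under a real hash: the forger holds h but would need a
    # preimage m with SHA-256(m) == h. Using the bytes of h as the message fails.
    forged_ok_sha = verify(Q, e_sha256(h.to_bytes(32, "big")), r2, s2)
    return honest_ok, forged_ok, forged_ok_sha
```

Two things the run makes concrete. First, `forge` consumes no signatures at all, only the public key, so by the question's own metric this is as bad as it gets: an existential forgery with zero known or chosen signatures. Second, the forged "message" $h$ is a random-looking residue the attacker does not control; the scheme is rescued exactly by requiring a preimage-resistant hash whose output covers the bit length of $n$, which is what a library should enforce instead of offering an ECDSAwithNone mode.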