Ernest F. Brickell

Design Validations for Discrete Logarithm Based Signature Schemes

A number of signature schemes and standards have been recently designed, based on the Discrete Logarithm problem. In this paper we conduct design validation of such schemes while trying to minimize the use of ideal hash functions. We consider several Discrete Logarithm (DSA-like) signatures abstracted as generic schemes. We show that the following holds: “if the schemes can be broken by an existential forgery using an adaptively chosen-message attack then either the discrete logarithm problem can be solved, or some hash function can be distinguished from an ideal one, or multi-collisions can be found.” Thus, for these signature schemes, either they are equivalent to the discrete logarithm problem or there is an attack that takes advantage of properties which are not desired (or expected) in strong practical hash functions (SHA-1 or whichever high quality cryptographic hash function is used). What is interesting is that the schemes we discuss include KCDSA and slight variations of DSA.

Sharing Block Ciphers

Threshold cryptosystems use algebraic properties such as homomorphisms in order to allow several parties to jointly evaluate a cryptographic primitive. Several cryptographic primitives, however, avoid -by definition- the use of algebraic properties, or otherwise their security is compromised; this is the case, for instance, of block ciphers, pseudo-random functions, and pseudo-random permutations. Is it then impossible to construct a threshold cryptosystem in order to share the computation of a block cipher ?