Attacks on ECDSA
Learn about attacks on ECDSA and their categories in this lesson.
The security of ECDSA is vital to assure the integrity of any ECC signature-based system. An adversary who launches an attack against Alice aims to obtain, without authorization, a valid signature on a single message. Such attacks fall into three categories:
- Attacks on the ECDLP.
- Attacks on the hash function employed.
- Attacks on the ephemeral key.
In the following sections, we describe these attacks in more detail.
Attacks on the ECDLP
This type of attack aims to derive the private key from Alice’s domain parameters and her public key, which is equivalent to solving the ECDLP. We outlined the possible attacks in this lesson. An adversary who successfully obtains Alice’s private key can subsequently forge her signature on any message of their own choice.
Attacks on the hash function employed
An attack against ECDSA can be successfully launched if the underlying hash function isn’t preimage resistant or collision-resistant (see this definition). Hankerson et al. (2006) give the following strategy to forge a signature if isn’t preimage resistant: Eve arbitrarily selects an integer and computes . Then, she computes . In the last step, she sets and computes . Since isn’t preimage resistant, Eve is able to find a message such that . Now, is a valid signature for and a public key .
Reference: Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer Professional Computing. Springer, New York, 2006.
Proof
In accordance with Algorithm 3, we omit step 1 but compute and then in step 3. Then, we skip step 4, set and compute in step 5. Hence, we obtain the signature . Now, we claim that we find such that , since isn’t preimage resistant.
Now, the following happens during the ECDSA signature verification (Algorithm 4):
and $u_2 = r w = r s^{-1}$.
Since and , it follows that
thus and therefore .
- Insufficient collision resistance of the employed hash function would undermine the non-repudiation of the signature on a message . If the underlying hash function isn’t collision-resistant, an adversary may thus be able to repudiate signatures by adopting the following strategy: they first generate two different messages, and , such that . Since the signature generation algorithm uses (see step 5 of Algorithm 3), every valid signature for is also a valid signature for . Therefore, the adversary can sign message but later claim to have signed the message .
Attacks on the ephemeral key
Subtracting (1) from (2) gives
and hence
Thus, if the ephemeral key is used twice, the adversary can determine and then recover the private key . Consequently, must be generated freshly and at random for each message to be signed.