The Security of DSA and ECDSA

DSA and ECDSA are well established standards for digital signature based on the discrete logarithm problem. In this paper we survey known properties, certification issues regarding the public parameters, and security proofs. ECDSA also includes a standard certification scheme for elliptic curve which is assumed to guarantee that the elliptic curve was randomly selected, preventing from any potential malicious choice. In this paper we show how to bypass this scheme and certify any elliptic curve in characteristic two. The prime field case is also studied. Although this does not lead to any attack at this time since all possible malicious choices which are known at this time are specifically checked, this demonstrates that some part of the standard is not well designed. We finally propose a tweak. DSA was published in 1994 following a long dynasty of digital signature schemes based on the ElGamal scheme [10, 11, 12]. Since then an extensive literature addressed security analysis, performances, and variants. Among the famous variants ECDSA was proposed in 1998. In this paper we aim to survey dedicated attacks and provable security. We also address the parameter validation issue. In particular we show that we may be able to maliciously choose an elliptic curve for ECDSA despite the standard validation scheme.