Evaluation Report on the ECDSA signature scheme

This document is an evaluation of the ECDSA signature scheme. Our work is based on the analysis of various documents [1, 32, 10, 11], which provide the specification of the scheme, as well as on various research papers related to the scheme. Among these research papers are the original work of Poincheval and Stern [33, 34] investigating the security of El Gamal-like signatures, and the series of papers related to the so-called generic model [29, 45, 27, 6]. Of particular interest to the present report is [6], which applies the generic model to argue towards the security of ECDSA. The present report is organized as follows: firstly, we briefly review the cryptographic primitive on which the signature scheme relies, namely the discrete logarithm problem on elliptic curves (ECDL), and analyze the various algorithms that are currently known to solve the problem. We specifically address the case of curves of special form, since some of the recommended examples proposed in the standard [11] are Koblitz curves. Next, we give formal definitions for signature schemes and recall the strongest security notion that is now mandatory for signature schemes: security against existential forgery under adaptive chosen-message attacks. We also provide a short history of the various signature schemes based on the discrete logarithm problem, and of the various strategies used to support their security: the random oracle model and the generic model. This allows us to prove the security of the generic version of ECDSA, against adaptive chosen-message attacks. We finally analyze the meaning of this proof, with respect to the actual ECDSA signature scheme. In particular, we discuss whether one can derive practical implications, notably in terms of key sizes. This is as requested by IPA.