In the ordinary security model for signature schemes, we consider an adversary that may forge a signature on a new message using only his knowledge of other valid message and signature pairs. To take into account side channel attacks such as tampering or faultinjection attacks, Bellare and Kohno (Eurocrypt 2003) formalized relatedkey attacks (RKA), where stronger adversaries are considered. In RKA for signature schemes, the adversary can also manipulate the signing key and obtain signatures for the modified key. This paper considers RKA security of two established signature schemes: the Schnorr signature scheme and (a well-known variant of) DSA. First, we show that these signature schemes are secure against a weak notion of RKA. Second, we demonstrate that, on the other hand, neither the Schnorr signature scheme nor DSA achieves the standard notion of RKA security, by showing concrete attacks on these. Lastly, we show that a slight modification of both the Schnorr signature scheme and (the considered variant of) DSA yields fully RKA secure schemes.
CITATION STYLE
Morita, H., Schuldt, J. C. N., Matsuda, T., Hanaoka, G., & Iwata, T. (2016). On the security of the schnorr signature scheme and DSA against related-key attacks. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9558, pp. 20–35). Springer Verlag. https://doi.org/10.1007/978-3-319-30840-1_2
Mendeley helps you to discover research relevant for your work.