Is it possible to generate a new valid signature for some arbitrary message using DSA if we know existing signatures for the same message? We are an adversary, therefore we do not hold the private key, but we have access to a couple of signatures for the same message, say $(r_1, s_1)$, $(r_2, s_2)$.

anand
  • @MaartenBodewes They said "for the same message". For ECDSA, you can output $(r, -s)$ as a valid second signature; I'm not sure if the same "feature" is present with finite field DSA. – DannyNiu Nov 14 '22 at 02:48
  • @DannyNiu That's exactly what I meant, an alternate signature for the same message. It is not a security breach either, given that the owner of the key has already signed the message. – anand Nov 14 '22 at 03:09
  • @anand, is the question also for when the message-signature pair remains valid for a new adversary generated key pair? – Marc Ilunga Nov 14 '22 at 07:11

1 Answer

As far as we know, no, it's not possible to generate a new valid DSA signature from existing ones (for a given public key), even for an already signed (known) message (assuming a secure choice of parameters and hash). DSA is believed secure under sEF-CMA. But I don't know a proof of that.

ECDSA is EF-CMA, but not sEF-CMA: we can turn a signature $(r,s)$ into $(r,n-s)$ which is a different signature valid for the same message. When that's an issue, it can be fixed by forcing $s$ to be in $[1,n/2)$, or forcing $s$ to be even in $[1,n)$.

fgrieu
  • Thanks for the answer. I now understand that a better phrasing for my question could have been - "Is DSA secure under sEF-CMA/Does DSA satisfy sUF-CMA?" – anand Nov 14 '22 at 18:35