The Elliptic Curve Digital Signature Algorithm (ECDSA)

The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard and in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues.
