ond limitation is that the forgery is a domain parameter attack. Usually, a trusted third-party authority generates and distributes domain parameters, including $G$. The attack presumes a corrupt authority. Note that a verifiably random generation of $G$, which the revision of [ANSI X9.62] will allow, prevents this attack without relying on the implementer to check that $r \neq 0$.

Rarely Zero Hash: If the effective hash function, which is the raw hash truncated and reduced modulo $q$, has probability $p$ of equalling 0, then passive selective forgery is possible, as follows. The forger chooses signature $(r, s) = (f([t]Y), t^{-1} r)$, for some $t \in \mathbb{Z}$. If the selected message is a zero of the hash, which happens with probability $p$, then the forged signature is valid because

$$f([s^{-1}]([H(m)]G + [r]Y)) = f([t r^{-1}]([0]G + [r]Y)) = f([t]Y) = r.$$

This and other conditions on the hash function refer to the effective hash function. This qualification is important for the security analysis because the reduction modulo $q$ might cause the condition to fail if $q$ was chosen by an adversary. If the adversary chose the elliptic curve domain parameters, then it is possible that $q$ was chosen as the output, or the difference between two outputs, of the unreduced hash function, which would permit the adversary to find a zero or a collision in the effective (reduced) hash function.

Notice that clustering at values other than zero does not necessarily lead to a passive existential forgery. It can lead to other kinds of attacks, as outlined below, because clustering at certain values can lead to weakened second-preimage resistance of the hash function.

Zero-Resistant Hash: A zero finder of a hash function is a probabilistic algorithm that finds a message $m$ such that $H(m) = 0$. A hash function is zero-resistant if no zero finder exists. A passive existential forger can be constructed from a zero finder in a similar manner to above. The forger chooses signature $(r, s) = (f([t]Y), t^{-1} r)$ and, using the zero finder, finds a message $m$ such that $H(m) = 0$. Then $(r, s)$ is a valid signature on $m$. Note that the forger is only existential because the forger has no control on the $m$ found by the zero finder.

A zero-resistant hash function is clearly rarely zero. The converse is false: a rarely zero hash function can fail to be zero-resistant. Note that this strict separation of the properties is also reflected in the types of forgery they relate to, so it is important to consider both properties in a security analysis.

A special case of this attack was first described by Vaudenay [331] as a domain parameter attack on DSA, where the zero is found by choosing $q$ for $m$ such that $H(m) \equiv 0 \pmod{q}$.

First-Preimage Resistant (One-Way) Hash: An inverter of a hash function is a probabilistic algorithm that, if given a random hash value $e$, finds a message $m$ such that $H(m) = e$. An inverter can be used to build a passive existential forger using a technique similar to that for a zero finder. The forged signature is $(r, s) = (f([g]G + [y]Y), r y^{-1})$, and the forged message $m$ is a preimage of $e = gs$. The forger is existential, not selective, because the forger has no control on the $m$ found by the inverter.

If the hash function does not have an inverter, it is preimage-resistant. Such a hash is also known as a one-way hash function. We have just shown that for the signature scheme to be secure, the effective hash must be one-way. Preimage and zero-resistance are essentially independent properties of hashes. In particular, both properties are necessary to resist passive existential forgery.
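The two passive forgeries above (the zero-hash signature under "Rarely Zero Hash" and the inverter signature under "First-Preimage Resistant Hash") can be checked against an ordinary ECDSA verifier. The following Python sketch is an added example, not code from the original text; the toy curve, the public key and the function names are constructed for illustration, and the verifier takes the effective hash value $e$ directly so that no real hash function is involved.

```python
# Constructed toy parameters: y^2 = x^3 + 2x + 2 over F_17, G of prime order q = 19.
P, A, Q, G = 17, 2, 19, (5, 1)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    acc = None
    for bit in bin(k % Q)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def f(pt):
    """Conversion function: x-coordinate reduced modulo q."""
    return pt[0] % Q

def verify(e, r, s, Y):
    """ECDSA verification on effective hash value e = H(m)."""
    if not (0 < r < Q and 0 < s < Q):   # the r != 0 check lives here
        return False
    w = pow(s, -1, Q)
    R = add(mul(e * w, G), mul(r * w, Y))
    return R is not None and f(R) == r

def zero_hash_forgery(t, Y):
    """(r, s) = (f([t]Y), t^-1 r), valid for any message with H(m) = 0."""
    r = f(mul(t, Y))
    return r, pow(t, -1, Q) * r % Q

def inverter_forgery(g, y, Y):
    """(r, s) = (f([g]G + [y]Y), r y^-1), valid for any preimage of e = g s."""
    r = f(add(mul(g, G), mul(y, Y)))
    s = r * pow(y, -1, Q) % Q
    return r, s, g * s % Q

Y = mul(5, G)  # constructed public key; forgers never use the private scalar 5
```

Both constructions use only the public key $Y$; the signatures verify solely for the hash value each one targets, which is why the effective hash must be both zero-resistant and one-way.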

Second-Preimage Resistant Hash: A second-preimage finder of a hash function is a probabilistic algorithm that, if given a random message $m$ from a distribution $U$, finds a second message $m'$ such that $H(m') = H(m)$. A second-preimage finder can be used to build an active selective forger. The forger obtains a signature $(r, s)$ of $m'$ from the signing oracle and then outputs $(r, s)$ as a forgery of $m$. The forger is selective because it can forge a challenge message $m$, and it is active because it requires access to a signing oracle.

Note that a second-preimage finder can be constructed from a hash-inverter provided that the distribution $U$ has an image distribution $H(U)$ that covers most of the range of $H$ with sufficiently high probability. This is implied by results noted by Stinson [321]. Therefore, under these conditions, a second-preimage finder also implies the existence of a passive selective forger.

Collision-Resistant (One-Way) Hash: A collision finder of a hash function is a probabilistic algorithm that finds two messages $m$ and $m'$ such that $H(m') = H(m)$. A collision finder results in an active existential forger as follows. The forger obtains a signature $(r, s)$ of $m'$ from the signing oracle and then outputs $(r, s)$ as a forgery of $m$, where $m$ and $m'$ have been obtained from the collision finder. This forger is existential because it has no control over the messages $m$ and $m'$ found by the collision finder, and it is active because it queries a signing oracle.

Note that a collision finder can be constructed from a second-preimage finder, provided that the distribution $U$ is easy to sample. Also, generally, a collision finder can be constructed from a zero finder, unless the zero finder always outputs one particular zero of the hash function.

II.2.3. Extra Conditions and Models for Sufficiency. The conditions and models discussed below are used in the hypotheses of various provable security results for ECDSA. These conditions and models are not known to be necessary for the security of ECDSA. As such, they represent the other

II.2. DEFINITIONS AND CONDITIONS 29