It is known that DSA admits universal forgery under assumption that the Attacker can solve the equation $x\equiv R^x\pmod p.$ Are there any other protocols admitting universal forgery based on non-trivial mathematical problem?
Asked
Active
Viewed 245 times
1 Answers
2
Elliptic Curve Digital Signature Algorithm admits universal forgery if the Attacker can solve the equation $$z=\frac{\psi_{k-1}(x,y)\psi_{k+1}(x,y)}{\psi_{k}(x,y)^2},$$ where $k$ is unknown, $\psi_{k}(x,y)$ are Division polynomials and $(x,y)$ are the coordinates of a point $P$ on the elliptic curve $ E:y^{2}=x^{3}+Ax+B$. This UF is based on the formula for the coordinates of the nth multiple of $ P(x,y)$: $$kP=\left(x-\frac{\psi_{k-1}(x,y)\psi_{k+1}(x,y)}{\psi_{k}(x,y)^2},\ldots\right).$$
The question Elliptic curve sequences needed for universal forgery about hardness of this UF was asked at MathOverflow separately.
Alexey Ustinov
- 568
- 9
- 24