
According to the walkthrough steps for ECDSA from Wikipedia, as shown below, what is the impact if we don't apply the hashing function (highlighted in blue in the image) to the raw messages?

Although this sounds a bit silly, let's say we have test cases both with and without the SHA256 engine, like below.

Hex Message (256 bits): "0123456789012345678901234567890123456789012345678901234567890123"

Hex Message after SHA256 (256 bits): "9674d9e078535b7cec43284387a6ee39956188e735a85452b0050b55341cda56"

Can anyone explain what the problems are with the first Hex Message if I proceed with it to the subsequent ECDSA signing flow?

Just assume Alice signed the raw message in this case?


Pi-Turn

2 Answers


If the only change you make is removing the hashing step, things certainly fall apart. Using the description from Wikipedia you used in your question, this would mean replacing the first step with $e := m$ and then continuing with the rest of the steps unchanged.

The second step would then define $z$ as the $L_n$ leftmost bits of $m$. Thus, any messages that differ only in bits further to the right than $L_n$ would immediately collide and thus allow for trivial forgeries.

If you further modify the signature scheme to exclude this type of forgery, e.g. by restricting the message length, Yehuda's answer applies.

Maeher

The truthful answer here is that I don't know. I am pretty sure actually that the better answer is that this is unknown. The assumption that the hash is only required for collision resistance is blatantly false, since typically one needs a random oracle for such schemes. In ECDSA specifically, we don't actually have a proof of security even with a random oracle, so it's even worse. However, given that it's been around for so many years, its security is essentially a well-accepted assumption. However, as soon as you change something, and not hashing the message is certainly changing something, then it falls apart.

Yehuda Lindell