Additively related keys for signature: security models and results for Schnorr, GOST, ECDSA, and SM2

A. A. Babueva^a, S. N. Kyazhin<sup>ba

a</sup> Crypto-Pro LLC, Moscow
^b National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), Moscow

Abstract: We answer the question of how secure are the Schnorr, GOST, ECDSA, and SM2 signature schemes when using additively related keys. We systematize the known results and supplement them with new ones (including the detected mistakes in the security proofs for SM2). There are 8 related key security models for signature schemes. So, for 4 signature schemes there are 32 questions about the security of a particular scheme in a particular model. The known results provide answers to 13 questions, our results provide answers to 13 more questions. In particular, all 8 questions for the GOST scheme are answered: security has been proven for 4 models (if forgery for a new message is relevant), attacks exist for the other 4 models (if forgery for an arbitrary message is relevant).

Key words: related keys, schnorr signature, elGamal signature, gOST signature, eCDSA signature, sM2 signature, bIP32.

UDC: 519.719.2

Received 27.XII.2024

Language: English

DOI: 10.4213/mvk504