
Responses To NIST's Proposal

R. Rivest, M. Hellman, J. Anderson, J. Lyons
Published 1992 · Computer Science

The U.S. Government agency NIST has recently proposed a public key digital signature standard [3, 4]. Although the proposal is nominally only "for government use," such a proposal, if adopted, would likely have an effect on commercial cryptography as well. In this note I review and comment on NIST's proposal.

Positive Aspects

The following positive aspects of the proposal are worth noting:

• The U.S. government has finally recognized the utility of public key cryptography.
• The proposal is based on reasonably familiar number-theoretic concepts, and is a variant of the ElGamal [1] and Schnorr [5] schemes.
• Signatures are relatively short (only 320 bits).
• When signing, the computation of r can be done before the message m is available, in a "precomputation" step.

Problems with the Proposed DSS

DSS is different from the de facto public key standard (RSA). Two-thirds of the U.S. computer industry is already using RSA, among others. These companies are using industry-developed interoperable standards, the Public Key Cryptography Standards (PKCS) [2]. Moreover, DSS is not compatible with existing international standards. International standards organizations such as ISO, CCITT, and SWIFT, as well as other organizations (such as the Internet), have accepted RSA as a standard. DSS is not compatible with ISO 9796, the most widely accepted international digital signature standard. Adopting DSS would create a double standard, causing difficulties for U.S. industry, which would have to maintain both DSS (for domestic or U.S. government use) and RSA (for international use).

DSS also has patent problems. Users of the NIST proposal may be infringing one or more patents. Claus Schnorr claims that DSS infringes his U.S. patent #4,995,082, and Public Key Partners (PKP) asserts that DSS infringes U.S. patents #4,200,770 and #4,218,582. NIST does not give a firm opinion on this matter, and has not made licensing arrangements with either Schnorr or PKP. This leaves potential users of the NIST proposal vulnerable. To add to the patent confusion, NIST says it has filed for a patent on DSS, a move that has no obvious justification. NIST has not stated why it has filed for a patent. The only motivation I can imagine is that NIST may wish to force users, via licensing requirements, to use key sizes shorter than they might naturally wish to use. (See my discussion of weak cryptography.)

DSS has engineering problems; it's buggy. The verification process can blow up due to division by zero when s …
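The division-by-zero point, as an added example that is not part of Rivest's note or of the NIST draft: a toy DSA-style signer with two verifiers, using constructed parameters p=23, q=11, g=4 and a byte-sum stand-in for the hash (far too small to be secure). DSA verification computes w = s^-1 mod q, so a signature with s = 0 makes a verifier that inverts unconditionally fail outright instead of rejecting; the hardened verifier range-checks r and s first, and the signer redraws its nonce whenever either comes out zero, which is what the published FIPS 186 requires.

```python
import secrets

# Toy DSA-style domain parameters, constructed for illustration only (real DSA
# uses a 1024-bit or larger p): q divides p-1 and g = 2^((p-1)/q) mod p has order q.
P, Q, G = 23, 11, 4

def toy_hash(msg: bytes) -> int:
    """Constructed stand-in for the standard's SHA digest reduced mod q."""
    return sum(msg) % Q

def keygen(x: int):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    assert 0 < x < Q
    return x, pow(G, x, P)

def sign_with_k(x: int, msg: bytes, k: int):
    """One signing step with a fixed nonce k: r = (g^k mod p) mod q and
    s = k^-1 (H(m) + x r) mod q. Nothing here prevents r == 0 or s == 0."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (toy_hash(msg) + x * r) % Q
    return r, s

def sign(x: int, msg: bytes):
    """FIPS 186-style signing: draw a fresh nonce until both r and s are nonzero."""
    while True:
        r, s = sign_with_k(x, msg, secrets.randbelow(Q - 1) + 1)
        if r != 0 and s != 0:
            return r, s

def verify_naive(y: int, msg: bytes, sig) -> bool:
    """Verifier that computes w = s^-1 mod q unconditionally, as the draft did."""
    r, s = sig
    w = pow(s, -1, Q)  # raises ValueError when s == 0: zero has no inverse mod q
    u1 = toy_hash(msg) * w % Q
    u2 = r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r

def verify(y: int, msg: bytes, sig) -> bool:
    """Hardened verifier: range-check r and s before the inverse is ever taken."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    return verify_naive(y, msg, sig)

if __name__ == "__main__":
    x, y = keygen(3)
    print(sign_with_k(x, b"ok", 7))          # (8, 0): a zero s the draft verifier cannot handle
    print(verify(y, b"ok", (8, 0)))          # False: rejected, no exception
    print(verify(y, b"ok", sign(x, b"ok")))  # True: nonce redrawn until r, s != 0
```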