
Responses To NIST's Proposal

R. Rivest, M. Hellman, J. Anderson, J. Lyons
Published 1992 · Computer Science

The U.S. Government agency NIST has recently proposed a public key digital signature standard [3, 4]. Although the proposal is nominally only "for government use", such a proposal, if adopted, would likely have an effect on commercial cryptography as well. In this note I review and comment on NIST's proposal.

Positive Aspects

The following positive aspects of the proposal are worth noting:
• The U.S. government has finally recognized the utility of public key cryptography.
• The proposal is based on reasonably familiar number-theoretic concepts, and is a variant of the ElGamal [1] and Schnorr [5] schemes.
• Signatures are relatively short (only 320 bits).
• When signing, computation of r can be done before the message m is available, in a "precomputation" step.

Problems with the Proposed DSS

DSS is different from the de facto public key standard (RSA). Two-thirds of the U.S. computer industry is already using RSA, among others. These companies are using industry-developed interoperable standards, the public key cryptography standard (PKCS) [2]. Moreover, DSS is not compatible with existing international standards. International standards organizations such as ISO, CCITT, and SWIFT, as well as other organizations (such as the Internet), have accepted RSA as a standard. DSS is not compatible with ISO 9796, the most widely accepted international digital signature standard. Adopting DSS would create a double standard, causing difficulties for U.S. industry, which would have to maintain both DSS (for domestic or U.S. government use) and RSA (for international use).

DSS also has patent problems. Users of the NIST proposal may be infringing one or more patents. Claus Schnorr claims that DSS infringes his U.S. patent #4,995,082, and Public Key Partners (PKP) asserts that DSS infringes U.S. patents #4,200,770 and #4,218,582. NIST does not give a firm opinion on this matter, and has not made licensing arrangements with either Schnorr or PKP. This leaves potential users of the NIST proposal vulnerable. To add to the patent confusion, NIST says it has filed for a patent on DSS, a move that has no obvious justification. NIST has not stated why it has filed for a patent. The only motivation I can imagine is that NIST may wish to force users, via licensing requirements, to use key sizes shorter than they might naturally wish to use. (See my discussion of weak cryptography.)

DSS has engineering problems; it's buggy. The verification process can blow up due to division by zero when s …

This paper is referenced by
Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations
Guilhem Castagnos (2019)
2PAKEP: Provably Secure and Efficient Two-Party Authenticated Key Exchange Protocol for Mobile Environment
Kisung Park (2018)
Generic Groups, Collision Resistance, and ECDSA
D. L. Brown (2002)
Der "Digital Signature Standard": Aufwand, Implementierung und Sicherheit
D. Fox (1993)
Viewpoint: A breach of the social contract
Peter Likins (1992)
AKM-IoV: Authenticated Key Management Protocol in Fog Computing-Based Internet of Vehicles Deployment
M. Wazid (2019)
Convertible Multi-authenticated Encryption Scheme for Data Communication
Hui-Feng Huang (2015)
Authenticated public-key encryption based on elliptic curve
Y. Han (2005)
Improvement of an Authenticated Key Agreement Protocol
Y. Zhang (2007)
Security in signalling and digital signatures
Saw Sandra Roijakkers (1993)
Advances in Cryptology — CRYPTO '95
D. Coppersmith (1995)
A Study on the Proposed Korean Digital Signature Algorithm
C. H. Lim (1998)
SEC 1: Elliptic Curve Cryptography
S. Blake-Wilson (1999)
New Signcryption Schemes Based on KCDSA
Dae Hyun Yum (2001)
A Key Escrow System with Warrant Bounds
Arjen K. Lenstra (1995)
Attacking OpenSSL ECDSA with a small amount of side-channel information
W. Wang (2016)
A Review of Distributed Dynamic Key Management Schemes in Wireless Sensor Networks
S. R. Nabavi (2018)
Proxy-Protected Proxy Multi-Signature Based on Elliptic Curve
Manoj Kumar Chande (2014)
A first look at the usability of bitcoin key management
Shayan Eskandari (2018)
A Novel Cluster-based Key Management Scheme to Improve Scalability in Wireless Sensor Networks
Seyed Reza Nabavi (2016)
Security of IEEE 802.16 in Mesh Mode
Yun Zhou (2006)
Internationale Standardisierung für Informationssicherheit
K. Vedder (1994)
Implementation of fast RSA key generation on smart cards
Chenghuai Lu (2002)
To tap or not to tap
D. Denning (1993)
Proxy Provable Data Possession with General Access Structure in Public Clouds
Huaqun Wang (2015)
Security in Internet of Things
Y. Song (2013)
Surnaming Schemes, Fast Verification, and Applications to SGX Technology
D. Boneh (2017)
ACM forum
Diane Crawford (1992)
The Korean certificate-based digital signature algorithm
C. H. Lim (1999)
Key Management Integrated with Intrusion Detection in Wireless Sensor Networks
Xing Zhang (2009)
Analysis of Security Protocols for Mobile Healthcare
M. Wazid (2016)
Attacking OpenSSL Implementation of ECDSA with a Few Signatures
S. Fan (2016)
Some data provided by Semantic Scholar