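Abstract: Against the background of the State Cryptography Administration's public call for next-generation commercial-cryptography public-key algorithm standards, this paper compares and analyzes, in terms of efficiency and security, the seven digital signature standards in ISO/IEC 14888-3 and the Chinese national SM2 standard, all of which are based on the discrete logarithm problem (DLP) or the elliptic curve DLP. The results show that the Digital Signature Algorithm (DSA) is a combination of the Schnorr and ElGamal signature algorithms, is widely used, has now developed into EC-DSA, and offers higher security than SM2. The Pointcheval/Vaudenay algorithm is provably secure, KCDSA and EC-KCDSA are relatively high in both efficiency and security, and EC-RDSA and EC-GDSA have faster signature generation. An attack on EC-RDSA is given, proving that it is not strongly existentially unforgeable under adaptive chosen-message attack. These results can serve as a reference for the design and formulation of China's next-generation commercial-cryptography public-key algorithm standards.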
Keywords:
discrete logarithm problem,
elliptic curve discrete logarithm problem,
digital signature standard,
random oracle model,
SM2 algorithm
Abstract: As the Chinese state encryption administration is seeking the next generation of Digital Signature Standard (DSS), this paper analyzes and compares seven DSSs listed in ISO/IEC 14888-3 and SM2, which are based on the Discrete Logarithm Problem (DLP) or the Elliptic Curve Discrete Logarithm Problem (ECDLP). Results show that the widely used Digital Signature Algorithm (DSA) is a combination of the Schnorr and ElGamal signature algorithms and has since developed into the Elliptic Curve Digital Signature Algorithm (EC-DSA). SM2 may be more vulnerable than EC-DSA. Moreover, the Pointcheval/Vaudenay algorithm is provably secure. The Korean Certificate-based Digital Signature Algorithm (KCDSA) and its elliptic curve version, the Elliptic Curve Korean Certificate-based Digital Signature Algorithm (EC-KCDSA), perform better in both security and efficiency. The signature algorithms of the Elliptic Curve Russian Digital Signature Algorithm (EC-RDSA) and the Elliptic Curve German Digital Signature Algorithm (EC-GDSA) are faster. It is worth noting that an attack against EC-RDSA is proposed, implying that EC-RDSA is not strongly existentially unforgeable under the adaptive chosen-message attack. The comparative results are helpful for research on, as well as for the finalization of, the next generation of DSS.
Key words:
Discrete Logarithm Problem (DLP),
Elliptic Curve Discrete Logarithm Problem (ECDLP),
Digital Signature Standard (DSS),
Random Oracle Model (ROM),
SM2 algorithm
FENG Zeyu (冯泽宇), GONG Boru (巩博儒), ZHAO Yunlei (赵运磊). Comparative Study of Digital Signature Standards Based on Discrete Logarithm[J]. Computer Engineering (计算机工程).