[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-43005-en":3,"doc-seo-43005-105":29,"detail-sidebar-cat-0-en-105":90},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":4,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},43005,4810365810221,"Aurora","https://ap-avatar.wpscdn.com/davatar_155a257f0dc6eb9ab79c44ca47cae57d",8,"Research & Report","Extremely Simple (Almost) Fail-Stop ECDSA Signatures","Fail-stop signatures enable a signer to prove that a specific forged signature is indeed a forgery, after which the system can be halted. This work presents a new simple ECDSA fail-stop signature scheme based on the minimal assumption that a quantum-capable adversary cannot break the (second) preimage resistance of a cryptographically secure hash function. The scheme is as efficient as traditional ECDSA, does not restrict the number of signatures per signer, and produces signatures indistinguishable from regular ECDSA while keeping minimal overhead in signing.","Extremely Simple  \n(Almost) Fail-Stop ECDSA Signatures  \nMario Yaksetig  \nParfin  \nAbstract. Fail-stop signatures are digital signatures that allow a signer to prove that a specific forged signature is indeed a forgery. After such a proof is published, the system can be stopped.  \nWe introduce a new simple ECDSA fail-stop signature scheme. Our proposal is based on the minimal assumption that an adversary with a quantum computer is not able to break the (second) preimage resistance of a cryptographically-secure hash function. Our scheme is as efficient as traditional ECDSA, does not limit the number of signatures that a signer can produce, and relies on minimal security assumptions. Using our construction, the signer has minimal computational overhead in the signature producing phase and produces a signature indistinguishable from a‘regular’ ECDSA signature.  \nKeywords: Fail-stop signatures · Formal Methods Analysis · ECDSA.  \n1 Introduction  \nPresently, the Internet relies heavily on the Elliptic Curve Digital Signature Algorithm (ECDSA) as this signature scheme represents the backbone for the issuance of digital signatures online. This issue is even more relevant in the cryptocurrency landscape, where the majority of blockchain platforms use ECDSA to secure their transactions. Effectively, this signature scheme secures a hundreds of billions of dollars since the cryptocurrency funds of each user are secure only as long as no one can steal their funds. Therefore, strengthening the ECDSA scheme, which secures these funds, is of extreme importance.  \nIn this work, we introduce a new protocol that allows legitimate users to prove whether or not a specific signature is a forgery. This is particularly useful in a setting involving a dispute between the real user and an adversary who maliciously obtained the secret key.  \n1.1 Motivation  \nBlockchains are not designed to be easily upgraded, and such upgrades are traditionally very controversial. To cause no friction and no need for any type of hard forks, we introduce a new fail-stop variant of the ECDSA scheme that allows users to prove whether or not a signature using a specific key is legitimate  \n2 M. Yaksetig  \nor not without requiring any change to existing ECDSA verification algorithms. This is useful as it implies that smart contracts and existing wallet and node infrastructure can remain unchanged.  \nFail-stop signatures, which can detect and halt forgery attempts, represent an innovative step forward in cryptographic security. In a world where ECDSAbased cryptocurrencies face relentless security breaches leading to substantial financial losses, the integration of fail-stop signatures could provide a powerful defense. This approach significantly reduces the risk of fraudulent transactions, and enables a dispute resolution in case of a key compromise.  \n1.2 Our Contributions  \nWe introduce a very lightweight addition to the traditional ECDSA to encode quantum-secure secret key information in the nonce used to produce each ECDSA signature. This encoding allows the signer to, in an event of a dispute, selectively open the nonce used in that signature and prove whether or not a signature is well-formed. Unlike the original failstop signatures [4], our proposal does not set a limit on signatures that can be constructed using the same secret key and does not affect the signature size, which remains exactly the same asa traditional ECDSA signature. Our approach can be integrated in any ellipticcurve based digital signature scheme and also complements existing fallback designs as proposed by Chaum et al. [2,1] .  \nArguably, the most important part of our construction is that an adversary able to break the ECDLP is not able to obtain the secret preimage used to generate the nonce for any individual signature. This feature allows the real owner of the signing keys to prove that a specific signature is a forgery.  \n1.3 Fail-stop Signatures  \nFail-stop signatures operate similarly to tr","cbCaieYAEPZCLUbV","https://ap.wps.com/l/cbCaieYAEPZCLUbV","pdf",269396,1,5,"English","en",105,"# Introduction\n## Motivation\n## Our Contributions\n## Fail-stop Signatures","[{\"question\":\"What is the core idea of fail-stop signatures in this work?\",\"answer\":\"Fail-stop signatures add the ability for a signer to prove a particular signature is forged during a dispute. A judge can test the proof and reach a verdict, supporting system halting when forgery is established.\"},{\"question\":\"What security assumption does the proposed (almost) fail-stop ECDSA scheme rely on?\",\"answer\":\"The scheme relies on the minimal assumption that even an adversary with a quantum computer cannot break the (second) preimage resistance of a cryptographically secure hash function.\"},{\"question\":\"How does the scheme differ from traditional ECDSA in practice?\",\"answer\":\"It encodes quantum-secure secret-key information in the nonce for each ECDSA signature, enabling selective nonce opening in disputes. It remains efficient like traditional ECDSA, does not reduce the number of signatures a signer can produce, and keeps signature size unchanged.\"}]",1783375565,13,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":85,"head_meta":87,"extra_data":89,"updated_unix":27},"extremely-simple-almost-fail-stop-ecdsa-signatures","",{"@graph":35,"@context":84},[36,53,67],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/extremely-simple-almost-fail-stop-ecdsa-signatures/43005/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":61,"encodingFormat":60,"isAccessibleForFree":62,"interactionStatistic":63},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-06",true,{"@type":64,"interactionType":65,"userInteractionCount":4},"InteractionCounter",{"@type":66},"ViewAction",{"@type":68,"mainEntity":69},"FAQPage",[70,76,80],{"name":71,"@type":72,"acceptedAnswer":73},"What is the core idea of fail-stop signatures in this work?","Question",{"text":74,"@type":75},"Fail-stop signatures add the ability for a signer to prove a particular signature is forged during a dispute. A judge can test the proof and reach a verdict, supporting system halting when forgery is established.","Answer",{"name":77,"@type":72,"acceptedAnswer":78},"What security assumption does the proposed (almost) fail-stop ECDSA scheme rely on?",{"text":79,"@type":75},"The scheme relies on the minimal assumption that even an adversary with a quantum computer cannot break the (second) preimage resistance of a cryptographically secure hash function.",{"name":81,"@type":72,"acceptedAnswer":82},"How does the scheme differ from traditional ECDSA in practice?",{"text":83,"@type":75},"It encodes quantum-secure secret-key information in the nonce for each ECDSA signature, enabling selective nonce opening in disputes. It remains efficient like traditional ECDSA, does not reduce the number of signatures a signer can produce, and keeps signature size unchanged.","https://schema.org",{"og:url":51,"og:type":86,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":88,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":91},[92,96,100,104,108,113,118,121,126,129,133],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":93,"show_sort_weight":94,"slug":95},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":97,"show_sort_weight":98,"slug":99},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":101,"show_sort_weight":102,"slug":103},"Exam",70,"exam",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":105,"show_sort_weight":106,"slug":107},"Comic",60,"comic",{"id":109,"doc_module":4,"doc_module_name":45,"category_name":110,"show_sort_weight":111,"slug":112},6,"Technology",50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":119,"slug":120},30,"research-report",{"id":122,"doc_module":4,"doc_module_name":45,"category_name":123,"show_sort_weight":124,"slug":125},9,"Religion & Spirituality",20,"religion-spirituality",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":127,"show_sort_weight":124,"slug":128},"World Cup","world-cup",{"id":130,"doc_module":4,"doc_module_name":45,"category_name":131,"show_sort_weight":130,"slug":132},10,"Lifestyle","lifestyle",{"id":134,"doc_module":4,"doc_module_name":45,"category_name":135,"show_sort_weight":21,"slug":136},19,"General","general"]