The Digital Signature Algorithm (DSA) and the Elliptic Curve Digital Signature Algorithm (ECDSA) are described in the standards FIPS PUB 186-3 (U.S. Department of Commerce) and ANS X9.62-2005 (American National Standard for Financial Services), both of which are herein incorporated by reference in their entirety. These signature algorithms use public-key cryptography to enable the creation and verification of digital signatures on digital messages. Signatories in DSA and ECDSA possess a private key and a public key; the private key is used to generate a digital signature (i.e., to sign a message) and the public key is used by third parties to validate that signature.
DSA and ECDSA are widely deployed (e.g., in ssh, SSL/TLS, Canada Post digital postmarks, DTCP, AACS, MS-DRM) and can be used to provide data origin authentication, data integrity, and non-repudiation. However, any assurances that DSA and ECDSA signatures might provide are always subject to the assumption that a signatory's private key remains private (i.e., the private key does not leak to an attacker).
The following references provide additional background information, and are each incorporated by reference in their entirety:
[1] American National Standard for Financial Services, ANS X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), 16 Nov. 2005.
[2] D. Hankerson, A. Menezes, S. Vanstone, Guide to Elliptic Curve Cryptography, 2003.
[3] Information Technology Laboratory, National Institute of Standards and Technology, FIPS PUB 186-3, Digital Signature Standard (DSS), June 2009.
[4] Standards for Efficient Cryptography, SEC 1: Elliptic Curve Cryptography, Version 2.0, 21 May 2009.
[5] National Security Agency, NSA Suite B Cryptography, available from http://www.nsa.gov/ia/programs/suiteb_cryptography/
[6] Digital Transmission Content Protection Specification, Volume 1 (Informational Version), Revision 1.51, 1 Oct. 2007.
The signature generation operation of ECDSA and DSA is typically implemented in computer software, which is then run on a particular computing device (e.g., a cell phone, set-top box, smart card). In many applications, this operation takes place in an environment outside the signatory's control—possibly in the presence of adversaries (i.e., an adversary might observe the device as a signature is being computed).
An adversary who analyzes only the inputs and outputs of signature generation effectively treats that implementation like a black box. DSA and ECDSA were designed to resist such black box attackers. However, there is often more information available than just inputs and outputs. Additional information such as device power consumption, execution time, electromagnetic emanations, and response to data faults can give clues to an attacker about the execution of the software; it has been shown that this can leak bits of the private key and completely compromise the signature scheme.
A much more robust security model considers resistance against white box attackers. White box attackers have full visibility into the execution of the software that computes the signature. Resistance against white box attackers is a highly desired goal, but no white box implementations of DSA or ECDSA have yet been proposed.
As a concrete example of this problem, consider the DTCP protocol used to protect audio/video content. The following quotation comes from the DTCP specification, as defined in reference [6] above: