Key substitution attacks revisited: Taking into account malicious signers
Abstract
Given a signature \(s\) for some message \(m\) along with a corresponding public verification key \(y\), in a key substitution attack an attacker derives another verification key \(\overline{y} \neq y\), possibly along with a matching secret key, such that \(s\) is also a valid signature of \(m\) for the verification key \(\overline{y}\). Menezes and Smart have shown that with suitable parameter restrictions DSA and EC-DSA are immune to such attacks. Here, we show that in the presence of a malicious signer, key substitution attacks can be mounted against several signature schemes that are secure in the sense introduced by Menezes and Smart. While for EC-DSA such an attack is feasible, other established signature schemes, including EC-KCDSA, can be shown to be secure in this sense.
Keywords
Digital signature; Cryptanalysis; Key substitution
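The defining property of a key substitution attack is that one signature on one message verifies under two different public keys. The following is an added example, not code from the paper and not its EC-DSA construction: a toy Schnorr-style scheme over a small constructed subgroup (p = 2039, q = 1019, g = 4, far too small for real use) in which the verifier binds the domain parameters and the public key into the hashed challenge, so that a given (r, s) can be valid on a message for at most one key unless SHA-256 collides. The domain tag, the parameter values and the helper names are assumptions of this example.

```python
import hashlib
import secrets

# Toy domain parameters (constructed for illustration only, far too small for real use):
# p = 2q + 1 with p and q prime, and g = 4 = 2^2 generates the subgroup of order q.
P = 2039
Q = 1019
G = 4
DOMAIN_TAG = b"toy-schnorr-key-bound-v1"  # assumed tag, not from the paper


def _int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def _hash_to_scalar(*parts: bytes) -> int:
    """Hash length-prefixed byte strings to a challenge in [1, Q-1]."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return 1 + int.from_bytes(h.digest(), "big") % (Q - 1)


def keygen():
    """Secret exponent x in [1, Q-1] and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(y: int, r: int, message: bytes) -> int:
    # The check that matters against key substitution: (p, q, g) and y are part of
    # the challenge, so the same (r, s) on the same message yields a different c for
    # any other key or parameter set, and verification fails for it.
    return _hash_to_scalar(DOMAIN_TAG, _int_bytes(P), _int_bytes(Q), _int_bytes(G),
                           _int_bytes(y), _int_bytes(r), message)


def sign(x: int, y: int, message: bytes):
    k = secrets.randbelow(Q - 1) + 1   # per-signature nonce
    r = pow(G, k, P)
    c = challenge(y, r, message)
    s = (k + c * x) % Q
    return r, s


def verify(y: int, message: bytes, sig) -> bool:
    r, s = sig
    # Reject keys and commitments that are not non-trivial elements of the order-q subgroup.
    if not (1 < y < P and pow(y, Q, P) == 1):
        return False
    if not (1 < r < P and pow(r, Q, P) == 1):
        return False
    if not 0 <= s < Q:
        return False
    c = challenge(y, r, message)
    # Accept iff g^s == r * y^c (mod p), which holds for an honest signature.
    return pow(G, s, P) == (r * pow(y, c, P)) % P


def run_checks(message: bytes = b"constructed message"):
    """Return (valid under signer's key, valid under another key, valid on altered message)."""
    x1, y1 = keygen()
    sig = sign(x1, y1, message)
    _, y2 = keygen()
    while y2 == y1:
        _, y2 = keygen()
    return (verify(y1, message, sig),
            verify(y2, message, sig),
            verify(y1, message + b"!", sig))


if __name__ == "__main__":
    print(run_checks())  # expected (True, False, False)
```

The subgroup-membership checks on y and r are the "parameter restrictions" side of the problem in miniature: a verifier that accepts arbitrary group elements, or that hashes only (r, m), is relying on something other than the hash to tie the signature to one key, which is exactly the assumption a malicious signer is in a position to undermine.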
References
- 1. Baek, J., Kim, K.: Remarks on the Unknown Key-Share Attacks. IEICE Trans. on Fundamentals of Electronics, Communications and Computer Sciences E83-A(12), 2766–2769 (2000)
- 2. Baier, H.: Efficient algorithms for generating elliptic curves over finite fields suitable for use in cryptography. Ph.D. thesis, Technische Universität Darmstadt (2002)
- 3. Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: H. Imai, Y. Zheng (eds.) Public Key Cryptography. Second International Workshop on Practice and Theory in Public Key Cryptography, PKC '99, Lecture Notes in Computer Science, vol. 1560, pp. 154–170. Springer (1999)
- 4. Boneh, D., Boyen, X.: Short signatures without random oracles. In: C. Cachin, J. Camenisch (eds.) Advances in Cryptology—EUROCRYPT 2004, Lecture Notes in Computer Science, vol. 3027, pp. 56–73. Springer (2004)
- 5. Bosma, W., Cannon, J., Playoust, C.: The Magma Algebra System I: The User Language. Journal of Symbolic Computation 24, 235–265 (1997)
- 6. Brickell, E., Pointcheval, D., Vaudenay, S., Yung, M.: Design validations for discrete logarithm based signature schemes. In: Y.Z.H. Imai (ed.) Third International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2000, Lecture Notes in Computer Science, vol. 1751, pp. 276–292. Springer (2000)
- 7. Geiselmann, W., Steinwandt, R.: A Key Substitution Attack on SFLASHv3. Journal of Discrete Mathematical Sciences & Cryptography (to appear)
- 8. Goldwasser, S., Micali, S., Rivest, R.L.: A “paradoxical” solution to the signature problem. In: Proceedings of the IEEE 25th Annual Symposium on Foundations of Computer Science, pp. 441–448 (1984)
- 9. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17, 281–308 (1988)
- 10. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: Digital Signatures Using the NTRU Lattice. In: M. Joye (ed.) Topics in Cryptology—CT-RSA 2003: The Cryptographers' Track at the RSA Conference 2003, Lecture Notes in Computer Science, vol. 2612, pp. 122–140. Springer-Verlag Heidelberg (2003)
- 11. ISO/IEC 15946-1: Information technology—Security techniques—Cryptographic techniques based on elliptic curves—Part 1: General (2002)
- 12. ISO/IEC 15946-2: Information technology—Security techniques—Cryptographic techniques based on elliptic curves—Part 1: Digital Signatures (2002)
- 13. Menezes, A., Smart, N.: Security of signature schemes in a multi-user setting. Designs, Codes and Cryptography 33, 261–274 (2004)
- 14. Regulierungsbehörde für Telekommunikation und Post: Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung (Übersicht über geeignete Algorithmen). To appear in Bundesanzeiger (2005). At the time of writing available at http://www.regtp.de/imperia/md/content/tech_reg_t/digisign/198.pdf
- 15. Rosa, T.: Key-collisions in (EC)DSA: Attacking Non-repudiation. Cryptology ePrint Archive: Report 2002/129 (2002). At the time of writing available at http://eprint.iacr.org/2002/129/
- 16. Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P.: Flaws in Applying Proof Methodologies to Signature Schemes. In: M. Yung (ed.) Advances in Cryptology—CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, pp. 93–110. Springer (2002)
- 17. Tan, C.H.: Key Substitution Attacks on Some Provably Secure Signature Schemes. IEICE Transactions on Fundamentals E87-A(1), 1–2 (2004)
- 18. U.S. Department of Commerce, National Institute of Standards and Technology: FIPS PUB 186-2 Digital Signature Standard (DSS) + Change Notice 1 (October 2001) (2000). At the time of writing available electronically at the URL http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf
- 19. Vaudenay, S.: Hidden collisions on DSS. In: N. Koblitz (ed.) Advances in Cryptology—CRYPTO '96, Lecture Notes in Computer Science, vol. 1109, pp. 83–88. Springer (1996)
- 20. Vaudenay, S.: The Security of DSA and ECDSA. In: Y. Desmedt (ed.) Public Key Cryptography—PKC 2003: 6th International Workshop on Practice and Theory in Public Key Cryptography, Lecture Notes in Computer Science, vol. 2567, pp. 309–323. Springer-Verlag (2003)
- 21. Vaudenay, S.: Digital signature schemes with domain parameters. In: V.V.H. Wang, J. Pieprzyk (eds.) Information Security and Privacy: 9th Australasian Conference, ACISP 2004, Lecture Notes in Computer Science, vol. 3108, pp. 188–199. Springer-Verlag (2004)