Security of the SM2 Signature Scheme Against Generalized Key Substitution Attacks

Part of the Lecture Notes in Computer Science book series (LNSC, volume 9497)

Abstract

Though existential unforgeability under adaptively chosen-message attacks is well-accepted for the security of digital signature schemes, the security against key substitution attacks is also of interest, and has been considered for several practical digital signature schemes such as DSA and ECDSA. In this paper, we consider generalized key substitution attacks where the base element is considered as a part of the public key and can be substituted. We first show that the general framework of certificate-based signature schemes defined in ISO/IEC 14888-3 is vulnerable to a generalized key substitution attack. We then prove that the Chinese standard SM2 signature scheme is existentially unforgeable against adaptively chosen-message attacks in the generic group model if the underlying hash function h is uniform and collision-resistant and the underlying conversion function f is almost-invertible, and the SM2 digital signature scheme is secure against the generalized key substitution attacks if the underlying hash functions H and h are modeled as non-programmable random oracles (NPROs).

Keywords

  • Digital signatures
  • Key substitution attacks
  • Provable security

The work was supported by National Basic Research Program of China (No. 2013CB338003), and National Natural Science Foundation of China (No. 61170278).


Notes

  1. In [17], Vaudenay referred to this type of attack, presented in [16, 17], as domain parameter shifting attacks. Later, this kind of attack was called a domain parameter substitution attack in [4].

  2. In this case, if some \(z_i\) is equal to 0, it means that the corresponding group element is not involved in the computation.

  3. We use \(\mathcal{M}\) to denote the efficiently samplable message space of SM2.

  4. We also allow the adversary to output the identity \(ID^*\) of the owner of \(\textsc{pk}^*\). This is only because both the signing and verification algorithms of SM2 take an identity as input. We do not impose any additional restriction on \(ID^*\).

  5. To verify the validity of \((G^*, Y^*)\), the following conditions need to be satisfied: (1) \(G^* \in E(\mathbb{F}_q)\), (2) the order of \(G^*\) is \(n\), and (3) \(Y^* \in \langle G^* \rangle \setminus \{0\}\).
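As an added illustration of the validity conditions in note 5 (example code written for this page, not from the paper), the following Python checks a candidate pair \((G^*, Y^*)\) against the SM2 curve. The curve constants are the published SM2 (sm2p256v1) parameters from the SM2 standard, reproduced here rather than taken from this page; because the SM2 group order \(n\) is prime and equals \(\#E(\mathbb{F}_q)\), condition (3) reduces to \(Y^*\) being a finite curve point annihilated by \(n\).

```python
# Added example: validity check for a (possibly substituted) SM2 base point G* and
# public key Y* per note 5. Curve constants are the published SM2 parameters.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
INF = None  # point at infinity O

def on_curve(pt):
    """Condition (1): finite point with coordinates in F_q on y^2 = x^3 + ax + b."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine group law on E(F_q); p1 == -p2 (including 2*(x, 0)) yields O."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Right-to-left double-and-add scalar multiplication k*pt."""
    acc = INF
    while k > 0:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def valid_substituted_key(g_star, y_star):
    """True iff (1) G* is on the curve, (2) ord(G*) = n, (3) Y* is in <G*> minus {O}."""
    if not on_curve(g_star) or mul(N, g_star) is not INF:
        return False
    # n is prime and #E(F_q) = n for SM2, so a finite point with n*Y* = O lies in <G*>.
    return on_curve(y_star) and mul(N, y_star) is INF

if __name__ == "__main__":
    G = (GX, GY)
    print(valid_substituted_key(G, mul(12345, G)))       # True
    print(valid_substituted_key(G, (GX, (GY + 1) % P)))  # False: Y* is not on the curve
```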

References

  1. ISO/IEC 1st CD 14888-3: Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms

  2. GM/T 0003.2-2012: Public Key Cryptographic Algorithm SM2 based on Elliptic Curves - Part 2: Digital Signature Algorithm (2010). http://www.oscca.gov.cn/UpFile/2010122214822692.pdf

  3. Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the Station-to-Station (STS) protocol. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 154–170. Springer, Heidelberg (1999)

  4. Bohli, J.-M., Röhrich, S., Steinwandt, R.: Key substitution attacks revisited: taking into account malicious signers. Int. J. Inf. Secur. 5(1), 30–36 (2006)

  5. Brown, D.R.L.: Generic groups, collision resistance, and ECDSA. Des. Codes Crypt. 35(1), 119–152 (2005)

  6. Diffie, W., Van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Des. Codes Crypt. 2(2), 107–125 (1992)

  7. Geiselmann, W., Steinwandt, R.: A key substitution attack on SFLASH\(^{v3}\). Cryptology ePrint Archive, Report 2003/245 (2003). http://eprint.iacr.org/

  8. Goldwasser, S., Micali, S., Rivest, R.L.: A paradoxical solution to the signature problem. In: Proceedings of the IEEE 25th Annual Symposium on Foundations of Computer Science, pp. 441–448. IEEE (1984)

  9. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  10. Trusted Computing Group: TCG TPM Library Specification 2.0 (2013). http://www.trustedcomputinggroup.org/resources/tpm_library_specification

  11. ISO/IEC 11889:2015: Information technology - Trusted Platform Module Library (2015)

  12. Menezes, A., Smart, N.: Security of signature schemes in a multi-user setting. Des. Codes Crypt. 33(3), 261–274 (2004)

  13. Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002)

  14. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)

  15. Tan, C.H.: Key substitution attacks on some provably secure signature schemes. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E87-A(1), 226–227 (2004)

  16. Vaudenay, S.: The security of DSA and ECDSA. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 309–323. Springer, Heidelberg (2002)

  17. Vaudenay, S.: Digital signature schemes with domain parameters. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 188–199. Springer, Heidelberg (2004)

Acknowledgements

We would like to thank Hui Guo and the anonymous reviewers for their helpful comments.

Author information

Correspondence to Kang Yang.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Zhang, Z., Yang, K., Zhang, J., Chen, C. (2015). Security of the SM2 Signature Scheme Against Generalized Key Substitution Attacks. In: Chen, L., Matsuo, S. (eds) Security Standardisation Research. SSR 2015. Lecture Notes in Computer Science(), vol 9497. Springer, Cham. https://doi.org/10.1007/978-3-319-27152-1_7

  • DOI: https://doi.org/10.1007/978-3-319-27152-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27151-4

  • Online ISBN: 978-3-319-27152-1

  • eBook Packages: Computer Science, Computer Science (R0)