Abstract
Though existential unforgeability under adaptively chosen-message attacks is well-accepted for the security of digital signature schemes, the security against key substitution attacks is also of interest, and has been considered for several practical digital signature schemes such as DSA and ECDSA. In this paper, we consider generalized key substitution attacks where the base element is considered as a part of the public key and can be substituted. We first show that the general framework of certificate-based signature schemes defined in ISO/IEC 14888-3 is vulnerable to a generalized key substitution attack. We then prove that the Chinese standard SM2 signature scheme is existentially unforgeable against adaptively chosen-message attacks in the generic group model if the underlying hash function h is uniform and collision-resistant and the underlying conversion function f is almost-invertible, and the SM2 digital signature scheme is secure against the generalized key substitution attacks if the underlying hash functions H and h are modeled as non-programmable random oracles (NPROs).
Keywords
- Digital signatures
- Key substitution attacks
- Provable security
The work was supported by National Basic Research Program of China (No. 2013CB338003), and National Natural Science Foundation of China (No. 61170278).
Notes
- 1.
- 2.
In this case, if some \(z_i\) is equal to 0, it means that the corresponding group element is not involved in the computation.
- 3.
We use \(\mathcal {M}\) to denote the efficiently sampling message space of SM2.
- 4.
We also allow the adversary to output the identity \( ID^* \) of the owner of \(\textsc {pk}^*\). This is only because both the signing and verification algorithms of SM2 have an identity input. We do not have any additional restriction on \( ID^* \).
- 5.
To verify the validity of \((G^*,Y^*)\), the following conditions need to be satisfied: (1) \(G^*\in E(\mathbb {F}_q)\), (2) the order of \(G^*\) is n, and (3) \(Y^*\in \langle G^* \rangle \setminus \{0\}\).
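The three conditions of note 5, checked in code on a small constructed curve; this is an added illustration, not code from the paper or the SM2 standard. The curve y^2 = x^3 + 2x + 2 over F_17 (group order 19) and the points used are constructed toy values standing in for SM2's 256-bit curve; condition (2) is checked as n*G* = O, which suffices because n is prime, and condition (3) uses n*Y* = O, which identifies the unique order-n subgroup whenever the cofactor is coprime to n.

```python
# Toy curve y^2 = x^3 + A*x + B over F_P, constructed for illustration only.
P, A, B = 17, 2, 2
N = 19          # order of E(F_17): prime, so every finite point has order 19
INF = None      # point at infinity O


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition on the toy curve (handles O, doubling, inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                        # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def valid_substituted_key(g, y, n=N):
    """Well-formedness of (G*, Y*) when the base point is part of the public key."""
    if g is INF or not on_curve(g):
        return False                      # (1) G* must be a finite point of E(F_q)
    if mul(n, g) is not INF:
        return False                      # (2) n prime, so n*G* = O means ord(G*) = n
    if y is INF or not on_curve(y) or mul(n, y) is not INF:
        return False                      # (3) Y* nonzero and inside <G*>
    return True
```

A pair that passes these checks is well-formed, which is exactly what the generalized key substitution adversary's output \((G^*,Y^*)\) must satisfy; the checks rule out malformed keys, not the substitution itself.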
Acknowledgements
We would like to thank Hui Guo and the anonymous reviewers for their helpful comments.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhang, Z., Yang, K., Zhang, J., Chen, C. (2015). Security of the SM2 Signature Scheme Against Generalized Key Substitution Attacks. In: Chen, L., Matsuo, S. (eds) Security Standardisation Research. SSR 2015. Lecture Notes in Computer Science(), vol 9497. Springer, Cham. https://doi.org/10.1007/978-3-319-27152-1_7
DOI: https://doi.org/10.1007/978-3-319-27152-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27151-4
Online ISBN: 978-3-319-27152-1