
Security of the SM2 Signature Scheme Against Generalized Key Substitution Attacks

Part of the Lecture Notes in Computer Science book series (LNSC, volume 9497)


Though existential unforgeability under adaptively chosen-message attacks is well-accepted for the security of digital signature schemes, the security against key substitution attacks is also of interest, and has been considered for several practical digital signature schemes such as DSA and ECDSA. In this paper, we consider generalized key substitution attacks where the base element is considered as a part of the public key and can be substituted. We first show that the general framework of certificate-based signature schemes defined in ISO/IEC 14888-3 is vulnerable to a generalized key substitution attack. We then prove that the Chinese standard SM2 signature scheme is existentially unforgeable against adaptively chosen-message attacks in the generic group model if the underlying hash function h is uniform and collision-resistant and the underlying conversion function f is almost-invertible, and the SM2 digital signature scheme is secure against the generalized key substitution attacks if the underlying hash functions H and h are modeled as non-programmable random oracles (NPROs).


  • Digital signatures
  • Key substitution attacks
  • Provable security

The work was supported by National Basic Research Program of China (No. 2013CB338003), and National Natural Science Foundation of China (No. 61170278).



  1. In [17], Vaudenay refers to the attacks of this type presented in [16, 17] as domain parameter shifting attacks; [4] later calls them domain parameter substitution attacks.

  2. In this case, if some \(z_i\) is equal to 0, the corresponding group element is not involved in the computation.

  3. We use \(\mathcal {M}\) to denote the efficiently samplable message space of SM2.

  4. We also allow the adversary to output the identity \( ID^* \) of the owner of \(\textsc {pk}^*\), only because both the signing and verification algorithms of SM2 take an identity as input. We place no additional restriction on \( ID^* \).

  5. To verify the validity of \((G^*,Y^*)\), the following conditions must be satisfied: (1) \(G^*\in E(\mathbb {F}_q)\), (2) the order of \(G^*\) is n, and (3) \(Y^*\in \langle G^*\rangle \setminus \{0\}\).

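The three conditions in footnote 5 are the well-formedness check a verifier can actually enforce on a substituted pair \((G^*,Y^*)\) once the base element is treated as part of the public key. The following is an added example, not code from the paper or from any SM2 implementation: it implements those three checks in plain affine arithmetic over the SM2 recommended curve parameters (GM/T 0003.5). The private scalar and the malformed inputs in `demo()` are constructed here for illustration. It assumes n is prime and that n squared does not divide the group order (true for the SM2 curve, whose cofactor is 1), so that condition (3) reduces to "Y* is a finite curve point with n*Y* = O".

```python
# Added example, not from the paper: the footnote-5 validity checks for a
# (possibly substituted) SM2 public key (G*, Y*), in plain affine arithmetic.
# Curve constants are the SM2 recommended curve (GM/T 0003.5); the invalid
# test inputs further down are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O


@dataclass(frozen=True)
class Curve:
    """Short-Weierstrass curve y^2 = x^3 + a*x + b over F_q, base-point order n."""
    q: int
    a: int
    b: int
    n: int

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        in_field = 0 <= x < self.q and 0 <= y < self.q
        return in_field and (y * y - (x * x * x + self.a * x + self.b)) % self.q == 0

    def add(self, P: Point, Q: Point) -> Point:
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.q == 0:
            return None                 # Q == -P; also covers doubling a 2-torsion point
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.q)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.q)
        lam %= self.q
        x3 = (lam * lam - x1 - x2) % self.q
        return (x3, (lam * (x1 - x3) - y1) % self.q)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add; not constant-time, which is fine for public-key checks."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


SM2 = Curve(
    q=0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF,
    a=0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC,
    b=0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93,
    n=0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123,
)
SM2_G: Point = (
    0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
    0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0,
)


def validate_pair(curve: Curve, G: Point, Y: Point) -> Tuple[bool, str]:
    """Footnote-5 checks on (G*, Y*). Assumes n prime and n^2 not dividing
    #E(F_q) (SM2 curve: cofactor 1), so the order-n points form a single
    cyclic subgroup and 'Y* in <G*>' reduces to 'finite, on curve, n*Y* = O'."""
    # (1) G* in E(F_q); O is excluded because it cannot serve as a base point.
    if G is None or not curve.on_curve(G):
        return False, "G* is not a finite point of E(F_q)"
    # (2) ord(G*) = n; with n prime this is exactly n*G* = O for finite G*.
    if curve.mul(curve.n, G) is not None:
        return False, "G* does not have order n"
    # (3) Y* in <G*> \ {O}
    if Y is None:
        return False, "Y* is the point at infinity"
    if not curve.on_curve(Y):
        return False, "Y* is not a point of E(F_q)"
    if curve.mul(curve.n, Y) is not None:
        return False, "Y* is not in the order-n subgroup"
    return True, "ok"


def demo() -> dict:
    """Honest key, a substituted-but-valid pair, and three malformed pairs."""
    d = 0x1234567890ABCDEF                       # constructed private scalar
    Y = SM2.mul(d, SM2_G)
    return {
        "honest": validate_pair(SM2, SM2_G, Y),
        "substituted_base_2G": validate_pair(SM2, SM2.mul(2, SM2_G), Y),
        "Y_at_infinity": validate_pair(SM2, SM2_G, None),
        "Y_off_curve": validate_pair(SM2, SM2_G, (1, 1)),       # constructed
        "G_at_infinity": validate_pair(SM2, None, Y),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'valid' if ok else 'rejected'}: {why}")
```

Note that the pair \((2G, Y)\) passes: the checks establish only that \((G^*,Y^*)\) is well formed, not that \(G^*\) is the standardised base point. That is exactly the situation the paper's generalized model studies, in which the adversary may output any pair satisfying footnote 5 and the question is whether verification under that pair still accepts a signature produced under the honest key.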

  1. ISO/IEC 1st CD 14888-3 - Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms

  2. GM/T 0003.2-2012, Public Key Cryptographic Algorithm SM2 based on Elliptic Curves - Part 2: Digital Signature Algorithm (2010)

  3. Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the Station-to-Station (STS) Protocol. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 154-170. Springer, Heidelberg (1999)

  4. Bohli, J.-M., Røhrich, S., Steinwandt, R.: Key substitution attacks revisited: taking into account malicious signers. Int. J. Inf. Secur. 5(1), 30-36 (2006)

  5. Brown, D.R.L.: Generic groups, collision resistance, and ECDSA. Des. Codes Crypt. 35(1), 119-152 (2005)

  6. Diffie, W., Van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Des. Codes Crypt. 2(2), 107-125 (1992)

  7. Geiselmann, W., Steinwandt, R.: A Key Substitution Attack on SFLASH\(^{v3}\). Cryptology ePrint Archive, Report 2003/245 (2003)

  8. Goldwasser, S., Micali, S., Rivest, R.L.: A paradoxical solution to the signature problem. In: Proceedings of the IEEE 25th Annual Symposium on Foundations of Computer Science, pp. 441-448. IEEE (1984)

  9. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281-308 (1988)

  10. Trusted Computing Group: TCG TPM specification 2.0 (2013)

  11. ISO/IEC 11889:2015. Information technology - Trusted Platform Module Library (2015)

  12. Menezes, A., Smart, N.: Security of signature schemes in a multi-user setting. Des. Codes Crypt. 33(3), 261-274 (2004)

  13. Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111-126. Springer, Heidelberg (2002)

  14. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256-266. Springer, Heidelberg (1997)

  15. Tan, C.H.: Key substitution attacks on some provably secure signature schemes. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E87-A(1), 226-227 (2004)

  16. Vaudenay, S.: The security of DSA and ECDSA. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 309-323. Springer, Heidelberg (2002)

  17. Vaudenay, S.: Digital signature schemes with domain parameters. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 188-199. Springer, Heidelberg (2004)



We would like to thank Hui Guo and the anonymous reviewers for their helpful comments.

Correspondence to Kang Yang.

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Zhang, Z., Yang, K., Zhang, J., Chen, C. (2015). Security of the SM2 Signature Scheme Against Generalized Key Substitution Attacks. In: Chen, L., Matsuo, S. (eds) Security Standardisation Research. SSR 2015. Lecture Notes in Computer Science, vol 9497. Springer, Cham.


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27151-4

  • Online ISBN: 978-3-319-27152-1

  • eBook Packages: Computer Science (R0)