Practical algorithm substitution attack on extractable signatures

Yi Zhao, Kaitai Liang, Yanqi Zhao*, Bo Yang, Yang Ming, Emmanouil Panaousis

*Corresponding author for this work

Research output: Contribution to journalArticleScientificpeer-review

30 Downloads (Pure)


An algorithm substitution attack (ASA) can undermine the security of cryptographic primitives by subverting the original implementation. An ASA succeeds when it extracts secrets without being detected. To launch an ASA on signature schemes, existing studies often needed to collect signatures with successive indices to extract the signing key. However, collection with successive indices requires uninterrupted surveillance of the communication channel and a low transmission loss rate in practice. This hinders the practical implementation of current ASAs, thus causing users to misbelieve that the threat incurred by ASA is only theoretical and far from reality. In this study, we first classify a group of schemes called extractable signatures that achieve traditional security (unforgeability) by reductions ending with key extraction, thus demonstrating that there is a generic and practical approach for ASA with this class of signatures. Further, we present the implementation of ASAs in which only two signatures and no further requirements are needed for the extraction of widely used discrete log-based signatures such as DSA, Schnorr, and modified ElGamal signature schemes. Our attack presents a realistic threat to current signature applications, which can also be implemented in open and unstable environments such as vehicular ad hoc networks. Finally, we prove that the proposed ASA is undetectable against polynomial time detectors and physical timing analysis.

Original languageEnglish
Pages (from-to)921-937
Number of pages17
JournalDesigns, Codes, and Cryptography
Issue number4
Publication statusPublished - 2022

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.


  • Algorithm substitution attack
  • Arbitrary collection
  • Discrete log
  • Extractable signatures


Dive into the research topics of 'Practical algorithm substitution attack on extractable signatures'. Together they form a unique fingerprint.

Cite this