Practical algorithm substitution attack on extractable signatures

Yi Zhao; Kaitai Liang; Yanqi Zhao; Bo Yang; Yang Ming; Emmanouil Panaousis

doi:10.1007/s10623-022-01019-1

Practical algorithm substitution attack on extractable signatures

Yi Zhao, Kaitai Liang, Yanqi Zhao^*, Bo Yang, Yang Ming, Emmanouil Panaousis

^*Corresponding author for this work

Cyber Security

Research output: Contribution to journal › Article › Scientific › peer-review

29 Downloads (Pure)

Abstract

An algorithm substitution attack (ASA) can undermine the security of cryptographic primitives by subverting the original implementation. An ASA succeeds when it extracts secrets without being detected. To launch an ASA on signature schemes, existing studies often needed to collect signatures with successive indices to extract the signing key. However, collection with successive indices requires uninterrupted surveillance of the communication channel and a low transmission loss rate in practice. This hinders the practical implementation of current ASAs, thus causing users to misbelieve that the threat incurred by ASA is only theoretical and far from reality. In this study, we first classify a group of schemes called extractable signatures that achieve traditional security (unforgeability) by reductions ending with key extraction, thus demonstrating that there is a generic and practical approach for ASA with this class of signatures. Further, we present the implementation of ASAs in which only two signatures and no further requirements are needed for the extraction of widely used discrete log-based signatures such as DSA, Schnorr, and modified ElGamal signature schemes. Our attack presents a realistic threat to current signature applications, which can also be implemented in open and unstable environments such as vehicular ad hoc networks. Finally, we prove that the proposed ASA is undetectable against polynomial time detectors and physical timing analysis.

Original language	English
Pages (from-to)	921-937
Number of pages	17
Journal	Designs, Codes, and Cryptography
Volume	90
Issue number	4
DOIs	https://doi.org/10.1007/s10623-022-01019-1
Publication status	Published - 2022

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

Algorithm substitution attack
Arbitrary collection
Discrete log
Extractable signatures

Access to Document

10.1007/s10623-022-01019-1

s10623-022-01019-1Final published version, 425 KB

Cite this

@article{65f37946a831440b9ec46a723766c334,

title = "Practical algorithm substitution attack on extractable signatures",

abstract = "An algorithm substitution attack (ASA) can undermine the security of cryptographic primitives by subverting the original implementation. An ASA succeeds when it extracts secrets without being detected. To launch an ASA on signature schemes, existing studies often needed to collect signatures with successive indices to extract the signing key. However, collection with successive indices requires uninterrupted surveillance of the communication channel and a low transmission loss rate in practice. This hinders the practical implementation of current ASAs, thus causing users to misbelieve that the threat incurred by ASA is only theoretical and far from reality. In this study, we first classify a group of schemes called extractable signatures that achieve traditional security (unforgeability) by reductions ending with key extraction, thus demonstrating that there is a generic and practical approach for ASA with this class of signatures. Further, we present the implementation of ASAs in which only two signatures and no further requirements are needed for the extraction of widely used discrete log-based signatures such as DSA, Schnorr, and modified ElGamal signature schemes. Our attack presents a realistic threat to current signature applications, which can also be implemented in open and unstable environments such as vehicular ad hoc networks. Finally, we prove that the proposed ASA is undetectable against polynomial time detectors and physical timing analysis.",

keywords = "Algorithm substitution attack, Arbitrary collection, Discrete log, Extractable signatures",

author = "Yi Zhao and Kaitai Liang and Yanqi Zhao and Bo Yang and Yang Ming and Emmanouil Panaousis",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.",

year = "2022",

doi = "10.1007/s10623-022-01019-1",

language = "English",

volume = "90",

pages = "921--937",

journal = "Designs, Codes, and Cryptography",

issn = "0925-1022",

publisher = "Springer",

number = "4",

}

TY - JOUR

T1 - Practical algorithm substitution attack on extractable signatures

AU - Zhao, Yi

AU - Liang, Kaitai

AU - Zhao, Yanqi

AU - Yang, Bo

AU - Ming, Yang

AU - Panaousis, Emmanouil

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2022

Y1 - 2022

N2 - An algorithm substitution attack (ASA) can undermine the security of cryptographic primitives by subverting the original implementation. An ASA succeeds when it extracts secrets without being detected. To launch an ASA on signature schemes, existing studies often needed to collect signatures with successive indices to extract the signing key. However, collection with successive indices requires uninterrupted surveillance of the communication channel and a low transmission loss rate in practice. This hinders the practical implementation of current ASAs, thus causing users to misbelieve that the threat incurred by ASA is only theoretical and far from reality. In this study, we first classify a group of schemes called extractable signatures that achieve traditional security (unforgeability) by reductions ending with key extraction, thus demonstrating that there is a generic and practical approach for ASA with this class of signatures. Further, we present the implementation of ASAs in which only two signatures and no further requirements are needed for the extraction of widely used discrete log-based signatures such as DSA, Schnorr, and modified ElGamal signature schemes. Our attack presents a realistic threat to current signature applications, which can also be implemented in open and unstable environments such as vehicular ad hoc networks. Finally, we prove that the proposed ASA is undetectable against polynomial time detectors and physical timing analysis.

AB - An algorithm substitution attack (ASA) can undermine the security of cryptographic primitives by subverting the original implementation. An ASA succeeds when it extracts secrets without being detected. To launch an ASA on signature schemes, existing studies often needed to collect signatures with successive indices to extract the signing key. However, collection with successive indices requires uninterrupted surveillance of the communication channel and a low transmission loss rate in practice. This hinders the practical implementation of current ASAs, thus causing users to misbelieve that the threat incurred by ASA is only theoretical and far from reality. In this study, we first classify a group of schemes called extractable signatures that achieve traditional security (unforgeability) by reductions ending with key extraction, thus demonstrating that there is a generic and practical approach for ASA with this class of signatures. Further, we present the implementation of ASAs in which only two signatures and no further requirements are needed for the extraction of widely used discrete log-based signatures such as DSA, Schnorr, and modified ElGamal signature schemes. Our attack presents a realistic threat to current signature applications, which can also be implemented in open and unstable environments such as vehicular ad hoc networks. Finally, we prove that the proposed ASA is undetectable against polynomial time detectors and physical timing analysis.

KW - Algorithm substitution attack

KW - Arbitrary collection

KW - Discrete log

KW - Extractable signatures

UR - http://www.scopus.com/inward/record.url?scp=85125694044&partnerID=8YFLogxK

U2 - 10.1007/s10623-022-01019-1

DO - 10.1007/s10623-022-01019-1

M3 - Article

AN - SCOPUS:85125694044

SN - 0925-1022

VL - 90

SP - 921

EP - 937

JO - Designs, Codes, and Cryptography

JF - Designs, Codes, and Cryptography

IS - 4

ER -

Practical algorithm substitution attack on extractable signatures

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this