Practical algorithm substitution attack on extractable signatures

Designs, Codes and Cryptography

Abstract

An algorithm substitution attack (ASA) undermines the security of a cryptographic primitive by subverting its implementation; the attack succeeds when it leaks secrets without being detected. To mount an ASA on a signature scheme, existing studies typically had to collect signatures with consecutive indices in order to extract the signing key. In practice, however, collecting consecutively indexed signatures requires uninterrupted surveillance of the communication channel and a low transmission loss rate. This hampers the practical deployment of current ASAs and leads users to believe, wrongly, that the threat posed by ASAs is only theoretical and far from reality. In this study, we first identify a class of schemes, which we call extractable signatures, whose standard security (unforgeability) is proven by reductions that end with key extraction, and we show that this class admits a generic and practical ASA. We then present ASA implementations for widely used discrete-logarithm-based signatures such as DSA, Schnorr and modified ElGamal in which two signatures, and nothing else, suffice to extract the signing key. The attack poses a realistic threat to current signature applications and can be carried out even in open and unstable environments such as vehicular ad hoc networks. Finally, we prove that the proposed ASA is undetectable by polynomial-time detectors and by physical timing analysis.
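The abstract's notion of an extractable signature is one whose unforgeability proof ends with an extractor: a reduction that turns two related valid signatures into the signing key. Below, as an added example that is not code from the paper or its authors, is that extractor for Schnorr signatures over secp256k1 in Python (the page's footnote points to a Python release, so Python is used here too). The subverted signer in the example simply reuses its nonce, the crudest possible ASA and a detectable one since the commitment R repeats; the paper's contribution is an undetectable ASA whose construction is not described on this page. The curve parameters are the standard secp256k1 constants; the sample messages and the hash-to-challenge convention e = SHA-256(R.x || m) mod n are choices made for the example.

```python
"""Key extraction from two Schnorr signatures that share a nonce (secp256k1).
Added illustration, not code from Zhao et al.: it implements the extractor that
closes the Schnorr unforgeability reduction. Two valid signatures on the same
commitment R with challenges e1 != e2 yield the signing key in one division."""
import hashlib
import secrets

# secp256k1 domain parameters (standard values).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def challenge(R, msg):
    """Fiat-Shamir challenge e = SHA-256(R.x || msg) mod n (example convention)."""
    h = hashlib.sha256(R[0].to_bytes(32, "big") + msg).digest()
    return int.from_bytes(h, "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1          # secret key x in [1, n-1]
    return ec_mul(x, G), x                    # public key Y = xG

def sign_with_nonce(x, msg, k):
    """Schnorr signature (R, s): R = kG, e = H(R, msg), s = k + e*x mod n."""
    R = ec_mul(k, G)
    return R, (k + challenge(R, msg) * x) % N

def sign(x, msg):
    """Honest signer: a fresh random nonce for every signature."""
    return sign_with_nonce(x, msg, secrets.randbelow(N - 1) + 1)

def verify(Y, msg, sig):
    """Accept iff sG == R + eY."""
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, msg), Y))

class SubvertedSigner:
    """Kleptographic signer that reuses one nonce for every signature.
    The crudest ASA there is, and a detectable one (R repeats); it is NOT the
    paper's undetectable construction, only the reason two signatures suffice."""
    def __init__(self, x):
        self.x = x
        self.k = secrets.randbelow(N - 1) + 1  # fixed for the signer's lifetime

    def sign(self, msg):
        return sign_with_nonce(self.x, msg, self.k)

def extract_key(msg1, sig1, msg2, sig2):
    """Extractor from the unforgeability proof: shared R and e1 != e2 give
    s1 - s2 = (e1 - e2) * x mod n, so x = (s1 - s2) / (e1 - e2) mod n.
    Returns None if the commitments differ or the challenges coincide."""
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2:
        return None
    e1, e2 = challenge(R1, msg1), challenge(R2, msg2)
    if e1 == e2:
        return None
    return (s1 - s2) * pow(e1 - e2, -1, N) % N

def demo():
    """Two signatures from the subverted signer are enough to recover x."""
    Y, x = keygen()
    signer = SubvertedSigner(x)
    m1, m2 = b"transfer 10 to alice", b"transfer 10 to bob"  # constructed inputs
    sig1, sig2 = signer.sign(m1), signer.sign(m2)
    return {
        "both_verify": verify(Y, m1, sig1) and verify(Y, m2, sig2),
        "recovered_equals_secret": extract_key(m1, sig1, m2, sig2) == x,
        "honest_sig_verifies": verify(Y, m1, sign(x, m1)),
        "tampered_rejected": not verify(Y, m1 + b"!", sig1),
    }
```

Calling demo() returns a dictionary showing that both subverted signatures pass verification, the honest signature passes too, and the key recovered from the pair equals x: the verifier sees nothing wrong, yet an eavesdropper holding any two signatures from the subverted device owns the key, with no requirement on their order or on seeing everything in between. The same two-signature algebra is the classic shared-nonce break of DSA. What the abstract claims, and this demo does not show, is that such extraction from two signatures can be arranged without a detectable artefact like a repeated R.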

Fig. 1, Fig. 2 (figures from the article; not reproduced in this preview)

Notes

  1. https://www.python.org/downloads/release/python-365/.

References

  1. Ateniese G., Magri B., Venturi D.: Subversion-resilient signatures: definitions, constructions and applications. Theor. Comput. Sci. 820, 91–122 (2020)

  2. Baek J., Susilo W., Kim J., Chow Y.W.: Subversion in practice: how to efficiently undermine signatures. IEEE Access 7, 68799–68811 (2019)

  3. Bellare M., Goldreich O.: On defining proofs of knowledge. In: Brickell E.F. (ed.) Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16–20, 1992, Proceedings. Lecture Notes in Computer Science, vol. 740, pp. 390–420. Springer (1992)

  4. Bellare M., Rogaway P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning D.E., Pyle R., Ganesan R., Sandhu R.S., Ashby V. (eds.) CCS ’93, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 3–5, 1993, pp. 62–73. ACM (1993)

  5. Bellare M., Rogaway P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer U.M. (ed.) Advances in Cryptology - EUROCRYPT ’96, International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, Spain, May 12–16, 1996, Proceedings. Lecture Notes in Computer Science, vol. 1070, pp. 399–416. Springer (1996)

  6. Bellare M., Hoang V.T., Keelveedhi S.: Instantiating random oracles via UCEs. In: Canetti R., Garay J.A. (eds.) Advances in Cryptology - CRYPTO 2013, 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013, Proceedings, Part II. Lecture Notes in Computer Science, vol. 8043, pp. 398–415. Springer (2013)

  7. Bellare M., Paterson K.G., Rogaway P.: Security of symmetric encryption against mass surveillance. In: Advances in Cryptology - CRYPTO 2014. Springer (2014)

  8. Bitansky N., Canetti R., Paneth O., Rosen A.: On the existence of extractable one-way functions. In: Shmoys D.B. (ed.) Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31–June 03, 2014, pp. 505–514. ACM (2014)

  9. Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)

  10. Canetti R., Dakdouk R.R.: Towards a theory of extractable functions. In: Reingold O. (ed.) Theory of Cryptography, 6th Theory of Cryptography Conference, TCC 2009, San Francisco, CA, USA, March 15–17, 2009, Proceedings. Lecture Notes in Computer Science, vol. 5444, pp. 595–613. Springer (2009)

  11. Chi L., Chen R., Yi W., Wan Y.: Asymmetric subversion attacks on signature schemes (2018)

  12. Crescenzo G.D.: Equivocable and extractable commitment schemes. In: Cimato S., Galdi C., Persiano G. (eds.) Security in Communication Networks, Third International Conference, SCN 2002, Amalfi, Italy, September 11–13, 2002, Revised Papers. Lecture Notes in Computer Science, vol. 2576, pp. 74–87. Springer (2002)

  13. Groth J.: On the size of pairing-based non-interactive arguments. In: Fischlin M., Coron J.-S. (eds.) Advances in Cryptology - EUROCRYPT 2016, 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8–12, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9666, pp. 305–326. Springer (2016)

  14. Hofheinz D., Kiltz E.: Programmable hash functions and their applications. J. Cryptol. 25, 484–527 (2011)

  15. Hohenberger S., Sahai A., Waters B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. In: Advances in Cryptology - EUROCRYPT 2014, pp. 201–220. Springer (2014)

  16. Kiayias A., Liu F.-H., Tselekounis Y.: Practical non-malleable codes from ℓ-more extractable hash functions. In: Weippl E.R., Katzenbeisser S., Kruegel C., Myers A.C., Halevi S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24–28, 2016, pp. 1317–1328. ACM (2016)

  17. Kravitz D.W.: Digital signature algorithm. US Patent 5,231,668 (1993)

  18. Mironov I., Stephens-Davidowitz N.: Cryptographic reverse firewalls. In: Advances in Cryptology - EUROCRYPT 2015. Springer (2015)

  19. Pointcheval D., Stern J.: Security proofs for signature schemes. In: Advances in Cryptology - EUROCRYPT ’96. Springer, Berlin (1996)

  20. Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)

  21. Rackoff C., Simon D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum J. (ed.) Advances in Cryptology - CRYPTO ’91, 11th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11–15, 1991, Proceedings. Lecture Notes in Computer Science, vol. 576, pp. 433–444. Springer (1991)

  22. Schnorr C.-P.: Efficient identification and signatures for smart cards. In: Brassard G. (ed.) Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20–24, 1989, Proceedings. Lecture Notes in Computer Science, vol. 435, pp. 239–252. Springer (1989)

  23. Wee H.: Efficient chosen-ciphertext security via extractable hash proofs. In: Rabin T. (ed.) Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15–19, 2010, Proceedings. Lecture Notes in Computer Science, vol. 6223, pp. 314–332. Springer (2010)

  24. Young A., Yung M.: The dark side of “black-box” cryptography, or: should we trust Capstone? In: Advances in Cryptology - CRYPTO ’96. Springer (1996)

  25. Young A.L., Yung M.: The prevalence of kleptographic attacks on discrete-log based cryptosystems. In: Advances in Cryptology - CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings. Springer (1997)

  26. Zhandry M.: The magic of ELFs. In: Robshaw M., Katz J. (eds.) Advances in Cryptology - CRYPTO 2016, 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9814, pp. 479–508. Springer (2016)

Author information

Correspondence to Yanqi Zhao.

Additional information

Communicated by C. Padro.

Supported by the National Key R&D Program of China (Grant No. 2017YFB0802000), the National Natural Science Foundation of China (Grant Nos. 62072054, 61772326, 61802242, 61802241), the Fundamental Research Funds for the Central Universities, CHD (Grant No. 300102240102), the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 952697 (ASSURED) and No. 101021727 (IRIS), the Natural Science Basic Research Plan in Shaanxi Province of China (Grant No. 2018JQ6088), and the National Cryptography Development Fund during the 13th Five-year Plan Period (MMJJ20180217).

About this article

Cite this article

Zhao, Y., Liang, K., Zhao, Y. et al. Practical algorithm substitution attack on extractable signatures. Des. Codes Cryptogr. 90, 921–937 (2022). https://doi.org/10.1007/s10623-022-01019-1
