Practical algorithm substitution attack on extractable signatures

Journal Article (2022)
Authors

Yi Zhao (Chang'an University)

K. Liang (TU Delft - Cyber Security)

Yanqi Zhao (Xi'an University of Posts and Telecommunications, Xi'an)

Bo Yang (Shaanxi Normal University)

Yang Ming (Chang'an University)

Emmanouil Panaousis (University of Greenwich)

Research Group
Cyber Security
Copyright
© 2022 Yi Zhao, K. Liang, Yanqi Zhao, Bo Yang, Yang Ming, Emmanouil Panaousis
To reference this document use:
https://doi.org/10.1007/s10623-022-01019-1
Publication Year
2022
Language
English
Issue number
4
Volume number
90
Pages (from-to)
921-937
DOI:
https://doi.org/10.1007/s10623-022-01019-1
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

An algorithm substitution attack (ASA) undermines the security of a cryptographic primitive by subverting its implementation. An ASA succeeds when it extracts secrets without being detected. To mount an ASA on a signature scheme, existing studies usually needed to collect signatures with successive indices in order to extract the signing key. In practice, however, collecting signatures with successive indices requires uninterrupted surveillance of the communication channel and a low transmission loss rate. This hinders the practical deployment of current ASAs and leads users to wrongly believe that the threat posed by ASAs is only theoretical and far from reality. In this study, we first identify a class of schemes, which we call extractable signatures, whose traditional security (unforgeability) is proven by reductions that end with key extraction, and we show that this class admits a generic and practical approach to ASAs. We then present ASA implementations that need only two signatures, and no further requirements, to extract the signing key of widely used discrete log-based signatures such as DSA, Schnorr, and modified ElGamal signature schemes. Our attack poses a realistic threat to current signature applications and can be mounted even in open and unstable environments such as vehicular ad hoc networks. Finally, we prove that the proposed ASA is undetectable by polynomial-time detectors and by physical timing analysis.

Files

S10623_022_01019_1.pdf
(pdf | 0.495 Mb)
- Embargo expired in 01-07-2023
License info not available