Key Substitution Attacks on Some Provably Secure Signature Schemes
Author: Chik-How Tan
Source: IEICE Trans. Fundamentals, Vol.E87-A, No.1 Jan. 2004
Speaker: Su Sheng-Yao

Outline
• Introduction
• Two Provably Secure Signature Schemes
  • Fischlin Signature Scheme
  • Camenisch-Lysyanskaya Signature Scheme
• Cryptanalysis
• Conclusion

Introduction
• Provable Security
  • Security can be proved under standard and well-believed complexity-theoretic assumptions
  • Definition, Protocol, Proof
• Provably Secure Signature Schemes
• Key Substitution Attack
  • Given: U's public key and signature s on m
  • Adversary A tries to produce a new public key such that s is also a valid signature by A on m

Application
• e-lottery
  • the gambler uses his/her secret key to sign the e-lottery ticket to show that he owns it
• e-coupon (gift voucher)
  • must be signed by the buyer and later signed by the shop

History
• (1998) Goldwasser, Micali and Rivest introduced the security notion of existential unforgeability against adaptive chosen-message attacks
• (1999) Blake-Wilson and Menezes introduced duplicate-signature key selection attacks
• (2004) Menezes and Smart analyzed the security of some signature schemes against this attack, which they named key substitution attacks

Fischlin Signature Scheme (1/2)
• Key Generation:
  • $N = pq$ ($p = 2p' + 1$, and likewise for $q$)
  • three random quadratic residues $h_1, h_2, X \in Z_N^*$
• Signature Generation:
  • compute the ($l$-bit) hash $H(m)$, where $H(\cdot)$ is a collision-resistant hash function
  • compute $y = (X h_1^{a} h_2^{a \oplus H(m)})^{1/e} \bmod N$
  • $e$: random $(l+1)$-bit prime
  • $a$: $l$-bit long
• Public key: $(N, X, h_1, h_2)$
• Private key: $(p, q)$
• Signature: $(y, a, e)$

Fischlin Signature Scheme (2/2)
• Signature Verification: check
  • $e$: $(l+1)$-bit odd integer
  • $a$: $l$-bit
  • $y^e = X h_1^{a} h_2^{a \oplus H(m)} \bmod N$

Camenisch-Lysyanskaya Signature Scheme (1/2)
• Key Generation:
  • $N = pq$ ($p = 2p' + 1$, and likewise for $q$)
  • three random quadratic residues $h_1, h_2, X \in Z_N^*$
• Signature Generation:
  • compute $y = (X h_1^{s} h_2^{m})^{1/e} \bmod N$
  • $e > 2^{l_m + 1}$: random prime of length $l_e = l_m + 2$
  • $s$: random number s.t. $l_s = l_N + l_m + l$
• Public key: $(N, X, h_1, h_2)$
• Private key: $(p, q)$
• Signature: $(y, s, e)$

Camenisch-Lysyanskaya Signature Scheme (2/2)
• Signature Verification: check
  • $e$: $2^{l_e - 1} < e < 2^{l_e}$
  • $y^e = X h_1^{s} h_2^{m} \bmod N$

Cryptanalysis (1/2)
• Weak-key substitution attack (stronger)
  • produce public/private key
• Strong-key substitution attack
  • public key (without knowing private key)
Weak-Key Substitution Attack
• the same form: $X = y^e h_1^{-s} h_2^{-t} \bmod N$
• signature $(y, a, e)$, where $s = a$, $t = a \oplus H(m)$ in the Fischlin scheme
• $t = m$ in the C-L scheme

Cryptanalysis (2/2)
• choose two new primes st.
• choose two random quadratic residues
compute
Then public key is valid with secret key and signature (y, a, e) of m

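A toy run of the C-L scheme showing why verification alone does not identify the signer: one signature on m passes under U's key and under a second key built from the form $X = y^e h_1^{-s} h_2^{-t} \bmod N$ with $t = m$. This is an added example, not code from the slides or from the paper; all numeric values are constructed toy parameters, and computing the second key modulo a fresh modulus from new primes and new bases is an assumption about the formulas missing from the slide above.

```python
# Toy Camenisch-Lysyanskaya signatures and the weak-key substitution check.
# All parameters are constructed and far too small for real use.
L_M = 8            # toy message length l_m in bits
L_E = L_M + 2      # l_e = l_m + 2, as on the slide

def keygen(p, q, seeds):
    """Public key (N, X, h1, h2) from safe primes p, q; private key (p, q)."""
    N = p * q
    X, h1, h2 = (pow(r, 2, N) for r in seeds)    # squares are quadratic residues
    return (N, X, h1, h2), (p, q)

def sign(pub, priv, m, s, e):
    """y = (X * h1^s * h2^m)^(1/e) mod N, using the factorisation of N."""
    N, X, h1, h2 = pub
    p, q = priv
    d = pow(e, -1, (p - 1) * (q - 1))            # exponent that takes e-th roots
    base = X * pow(h1, s, N) * pow(h2, m, N) % N
    return pow(base, d, N), s, e

def verify(pub, m, sig):
    """Check 2^(l_e-1) < e < 2^l_e and y^e = X * h1^s * h2^m mod N."""
    N, X, h1, h2 = pub
    y, s, e = sig
    if not (2 ** (L_E - 1) < e < 2 ** L_E):
        return False
    return pow(y, e, N) == X * pow(h1, s, N) * pow(h2, m, N) % N

def substitute_key(m, sig, p2, q2, seeds):
    """Second key pair for the same sig: X' = y^e * h1'^-s * h2'^-t mod N'."""
    y, s, e = sig
    N2 = p2 * q2                                 # assumption: fresh modulus N'
    h1, h2 = (pow(r, 2, N2) for r in seeds)      # assumption: fresh bases h1', h2'
    t = m                                        # t = m in the C-L scheme
    X2 = pow(y, e, N2) * pow(h1, -s, N2) * pow(h2, -t, N2) % N2
    return (N2, X2, h1, h2), (p2, q2)

def demo():
    m = 0x5A                                                  # constructed message
    u_pub, u_priv = keygen(1019, 1187, (3, 5, 7))             # signer U
    sig = sign(u_pub, u_priv, m, s=123456, e=521)
    a_pub, _ = substitute_key(m, sig, 1283, 1307, (11, 13))   # second party A
    return verify(u_pub, m, sig), verify(a_pub, m, sig), u_pub != a_pub

if __name__ == "__main__":
    print(demo())
```

The third value in the result confirms the two public keys differ, so a verifier that accepts any well-formed key cannot tell from the signature which party signed.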
Conclusion
• Both schemes are attacked with a weak-key substitution attack
• Security against existential forgery under adaptive chosen-message attack is, on its own, inadequate for a signature scheme
• A scheme should also be secure against key substitution attacks, or rather secure in the multi-user setting