Abstract

The notion of key substitution security of digital signatures in the multiuser setting was proposed by Menezes and Smart in 2004. Along with the unforgeability of signatures, key substitution security is very important, since it is a critical requirement for the nonrepudiation and authentication properties of a signature. Lattice-based signatures are a promising candidate for post-quantum cryptography, and the unforgeability of each scheme has been relatively well studied. In this paper, we present key substitution attacks on BLISS, Lyubashevsky’s signature scheme, and GPV, and thus show that these signature schemes do not provide nonrepudiation. We also suggest how to avoid key substitution attacks on these schemes.

1. Introduction

The classical cryptography based on factoring or discrete-logarithm problem is vulnerable to cryptanalysis by quantum computers. To prepare for a security plan after the emergence of quantum computing, NIST [1] and ETSI [2] currently try to standardize public key algorithms of three categories, namely, digital signature, public key encryption, and key exchange protocol. Among them, digital signatures are commonly used for authenticated key exchange protocol, software distribution, financial transactions, and contract management software and in other cases where it is important to detect forgery or tampering.

The established security notion for digital signature schemes is existential unforgeability under adaptive chosen-message attacks, introduced by Goldwasser, Micali, and Rivest [3]. Although a signature scheme secure in this sense offers rather strong security guarantees, further requirements can be crucial in certain applications. For example, Koblitz, Menezes, and Smart [4, 5] show that GMR security is not sufficient in a multiuser setting by proposing a new type of attack on digital signature schemes, called a key substitution attack. In the key substitution attack, an adversary is given a public key and a signature on a message under , and then he tries to produce a new public key different from which validates the same signature on the same message under the new public key .

A serious practical danger of key substitution attacks is that they not only undermine nonrepudiation but also make it impossible to authenticate the signer who signed the message. These are core functionalities that a digital signature can offer. Nonrepudiation refers to the ability to ensure that a sender who signed a message or document cannot later deny having signed it. The US government standard for digital signatures states that nonrepudiation and authentication are main characteristics of a signature scheme [6]. In the key substitution attack, a successful attacker obtains a new public key , which validates a given signature signed by the signer. As a result, one signature is valid under two different public keys, which undermines these functionalities of the signature scheme. In other words, the threat of the key substitution attack is that there are two (or more) different valid public keys for the same given signature.

A typical scenario where the key substitution attack has damaging consequences is the following. Suppose that Bob has signed an important contract with Alice. If Bob later wants to back out of the contract, he cannot claim that he did not sign it, provided that the nonrepudiation property of the digital signature scheme works properly, because Alice can present the contract carrying Bob’s signature corresponding to his public key as evidence that he is lying. However, if the signature scheme is vulnerable to the key substitution attack, the scheme loses its nonrepudiation function. Bob can then insist that he has not signed the contract with Alice and that the signature on the contract presented by Alice is not his. As a proof of his claim, he mounts a key substitution attack to obtain a new public key different from and shows that the contract with the same signature can be validated using the public key . This means that it is hard to prove that Bob has signed a contract with Alice by using . This seriously weakens the usability of the digital signature scheme in the real world. Therefore, it is crucial for a digital signature scheme to prevent the key substitution attack. It is noteworthy that the legal signer, Bob, can be a potential attacker in key substitution attacks. For more on the real-world impact of the key substitution attack, we refer to [4].

In this paper, we present key substitution attacks on lattice signature schemes based on the SIS problem, such as the GPV signature scheme [7], Lyubashevsky’s signature scheme [8], and BLISS [9]. Note that lattice-based cryptography is one of the most promising candidates for post-quantum cryptography, and BLISS (Bimodal Lattice Signature Scheme) is currently one of the most compact and efficient lattice-based signature schemes that is provably secure under lattice assumptions.

We present two kinds of key substitution attacks. The first one is the weak key substitution attack, in which the adversary, who may be a legal signer, wants to ruin the properties of the digital signature scheme by obtaining new public and private key pairs. This type of attack was considered in [10, 11], where e-coupon and e-lottery systems were presented as concrete examples. For instance, an electronic coupon (e-coupon) system works as follows. When issuing an e-coupon to a customer, the issuer requires the customer to sign the e-coupon in order to prevent its illegal use. The e-coupon is then signed by the issuer and issued to the customer as a legitimate buyer. Before the customer redeems the e-coupon at the store, he needs to show ownership of the e-coupon by a zero-knowledge proof of his secret key. Assume that a successful weak key substitution attacker Alice has a valid e-coupon and duplicates the e-coupon with the same signature under and . Then she can use the e-coupon multiple times to buy goods, because she is able to prove that she owns the e-coupons by using . Moreover, if Alice sells the copies of the e-coupon with and to unauthorized users, she gains financially from it, and the illegal users obtain the goods using the e-coupon with at the shop.

The other is the strong key substitution attack, in which an adversary, not necessarily the signer, wants to compute a new public key validating a given signature. In this case the attacker may interfere with the communication between a signer and a verifier in order to achieve his malicious goal, like the unknown key share attack proposed in [12].

In our attacks on these signature schemes, we solve linear equations for a valid new public key to pass the verification algorithm. One of the important requirements is to check if a hash value for given and is correct. On SIS-based signature schemes mentioned above, we succeed in substituting a new public key using algebraic structures depending on each signature scheme without finding the collision of hash function on the same message.

This paper is organized as follows. In Section 2, we introduce some necessary cryptographic and mathematical backgrounds, including the definitions of SIS problem and key substitution attack. In Section 3, we recall three lattice-based signature schemes, namely, GPV signature [7], Lyubashevsky’s signature [8], and BLISS [9], and present key substitution attacks on these schemes. In Section 4, we examine the effectiveness of the proposed attacks and explain how to avoid key substitution attacks on these schemes. In Section 5, we conclude our paper.

2. Preliminaries

2.1. Notations

We assume that all vectors are column vectors and vectors will be written in bold lower case letters. Matrices will be written in upper case letters. For vectors , let denote a matrix whose -th column is .

The norm of a vector is denoted by and we will usually avoid writing the for the norm. For a distribution , we use the notation to mean that is chosen according to the distribution . If is a set, then means that is chosen uniformly at random from . For integers , let denote the set of integers .

2.2. Some Basics on Lattices

Let consist of linearly independent vectors. The -dimensional lattice generated by the basis is . A lattice is a discrete additive subgroup of . If , we say that is full-rank.

The minimum distance of a lattice is the length of its shortest nonzero vector in the norm: . We write to denote the minimum distance of a lattice in the norm. More generally, the -th minimum for is defined as the smallest such that contains linearly independent vectors of norm . If is a basis matrix of , the fundamental parallelepiped of is the set . The volume of is an invariant of the lattice which is denoted by . Minkowski’s theorem states that . The dual lattice of , denoted by , is defined as .

The following background results are borrowed from [13, Section 2]. Let a power of , , and . An ideal of is a subset of which is closed under addition and multiplication by arbitrary elements of . By mapping polynomials to the vectors of their coefficients, we can see that an ideal corresponds to a full-rank sublattice of . An ideal lattice for is a sublattice of that corresponds to a nonzero ideal of . The algebraic norm is the cardinality of and it is equal to where is regarded as a lattice. Any nonzero ideal of satisfies .

For an integer , the elements in are represented by integers in the range . Let for some positive integers . We consider two kinds of full-rank -dimensional integer lattices defined by . The first consists of those integer vectors that are orthogonal (modulo ) to the rows of A, and it is defined as . The second lattice is generated by the transposed rows of , and it is defined as for some . In terminology of coding theory, is the parity check matrix for the linear code over , and is the generator matrix for the lattice over . When is clear in the context, we can omit it and just write and .

Micciancio and Regev [14] introduced a lattice quantity called the smoothing parameter.

Definition 1 (see [14]). For any -dimensional lattice and positive real , the smoothing parameter is the smallest real such that .

The following lemma shows that a Gaussian sample over is distributed almost-uniformly modulo a sublattice , if .

Lemma 2 (see [14]). Let , be -dimensional lattices, with . Then for any , any , and any , the distribution of is within statistical distance at most of uniform over .

The following lemma also shows that the smoothing parameter of a lattice is related to the minimum distance of its dual lattice in the norm or to the -th minimum of the lattice.

Lemma 3 (see [15]). For any -dimensional lattice and real , we have

Lemma 4 (see [14]). For any -dimensional lattice and real , we have

2.3. SIS Problems on Lattices

We recall the definition of the generalized Short Integer Solution (SIS) problem. This average case problem proposed by Ajtai [16] is to find a short nonzero integer solution to the homogeneous linear system for uniformly random . This is syntactically equivalent to finding an approximately short nonzero vector in . The problem was formalized as follows in [14].

Definition 5 ( problem). The small integer solution problem SIS (in the norm) is defined as follows: given an integer , a random matrix , and a positive real number , find a nonzero vector such that and .

By the pigeonhole principle, if , then the SIS instances are guaranteed to have a solution. We now recall a variant problem, which is to find a short solution to a random inhomogeneous system, specifically, (where both and are uniformly random).

Definition 6 ( problem). The inhomogeneous small integer solution problem ISIS (in the norm) is as follows: given an integer , a matrix , a syndrome , and a real , find an integer vector such that and .

2.4. Probability Distributions

The continuous normal distribution over centered at with standard deviation is defined by the function . When , we write . The discrete normal distribution over an -dimensional lattice centered at some with standard deviation is defined as where the quantity is just a scaling quantity needed to make the function into a probability distribution. When , we write as , and denotes . When , we write as .

The following lemma shows the equivalence of two distributions which is used in the construction of Lyubashevsky’s signature scheme [8] and BLISS [9].

Lemma 7 (rejection sampling [9]). Let be an arbitrary set, and let and be probability distributions. If is a family of probability distributions indexed by with the property that there exists a such that , , , then the output distributions of the following two algorithms are identical:
(1) , , output with probability .
(2) , , output with probability .

2.5. Signatures and Key Substitution Attack

In this section we recall the definition of digital signature schemes and introduce the key substitution attack against it.

Definition 8 (signature scheme [11]). A signature scheme is a triple of algorithms , where, for security parameter ,
(i) , the key pair generation algorithm, is a probabilistic polynomial-time algorithm which outputs a private/public key pair on input of domain parameters , which are an output of the setup algorithm taking a security parameter as an input;
(ii) , the signature generation algorithm, is a probabilistic polynomial-time algorithm which on input of a message and a private key associated with domain parameters outputs a digital signature ;
(iii) , the signature verification algorithm, is a deterministic algorithm which on input of a message , a signature , valid domain parameters , and a public key outputs 1 (= valid) or 0 (= invalid).

A digital signature scheme is secure if it is correct and existentially unforgeable under adaptive chosen-message attack (EUF-CMA). These properties are defined below. For simplicity, we omit the input in and and just write it as and .

Definition 9 (correctness). A digital signature scheme is correct if for all , all key pairs , and all messages we have

Definition 10 (EUF-CMA). A digital signature scheme is existentially unforgeable under adaptive chosen-message attacks if for all probabilistic polynomial-time algorithms with access to a signing oracle there is a negligible function such that
where is the set of queries which has made to the signing oracle.

We consider an additional checking algorithm to check the validity of a public key . Given the domain parameters and a candidate public key , the checking algorithm returns if and only if the is valid under the domain parameters .

Definition 11 (key substitution attack [11]). Given a signature scheme , a key substitution attack (with malicious signer) is a probabilistic polynomial-time algorithm which on input of valid domain parameters outputs two valid public keys and (passing the tests for and ) and a message/signature pair where and . When taking into account certificates, key substitution attack has access to a certification oracle.

A key substitution attack is called weak if an adversary also needs to output private keys and corresponding to and , respectively; otherwise key substitution attack is called strong. A digital signature scheme is strong (resp., weak) key substitution secure if it is secure against strong (resp., weak) key substitution attacks.

Remark 12. When considering the nonrepudiation property of signature schemes, it is important to note that the legal signers can be considered as attackers since the repudiation of a signature is a malicious goal of legal signers.

Remark 13. A more general version of the key substitution attack, called the message and key substitution (MKS) attack by Menezes and Smart [5], lets the adversary generate a valid public key and a message such that the same signature is valid under public key , for a given valid signature on a message under the public key . In [5], Menezes and Smart regarded MKS as an attack with little meaning, since signatures by themselves have no meaning and so they could not envision a realistic scenario where this ability has damaging consequences.

3. Key Substitution Attacks on SIS-Based Signature Schemes

In this section, we describe three SIS-based signature schemes: the GPV signature scheme [7], Lyubashevsky’s signature scheme [8], and BLISS [9]. We present strong key substitution attacks on these schemes. We also provide weak key substitution attacks on these schemes where a legal signer acts as an attacker, and this implies that these signature schemes have a problem in providing the nonrepudiation property, even if the certificate authority requires users to prove possession of their private key before issuing certificates. We note that even though our weak key substitution attack is not successful when the attacker is not the original signer, it can at least be said that there may be a problem in providing nonrepudiation with these signature schemes.

3.1. Attacks on GPV Signature Scheme

Description of GPV Signature Scheme. First, we present key substitution attacks on the GPV signature scheme designed by Gentry, Peikert, and Vaikuntanathan [7]. Before continuing, we briefly describe the key generation algorithm , signature generation algorithm , and signature verification algorithm of the GPV signature scheme.

: On the given input , the algorithm samples a pair of matrices , where is a matrix of rank over and is a matrix of rank over satisfying , and , where denotes the -th column vector of . The key generation algorithm also sets a collision resistant function and outputs public parameters and a pair of public key and private key .

: On the given inputs , and a message , the algorithm computes and finds such that . The signing algorithm also samples satisfying and , using the short basis of induced from . The signing algorithm finally outputs as a signature of the message .

: On the given inputs , the algorithm outputs 1 (= valid) if and only if

Strong Key Substitution Attack. We present a strong key substitution attack on the GPV signature scheme.

Suppose that a valid signature on a message under the public key is given. One proceeds as follows to obtain a new public key where is a valid signature on the message under this new public key .
(1) Compute a matrix such that and the rank of the matrix is .
(a) Let . In the construction of , the vector can be chosen arbitrarily such that . In particular, we select column vectors of which are linearly independent over , namely, (we may assume that ). We set for and choose the other ’s so that . Then has linearly independent column vectors over , which gives the required rank.
(2) Set .
(3) Output and as a signature on under the public key .

The validity of as a signature on the message under the new public key follows from the facts below:
(i) since is a valid signature.
(ii) since we have

Weak Key Substitution Attack. We now present a weak key substitution attack on the GPV signature scheme. In the proposed attack, we assume that the signer acts as an attacker to undermine the nonrepudiation property of the signature scheme and so the attacker knows .

Suppose that a valid signature on a message under the public key is given. The attacker proceeds as follows to obtain a new public key and the corresponding private key such that is a valid signature on the message under this new public key .
(1) Compute a matrix such that is an eigenvector of with eigenvalue ; that is, .
(a) is chosen as an invertible matrix over with eigenvector and eigenvalue 1 so that has rank . More precisely, one can construct as follows. We may assume that and . For any , we set the following.
Then is invertible, , and the rank of is .
(2) Set .
(3) Output and as a signature on the message under the public key , and output as a private key of .

Noting that the private key corresponding to the public key satisfies , we know that is also a private key of the new public key . Thus, the attacker who knows also knows the private key of .

The validity of as a signature on the message under the new public key follows from the facts below:
(i) since is a valid signature.
(ii) since we have

Therefore, the attacker, who was the original signer, has succeeded in a weak key substitution attack on the GPV signature scheme.
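Both GPV attacks above reduce to one linear-algebra step: multiply the public matrix by an invertible matrix that fixes a vector (the signature in the strong attack, where the new key is the product on the right; the hash value in the weak attack, where the product is on the left), so that the verification equation is unchanged. The following Python toy is an added illustration and is not code from the paper. It models the GPV verification relation over constructed small parameters (q = 13, n = 3, m = 7), replaces trapdoor preimage sampling and the short basis by brute-force search in a small box, builds the fixing matrix as a rank-one update I + v·w^T (a construction assumed for this example; the paper's own constructions differ in detail), and contrasts the original verifier with a variant that hashes the public key together with the message, the standard countermeasure against key substitution (the paper's own recommendations are in its Section 4 and are not reproduced here). Function names and the sample message are this example's own.

```python
import hashlib
import itertools
import random

# Constructed toy parameters; real GPV uses far larger n, m, q. The box [-BETA, BETA]^M
# stands in for the norm bound on signatures.
Q, N, M, BETA = 13, 3, 7, 2

def box():
    """All candidate short vectors in the toy norm bound."""
    return itertools.product(range(-BETA, BETA + 1), repeat=M)

def mat_vec(A, x):  # A*x mod Q for a row-list matrix A
    return [sum(a * b for a, b in zip(row, x)) % Q for row in A]

def mat_mul(A, B):  # A*B mod Q
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]

def rank_mod_q(A):
    """Rank over Z_Q (Q prime) by Gaussian elimination."""
    rows, rank = [[x % Q for x in r] for r in A], 0
    for c in range(len(A[0])):
        piv = next((r for r in range(rank, len(rows)) if rows[r][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][c], -1, Q)
        rows[rank] = [(x * inv) % Q for x in rows[rank]]
        rows = [r if k == rank else [(x - r[c] * y) % Q for x, y in zip(r, rows[rank])]
                for k, r in enumerate(rows)]
        rank += 1
    return rank

def hash_to_zq(*parts):
    """Model of the hash H: length-prefixed byte strings -> Z_Q^N."""
    d = hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()
    return [int.from_bytes(d[2 * i:2 * i + 2], "big") % Q for i in range(N)]

def h_msg_only(A, msg):  # original GPV: the hash sees only the message
    return hash_to_zq(msg)

def h_key_bound(A, msg):  # hardened variant: the hash also binds the public key
    return hash_to_zq(bytes(x for row in A for x in row), msg)

def keygen(seed=1):
    """Full-rank A plus short kernel vectors S (A*s = 0 mod Q), found by brute force as a
    stand-in for the GPV trapdoor, a short basis of the lattice orthogonal to A."""
    rng = random.Random(seed)
    while True:
        A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
        if rank_mod_q(A) == N:
            return A, [list(s) for s in box() if any(s) and mat_vec(A, s) == [0] * N]

def sign(A, msg, target):
    """Brute-force short preimage of the hash value; stands in for GPV preimage sampling."""
    h = target(A, msg)
    return next(list(s) for s in box() if mat_vec(A, s) == h)

def verify(A, msg, sigma, target):
    """GPV check: sigma short, A of full rank N, and A*sigma = H(...) mod Q."""
    short = all(abs(x) <= BETA for x in sigma)
    return short and rank_mod_q(A) == N and mat_vec(A, sigma) == target(A, msg)

def matrix_fixing(x, rng):
    """Invertible T over Z_Q with T*x = x, built as I + v*w^T with w.x = 0 and 1 + w.v != 0
    (det(I + v*w^T) = 1 + w.v). This rank-one construction is this example's assumption."""
    d = len(x)
    i = next(k for k, xk in enumerate(x) if xk % Q)  # requires x nonzero mod Q
    j = (i + 1) % d
    w = [0] * d
    w[j], w[i] = 1, (-x[j] * pow(x[i] % Q, -1, Q)) % Q
    while True:
        v = [rng.randrange(Q) for _ in range(d)]
        if any(v) and (1 + sum(a * b for a, b in zip(w, v))) % Q:
            return [[((r == c) + v[r] * w[c]) % Q for c in range(d)] for r in range(d)]

def strong_substitution(A, sigma, rng):
    """Strong attack (no private key): A' = A*T with T*sigma = sigma, so A'*sigma = A*sigma."""
    while True:
        A2 = mat_mul(A, matrix_fixing(sigma, rng))
        if A2 != A:
            return A2

def weak_substitution(A, h, rng):
    """Weak attack (signer as attacker): A'' = T*A with T*h = h, so A''*sigma = T*h = h and
    A''*S = T*(A*S) = 0, i.e. the signer's own trapdoor S is also a trapdoor for A''."""
    return mat_mul(matrix_fixing(h, rng), A)

def demo():
    """Run both substitutions against the original verifier and the key-binding one."""
    rng, msg = random.Random(7), b"constructed sample contract"
    A, S = keygen()
    sigma = sign(A, msg, h_msg_only)
    A_strong = strong_substitution(A, sigma, rng)
    A_weak = weak_substitution(A, h_msg_only(A, msg), rng)
    sigma_hard = sign(A, msg, h_key_bound)
    A_strong_hard = strong_substitution(A, sigma_hard, rng)
    return {
        "orig_valid": verify(A, msg, sigma, h_msg_only),
        "strong_valid": A_strong != A and verify(A_strong, msg, sigma, h_msg_only),
        "weak_valid": A_weak != A and verify(A_weak, msg, sigma, h_msg_only),
        "weak_keeps_trapdoor": bool(S) and all(mat_vec(A_weak, s) == [0] * N for s in S),
        "hardened_orig_valid": verify(A, msg, sigma_hard, h_key_bound),
        "hardened_strong_valid": verify(A_strong_hard, msg, sigma_hard, h_key_bound),
    }
```

Running `demo()` shows the same signature accepted under the original key and under both substituted keys with the message-only hash, and the signer's short kernel vectors still annihilating the weakly substituted key. With the key-binding hash the substituted key is rejected, because the verifier recomputes the hash from the key it was handed, so the fixing-matrix trick no longer helps; in this toy a coincidental collision of the two hash values has probability about q^-n.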

3.2. Attacks on Lyubashevsky’s Signature Scheme

Description of Lyubashevsky’s Signature Scheme. We describe Lyubashevsky’s signature scheme based on the SIS problem [8].

: On the given input , the algorithm samples two matrices , where is a matrix of rank and . The algorithm computes satisfying . The algorithm sets an integer such that and sets so that . The key generation algorithm also sets a hash function and outputs public parameters and a pair of public key and private key .

: On the given inputs , and a message , the algorithm samples an -dimensional vector from , then computes , and finally obtains by applying the rejection sampling algorithm. The signing algorithm outputs as a signature only with probability . If nothing is output, the algorithm is run again until a signature is produced.

: On the given inputs , the algorithm outputs 1 if and only if

Strong Key Substitution Attack. Suppose that a valid signature on a message under the public key is given. One proceeds as follows to obtain a new public key such that is a valid signature on the message under the new public key .
(1) Compute a matrix such that . It is easy to compute in a way similar to the one described in the strong key substitution attack on the GPV signature scheme.
(2) Set .
(3) Output and as a signature on the message under the public key .

The validity of as a signature on the message under the new public key follows from the facts below:
(i) since is a valid signature.
(ii) since we have

Weak Key Substitution Attack. We now present a weak key substitution attack on Lyubashevsky’s signature scheme. Suppose that a valid signature on a message under the public key is given. As we have commented before, the signer is the attacker, and it is assumed that the attacker knows such that . The attacker proceeds as follows to obtain a new public key such that is a valid signature on the message under the new public key .
(1) Compute a matrix satisfying .
(i) With high probability, we may assume that has at least two nonzero components, say and . Let and with . We also assume
which occurs with overwhelming probability. Let , which will be determined later. We set as follows.
Then it satisfies .
Let . The only terms of differing from are and . If , then one can choose any . If and , then set so that . If and , then set so that .
(2) Set .
(3) Output and as a signature on under the public key .

Note that is a valid private key corresponding to since and . Therefore, the attacker, who knows such that , also knows the private key of .

The validity of as a signature on the message under the new public key follows from the facts below:
(i) since is a valid signature.
(ii) since we have

Therefore, the attacker, who was the original signer, has succeeded in a weak key substitution attack on Lyubashevsky’s signature scheme.

3.3. Attacks on BLISS Signature Scheme

BLISS [9] is possibly one of the most efficient lattice-based signature schemes. It has been implemented in both software and hardware and boasts implementation efficiency comparable to classical factoring and discrete-logarithm-based schemes. BLISS can be seen as a ring-based optimization of the earlier lattice-based scheme of Lyubashevsky, sharing the same “Fiat-Shamir with aborts” structure.

The security of the BLISS signature scheme is based on the hardness of the problem, which is the ring variant of the SIS problem. We first describe the matrix version of the BLISS signature scheme and then explain its ring version. For more detailed descriptions and the definition of the problem, we refer to [9]. The scheme construction and security proof for the matrix version carry over to the ring version when instantiated with polynomials.

In this subsection, we will assume that is a prime such that and is a power of 2. For any integer , we define the quotient ring and .

Let and be the set of binary and ternary integers, respectively. We define (resp., ), the set of binary vectors (resp., ternary vectors) of length and Hamming weight (i.e., vectors with exactly out of nonzero entries). Depending on the context, we consider and as a subset of or and regard bold lower case letters as vectors or polynomials. For every integer in the range and any positive integer , can be uniquely written , where . For every integer vector , denotes . Let denote the concatenation of two vectors and .

3.3.1. Matrix Version of BLISS

Description of the Matrix Version of BLISS. We describe the key generation algorithm , signature generation algorithm , and verification algorithm of the matrix version of the BLISS signature scheme.

: On the given input , the algorithm outputs the key pair such that has a small norm, , and . The algorithm sets so that . Let denote a hash function . The algorithm also outputs the public parameter .

: On the given inputs , , , and a message , the algorithm computes a signature of the message as follows:
(1) .
(2) .
(3) Choose a random bit .
(4) .
(5) Output with probability ; otherwise restart.

: On the given inputs , and a signature , the algorithm accepts or rejects the signature according to the following steps:
(1) If , then output .
(2) If , then output .
(3) Output 1 if and only if .

Note that the signer outputs the signature where is distributed according to . It can be seen from Lemma 7 by taking and where .

Strong Key Substitution Attack. We present a strong key substitution attack on the matrix version of BLISS signature scheme.

Suppose that a valid signature on a message under the public key is given. One proceeds as follows to obtain a new public key such that the signature is a valid signature on the message under the new public key .

To succeed in the strong key substitution attack, it is enough to find a new matrix such that , which holds when . In the following we show how to find such a matrix .
(1) We may assume that there exists such that is invertible modulo .
(2) Let and . For each , choose uniformly at random from , and then compute .
(3) Defining a matrix , we have because of step .
(4) Output and as a signature on the message under the public key .

We note that the validity of as a signature on the message under can be checked as follows:
(i) and since is a valid signature.
(ii) The equation implies that .

The described attack succeeds unless there is no such that is invertible in . Note that the signer outputs the signature where is distributed according to by Lemma 7. Therefore it is enough to estimate the success probability of our attack for . Let and be a positive real number. Since is a nonincreasing function in , and . We thus have and . We also note that for any . Then where for parameters proposed in BLISS (). This implies that the probability that all of are noninvertible modulo is at most . Thus, the success probability of our attack is at least which is very high.

Weak Key Substitution Attack. We now present a weak key substitution attack on the matrix version of BLISS signature scheme.

Suppose that a valid signature on a message under the public key is given. The signer, who owns and such that , proceeds as follows to obtain a new public key and the corresponding private key such that the signature is a valid signature on the message under the new public key . To succeed in the weak key substitution attack, it is sufficient to find matrices and such that and . In the following we show how to find such matrices and .
(1) Compute a matrix such that and , which imply that .
(a) Computing such a matrix is easy if . We first compute a matrix such that . We then set . It is easy to see that and .
(2) We set .

Since and satisfy , we have and . From the construction of , we also have and , which imply . Thus, the signer obtains a valid key pair and .

The validity of as a signature on the message under the public key can be checked as follows:
(i) and since is a valid signature.
(ii) from the following equations:

Therefore, the signer of the signature succeeds in a weak key substitution attack on the matrix version of BLISS signature scheme.

3.3.2. Ring Version of BLISS

Description of the Ring Version of BLISS. We describe the key generation algorithm , signature generation algorithm , and verification algorithm of the ring version of the BLISS signature scheme. Let us define where is the number of dropped bits, and such that .

The notation means that and are sampled from the distribution .

For and an integer , define where and is a matrix in such that the -th column of is the coefficient vector of the polynomial for and .

: On the given input , the algorithm outputs the key pair generated as follows. We note that a key pair satisfies . The algorithm sets so that . The algorithm also sets a positive integer and a constant so that 25% of the keys are accepted. Let denote a hash function . The algorithm also outputs the public parameter where .
(1) Choose as uniform polynomials of degree less than with exactly entries in , entries in , and other entries in , where and are given densities.
(2) .
(3) If , then restart.
(4) (restart if is not invertible).
(5) .

: On the given inputs , , , and a message , the algorithm computes a signature of the message as follows:
(1) .
(2) .
(3) .
(4) Choose a random bit .
(5) .
(6) .
(7) Continue with probability ; otherwise restart.
(8) .
(9) Output .

: On the given inputs , the algorithm accepts or rejects the signature according to the following steps:
(1) .
(2) If , then output .
(3) If , then output .
(4) Output 1 if and only if .

As in the matrix version of BLISS, the signer outputs the signature where is sampled from by Lemma 7.

Strong Key Substitution Attack. Suppose that a valid signature on a message under the public key is given. One proceeds as follows to obtain a new public key where the signature is a valid signature on the message under the new public key .

Since we want to find satisfying the equation where , it suffices to find such that . To find such a polynomial , we consider the greatest common divisor of two polynomials and . Let be the gcd of and modulo , and let be the gcd of and modulo . Since , the polynomial is completely factorized as a product of distinct linear polynomials modulo ; that is, . Since is a power of two, we also have .

Case 1. If , there exists such that for some . We set and define . In this case, we output as a new public key and as a signature on the message under the public key .

Case 2. If , we set and define . In this case, we output as a new public key and as a signature on the message under the public key .

In both cases, the validity of as a signature on the message under the public key can be checked as follows:
(i) and since is a valid signature.
(ii) In both cases and , we have , which implies
Thus, we have .

As described, our attack succeeds when is noninvertible in or is noninvertible in . Note that the signer outputs the signature where is distributed according to by Lemma 7. Therefore it is enough to estimate the success probability of our attack for . To compute the success probability of our attack, we first consider the case that is noninvertible in . Recall that, by Lemma 2, if , the distribution of is within statistical distance at most of uniform over . Noting that and , by Lemma 3, we have Therefore, if , then the distribution of is uniform over within statistical distance at most . Hence, for , the probability that is not invertible in is greater than or equal to . This is summarized in the following theorem.

Theorem 14. If ,

Taking , we have . For the proposed parameter sets for BLISS, we have and , which imply . Thus, the probability that is noninvertible in is greater than or equal to .

We now consider the case that is noninvertible in . Before continuing we first show that the following theorem holds. Note that this is essentially from [13, Lemma 11].

Theorem 15. Let be a power of such that splits into linear factors modulo prime as . Let be an arbitrary real number. For , we have the following.
(i) If ,
(ii) If ,

Proof. Let be an ideal of . From , we have and so by Minkowski’s theorem. Since is an ideal of , we have , and Lemma 4 gives . Thus, if , by Lemma 2, is within statistical distance to the uniform distribution on . As a result, we have .
Let be an ideal of . We then have and , because . Lemmas 4 and 2 then show that is within statistical distance to the uniform distribution on when . On the other hand, since for , , is equivalent to and . Thus, by combining these results, we have .

If , we have

Taking , if , the probability that is noninvertible in is at least , which is nonnegligible in since in general is polynomial in . For the proposed parameter sets of BLISS having at least -bit security, we have and , and always satisfies ; thus the success probability is at least .

Weak Key Substitution Attack. We present a weak key substitution attack on the ring version of the BLISS signature scheme. In this case, our attack is successful only in a very limited case.

Suppose that a valid signature on a message under the public key is given. In weak key substitution attacks the signer who owns the key pair wants to obtain a new public key and the corresponding private key so that the signature is a valid signature on the message under the new public key .

Similar to the strong key substitution attack on BLISS, it suffices to find and such that and . In the following we show how to find such polynomials.
(1) Compute a polynomial such that in by using a method similar to that in the strong key substitution attack. This implies that in .
(2) We set in .

Since , we have . However, we cannot guarantee that is small enough. Therefore, the signer obtains a valid key pair and only if one can make small. One way to get a smaller is to apply a lattice reduction algorithm on the ideal lattice generated by . However, it does not guarantee that is small enough to be a valid private key.

The validity of as a signature on the message under can be checked as follows:
(i) and since is a valid signature.
(ii) from the following equalities: .

Therefore, the signer of succeeds in a weak key substitution attack on the ring version of BLISS as long as is small enough to be a valid private key.

4. Attack Possibility and Its Defense

4.1. Possibility of Key Substitution Attacks

In general, there are two ways for a certificate authority to register a new user as the owner of a public key. One is that the certificate authority (CA) requires the user to prove possession of the corresponding private key with a zero-knowledge proof before issuing a certificate. The other is that the CA only checks whether the public key differs from every previously issued one.

Clearly, if the CA only checks the freshness of public keys before issuing certificates, then by our strong key substitution attacks, the GPV signature scheme, Lyubashevsky’s signature scheme, and BLISS do not provide the nonrepudiation property.

Thus, a simple and natural way to prevent the strong key substitution attack is to require that the CA issue a certificate only after checking possession of the private key using a zero-knowledge proof. The problem with this solution is that none of the known approaches to lattice-based zero-knowledge proofs is practical. The first zero-knowledge proofs in the lattice setting were introduced by Kawachi et al. and Ling et al. [17, 18]. If one would like to have 128 bits of quantum security, one of the most basic applications [19] requires KB of total proof size, and more complicated applications need megabytes. Baum and Lyubashevsky [20] give a new approach for constructing amortized zero-knowledge proofs of knowledge of short solutions over polynomial rings. When the number of relations is as small as the security parameter, their proof is practical. However, as the number of samples increases, the protocol has the same efficiency as the previous works. Still, it seems that more research on lattice-based zero-knowledge proofs is needed to design efficient lattice-based authentication systems.

Even if the CA issues certificates using zero-knowledge proofs, providing the nonrepudiation property requires that the underlying signature scheme be secure under the weak key substitution attack, since any malicious signer can be a successful weak key substitution attacker and repudiate his/her valid signature in the system. Our weak key substitution attacks on the GPV signature scheme, Lyubashevsky’s signature scheme, and BLISS show that these schemes cannot provide nonrepudiation of signatures.

4.2. How to Prevent Key Substitution Attacks

Another way to prevent key substitution attacks is to modify the signature scheme so that it resists the attack. Menezes and Smart [5] took such an approach and suggested a method, which we call the MS conversion, that converts a signature scheme into a new signature scheme by prepending the signer’s public key to the message in some unambiguous way prior to signing (for example, a field of fixed length may be reserved for the public key). By using formatted messages specific to each public key, the goal of the key substitution attack against is converted into computing from a valid triple , which was regarded as meaningless by Menezes and Smart [5] since it belongs to the message key substitution (MKS) attacks against .

However, we note that the MS conversion is not enough to guarantee the original meaning of KS security without considering MKS security. The specific MKS attack of computing indicates that anyone can use it to claim that the signature on the message was signed by the user with the public key , which is exactly the goal of a key substitution attack. Therefore, it is important to check the infeasibility of computing from a valid triple in the MS conversion to guarantee security against key substitution attacks. From our analysis, it is straightforward to prove that the MS-Lyubashevsky signature scheme and the MS-BLISS signature scheme are secure against key substitution attacks if the hash function is collision resistant.
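The MS conversion of the two preceding paragraphs, as an added example that is not the paper’s own code: the public key is prepended to the message as a fixed-length field before the message enters the Fiat-Shamir challenge hash, and the verifier inserts its own key into that field, so a substituted key changes the challenge. The underlying scheme is a toy Schnorr signature in the multiplicative group modulo the Mersenne prime 2^127 - 1, chosen only as a short, offline stand-in for a Fiat-Shamir type scheme such as BLISS; the parameters are constructed for illustration and are not secure.

```python
"""Menezes-Smart (MS) conversion on a toy Fiat-Shamir signature (added example)."""
import hashlib
import secrets

P = (1 << 127) - 1   # constructed toy modulus: Mersenne prime M127, not a secure choice
G = 3                # constructed toy generator of a subgroup of Z_P^*
ORDER = P - 1        # exponents are reduced modulo the group order
PK_FIELD = 16        # fixed-length field (bytes) reserved for the public key


def keygen():
    """Return (sk, pk) with pk = G^sk mod P."""
    sk = secrets.randbelow(ORDER - 1) + 1
    return sk, pow(G, sk, P)


def ms_format(pk, msg):
    """MS conversion: unambiguously prepend pk as a fixed-length field to msg."""
    return pk.to_bytes(PK_FIELD, "big") + msg


def challenge(formatted_msg, commitment):
    """Fiat-Shamir challenge over the pk-bound message and the commitment."""
    h = hashlib.sha256(formatted_msg + commitment.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % ORDER


def sign(sk, pk, msg):
    """Schnorr signature on the MS-formatted message (pk || msg)."""
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    c = challenge(ms_format(pk, msg), r)
    s = (k + c * sk) % ORDER
    return c, s


def verify(pk, msg, sig):
    """Recompute r' = G^s * pk^(-c) and check the challenge under THIS pk.

    The verifier builds the formatted message from the key it verifies under, so a
    key substitution attacker must find pk' whose formatted message (pk' || msg)
    still hashes to the same challenge: the KS goal becomes an MKS problem.
    """
    c, s = sig
    if not 1 < pk < P:
        return False
    r = pow(G, s, P) * pow(pk, -c, P) % P
    return c == challenge(ms_format(pk, msg), r)
```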

Unlike Fiat-Shamir type signature schemes such as Lyubashevsky’s signature scheme and BLISS, we see that the collision resistance of the hash function is not enough for the MKS security of the MS-GPV signature scheme. The MKS security of the MS-GPV scheme introduces the following new problem: given a such that , compute a new satisfying . One can solve this new problem as follows: for a given ,

Step 1. Compute

Step 2. Compute and such that

Step 3. Output

It is easy to see that . The hardness of this new problem has not been studied for the parameters of the GPV signature. This observation is somewhat heuristic, and more research is needed to assess the hardness of the problem, but we expect that it is easier than the classical computational problems such as the collision resistance of a hash function or the SIS problem.

Table 1 summarizes the results of our key substitution attacks on three signature schemes and MS conversion.

5. Conclusion

In this paper, we present strong/weak key substitution attacks on the GPV signature scheme, Lyubashevsky’s signature scheme, and BLISS. These attacks raise concerns in practice since they deprive the digital signature scheme of its nonrepudiation and authentication functionality. We suggest applying the MS conversion [5], which binds the signer’s public key to the message being signed, to Lyubashevsky’s signature scheme and BLISS. We also point out that it is necessary to prove security against message and key substitution (MKS) attacks for the MS conversion of a digital signature scheme in order to guarantee security against key substitution attacks.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by Priority Research Centers Program of the Ministry of Education (Grant Number 2009-0093827). Seongan Lim was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT, and Future Planning (no: 2016R1D1A1B01008562).