#### Abstract

The notion of key substitution security for digital signatures in the multiuser setting was proposed by Menezes and Smart in 2004. Along with unforgeability, key substitution security is important because it is a critical requirement for the nonrepudiation and authentication properties of a signature. Lattice-based signatures are promising candidates for post-quantum cryptography, and the unforgeability of each scheme has been relatively well studied. In this paper, we present key substitution attacks on BLISS, Lyubashevsky’s signature scheme, and GPV, and thus show that these signature schemes do not provide nonrepudiation. We also suggest how to avoid key substitution attacks on these schemes.

#### 1. Introduction

Classical cryptography based on the factoring or discrete-logarithm problem is vulnerable to cryptanalysis by quantum computers. To prepare a security plan for the emergence of quantum computing, NIST [1] and ETSI [2] are currently working to standardize public key algorithms in three categories, namely, digital signatures, public key encryption, and key exchange protocols. Among them, digital signatures are commonly used for authenticated key exchange protocols, software distribution, financial transactions, and contract management software, and in other cases where it is important to detect forgery or tampering.

The established security notion for digital signature schemes is *existential unforgeability against adaptive chosen-message attacks*, introduced by Goldwasser, Micali, and Rivest [3]. Although a signature scheme secure in this sense offers rather strong security guarantees, further requirements can be crucial in certain applications. For example, Koblitz, Menezes, and Smart [4, 5] showed that GMR security is not sufficient in a multiuser setting by proposing a new type of attack on digital signature schemes, called a key substitution attack. In a key substitution attack, an adversary is given a public key and a signature on a message under , and then tries to produce a new public key different from , under which the same signature on the same message is valid.

A serious practical danger of key substitution attacks is that they not only undermine nonrepudiation but also defeat authentication of the signer who signed the message. These are core functionalities that a digital signature offers. Nonrepudiation refers to the ability to ensure that a sender who signed a message or document cannot later deny having signed it. The US government standard for digital signatures states that nonrepudiation and authentication are main characteristics of a signature scheme [6]. In a key substitution attack, a successful attacker obtains a new public key , which validates a given signature produced by the signer. As a result, one signature is valid under two different public keys, which breaks both functionalities of the signature scheme. In other words, the threat of the key substitution attack is that there are two (or more) different valid public keys for the same signature.

A typical scenario in which a key substitution attack has damaging consequences is the following. Suppose that Bob has signed an important contract with Alice. If Bob later wants to repudiate the contract, he cannot claim that he did not sign it as long as the nonrepudiation property of the signature scheme works properly, because Alice can present the contract carrying Bob’s signature, which verifies under his public key , as evidence. However, if the signature scheme is vulnerable to key substitution attacks, it loses nonrepudiation. Bob then insists that he has not signed the contract with Alice and that the signature on the contract presented by Alice is not what he signed. As a proof of his claim, he mounts a key substitution attack to obtain a new public key different from and shows that the same signature on the contract also verifies under the public key . It is then hard to prove that Bob signed the contract with Alice by using . This seriously weakens the usability of digital signature schemes in the real world, so it is crucial for a digital signature scheme to prevent key substitution attacks. It is noteworthy that the legitimate signer, Bob, can be a potential attacker in key substitution attacks. For more on the real-world impact of key substitution attacks, we refer to [4].

In this paper, we present key substitution attacks on lattice signature schemes based on the SIS problem, namely, the GPV signature scheme [7], Lyubashevsky’s signature scheme [8], and BLISS [9]. Note that lattice-based cryptography is one of the most promising candidates for post-quantum cryptography, and BLISS (Bimodal Lattice Signature Scheme) is currently one of the most compact and efficient lattice-based signature schemes that is provably secure under lattice assumptions.

We present two kinds of key substitution attacks. The first is the weak key substitution attack, in which the adversary, who may be the legitimate signer, wants to undermine the properties of the signature scheme by obtaining a new public/private key pair. This type of attack is considered in [10, 11], where e-coupon and e-lottery systems are presented as concrete examples. For instance, an electronic coupon (e-coupon) system works as follows. When issuing an e-coupon to a customer, the issuer requires the customer to sign the e-coupon in order to prevent its illegal use. The e-coupon is then signed by the issuer and issued to the customer as the legitimate buyer. Before the customer redeems the e-coupon at a store, he must show ownership of the e-coupon by a zero-knowledge proof of his secret key. Assume that a successful weak key substitution attacker, Alice, has a valid e-coupon and duplicates it with the same signature under and . Then she can use the e-coupon multiple times to buy goods, because she is able to prove that she owns both e-coupons by using . Moreover, if Alice sells copies of the e-coupon together with and to unauthorized users, she profits from it, and the illegitimate users obtain goods at the shop using the e-coupon with .

The other is the strong key substitution attack, in which an adversary who need not be the signer wants to compute a new public key validating a given signature. In this case, the attacker may interfere with the communication between a signer and a verifier to achieve his malicious goal, as in the unknown key-share attack proposed in [12].

In our attacks on these signature schemes, we solve linear equations to obtain a new public key that passes the verification algorithm. One of the conditions the verifier checks is that the hash value computed from the given and is correct. For the SIS-based signature schemes mentioned above, we succeed in substituting a new public key by exploiting the algebraic structure of each scheme, without finding a collision of the hash function on the same message: the new public key reproduces exactly the same hash input as the original one, so the hash value is unchanged.

This paper is organized as follows. In Section 2, we introduce some necessary cryptographic and mathematical backgrounds, including the definitions of SIS problem and key substitution attack. In Section 3, we recall three lattice-based signature schemes, namely, GPV signature [7], Lyubashevsky’s signature [8], and BLISS [9], and present key substitution attacks on these schemes. In Section 4, we examine the effectiveness of the proposed attacks and explain how to avoid key substitution attacks on these schemes. In Section 5, we conclude our paper.

#### 2. Preliminaries

##### 2.1. Notations

We assume that all vectors are column vectors and vectors will be written in bold lower case letters. Matrices will be written in upper case letters. For vectors , let denote a matrix whose -th column is .

The norm of a vector is denoted by and we will usually avoid writing the for the norm. For a distribution , we use the notation to mean that is chosen according to the distribution . If is a set, then means that is chosen uniformly at random from . For integers , let denote the set of integers .

##### 2.2. Some Basics on Lattices

Let consist of linearly independent vectors. The -dimensional lattice generated by the basis is . A lattice is a discrete additive subgroup of . If , we say that is full-rank.

The minimum distance of a lattice is the length of its shortest nonzero vector in the norm: . We write to denote the minimum distance of a lattice in the norm. More generally, the -th minimum for is defined as the smallest such that contains linearly independent vectors of norm . If is a basis matrix of , the fundamental parallelepiped of is the set . The volume of is an invariant of the lattice which is denoted by . Minkowski’s theorem states that . The dual lattice of , denoted by , is defined as .

The following background results are borrowed from [13, Section 2]. Let a power of , , and . An ideal of is a subset of which is closed under addition and multiplication by arbitrary elements of . By mapping polynomials to the vectors of their coefficients, we can see that an ideal corresponds to a full-rank sublattice of . An ideal lattice for is a sublattice of that corresponds to a nonzero ideal of . The algebraic norm is the cardinality of and it is equal to where is regarded as a lattice. Any nonzero ideal of satisfies .

For an integer , the elements of are represented by integers in the range . Let for some positive integers . We consider two kinds of full-rank -dimensional integer lattices defined by . The first consists of those integer vectors that are orthogonal (modulo ) to the rows of , and it is defined as . The second lattice is generated by the transposed rows of , and it is defined as for some . In the terminology of coding theory, is the parity check matrix of the linear code over , and is the generator matrix of the lattice over . When is clear from the context, we omit it and just write and .

Micciancio and Regev [14] introduced a lattice quantity called the smoothing parameter.

*Definition 1 (see [14]). *For any -dimensional lattice and positive real , the smoothing parameter is the smallest real such that .

The following lemma shows that a Gaussian sample over is distributed almost-uniformly modulo a sublattice , if .

Lemma 2 (see [14]). *Let , be -dimensional lattices, with . Then for any , any , and any , the distribution of is within statistical distance at most of uniform over .*

The following lemma also shows that the smoothing parameter of a lattice is related to the minimum distance of its dual lattice in the norm or to the -th minimum of the lattice.

Lemma 3 (see [15]). *For any -dimensional lattice and real , we have *

Lemma 4 (see [14]). *For any -dimensional lattice and real , we have *

##### 2.3. SIS Problems on Lattices

We recall the definition of the generalized Short Integer Solution (SIS) problem. This average-case problem, proposed by Ajtai [16], is to find a short nonzero integer solution to the homogeneous linear system for uniformly random . This is syntactically equivalent to finding an approximately short nonzero vector in . The problem was formalized as follows in [14].

*Definition 5 ( problem). *The small integer solution problem SIS (in the norm) is defined as follows: given an integer , a random matrix , and a positive real number , find a nonzero vector such that and .

By the pigeonhole principle, if , then the SIS instances are guaranteed to have a solution. We now recall a variant problem, which is to find a short solution to a random inhomogeneous system, specifically, (where both and are uniformly random).

*Definition 6 ( problem). *The inhomogeneous small integer solution problem ISIS (in the norm) is as follows: given an integer , a matrix , a syndrome , and a real , find an integer vector such that and .

##### 2.4. Probability Distributions

The continuous normal distribution over centered at with standard deviation is defined by the function . When , we write . The discrete normal distribution over an -dimensional lattice centered at some with standard deviation is defined as where the quantity is just a scaling quantity needed to make the function into a probability distribution. When , we write as , and denotes . When , we write as .

The following lemma, on rejection sampling, shows that two output distributions coincide; it is used in the construction of Lyubashevsky’s signature scheme [8] and BLISS [9].

Lemma 7 (rejection sampling [9]). *Let be an arbitrary set, and let and be probability distributions. If is a family of probability distributions indexed by with the property that there exists a such that , , , then the output distributions of the following two algorithms are identical:*
(1) *, , output with probability .*
(2) *, , output with probability .*

##### 2.5. Signatures and Key Substitution Attack

In this section we recall the definition of digital signature schemes and introduce the key substitution attack against it.

*Definition 8 (signature scheme [11]).* A signature scheme is a triple of algorithms , where, for security parameter ,
(i) , the key pair generation algorithm, is a probabilistic polynomial-time algorithm which outputs a private/public key pair on input of domain parameters , which are the output of the setup algorithm run on the security parameter ;
(ii) , the signature generation algorithm, is a probabilistic polynomial-time algorithm which on input of a message and a private key associated with the domain parameters outputs a digital signature ;
(iii) , the signature verification algorithm, is a deterministic algorithm which on input of a message , a signature , valid domain parameters , and a public key outputs 1 (= valid) or 0 (= invalid).

A digital signature scheme is *secure* if it is *correct* and *existentially unforgeable* under adaptive chosen-message attack (EUF-CMA). These properties are defined below. For simplicity, we omit the input in and and just write and .

*Definition 9 (correctness). *A digital signature scheme is correct if for all , all key pairs , and all messages we have

*Definition 10 (EUF-CMA).* A digital signature scheme is existentially unforgeable under adaptive chosen-message attacks if for all probabilistic polynomial-time algorithms with access to a signing oracle there is a negligible function such that the probability that outputs a valid signature on a message not in is at most , where is the set of messages that has queried to the signing oracle.

We consider an additional checking algorithm to test the validity of a public key . Given the domain parameters and a candidate public key , the checking algorithm returns valid if and only if is a valid public key under the domain parameters .

*Definition 11 (key substitution attack [11]).* Given a signature scheme , a key substitution attack (with malicious signer) is a probabilistic polynomial-time algorithm which on input of valid domain parameters outputs two valid public keys and (passing the tests for and ) and a message/signature pair with and . When certificates are taken into account, the key substitution attacker has access to a certification oracle.

A key substitution attack is called *weak* if the adversary also has to output private keys and corresponding to and , respectively; otherwise the key substitution attack is called *strong*. A digital signature scheme is *strong* (resp., *weak*) key substitution secure if it is secure against *strong* (resp., *weak*) key substitution attacks.

*Remark 12.* When considering the nonrepudiation property of signature schemes, it is important to note that legitimate signers must be regarded as potential attackers, since repudiating a signature is a goal that a legitimate signer may pursue.

*Remark 13.* A more general version of the key substitution attack, called the *message and key substitution* (MKS) attack by Menezes and Smart [5], lets the adversary generate a valid public key and a message such that a given valid signature on a message under the public key is also valid on the new message under the new public key . In [5], Menezes and Smart regarded MKS as an attack of little meaning, since signatures by themselves have no meaning and they could not envision a realistic scenario in which this ability has damaging consequences.

#### 3. Key Substitution Attacks on SIS-Based Signature Schemes

In this section, we describe three SIS-based signature schemes: the GPV signature scheme [7], Lyubashevsky’s signature scheme [8], and BLISS [9]. We present strong key substitution attacks on these schemes. We also provide weak key substitution attacks on these schemes, in which the legitimate signer acts as the attacker; this implies that these signature schemes fail to provide nonrepudiation even if the certificate authority requires users to prove possession of their private key before issuing certificates. We note that although our weak key substitution attacks cannot be mounted by anyone other than the original signer, since they require the private key, they still show that these signature schemes have a problem providing nonrepudiation.

##### 3.1. Attacks on GPV Signature Scheme

*Description of GPV Signature Scheme.* First, we present key substitution attacks on the GPV signature scheme designed by Gentry, Peikert, and Vaikuntanathan [7]. Before continuing, we briefly describe the key generation algorithm , signature generation algorithm , and signature verification algorithm of the GPV signature scheme.

Key generation: On the given input , the algorithm samples a pair of matrices , where is a matrix of rank over and is a matrix of rank over satisfying , and , where denotes the -th column vector of . The key generation algorithm also sets a collision resistant function and outputs public parameters and a pair of public key and private key .

Signing: On the given inputs , and a message , the algorithm computes and finds such that . The signing algorithm also samples satisfying and , using the short basis of induced from . The signing algorithm finally outputs as a signature of the message .

Verification: On the given inputs , the algorithm outputs 1 (= valid) if and only if

*Strong Key Substitution Attack.* We present a strong key substitution attack on the GPV signature scheme.

Suppose that a valid signature on a message under the public key is given. One proceeds as follows to obtain a new public key such that is a valid signature on the message under this new public key .
(1) Compute a matrix such that and the rank of the matrix is .
(a) Let . In the construction of , the vector can be chosen arbitrarily such that . In particular, we select column vectors of which are linearly independent over , namely, (we may assume that ). We set for and choose the other ’s so that . Then has linearly independent column vectors over , so it has the required rank.
(2) Set .
(3) Output and as a signature on under the public key .

The validity of as a signature on the message under the new public key follows from the facts below:
(i) since is a valid signature.
(ii) since we have

*Weak Key Substitution Attack.* We now present a weak key substitution attack on the GPV signature scheme. In the proposed attack, we assume that the signer acts as an attacker to undermine the nonrepudiation property of the signature scheme and so the attacker knows .

Suppose that a valid signature on a message under the public key is given. The attacker proceeds as follows to obtain a new public key and the corresponding private key such that is a valid signature on the message under this new public key .
(1) Compute a matrix such that is an eigenvector of with eigenvalue 1; that is, .
(a) is chosen as an invertible matrix over with eigenvector and eigenvalue 1, so that has rank . More precisely, one can construct as follows. We may assume that and . For any , we set the following. Then is invertible, , and the rank of is .
(2) Set .
(3) Output and as a signature on the message under the public key , and output as the private key of .

Noting that the private key corresponding to the public key satisfies , we know that is also a private key of the new public key . Thus, the attacker who knows also knows the private key of .

The validity of as a signature on the message under the new public key follows from the facts below:
(i) since is a valid signature.
(ii) since we have

Therefore, the attacker, who was the original signer, has succeeded in a weak key substitution attack on the GPV signature scheme.

##### 3.2. Attacks on Lyubashevsky’s Signature Scheme

*Description of Lyubashevsky’s Signature Scheme.* We describe Lyubashevsky’s signature scheme based on the SIS problem [8].

Key generation: On the given input , the algorithm samples two matrices , where is a matrix of rank and . The algorithm computes satisfying . The algorithm sets an integer such that and sets so that . The key generation algorithm also sets a hash function and outputs public parameters and a pair of public key and private key .

Signing: On the given inputs , and a message , the algorithm samples an -dimensional vector from , then computes , and finally obtains by applying the rejection sampling algorithm. The signing algorithm outputs as a signature only with probability ; if nothing is output, it is run again until a signature is produced.

Verification: On the given inputs , the algorithm outputs 1 if and only if

*Strong Key Substitution Attack.* Suppose that a valid signature on a message under the public key is given. One proceeds as follows to obtain a new public key such that is a valid signature on the message under the new public key .
(1) Compute a matrix such that . Such a matrix is easy to compute in the same way as in the strong key substitution attack on the GPV signature scheme.
(2) Set .
(3) Output and as a signature on the message under the public key .

The validity of as a signature on the message under the new public key follows from the facts below:
(i) since is a valid signature.
(ii) since we have

*Weak Key Substitution Attack.* We now present a weak key substitution attack on Lyubashevsky’s signature scheme. Suppose that a valid signature on a message under the public key is given. As noted above, the signer acts as the attacker, so the attacker is assumed to know such that . The attacker proceeds as follows to obtain a new public key such that is a valid signature on the message under the new public key .
(1) Compute a matrix satisfying .
(i) With high probability, we may assume that has at least two nonzero components, say and . Let and with . We also assume , which occurs with overwhelming probability. Let , which will be determined later. We set as follows. Then it satisfies . Let . The only entries of that differ from are and . If , then one can choose any . If and , then set so that . If and , then set so that .
(2) Set .
(3) Output and as a signature on under the public key .

Note that is a valid private key corresponding to since and . Therefore, the attacker, who knows such that also knows the private key of .

Therefore, the attacker, who was the original signer, has succeeded in a weak key substitution attack on Lyubashevsky’s signature scheme.
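The attacks of Sections 3.1 and 3.2 share one linear-algebra step: find a matrix that fixes the vector the verifier multiplies the public key by (the signature vector, or the hash value), then fold that matrix into the public key so that the verification equation and the hash input are unchanged. The following Python script, added here as an illustration and not code from the paper or from any reference implementation, runs that step on toy instances of both schemes. Everything in it is an assumption of the example: small parameters; a stand-in key generation (GPV's trapdoor sampling is replaced by a short kernel matrix and H(μ) by the fixed syndrome Aσ, and Lyubashevsky's rejection sampling is dropped, which affects only security and not verification); a rank-one construction M = I + e_k v^T with v·x = 0 of the fixing matrix, which is this example's own choice rather than the paper's explicit construction; and hypothetical function names such as rank_one_fix, gpv_strong_ks and lyu_weak_ks.

```python
# Added example (not the paper's code): key substitution on toy SIS-style
# signature equations in pure Python (no external packages).
import hashlib
import random

random.seed(2024)
Q = 7681             # toy modulus (assumption; real parameters are far larger)
N, M, K = 4, 12, 6   # toy dimensions n, m, k (assumption)

def identity(d):
    return [[int(r == c) for c in range(d)] for r in range(d)]

def matvec(A, x, q):
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]

def matmul(A, B, q=None):
    C = [[sum(A[i][t] * B[t][j] for t in range(len(B)))
          for j in range(len(B[0]))] for i in range(len(A))]
    return [[x % q for x in row] for row in C] if q else C

def rank_one_fix(x):
    """M = I + e_k v^T with v.x = 0, v_k = 0: M x = x, det M = 1, M^-1 = I - e_k v^T."""
    i, j = [t for t, xt in enumerate(x) if xt != 0][:2]   # two nonzero coords
    k = next(t for t in range(len(x)) if t not in (i, j))
    v = [0] * len(x)
    v[i], v[j] = x[j], -x[i]                    # v.x = x_j x_i - x_i x_j = 0
    Mm, Minv = identity(len(x)), identity(len(x))
    for t in range(len(x)):
        Mm[k][t] += v[t]
        Minv[k][t] -= v[t]
    return Mm, Minv

def gpv_toy_keys(n, m, q):
    """Toy stand-in for GPV KeyGen (assumption): A = [A1 | -A1 R] with R short,
    so T = [R; I] is a short kernel matrix with A T = 0 mod q."""
    A1 = [[random.randrange(q) for _ in range(m - n)] for _ in range(n)]
    R = [[random.choice((-1, 0, 1)) for _ in range(n)] for _ in range(m - n)]
    A2 = [[(-x) % q for x in row] for row in matmul(A1, R)]
    return [A1[r] + A2[r] for r in range(n)], R + identity(n)

def gpv_verify(A, sigma, h, q, bound):
    # GPV check: sigma short and A sigma = H(mu) mod q (h plays the role of H(mu))
    return max(abs(s) for s in sigma) <= bound and matvec(A, sigma, q) == h

def gpv_strong_ks(A, sigma, q):
    """Strong attack: A' = A M with M sigma = sigma; needs no private key."""
    return matmul(A, rank_one_fix(sigma)[0], q)

def gpv_weak_ks(A, h, q):
    """Weak attack (signer): A' = M A with M h = h; A' T = M A T = 0, so T still works."""
    return matmul(rank_one_fix(h)[0], A, q)

def challenge(u, msg, k):
    # Lyubashevsky-style hash of (A y, mu) into a short challenge vector
    d = hashlib.sha256(b"|".join(str(x).encode() for x in u) + msg).digest()
    return [d[i] % 3 - 1 for i in range(k)]            # entries in {-1, 0, 1}

def lyu_toy_keys(n, m, k, q):
    A = [[random.randrange(q) for _ in range(m)] for _ in range(n)]
    S = [[random.choice((-1, 0, 1)) for _ in range(k)] for _ in range(m)]
    return A, S, matmul(A, S, q)                       # public key (A, T = A S)

def lyu_sign(A, S, msg, q, k):
    """Fiat-Shamir with aborts; the rejection step is omitted in this toy."""
    y = [random.randrange(-50, 51) for _ in range(len(S))]
    c = challenge(matvec(A, y, q), msg, k)
    z = [y[r] + sum(S[r][t] * c[t] for t in range(k)) for r in range(len(S))]
    return z, c

def lyu_verify(A, T, msg, z, c, q, bound):
    u = [(a - b) % q for a, b in zip(matvec(A, z, q), matvec(T, c, q))]
    return max(abs(x) for x in z) <= bound and challenge(u, msg, len(c)) == c

def lyu_strong_ks(A, z, q):
    """Strong attack: A' = A M with M z = z, T unchanged, so A z - T c is kept."""
    return matmul(A, rank_one_fix(z)[0], q)

def lyu_weak_ks(A, S, z, q):
    """Weak attack (signer): A' = A M, S' = M^-1 S, so A' S' = T (norm of S' grows with z)."""
    Mm, Minv = rank_one_fix(z)
    return matmul(A, Mm, q), matmul(Minv, S)

def demo():
    """(gpv_ok, lyu_ok): the original and both substituted keys all verify."""
    A, T = gpv_toy_keys(N, M, Q)
    sigma = [random.randrange(-3, 4) for _ in range(M)]
    h = matvec(A, sigma, Q)                            # plays the role of H(mu)
    A1, A2 = gpv_strong_ks(A, sigma, Q), gpv_weak_ks(A, h, Q)
    gpv_ok = (gpv_verify(A, sigma, h, Q, 3) and A1 != A and A2 != A
              and gpv_verify(A1, sigma, h, Q, 3) and gpv_verify(A2, sigma, h, Q, 3)
              and matmul(A2, T, Q) == [[0] * N for _ in range(N)])
    msg = b"contract between Alice and Bob"
    B, S, Tb = lyu_toy_keys(N, M, K, Q)
    z, c = lyu_sign(B, S, msg, Q, K)
    B1, (B2, S2) = lyu_strong_ks(B, z, Q), lyu_weak_ks(B, S, z, Q)
    lyu_ok = (lyu_verify(B, Tb, msg, z, c, Q, 60) and B1 != B and B2 != B
              and lyu_verify(B1, Tb, msg, z, c, Q, 60)
              and lyu_verify(B2, Tb, msg, z, c, Q, 60) and matmul(B2, S2, Q) == Tb)
    return gpv_ok, lyu_ok
```

demo() returns (True, True): every substituted key accepts the unchanged signature, the strong attacks never touch a private key, the old GPV trapdoor T still satisfies A'T = 0 for the new GPV key, and M⁻¹S is an integral private key for the new Lyubashevsky key. The last point is also the caveat: with this naive rank-one M the new private key is longer than S by roughly the size of the entries of z, which is why the paper's weak attack chooses its perturbation more carefully than this toy does.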

##### 3.3. Attacks on BLISS Signature Scheme

BLISS [9] is possibly one of the most efficient lattice-based signature schemes. It has been implemented in both software and hardware and boasts implementation efficiency comparable to classical factoring and discrete-logarithm-based schemes. BLISS can be seen as a ring-based optimization of the earlier lattice-based scheme of Lyubashevsky, sharing the same “Fiat-Shamir with aborts” structure.

The security of the BLISS signature scheme is based on the hardness of the problem, which is the ring variant of the SIS problem. We first describe the matrix version of the BLISS signature scheme and then explain its ring version. For more detailed descriptions and the definition of the problem, we refer to [9]. The construction and the proof for the matrix version carry over to the ring version when instantiated with polynomials.

In this subsection, we will assume that is a prime such that and is a power of 2. For any integer , we define the quotient ring and .

Let and be the set of binary and ternary integers, respectively. We define (resp., ), the set of binary vectors (resp., ternary vectors) of length and Hamming weight (i.e., vectors with exactly out of nonzero entries). Depending on the context, we consider and as a subset of or and regard bold lower case letters as vectors or polynomials. For every integer in the range and any positive integer , can be uniquely written , where . For every integer vector , denotes . Let denote the concatenation of two vectors and .

###### 3.3.1. Matrix Version of BLISS

*Description of the Matrix Version of BLISS*. We describe the key generation algorithm , signature generation algorithm , and verification algorithm of the matrix version of the BLISS signature scheme.

Key generation: On the given input , the algorithm outputs the key pair such that has a small norm, , and . The algorithm sets so that . Let denote a hash function . The algorithm also outputs the public parameter .

Signing: On the given inputs , , , and a message , the algorithm computes a signature of the message as follows:
(1) .
(2) .
(3) Choose a random bit .
(4) .
(5) Output with probability ; otherwise **restart**.

Verification: On the given inputs , and a signature , the algorithm accepts or rejects the signature according to the following steps:
(1) If , then output .
(2) If , then output .
(3) Output 1 if and only if .

Note that the signer outputs the signature where is distributed according to . This follows from Lemma 7 by taking and , where .

*Strong Key Substitution Attack.* We present a strong key substitution attack on the matrix version of BLISS signature scheme.

Suppose that a valid signature on a message under the public key is given. One proceeds as follows to obtain a new public key such that the signature is a valid signature on the message under the new public key .

To succeed in a strong key substitution attack, it is enough to find a new matrix such that , which holds when . In the following we show how to find such a matrix .
(1) We may assume that there exists such that is invertible modulo .
(2) Let and . For each , choose uniformly at random from , and then compute .
(3) Defining a matrix , we have because of step (2).
(4) Output and as a signature on the message under the public key .

We note that the validity of as a signature on the message under can be checked as follows:
(i) and since is a valid signature.
(ii) The equation implies that .

The described attack succeeds whenever there is some such that is invertible in . Note that the signer outputs the signature where is distributed according to by Lemma 7. Therefore it is enough to estimate the success probability of our attack for . Let and be a positive real number. Since is a nonincreasing function in , and . We thus have and . We also note that for any . Then where for the parameters proposed in BLISS (). This implies that the probability that all of are noninvertible modulo is at most . Thus, the success probability of our attack is at least , which is very high.

*Weak Key Substitution Attack.* We now present a weak key substitution attack on the matrix version of BLISS signature scheme.

Suppose that a valid signature on a message under the public key is given. The signer, who owns and such that , proceeds as follows to obtain a new public key and the corresponding private key such that the signature is valid on the message under the new public key . To succeed in a weak key substitution attack, it is sufficient to find matrices and such that and . In the following we show how to find such matrices and .
(1) Compute a matrix such that and , which imply that .
(a) Computing such a matrix is easy if . We first compute a matrix such that . We then set . It is clear that and .
(2) We set .

Since and satisfy , we have and . From the construction of , we also have and , which imply . Thus, the signer obtains a valid key pair and .

The validity of as a signature on the message under the public key can be checked as follows:
(i) and since is a valid signature.
(ii) from the following equations:

Therefore, the signer of the signature succeeds in a weak key substitution attack on the matrix version of BLISS signature scheme.

###### 3.3.2. Ring Version of BLISS

*Description of the Ring Version of BLISS*. We describe the key generation algorithm , signature generation algorithm , and verification algorithm of the ring version of the BLISS signature scheme. Let us define where is the number of dropped bits, and such that .

The notation means that and are sampled from the distribution .

For and an integer , define where and is a matrix in such that the -th column of is the coefficient vector of the polynomial for and .

Key generation: On the given input , the algorithm outputs the key pair generated as follows. We note that a key pair satisfies . The algorithm sets so that . The algorithm also sets a positive integer and a constant so that 25% of the keys are accepted. Let denote a hash function . The algorithm also outputs the public parameter where .
(1) Choose as uniform polynomials of degree less than with exactly entries in , entries in , and the other entries in , where and are given densities.
(2) .
(3) If , then **restart**.
(4) (**restart** if is not invertible).
(5) .

Signing: On the given inputs , , , and a message , the algorithm computes a signature of the message as follows:
(1) .
(2)