Key Substitution Attacks on Some Provably Secure Signature Schemes


1 Key Substitution Attacks on Some Provably Secure Signature Schemes
Author: Chik-How Tan
Source: IEICE Trans. Fundamentals, Vol.E87-A, No.1, Jan. 2004
Speaker: Su Sheng-Yao

2 Outline
Introduction
Two Provably Secure Signature Schemes
  Fischlin Signature Scheme
  Camenisch-Lysyanskaya Signature Scheme
Cryptanalysis
Conclusion

3 Introduction
Provable Security
  Security could be proved under standard and well-believed complexity-theoretic assumptions
  Definition, Protocol, Proof
Provably Secure Signature Schemes
Key Substitution Attack
  Given U's public key and signature s on m, adversary A tries to produce a new public key s.t. s is also a valid signature of A on m

4 Application
e-lottery
  the gambler uses his/her secret key to sign the e-lottery ticket to ensure that he/she owns it
e-coupon (gift voucher)
  required to be signed by the buyer and later signed by the shop

5 History
(1998) Goldwasser, Micali and Rivest introduced the security notion of existential unforgeability against adaptive chosen-message attacks
(1999) Blake-Wilson and Menezes introduced duplicate-signature key selection attacks
(2004) Menezes and Smart analyzed the security of some signature schemes against this attack, which they named key substitution attacks

6 Fischlin Signature Scheme (1/2)
Key Generation:
  $N = pq$ ($p = 2p' + 1$, and likewise for $q$)
  three random quadratic residues $h_1, h_2, X \in \mathbb{Z}_N^*$
Signature Generation:
  compute the $l$-bit hash $H(m)$, where $H(\cdot)$ is a collision-resistant hash function
  compute $y = (X h_1^{a} h_2^{a \oplus H(m)})^{1/e} \bmod N$
  $e$: random $(l+1)$-bit prime
  $a$: $l$-bit long
Public key: $(N, X, h_1, h_2)$
Private key: $(p, q)$
Signature: $(y, a, e)$

7 Fischlin Signature Scheme (2/2)
Signature Verification: check that
  $e$ is an $(l+1)$-bit odd integer
  $a$ is $l$-bit
  $y^e = X h_1^{a} h_2^{a \oplus H(m)} \bmod N$

8 Camenisch-Lysyanskaya Signature Scheme (1/2)
Key Generation:
  $N = pq$ ($p = 2p' + 1$, and likewise for $q$)
  three random quadratic residues $h_1, h_2, X \in \mathbb{Z}_N^*$
Signature Generation:
  compute $y = (X h_1^{s} h_2^{m})^{1/e} \bmod N$
  $e > 2^{l_m + 1}$: random prime of length $l_e = l_m + 2$
  $s$: random number s.t. $l_s = l_N + l_m + l$
Public key: $(N, X, h_1, h_2)$
Private key: $(p, q)$
Signature: $(y, s, e)$

9 Camenisch-Lysyanskaya Signature Scheme (2/2)
Signature Verification: check that
  $2^{l_e - 1} < e < 2^{l_e}$
  $y^e = X h_1^{s} h_2^{m} \bmod N$

10 Cryptanalysis (1/2)
Weak-key substitution attack (stronger)
  produce public/private key
Strong-key substitution attack
  produce public key (without knowing private key)
Weak-Key Substitution Attack
  the two schemes have the same form: $X = y^e h_1^{-s} h_2^{-t} \bmod N$
  signature $(y, a, e)$, where
    $s = a$, $t = a \oplus H(m)$ in the Fischlin scheme
    $t = m$ in the C-L scheme

11 Cryptanalysis (2/2) choose two new primes st.
choose two random quadratic residues compute Then public key is valid with secret key and signature (y, a, e) of m
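The slide-10 relation applied to the Camenisch-Lysyanskaya scheme, as an added example that is not taken from the slides or from the paper. The toy safe primes, the fixed m, s and e, and all function names are constructed assumptions, and the substitute-key steps assume the relation is simply evaluated modulo a freshly chosen N.

```python
# Toy Camenisch-Lysyanskaya parameters; every value here is constructed and insecure.
LE = 6  # l_e, so a valid e satisfies 2^5 < e < 2^6

def keygen(p, q, seeds):
    """p, q: safe primes. Seeds are squared to obtain quadratic residues mod N."""
    n = p * q
    x, h1, h2 = (pow(v, 2, n) for v in seeds)
    return (n, x, h1, h2), (p, q)

def sign(pub, priv, m, s, e):
    n, x, h1, h2 = pub
    p, q = priv
    # e-th root in the quadratic-residue subgroup, whose order is p'q'
    d = pow(e, -1, ((p - 1) // 2) * ((q - 1) // 2))
    return pow(x * pow(h1, s, n) * pow(h2, m, n) % n, d, n), s, e

def verify(pub, m, sig):
    n, x, h1, h2 = pub
    y, s, e = sig
    if not 2 ** (LE - 1) < e < 2 ** LE:
        return False
    return pow(y, e, n) == x * pow(h1, s, n) * pow(h2, m, n) % n

def substitute_key(m, sig, p2, q2, seeds):
    """Second key pair under which the unchanged (m, sig) verifies (assumed steps)."""
    y, s, e = sig
    n2 = p2 * q2
    h1, h2 = (pow(v, 2, n2) for v in seeds)
    # Slide-10 relation X = y^e h1^-s h2^-t with t = m, evaluated mod the new N
    x2 = pow(y, e, n2) * pow(h1, -s, n2) * pow(h2, -m, n2) % n2
    return (n2, x2, h1, h2), (p2, q2)

def demo():
    m, s, e = 9, 1234, 37                      # constructed message, s and prime e
    pub_u, priv_u = keygen(23, 47, (2, 3, 5))  # signer U, toy safe primes
    sig = sign(pub_u, priv_u, m, s, e)
    pub_a, _ = substitute_key(m, sig, 59, 83, (7, 11))
    return pub_u, pub_a, verify(pub_u, m, sig), verify(pub_a, m, sig)

if __name__ == "__main__":
    print(demo())
```

The same (y, s, e) passes the verification equation under two unrelated public keys, so a verifier that accepts any well-formed key cannot attribute the signature to a single signer.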

12 Conclusion
Both schemes are attacked by a weak-key substitution attack
Security against existential forgery under adaptive chosen-message attack is, by itself, inadequate for a signature scheme
A scheme should also be secure against key substitution attacks, or rather be secure in the multi-user setting

