Key substitution attacks revisited: Taking into account malicious signers

摘要

Given a signature sfor some message malong with a corresponding public verification key yin a key substitution attack an attacker derives another verification key ≠ y—possibly along with a matching secret key—such that sis also a valid signature of mfor the verification key . Menezes and Smart have shown that with suitable parameter restrictions DSA and EC-DSA are immune to such attacks. Here, we show that in the presence of a malicious signer key substitution attacks against several signature schemes that are secure in the sense introduced by Menezes and Smart can be mounted. While for EC-DSA such an attack is feasible, other established signature schemes, including EC-KCDSA, can be shown to be secure in this sense.