
Practical algorithm substitution attack on extractable signatures

Zhao, Yi, Liang, Kaitai, Zhao, Yanqi, Yang, Bo, Ming, Yang and Panaousis, Emmanouil ORCID: 0000-0001-7306-4062 (2022) Practical algorithm substitution attack on extractable signatures. Designs, Codes and Cryptography, 90. pp. 921-937. ISSN 0925-1022 (Print), 1573-7586 (Online) (doi:

35784_PANAOUSIS_Practical_algorithm_substitution.pdf - Accepted Version



An algorithm substitution attack (ASA) can undermine the security of cryptographic primitives by subverting the original implementation. An ASA succeeds when it extracts secrets without being detected. To launch an ASA on signature schemes, existing studies often needed to collect signatures with successive indices to extract the signing key. However, collection with successive indices requires uninterrupted surveillance of the communication channel and a low transmission loss rate in practice. This hinders the practical implementation of current ASAs, thus causing users to misbelieve that the threat incurred by ASA is only theoretical and far from reality. In this study, we first classify a group of schemes called extractable signatures that achieve traditional security (unforgeability) by reductions ending with key extraction, thus demonstrating that there is a generic and practical approach for ASA with this class of signatures. Further, we present the implementation of ASAs in which only two signatures and no further requirements are needed for the extraction of widely used discrete log-based signatures such as DSA, Schnorr, and modified ElGamal signature schemes. Our attack presents a realistic threat to current signature applications, which can also be implemented in open and unstable environments such as vehicular ad hoc networks. Finally, we prove that the proposed ASA is undetectable against polynomial time detectors and physical timing analysis.

Item Type: Article
Uncontrolled Keywords: algorithm substitution attack; extractable signatures; discrete log; arbitrary collection
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science
Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC)
Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Last Modified: 06 Mar 2023 01:38
