Abstract

Given a signature $$s$$ for some message $$m$$ along with a corresponding public verification key $$y$$, in a key substitution attack an attacker derives another verification key $$\overline{y} \neq y$$—possibly along with a matching secret key—such that $$s$$ is also a valid signature of $$m$$ for the verification key $$\overline{y}$$. Menezes and Smart have shown that with suitable parameter restrictions DSA and EC-DSA are immune to such attacks. Here, we show that in the presence of a malicious signer, key substitution attacks can be mounted against several signature schemes that are secure in the sense introduced by Menezes and Smart. While for EC-DSA such an attack is feasible, other established signature schemes, including EC-KCDSA, can be shown to be secure in this sense.
