TY - GEN
T1 - Subversion-resilient signature schemes
AU - Ateniese, Giuseppe
AU - Magri, Bernardo
AU - Venturi, Daniele
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/10/12
Y1 - 2015/10/12
N2 - We provide a formal treatment of security of digital signatures against subversion attacks (SAs). Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g., malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms. The main security requirement we put forward demands that a signature scheme should remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully-adaptive and continuous fashion. Previous notions - e.g., security against algorithm-substitution attacks introduced by Bellare et al. (CRYPTO '14) for symmetric encryption - were non-adaptive and non-continuous. In this vein, we show both positive and negative results for constructing subversion-resilient signature schemes. • Negative results. As our main negative result, we show that a broad class of randomized schemes is unavoidably insecure against SAs, even if using just a single bit of randomness. This improves upon earlier work that was only able to attack schemes with larger randomness space. When designing our attack we consider undetectability to be an explicit adversarial goal, meaning that the end-users (even the ones knowing the signing key) should not be able to detect that the signature scheme was subverted. • Positive results. We complement the above negative results by showing that signature schemes with unique signatures are subversion-resilient against all attacks that meet a basic undetectability requirement. A similar result was shown by Bellare et al. for symmetric encryption, who proved the necessity to rely on stateful schemes; in contrast, unique signatures are stateless, and in fact they are among the fastest and most established digital signatures available.
We finally show that it is possible to devise signature schemes secure against arbitrary tampering with the computation, by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT '15), i.e., an algorithm that "sanitizes" any signature given as input (using only public information). The firewall we design makes it possible to protect so-called re-randomizable signature schemes (which include unique signatures). While our study is mainly theoretical, due to its strong practical motivation, we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols.
AB - We provide a formal treatment of security of digital signatures against subversion attacks (SAs). Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g., malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms. The main security requirement we put forward demands that a signature scheme should remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully-adaptive and continuous fashion. Previous notions - e.g., security against algorithm-substitution attacks introduced by Bellare et al. (CRYPTO '14) for symmetric encryption - were non-adaptive and non-continuous. In this vein, we show both positive and negative results for constructing subversion-resilient signature schemes. • Negative results. As our main negative result, we show that a broad class of randomized schemes is unavoidably insecure against SAs, even if using just a single bit of randomness. This improves upon earlier work that was only able to attack schemes with larger randomness space. When designing our attack we consider undetectability to be an explicit adversarial goal, meaning that the end-users (even the ones knowing the signing key) should not be able to detect that the signature scheme was subverted. • Positive results. We complement the above negative results by showing that signature schemes with unique signatures are subversion-resilient against all attacks that meet a basic undetectability requirement. A similar result was shown by Bellare et al. for symmetric encryption, who proved the necessity to rely on stateful schemes; in contrast, unique signatures are stateless, and in fact they are among the fastest and most established digital signatures available.
We finally show that it is possible to devise signature schemes secure against arbitrary tampering with the computation, by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT '15), i.e., an algorithm that "sanitizes" any signature given as input (using only public information). The firewall we design makes it possible to protect so-called re-randomizable signature schemes (which include unique signatures). While our study is mainly theoretical, due to its strong practical motivation, we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols.
KW - Digital signatures
KW - Malware
KW - Subversion
KW - Tampering
UR - http://www.scopus.com/inward/record.url?scp=84954121837&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84954121837&partnerID=8YFLogxK
U2 - 10.1145/2810103.2813635
DO - 10.1145/2810103.2813635
M3 - Conference contribution
AN - SCOPUS:84954121837
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 364
EP - 375
BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Y2 - 12 October 2015 through 16 October 2015
ER -