An Algorithm Substitution Attack on Fiat-Shamir Signatures Based on Lattice

Abstract: Much evidence has shown that some intelligence agencies (often called "big brother") attempt to monitor citizens' communications by supplying subverted cryptographic algorithms and coercing users into adopting them. Since the authentication services of a large number of applications and system architectures depend on digital signature techniques, a coerced user who builds a signature scheme on double authentication preventing signatures (DAPS) gains a convincing argument to refuse requests from authorities or big brothers to produce the corresponding subverted signatures. With the rapid progress of quantum computers, the National Security Agency's advisory memorandum and the National Institute of Standards and Technology's standardization process have focused attention on cryptographic algorithms that are post-quantum secure. Motivated by these issues, we design an algorithm substitution attack against the lattice-based Fiat-Shamir family (e.g., BLISS, BG, Ring-TESLA, PASSSign and GLP), whose security is proven under assumptions believed to resist quantum computers. We also show an efficient way to deter big brother: the signing key leaks publicly from signatures on two colliding messages. Security proofs show that our schemes satisfy key extraction, undetectability and deterability. Through parameter analysis and performance evaluation, we demonstrate that our deterring subverted Fiat-Shamir signature is practical, so it can be applied to privacy protection in some system architectures.


Introduction
Ever since the first computer intrusion, hackers have developed "backdoor" techniques that let them re-enter a compromised system. The defining property of a backdoor is that the system administrator can neither prevent the re-entry nor discover the intruder. Many techniques have been used to plant such backdoors, such as intercepting postal shipments to steal and substitute networking hardware, sabotaging Internet routers, injecting malware, installing backdoors, wire-tapping undersea cables and so on [1-3].
In 2013, Edward Snowden revealed that the National Security Agency (NSA) and its partners around the world were running many surveillance programs against citizens built on such "backdoors" [4]. A typical example is the pseudorandom generator (PRG) Dual_EC_DRBG, standardized by NIST (National Institute of Standards and Technology) and backdoored by the NSA: once the generator's parameters are chosen with a secret relation known only to the designer, nobody else can distinguish the PRG's output from random, but the holder of that relation can predict all subsequent outputs after observing one [5]. In these circumstances, post-Snowden cryptography has attracted much attention in recent years.
As one research topic in post-Snowden cryptography, the notion of an algorithm substitution attack (ASA) was formalized by Bellare et al. [6] in the setting of symmetric encryption. An ASA lets an attacker (big brother) replace part of a randomized encryption or signature algorithm with a modified version that leaks secret keys to the attacker subliminally and undetectably. Ateniese et al. [7] first proposed a model of ASA on signature schemes, but their subverted signature is generic and inefficient. Liu et al. [8] then introduced a far more efficient ASA against a specific class of signature schemes. Recently, Baek et al. [9] presented an even more efficient and undetectable ASA on the classical DSA (digital signature algorithm). Most proposed subverted signatures so far only consider how to subvert a signature scheme; countermeasures against big brother's threat are still needed, and the recently proposed double authentication preventing signatures can be used to deter this kind of action.
Double authentication preventing signatures (DAPS) are a class of digital signatures with double-signature extractability: they are deterable because two different signatures on messages (m_0, p_1) and (m_0, p_2) with p_1 ≠ p_2 reveal the signing key. When a subverted signature satisfies double-signature extractability, subversion can be deterred by revealing the real signer's secret signing key to anyone. Unlike linkable and traceable ring signatures [10-13], our DAPRS (double authentication preventing ring signatures) has stronger accountability: any two signatures on a colliding pair of messages produced by the same member of a ring reveal that member's secret signing key. A linkable ring signature only allows anyone to efficiently decide whether two signatures were produced by the same member, without revealing the member's identity; a traceable ring signature reveals the identity if two signatures were produced by the same member. Most DAPS built on the signatures of Refs. [14-16] rely on the discrete logarithm or integer factorization problems, which face a new challenge: quantum algorithms of polynomial complexity, such as Shor's algorithm [17,18], solve both. Hence it is necessary to study post-quantum secure DAPS.
Lattice-based signatures are a cutting-edge cryptographic technology with several attractive properties: high computational efficiency, novel and powerful cryptographic functionalities and applications, strong provable security guarantees, and conjectured post-quantum security. It is therefore important to study lattice-based algorithm substitution attacks. The most efficient lattice-based signatures, which are promising post-quantum candidates, fall into the Fiat-Shamir paradigm (e.g., BLISS [19,20], GLP [21], PASSSign [22], Ring-TESLA [23]) and the hash-and-sign paradigm (e.g., GGH [24], NTRUSign [25], GPV [25]) presented at the NIST workshop on post-quantum cryptography. In the lattice-based hash-and-sign paradigm, a short lattice basis serves as the trapdoor function. Most of these schemes have only heuristic security (no actual security proofs) and are relatively inefficient compared with lattice-based Fiat-Shamir (FS) signatures [26]. Furthermore, most lattice-based hash-and-sign schemes have unique signatures, which resist subversion attacks [7]. Hence we aim at algorithm substitution attacks on FS lattice signature paradigms (FS-LBS). In this paper we present an ASA against these schemes in which any three consecutive subverted signatures allow extraction of the signing key. We also provide countermeasures against ASA that use DAPS to deter big brother's threat, and we show through concrete experimental analysis that our scheme can be applied in practical architectures.
The remainder of this paper is organized as follows. Section 1 gives preliminaries and cryptographic background. Section 2 provides the notions of deterable subverted signatures and their design requirements. Section 3 presents our concrete deterable subverted FS-LBS scheme and proves key extraction, undetectability and deterability. Section 4 gives parameter analysis and performance evaluation. Finally, we conclude.

Notations
Some basic notation is shown in Table 1.
… to a block of n integers, that means …
Definition 2 (Ring-LWE_{R,n,q,D_σ} [27,28]) Given m uniformly random elements …
Definition 3 (Rejection sampling lemma [29-33]) If a constant M exists, the following distribution …
In the following, we use RejectionSample to denote the rejection sampling algorithm.

Description of Lattice Based Fiat-Shamir Type Signature Schemes
The Fiat-Shamir type signatures based on lattices consist of the following algorithms.
Key Generation: 1) Pick a at random. 2) Choose uniformly random s_1, s_2 and compute t = a·s_1 + s_2.
Signing: 1) Select two random elements y_1, y_2 … Here R_1, with tiny modulus, is a subset of the ring R.
The cryptographic hash function H outputs elements of a low-norm subset of R.

Double Authentication Preventing Signatures
A DAPS consists of four probabilistic polynomial-time (PPT) algorithms (KGen, Sign, Ver, Extract):
1) On input a security parameter λ, KGen(1^λ) outputs a public key pk and a private key sk.
2) Sign(sk, a, p) outputs a signature σ under the key pair (pk, sk) on the subject/message pair (a, p).
3) Ver(pk, a, p, σ) outputs 1 (accept) or 0 (reject) for pk, (a, p) and σ.
4) Extract, on input pk and two signatures σ_1, σ_2 on colliding pairs (a, p_1), (a, p_2) with p_1 ≠ p_2, outputs the private key sk.

Our Deterable Subverted Signatures
We first present the threat model in this section. Then we give formal definitions for the syntax of deterable subverted signatures. Compared with regular deterable digital signatures, these schemes need an "extraction key" to operate when a subversion attack is present. Finally we describe the security and functionality features of a deterable subverted signature, following Refs. [7-9].

Threat Model
Since the authentication services of various system models and applications depend on digital signatures, and since a coerced user who uses a DAPS can design court-convincing signatures to refuse the demands of big brothers (or attackers), we construct a subverted signature with a deter function by mounting an algorithm substitution attack on double authentication preventing signatures.

Notions of Deterable Subverted Signatures
Definition 4 A deterable subverted signature for a non-subverted signature scheme SIG consists of four PPT algorithms:
1) On input a security parameter λ, Gen outputs a subversion key subk.
2) On input a subversion key subk, a state l, a private key sk and a message m, the subverted signing algorithm outputs a subverted signature σ and an updated state l.
3) On input a message m, a public key pk and a subverted signature σ, Ver outputs 1 (accept) or 0 (reject).
4) On input a pair of colliding messages (m_1, m_2), a public key pk and their corresponding non-subverted signatures σ_1, σ_2, Deter outputs the private key sk.

Security and Functionality Features
Key extraction means that anyone, including big brothers and attackers, can compute the signing private key from public information once the signer has produced signatures on a pair of colliding messages.
Undetectability means that, even given the private key sk and its corresponding public key pk, no user can detect the subversion. The detection oracle O is given as follows:

Our Deterable Subverted Lattice Based Fiat-Shamir Type Signatures
This section introduces our subversion attack on Fiat-Shamir type lattice signatures.
Our subverted Fiat-Shamir type lattice-based signatures (FS-LBS) are described as follows:
• Subverted key generation: …
• … (z_1, z_2) hold.
If an FS-LBS scheme is subverted, the signer's behaviour can be exposed by revealing the real signer's secret signing keys to anyone. Because the signing keys are vital to the signer, in some cases the signer would be punished or would suffer great economic loss, which gives a court-convincing reason to deny the demands of big brother or an authority. Aiming at the subverted lattice-based Fiat-Shamir type signatures, we therefore add a Deter algorithm, which ensures that the lattice-based Fiat-Shamir type signature withstands the algorithm substitution attack. If j ≡ 0 (mod 2), using the subverter ℬ's subversion key subk = (F, ·, ·), the signing keys are computed as follows: … s_1, s_2 are computed by the same method as above, so ℬ can compute the signing keys from the subverted signature algorithm FS-LBS.
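As an added worked example, not code from the paper and not its exact construction, the following Python toy implements the generic FS-LBS shape described above (public a and t = a·s_1 + s_2, secret small s_1, s_2; masks y_1, y_2; challenge c = H(a·y_1 + y_2, μ); z_i = s_i·c + y_i accepted only by rejection sampling) together with the two recovery steps this page discusses: the subverter's key extraction from a signature whose mask came from the PRF F keyed with subk, and a DAPS-style Deter from two signatures on a colliding subject. Everything below is assumed for illustration: the ring is Z_q[x]/(x^32 + 1) with a 64-bit prime q and a 2^40 mask bound, far too small for security; the honest signer derives its masks from a secret seed and the subject a, a derandomisation chosen here so that two signatures under the same subject share y, which is what makes Deter work (the paper's Deter may differ); the subversion replaces the mask of every second signature by F(subk, previous signature), so two consecutive signatures suffice here rather than the three stated in the text; the toy additionally rejects the rare challenges c that are not units of the ring so that the divisions by c and by c - c' are always defined; and the function and key names (demo_keys, SubvertedSigner, extract, deter) are this example's own.

```python
# Toy lattice-based Fiat-Shamir signature (GLP/BLISS shape), a PRF-based algorithm
# substitution attack on it, and a DAPS-style Deter step. Added example; the parameters
# are illustrative only and give no real security.
import hashlib
import random

N = 32                    # ring degree: R_q = Z_q[x]/(x^N + 1)
Q = 2**64 - 2**32 + 1     # prime with Q == 1 (mod 2N), so x^N + 1 splits over Z_Q
B = 1 << 40               # mask coefficients y are uniform in [-B, B]
KAPPA = N                 # ||s*c||_inf <= N when s and c have coefficients in {-1, 0, 1}

def add(f, g): return [(x + y) % Q for x, y in zip(f, g)]
def sub(f, g): return [(x - y) % Q for x, y in zip(f, g)]
def norm_inf(f): return max(abs(x - Q) if x > Q // 2 else x for x in f)

def mul(f, g):                      # schoolbook product in R_q, reducing with x^N = -1
    r = [0] * N
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            k = i + j
            r[k % N] = (r[k % N] + (x * y if k < N else -x * y)) % Q
    return r

# A primitive 2N-th root of unity (checked, not trusted) and the N roots of x^N + 1 in Z_Q.
PSI = next(p for p in (pow(g, (Q - 1) // (2 * N), Q) for g in range(2, 200)) if pow(p, N, Q) == Q - 1)
ROOTS = [pow(PSI, 2 * i + 1, Q) for i in range(N)]

def inverse(f):                     # inverse in R_q via evaluation at ROOTS; None if not a unit
    ev = [sum(x * pow(r, j, Q) for j, x in enumerate(f)) % Q for r in ROOTS]
    if 0 in ev:
        return None
    return [pow(N, Q - 2, Q) * sum(pow(e, Q - 2, Q) * pow(r, (-k) % (2 * N), Q)
                                   for e, r in zip(ev, ROOTS)) % Q for k in range(N)]

def ser(*polys): return b"|".join(b",".join(str(x).encode() for x in f) for f in polys)
def encode(subject, p): return len(subject).to_bytes(2, "big") + subject + p   # DAPS pair (a, p)

def hash_c(w, mu):                  # H: (w, message) -> low-norm challenge in {-1, 0, 1}^N
    d = hashlib.sha256(b"H" + ser(w) + b"|" + mu).digest()
    return [((d[i] % 3) - 1) % Q for i in range(N)]

def derive_y(seed, *ctx):           # expand (seed, context) into masks y1, y2 in [-B, B]^N
    rng = random.Random(b"/".join((seed,) + ctx))
    return [[rng.randint(-B, B) % Q for _ in range(N)] for _ in range(2)]

def keygen(rng):                    # pk = (a, t = a*s1 + s2); sk also holds a mask seed (assumption)
    a = [rng.randrange(Q) for _ in range(N)]
    s1, s2 = [[rng.randint(-1, 1) % Q for _ in range(N)] for _ in range(2)]
    return (a, add(mul(a, s1), s2)), (s1, s2, rng.getrandbits(128).to_bytes(16, "big"))
def demo_keys(seed=2024): return keygen(random.Random(seed))

def attempt(sk, pk, y, mu):         # one Fiat-Shamir attempt: (z1, z2, c), or None when rejected
    (s1, s2, _), (y1, y2) = sk, y
    c = hash_c(add(mul(pk[0], y1), y2), mu)
    z1, z2 = add(mul(s1, c), y1), add(mul(s2, c), y2)
    # Rejection sampling keeps z independent of s; rejecting non-unit c too is an added
    # convenience so that the divisions by c in extract()/deter() always exist.
    if max(norm_inf(z1), norm_inf(z2)) > B - KAPPA or inverse(c) is None:
        return None
    return z1, z2, c

def sign_loop(sk, pk, mu, mask):    # retry with mask(k) until rejection sampling accepts
    for k in range(256):
        sig = attempt(sk, pk, mask(bytes([k])), mu)
        if sig:
            return sig

def sign(sk, pk, subject, p):       # honest DAPS-style signer: mask depends on the subject only
    return sign_loop(sk, pk, encode(subject, p), lambda k: derive_y(sk[2], b"sub", subject, k))

def verify(pk, mu, sig):
    (a, t), (z1, z2, c) = pk, sig
    return (max(norm_inf(z1), norm_inf(z2)) <= B - KAPPA
            and hash_c(sub(add(mul(a, z1), z2), mul(t, c)), mu) == c)

class SubvertedSigner:
    """ASA: odd-numbered signatures take their mask from a PRF keyed with subk and the
    previous signature, so only the subverter can replay it (two consecutive suffice here)."""
    def __init__(self, sk, pk, subk):
        self.sk, self.pk, self.subk, self.j, self.prev = sk, pk, subk, 0, b""
    def sign(self, subject, p):
        if self.j % 2 == 0:
            mask = lambda k: derive_y(self.sk[2], b"sub", subject, k)   # honest mask
        else:
            mask = lambda k: derive_y(self.subk, b"asa", self.prev, k)  # PRF-derived mask
        sig = sign_loop(self.sk, self.pk, encode(subject, p), mask)
        self.j, self.prev = self.j + 1, ser(*sig)
        return sig

def extract(pk, subk, prev_sig, sig):
    """Subverter's extraction from an odd-numbered signature: replay the PRF to get y, then
    s_i = (z_i - y_i) * c^-1; every candidate is checked against pk, so a wrong subk gives None."""
    (a, t), (z1, z2, c) = pk, sig
    cinv = inverse(c)
    for k in range(256):
        y1, y2 = derive_y(subk, b"asa", ser(*prev_sig), bytes([k]))
        s1, s2 = mul(sub(z1, y1), cinv), mul(sub(z2, y2), cinv)
        if add(mul(a, s1), s2) == t:
            return s1, s2

def deter(pk, sig1, sig2):
    """DAPS Deter: two honest signatures on the same subject share y, so z - z' = s*(c - c')
    and s = (z - z') * (c - c')^-1; the result is checked against pk (None if that fails)."""
    (a, t), (z1, z2, c), (z1p, z2p, cp) = pk, sig1, sig2
    d = inverse(sub(c, cp))
    if d is None:
        return None
    s1, s2 = mul(sub(z1, z1p), d), mul(sub(z2, z2p), d)
    return (s1, s2) if add(mul(a, s1), s2) == t else None
```

Both extract() and deter() verify the recovered (s_1, s_2) against pk before returning it, so a wrong subversion key or two signatures on different subjects yield None rather than a wrong key. Without subk the PRF-derived mask is indistinguishable from an honest one, which is the undetectability argument of Theorem 2 in miniature; with subk the key leaks from a single odd-numbered signature, which is why the Deter step has to make producing any two colliding signatures costly for the signer.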
Theorem 2 Given the subverted FS-LBS scheme, the detection advantage is negligible under the assumption that F is a pseudo-random function (PRF).
Proof. We prove the theorem by a sequence of games and define the events … (i = 1, 2, …).
Game 1. As Game 0, except that the adversary's queries are answered as in Game 0 when b = 0, while when b = 1 (j ≡ 1 mod 2) the values y_1, y_2 that Game 0 computes with the PRF are replaced by uniformly random strings. A detailed description follows.
If b = 0, the game responds with a valid FS-LBS scheme, with j = 0, to the adversary after every signing query on m and every reset query rt, respectively. If b = 1, the game proceeds as follows: when the adversary makes a signing query on m, set j ← 0, τ ← 0; if j ≡ 0 mod 2: 1) Pick …
Game 3. Starting from Game 2, we modify the game as follows: when the adversary makes a reset query rt, Game 3 does not reset j and τ, but it answers the adversary's other queries in the same way as Game 2.
Finally, the distribution of the subverted FS-LBS scheme is identical to that of the real FS-LBS scheme except for the cases j ≡ 0 mod 2 and j ≡ 1 mod 2, because …

Numerical Analysis
This section first evaluates the efficiency of our deterable subverted FS-LBS scheme numerically in terms of storage overhead and computational overhead, listed in Table 2 and Table 3.
The storage overhead consists of the size of the public/secret key pair and the size of a signature, listed in Table 2. The communication cost is determined by the number of signatures j. For the computational overhead, the most resource-consuming operation, compared with the hash functions, is multiplication over the ring R. The computational overhead of the Sign, Ver and Deter processes is listed in Table 3, where the number of ring multiplications is linear in j. For simplicity, PM denotes polynomial point multiplications, PA polynomial additions, PS polynomial subtractions, RS polynomial Gaussian sampling, and H and F the hash functions.
By the implementation analysis in Ref. [9], at most three consecutive signatures are needed in the subverted FS-LBS, which does not affect its practicality, so our construction does not consider signature loss. Here we only analyze the security level, secret key (sk) size, public key (pk) size and signature size of the deterable subverted FS-LBS schemes based on Refs. [20,21,29-32]. From Tables 2 and 3 we can see that our deterable subverted signatures have reasonable efficiency in terms of communication cost, computational overhead and storage overhead.

Implementation
The implementation uses NFLlib, an NTT-based fast lattice cryptography library, on an Intel i7-7700 CPU @ 3.60 GHz running Ubuntu Linux. The key operations consist of polynomial addition, polynomial multiplication and polynomial Gaussian sampling. Since NFLlib does not implement hash functions, we measure the running time of the three hash functions with an HMAC based on the SM3 algorithm. The execution time of each cryptographic operation under different parameters is shown in Table 4; we treat the execution times of the hash functions as equal.
Experimental results for each algorithm of the proposed deterable subverted FS-LBS are depicted in Fig. 1. We increase j from 2 to 10 in each test to observe the time cost of the Sign, Ver and Deter algorithms. Subversion key generation amounts to generating a random number, so its time is omitted.

Conclusion
This paper first explores a novel algorithm substitution attack on lattice-based Fiat-Shamir type signature schemes, and then provides countermeasures that make signature subversion deterable. Security proofs show that our construction satisfies three security and privacy requirements, and parameter analysis demonstrates that it is feasible. In future work we will widen the range of schemes shown vulnerable to algorithm substitution attacks and seek more valuable attack methods and countermeasures for post-quantum secure signatures. Other possible work will focus on algorithm substitution attacks on other cryptographic primitives.