Subversion-resilient signatures: Definitions, constructions and applications
Theoretical Computer Science (IF 1.1), Pub Date: 2020-03-31, DOI: 10.1016/j.tcs.2020.03.021
Giuseppe Ateniese, Bernardo Magri, Daniele Venturi

We provide a formal treatment of security of digital signatures against subversion attacks (SAs). Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g., malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms. The main security requirement we put forward demands that a signature scheme should remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully-adaptive and continuous fashion. Previous notions—e.g., the notion of security against algorithm-substitution attacks introduced by Bellare et al. (CRYPTO ‘14) for symmetric encryption—were non-adaptive and non-continuous.

In this vein, we show both positive and negative results for the goal of constructing subversion-resilient signature schemes.

Negative results. We show that a broad class of randomized signature schemes is insecure against stateful SAs, even if using just a single bit of randomness. On the other hand, we establish that signature schemes with enough min-entropy are insecure against stateless SAs. The attacks we design are undetectable to the end-users (even if they know the signing key).

Positive results. We complement the above negative results by showing that signature schemes with unique signatures are subversion-resilient against all attacks that meet an undetectability requirement. A similar result was shown by Bellare et al. for symmetric encryption, who proved the necessity to rely on stateful schemes; in contrast unique signatures are stateless, and in fact they are among the fastest and most established digital signatures available. As our second positive result, we show how to construct subversion-resilient identification schemes from subversion-resilient signature schemes. We finally show that it is possible to devise signature schemes secure against arbitrary tampering with the computation, by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT ‘15), i.e., an algorithm that “sanitizes” any signature given as input (using only public information). The firewall we design allows us to successfully protect so-called re-randomizable signature schemes (which include unique signatures as a special case).

As an additional contribution, we extend our model to consider multiple users and show implications and separations among the various notions we introduced. While our study is mainly theoretical, due to its strong practical motivation, we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols.
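As an added example that is not part of the paper or of this page, the following Python sketches the distinction the abstract turns on: a unique hash-and-sign scheme (textbook RSA full-domain hash) beside a randomized one (a salted variant, where even a single byte of randomness makes signatures non-unique), a black-box consistency check that a verifier can run with only the public key, and the pass-through behaviour of a reverse firewall in the unique-signature case, where "re-randomizing" a signature is the identity. The tiny RSA modulus, the salt length and every function name are constructed for the demo and are assumptions, not the paper's construction.

```python
"""Toy unique vs. randomized hash-and-sign signatures (added example).

Constructed toy parameters: the RSA modulus here is far too small for real use
and exists only so the script runs offline in a fraction of a second.
"""
import hashlib
import secrets
from typing import Callable, Iterable, Optional, Tuple

# --- constructed toy RSA key (NOT secure, illustration only) ---------------
P, Q = 65521, 65537                      # two small primes chosen for the demo
N = P * Q
E = 17                                   # coprime to (P-1)*(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python >= 3.8)
PK = (N, E)
SK = (N, D)


def _fdh(data: bytes, n: int) -> int:
    """Full-domain-style hash: SHA-256 reduced into Z_n (toy reduction)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


# --- unique signatures: RSA full-domain hash --------------------------------
def fdh_sign(sk: Tuple[int, int], msg: bytes) -> Tuple[int, ...]:
    """Deterministic: for a fixed (pk, msg) exactly one value verifies,
    because RSA is a permutation of Z_n*.  No randomness is consumed."""
    n, d = sk
    return (pow(_fdh(msg, n), d, n),)


def fdh_verify(pk: Tuple[int, int], msg: bytes, sig: Tuple[int, ...]) -> bool:
    n, e = pk
    if len(sig) != 1:
        return False
    s = sig[0]
    return 0 < s < n and pow(s, e, n) == _fdh(msg, n)


# --- randomized signatures: salted FDH ---------------------------------------
SALT_BYTES = 1  # one byte of signer-chosen randomness is enough to lose uniqueness


def pfdh_sign(sk: Tuple[int, int], msg: bytes) -> Tuple[bytes, int]:
    """Probabilistic: many (salt, s) pairs verify for the same message,
    so a verifier cannot tell a 'fresh' salt from an adversarially chosen one."""
    n, d = sk
    salt = secrets.token_bytes(SALT_BYTES)
    return (salt, pow(_fdh(salt + msg, n), d, n))


def pfdh_verify(pk: Tuple[int, int], msg: bytes, sig: Tuple[bytes, int]) -> bool:
    n, e = pk
    salt, s = sig
    return 0 < s < n and pow(s, e, n) == _fdh(salt + msg, n)


# --- defender-side check: does the signer behave as a unique scheme? --------
def signatures_are_unique(sign: Callable, verify: Callable, pk, sk,
                          msgs: Iterable[bytes], trials: int = 8) -> bool:
    """Black-box consistency test using only the public key for verification.

    Every trial on the same message must return the same *valid* signature.
    Deterministic, unique schemes (RSA-FDH) pass; the salted variant fails
    almost surely, since its output depends on randomness the signer picks.
    """
    for m in msgs:
        first = sign(sk, m)
        if not verify(pk, m, first):
            return False
        for _ in range(trials - 1):
            if sign(sk, m) != first:
                return False
    return True


# --- reverse firewall, unique-signature case ---------------------------------
def reverse_firewall(verify: Callable, pk, msg: bytes, sig) -> Optional[tuple]:
    """Sanitizer that uses only public information.

    For a unique scheme re-randomization is the identity map, so the firewall
    reduces to a verification gate: a valid signature is forwarded unchanged,
    anything else is dropped (returned as None).
    """
    return sig if verify(pk, msg, sig) else None


if __name__ == "__main__":
    msgs = [b"tx-1", b"tx-2", b"tx-3"]          # constructed sample messages
    print("RSA-FDH unique/deterministic:",
          signatures_are_unique(fdh_sign, fdh_verify, PK, SK, msgs))
    print("salted FDH unique/deterministic:",
          signatures_are_unique(pfdh_sign, pfdh_verify, PK, SK, msgs))
    sig = fdh_sign(SK, b"tx-1")
    print("firewall forwards valid signature:",
          reverse_firewall(fdh_verify, PK, b"tx-1", sig) == sig)
    print("firewall drops signature of another message:",
          reverse_firewall(fdh_verify, PK, b"tx-1", fdh_sign(SK, b"tx-2")))
```

The consistency test is necessarily one-sided: a signer that passes it is deterministic, but uniqueness (at most one valid signature per public key and message) is a property of the scheme's mathematics, which is why RSA-FDH qualifies while a deterministic-by-implementation randomized scheme would not. The firewall's full generality, re-randomizing signatures of a re-randomizable scheme, needs algebra this toy does not include; for unique signatures the gate above is all the firewall has to do.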


Updated: 2020-03-31