Key Substitution in the Symbolic Analysis of Cryptographic Protocols (extended version)
Yannick Chevalier (IRIT), Mounira Kourjieh (IRIT)

TL;DR
This paper investigates the decidability of insecurity in cryptographic protocols that use signature schemes vulnerable to key substitution and destructive exclusive ownership, providing formal proofs of their security properties.
Contribution
It formally proves the decidability of insecurity problems for protocols employing signature schemes vulnerable to key substitution and DEO.
Findings
Decidability of insecurity for protocols with vulnerable signature schemes.
Formal proof techniques for cryptographic protocol analysis.
Insights into the security limitations of certain signature schemes.
Abstract
Key substitution vulnerable signature schemes are signature schemes that permit an intruder, given a public verification key and a signed message, to compute a pair of signature and verification keys such that the message appears to be signed with the new signature key. A digital signature scheme is said to be vulnerable to the destructive exclusive ownership property (DEO) if it is computationally feasible for an intruder, given a public verification key and a pair of a message and its valid signature relative to the given public key, to compute a pair of signature and verification keys and a new message such that the given signature appears to be valid for the new message relative to the new verification key. In this paper, we prove decidability of the insecurity problem of cryptographic protocols where the signature schemes employed in the concrete realisation have these two properties.
Taxonomy
Topics: Cryptography and Data Security · Advanced Authentication Protocols Security · Cryptographic Implementations and Security
