Key Substitution in the Symbolic Analysis of Cryptographic Protocols (extended version)

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Key-substitution-vulnerable signature schemes are signature schemes that permit an intruder, given a public verification key and a signed message, to compute a pair of signature and verification keys such that the message appears to be signed with the new signature key. A digital signature scheme is said to be vulnerable to the destructive exclusive ownership (DEO) property if it is computationally feasible for an intruder, given a public verification key and a pair of a message and its valid signature relative to the given public key, to compute a pair of signature and verification keys and a new message such that the given signature appears to be valid for the new message relative to the new verification key. In this paper, we prove decidability of the insecurity problem of cryptographic protocols where the signature schemes employed in the concrete realisation have these two properties.


💡 Research Summary

The paper addresses a gap in the formal security analysis of cryptographic protocols that use digital signature schemes vulnerable to two related attacks: key substitution and the destructive exclusive ownership (DEO) property. A key‑substitution attack allows an adversary, given only a public verification key and a signed message, to generate a new pair of signing and verification keys such that the original signature is also valid under the new verification key. DEO is a stronger capability: from a public verification key, a message and its valid signature, the adversary computes a fresh key pair and a new message such that the original signature validates the new message under the new verification key. In both cases the signature bytes are unchanged; what changes is who appears to have signed, and for DEO also what appears to have been signed. Both properties have been observed in real‑world schemes (e.g., certain RSA‑PKCS#1 v1.5 configurations).

The authors first formalize these properties as algebraic operators. The key‑substitution operator ksub(V, M, σ) → (k′, V′) takes a verification key V, a message M and a signature σ that is valid for M under V, and returns a new signing key k′ with verification key V′ such that the same σ verifies for M under V′. The DEO operator deo(V, M, σ) → (k′, V′, M′) additionally returns a new message M′ such that σ verifies for M′ under V′. Both operators are assumed to be computable in polynomial time, so the attacker may apply them at will to any accepted (key, message, signature) triple.

To capture these capabilities within a symbolic model, the classic Dolev‑Yao intruder is extended with the two new function symbols and with the verification equations that make a substituted key accept the original signature. Protocols are represented as a set of flat rewrite rules describing message construction, signing, verification and the newly added key‑generation steps. The insecurity problem asks whether some execution reaches a state in which the attacker causes a target session to violate an authentication property.

The central technical contribution is a decidability proof for this extended insecurity problem. The authors bound the depth of nested ksub and deo applications, thereby constructing a finite “key‑message‑signature graph” that enumerates all possible terms the attacker can generate. They then apply a binding‑propagation algorithm combined with a fixed‑point computation to propagate variable bindings throughout the graph, yielding a finite knowledge set for the attacker. Termination is guaranteed by the depth bound and type constraints, and completeness follows from the fact that any successful attack must be represented within the graph. Consequently, the problem reduces to checking whether a goal state appears in this finite structure, which is algorithmically decidable.
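The following is an added illustration of the ingredients described in the three paragraphs above (operators as function symbols, their verification equations, a depth‑bounded fixed‑point closure of the intruder's knowledge, and a goal check over the resulting finite set). It is example code written for this summary, not code from the paper and not the paper's exact formalisation; the tuple encoding of terms, the rule names, the toy protocol (A sends B a signed ciphertext M = enc(pk(skB), nA)), the agent names A, B and I, and the nonce nA are all this example's own assumptions.

```python
"""Toy Dolev-Yao deduction engine with symbolic key-substitution (ksub) and
destructive-exclusive-ownership (deo) operators.

Added example for this summary, not code from the paper.  Terms are nested
tuples: ('pair', a, b), ('pk', k), ('sign', k, m), ('enc', pk, m).
('ksub', V, M, S) and ('deo', V, M, S) stand for the private keys the intruder
obtains by applying an operator to an accepted triple (V, M, S), and
('deomsg', V, M, S) for the new message produced by deo.  Atoms are strings;
private-key atoms start with 'sk'.  All of this encoding is an assumption."""

OPS = ('ksub', 'deo', 'deomsg')

def is_key(t):
    """Private-key terms: honest 'sk*' atoms or keys produced by ksub/deo."""
    return (isinstance(t, str) and t.startswith('sk')) or \
           (isinstance(t, tuple) and t[0] in ('ksub', 'deo'))

def depth(t):
    """Number of nested operator applications in t (the bound of the analysis)."""
    if isinstance(t, str):
        return 0
    inner = max(depth(x) for x in t[1:])
    return inner + 1 if t[0] in OPS else inner

def verify(V, M, S):
    """Symbolic verification: the honest equation plus the two vulnerable ones.
    The vulnerable equations are relative to any accepted triple, so operators
    can be nested; that is why the closure below needs a depth bound."""
    if not (isinstance(S, tuple) and S[0] == 'sign'
            and isinstance(V, tuple) and V[0] == 'pk'):
        return False
    k = V[1]
    if isinstance(k, tuple) and k[0] == 'ksub':   # verify(pk(ksub(V0,M0,S0)), M0, S0)
        V0, M0, S0 = k[1:]
        return S0 == S and M0 == M and verify(V0, M0, S0)
    if isinstance(k, tuple) and k[0] == 'deo':    # verify(pk(deo(V0,M0,S0)), deomsg(V0,M0,S0), S0)
        V0, M0, S0 = k[1:]
        return S0 == S and M == ('deomsg', V0, M0, S0) and verify(V0, M0, S0)
    return k == S[1] and M == S[2]                 # verify(pk(k), m, sign(k, m))

def analyze(known, allow_ksub=True, allow_deo=True, max_depth=1):
    """Fixed-point closure of the intruder's knowledge under projection,
    message recovery from signatures, pk() of owned keys, and the two
    operators; any term nested deeper than max_depth is pruned."""
    facts = set(known)
    while True:
        new = set()
        for t in facts:
            if isinstance(t, tuple) and t[0] == 'pair':
                new.update(t[1:])                   # projections
            elif isinstance(t, tuple) and t[0] == 'sign':
                new.add(t[2])                       # a signature reveals its message
            if is_key(t):
                new.add(('pk', t))                  # public key of an owned key
        sigs = [t for t in facts if isinstance(t, tuple) and t[0] == 'sign']
        pks = [t for t in facts if isinstance(t, tuple) and t[0] == 'pk']
        for S in sigs:
            for V in pks:
                for M in facts:
                    if not verify(V, M, S):         # operators need a valid triple
                        continue
                    if allow_ksub:
                        new.add(('ksub', V, M, S))
                    if allow_deo:
                        new.add(('deo', V, M, S))
                        new.add(('deomsg', V, M, S))
        new = {t for t in new if depth(t) <= max_depth}
        if new <= facts:
            return facts
        facts |= new

def find_attacks(facts):
    """Goal check: triples (V, M, S) the receiver accepts, whose private key
    the intruder owns, but whose signature was made with a different key.
    Each one violates 'if B accepts M under V, then V's owner signed M'."""
    sigs = [t for t in facts if isinstance(t, tuple) and t[0] == 'sign']
    owned = [t for t in facts if isinstance(t, tuple) and t[0] == 'pk' and t[1] in facts]
    return {(V, M, S) for S in sigs for V in owned for M in facts
            if verify(V, M, S) and V[1] != S[1]}

# Constructed toy protocol: A -> B : pk(skA), M, sign(skA, M) with
# M = enc(pk(skB), nA).  The intruder I cannot build M (no skB, no nA), yet
# after a key substitution B attributes M to a key that I owns.
M_A = ('enc', ('pk', 'skB'), 'nA')
SIG_A = ('sign', 'skA', M_A)
INTERCEPTED = ('pair', ('pk', 'skA'), ('pair', M_A, SIG_A))
INTRUDER_INITIAL = {'skI', ('pk', 'skB'), INTERCEPTED}

def toy_run(allow_ksub=True, allow_deo=True, max_depth=1):
    """Saturate the intruder's knowledge and return the attacks found."""
    return find_attacks(analyze(INTRUDER_INITIAL, allow_ksub, allow_deo, max_depth))

if __name__ == '__main__':
    for ksub, deo in ((False, False), (True, False), (True, True)):
        att = toy_run(ksub, deo)
        print(f'ksub={ksub} deo={deo}: {len(att)} attack(s)')
        for V, M, S in sorted(att, key=repr):
            print('  B accepts', M, 'under', V)
    print('depth 2:', len(toy_run(True, True, 2)), 'attacks (grows with the bound)')
```

With neither operator the closure contains no attack; with ksub the intruder obtains a key it owns under which A's signature still verifies, and with deo it also obtains a new message that the same signature validates. Raising max_depth lets the operators be applied to their own outputs and yields more (still finitely many) goal states, which is the role of the depth bound in the decidability argument.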

An implementation of the theory is integrated into an existing automated protocol verifier. By adding rewrite rules for ksub and deo, the tool can automatically discover attacks on protocols that use vulnerable signature schemes. Experiments on classic protocols such as Needham‑Schroeder and Otway‑Rees, instantiated with RSA‑PKCS#1 v1.5 signatures, produce concrete key‑substitution and DEO attacks. When the same protocols are instantiated with a scheme assumed to have neither property (ECDSA in the experiments), so that the ksub and deo rules are not available, the tool finds no attacks, which shows that the extension does not by itself introduce false positives. In a symbolic model "no attack" only means no attack expressible with the modelled rules, so this result is only as strong as the assumption that the chosen scheme really lacks both properties.

The paper concludes with a discussion of limitations and future work. The current model assumes polynomial‑time computability of the substitution operators and does not yet cover post‑quantum or multi‑signature schemes. Extending the framework to handle richer cryptographic primitives, integrating design‑time guidelines to prevent vulnerable configurations, and embedding the analysis into broader development pipelines are identified as promising directions.

In summary, the authors provide a rigorous symbolic framework that captures key‑substitution and DEO vulnerabilities, prove that the associated insecurity problem is decidable, and demonstrate practical detection of such attacks using an automated verification tool. This work bridges the gap between abstract protocol analysis and concrete cryptographic weaknesses, showing that formal methods can be extended to reason about subtle implementation‑level attacks.

