Key Substitution Attacks on Lattice Signature Schemes Based on SIS Problem

Abstract

The notion of key substitution security on digital signatures in the multiuser setting has been proposed by Menezes and Smart in 2004. Along with the unforgeability of signature, the key substitution security is very important since it is a critical requirement for the nonrepudiation and the authentication of the signature. Lattice-based signature is a promising candidate for post-quantum cryptography, and the unforgeability of each scheme has been relatively well studied. In this paper, we present key substitution attacks on BLISS, Lyubashevsky's signature scheme, and GPV and thus show that these signature schemes do not provide nonrepudiation. We also suggest how to avoid key substitution attack on these schemes.