


2024 Mathematical Methods of Cryptography No. 63

UDC 519.7 DOI 10.17223/20710410/63/3

BLIND SIGNATURE AS A SHIELD AGAINST BACKDOORS IN SMART CARDS

L. R. Akhmetzyanova, A. A. Babueva, A. A. Bozhko

CryptoPro, Moscow, Russia

E-mail: {lah, babueva, bozhko}@cryptopro.ru

The problem of signature forgery (including signature key recovery) in the presence of backdoors in the hardware or software of functional key carriers (smart cards) is considered. A new approach to solving the problem based on using blind signature schemes is proposed. It is shown that honest-signer blindness and honest-but-curious unforgeability of the blind signature schemes imply security against backdoors in smart cards. As a concrete example, we consider a blind version of the GOST signature scheme (the blind signature scheme proposed by Camenisch) and show that this scheme is resistant to backdoors under the single assumption that GOST is secure in the standard sense.

Keywords: blind signature scheme, GOST R 34-10-2012, untrusted smart cards, backdoors.


1. Introduction

Consider an information system consisting of two components: a smart card (or token) used as a functional key storage and an application installed on a user device (desktop or handheld). The function of the system is to compute a signature of any document transmitted via the application under a key uploaded to and stored on the smart card. The components usually interact in the following way:

1) the user opens the application, chooses the document to be signed and pushes the button "Sign";

2) the application connects to the smart card (usually by setting up a password-protected secure channel [1]) and sends it the selected document or document hash value;

3) the smart card computes the signature value of the document on its own under a stored private key and returns the computed value to the application;

4) the application verifies the received signature value and returns the signed document to the user.

The use of smart cards with unrecoverable on-board private key cryptography is considered one of the most secure approaches to key management, since it protects against adversaries who can get physical access to key storage devices. However, it has its own disadvantages. Unlike software applications, which can be open source and therefore fully verified, self-compiled and securely installed by anyone, smart card development is a much more technically complex process that is usually carried out by companies that specialize in the field. Indeed, the signing code is often hardwired directly into smart card microchips to improve performance and, consequently, cannot be openly verified by outsiders: the users are given a ready-to-use "black-box" device. This makes it possible for unscrupulous developers to implement malicious code.

In this paper, we address the security issues that arise when the smart card used is seen as an untrusted component and is believed to contain backdoors. In the context of systems based on ElGamal or Schnorr type signature schemes, these issues are highly crucial, since this type of signature uses one-time random values that are generated using the smart card and whose compromise immediately results in the recovery of the user's private key. For instance, a malicious smart card can use low-entropy one-time values, allowing an adversary (e.g., the company implementing this backdoor) to perform a brute force attack and recover the user key from a correct signature.

Related work. The paper [2] is devoted to these issues. Firstly, the paper introduces two types of adversary to be considered:

External adversary: it models an honest-but-curious adversary acting on the application side; the adversary's goal is to make a new correct pair (message, signature) without interacting with a smart card or, in other words, to make a forgery. Note that this threat includes the stronger one, key recovery. Consideration of such adversaries covers the scenario where only an honest user interacts with the smart card through a verified and trusted application, but this application is less protected from memory leaks compared to the smart card.

Remark 1. Note that this type does not cover the capabilities of active adversaries that can directly interact (e.g., using their own malicious application) with the smart card. In practice, it means that an adversary that steals the smart card cannot get access to its API. Considering only passive adversaries is justified by the fact that smart cards are usually also protected with a memorable password that should be entered by the human to get access to the API [3].

Adversary with agent: this adversary is supposed to consist of two parts. The first part is a fully active adversary on the smart card side, but it can interact only with the trusted application, i.e., there is no other channel for data transmission from the smart card. The second part collects the pairs (message, signature) computed by the application and the malicious smart card; this is the agent. Similar to the first type of adversary, the goal is to make a forgery.

In order to deal with these adversaries, the paper [2] proposed a solution for the GOST signature scheme [4] based on the usage of the interactive Schnorr zero-knowledge proof. This protocol is executed along with the main signing algorithm and its purpose is to prove to the application that the smart card is using the "correct" one-time value (for details see the original paper). This solution has the following two significant drawbacks:

1) it protects against a semi-trusted smart card only: the crucial assumption for security is that low-level (short) arithmetic operations are implemented correctly in the smart card. Although it is a realistic assumption, there are no convenient ways to validate this in practice;

2) it is not secure if the smart card can terminate the signing process with an error on the application side. The paper [2] describes a concrete attack where the malicious smart card successfully completes the signing protocol only if certain bits of the resulting signature are equal to certain bits of the signing key. One approach to protect against this attack is to delete the private signing key immediately after such errors occur. However, in practice, errors can occur not only due to the adversary's actions, but also due to technical failures, so deleting the key after each error is not a practical solution.

Our contribution. To negate the disadvantages mentioned above, we propose a new approach, the main idea of which is to use the "blind versions" of the signature schemes. Blind signature schemes, first introduced by Chaum [5], allow one party called User to obtain a signature for an arbitrary message after interacting with another party called Signer holding a signing key in such a way that the Signer does not receive any information about either the message or the signature value (blindness property) and the User can compute only one single signature per interaction with the Signer (unforgeability property).

In the context of the considered signing system, the smart card executes the Signer side and the application executes the User side. Due to the blindness property, the malicious smart card learns no information about the signature during the protocol execution and, therefore, cannot "control" the signature values, e.g., by covertly transmitting bits of the private key through the signature values.

In this paper, we introduce two new security notions for blind signature schemes: honest-but-curious unforgeability and backdoor resilience, which characterize the security of the proposed solution against the external adversary and the adversary with agent. We show that honest-signer blindness (where an adversary cannot affect the key generation algorithm) and standard unforgeability imply backdoor resilience. Moreover, for the GOST signature scheme we propose a concrete blind signature scheme for use: the Camenisch scheme [6], which provides perfect blindness (and thus honest-signer blindness) and honest-but-curious unforgeability (and thus standard unforgeability), the latter being implied only by the unforgeability of GOST. This means that the Camenisch blind signature scheme provides security against both the external adversary and the adversary with agent under the single assumption that the GOST signature scheme provides standard security, i.e., is unforgeable under the chosen message attack.

The rest of the paper is organised as follows. In Section 2 we recall the definitions of conventional and blind signature schemes and give the accompanying security notions. In Section 3 the formal definitions of honest-but-curious unforgeability and backdoor resilience are introduced. Section 4 is devoted to the formal analysis and Section 5 considers the Camenisch blind signature scheme in detail.

2. Basic definitions

(Conventional) signature schemes. The conventional signature scheme SS is determined by three algorithms:

— (sk, pk) ← SS.KGen(): a key generation algorithm that outputs a secret key sk and a public key pk;

— σ ← SS.Sig(sk, m): a signature generation algorithm that takes a secret key sk and a message m and returns a signature σ;

— b ← SS.Vf(pk, m, σ): a (deterministic) verification algorithm that takes a public key pk, a message m, and a signature σ, and returns 1 if σ is valid on m under pk and 0 otherwise.

The SS scheme is correct if for any message m, any sample of parameters and any key pair (sk, pk), the equality SS.Vf(pk, m, SS.Sig(sk, m)) = 1 holds.

Blind signature schemes. The blind signature scheme BS is defined in the same way as the conventional signature scheme except for the signature generation algorithm, which is replaced by the following protocol:

— (b, σ) ← (BS.Signer(sk), BS.User(pk, m)): an interactive signing protocol that is run between the Signer holding the secret key sk and the User holding the public key pk and a message m; the Signer outputs b = 1 if the protocol completes successfully and b = 0 otherwise, and the User outputs a signature σ (or ⊥ on failure).

The BS scheme is correct if for any message m, any sample of parameters and any key pair (sk, pk), the protocol (BS.Signer(sk), BS.User(pk, m)) completes with (1, σ), σ ≠ ⊥, such that BS.Vf(pk, m, σ) = 1.

In the paper, we are interested in blind signature schemes that are based on some conventional signature scheme. The BS scheme is called the blind version of the SS scheme if the KGen and Vf algorithms of these schemes coincide and for any (sk, pk), m and σ

$$\Pr[(1, \sigma) \leftarrow (\mathrm{BS.Signer}(sk), \mathrm{BS.User}(pk, m))] = \Pr[\sigma \leftarrow \mathrm{SS.Sig}(sk, m)],$$

where the corresponding probability spaces are determined by the randomness used in the signing protocol and the signing algorithm.

Three-move blind signature schemes. For simplicity, this paper focuses on three-move blind signature schemes. For such schemes, the signing protocol can be described as follows:

$$(msg_{S,1}, state_S) \leftarrow \mathrm{BS.Signer}_1(sk), \quad (msg_{U,1}, state_U) \leftarrow \mathrm{BS.User}_1((pk, m), msg_{S,1}),$$
$$(msg_{S,2}, b) \leftarrow \mathrm{BS.Signer}_2(state_S, msg_{U,1}), \quad \sigma \leftarrow \mathrm{BS.User}_2(state_U, msg_{S,2}),$$

where $msg_{role,i}$, $role \in \{U, S\}$, is the $i$-th message sent by the side with role $role$ during the protocol execution. The variable $state_{role}$ is aimed to keep the internal state for use at the next protocol stage. Here the User performs the BS.User1 and BS.User2 functions, and the Signer performs the BS.Signer1 and BS.Signer2 functions during the protocol execution.

Security notions. Next, we describe security concepts using a game-based approach [7]. This approach uses the notion of an "experiment" played between a challenger and an adversary. The adversary and challenger are modelled using consistent interactive probabilistic algorithms. The challenger simulates the functioning of the analysed cryptographic scheme for the adversary and may provide it access to one or more oracles. The parameters of an adversary A are its computational resources (for a fixed model of computation and a method of encoding) and oracle query complexity. The query complexity usually includes the number of queries. Denote by $\mathrm{Adv}_S(A)$ the measure of the success of the adversary A in the experiment for the cryptographic scheme S.

The standard security notion for (probabilistic) signature schemes is strong unforgeability under chosen message attack (sUF-CMA). The formal definition is given below.

Definition 1. For an adversary A and a signature scheme SS:

$$\mathrm{Adv}^{\mathrm{sUF\text{-}CMA}}_{SS}(A) = \Pr[\mathrm{Exp}^{\mathrm{sUF\text{-}CMA}}_{SS}(A) \rightarrow 1],$$

where the $\mathrm{Exp}^{\mathrm{sUF\text{-}CMA}}_{SS}(A)$ experiment is defined in the following way:

Exp^{sUF-CMA}_{SS}(A)
1: (sk, pk) ← SS.KGen()
2: L ← ∅
3: (m, σ) ← A^{Sign}(pk)
4: if (m, σ) ∈ L: return 0
5: return SS.Vf(pk, m, σ)

Oracle Sign(m)
1: σ ← SS.Sig(sk, m)
2: L ← L ∪ {(m, σ)}
3: return σ

Remark 2. The same security notion can be applied to the blind version BS of the signature scheme SS. In this case, line 1 in the Sign oracle is replaced with the line (1, σ) ← (BS.Signer(sk), BS.User(pk, m)). It is easy to see that for such schemes the sUF-CMA security of SS and of BS are equivalent, since the two signing oracles return identically distributed signatures.

The standard notions for blind signature schemes are one-more unforgeability (the OMUF notion, which considers a malicious user in the parallel setting) and blindness (the Blind notion, which considers a malicious signer); their formal definitions can be found in [8]. Note that the original definition of blindness proposed in [9] considers an honest signer that cannot affect the key generation process. In the paper, we consider only this weak notion and refer to it as "honest-signer blindness" (HS-Blind notion).

Honest-signer blindness. Informally, the blind signature scheme provides blindness if there is no way to link a (message, signature) pair to a certain execution of the signing protocol. In the context of the strong notion, the adversary can fully control the Signer side. In the context of the weaker HS-Blind notion, we assume that the key pair is generated honestly at the beginning of the experiment. The formal definition is given below.

Definition 2. For an adversary A and a blind signature scheme BS:

$$\mathrm{Adv}^{\mathrm{HS\text{-}Blind}}_{BS}(A) = \left|\Pr[\mathrm{Exp}^{\mathrm{HS\text{-}Blind},1}_{BS}(A) \rightarrow 1] - \Pr[\mathrm{Exp}^{\mathrm{HS\text{-}Blind},0}_{BS}(A) \rightarrow 1]\right|,$$

where the $\mathrm{Exp}^{\mathrm{HS\text{-}Blind},b}_{BS}(A)$, $b \in \{0, 1\}$, experiments are defined in the following way:

Exp^{HS-Blind,b}_{BS}(A)
1: (sk, pk) ← BS.KGen()
2: b_0 ← b
3: b_1 ← 1 − b
4: b' ← A^{Init,User1,User2}(sk, pk)
5: return b'

Oracle Init(m_0, m_1)
1: sess_0 ← init
2: sess_1 ← init

Oracle User1(i, msg)
1: if i ∉ {0, 1} ∨ sess_i ≠ init: return ⊥
2: sess_i ← open
3: (msg_i, state_i) ← BS.User1((pk, m_{b_i}), msg)
4: return msg_i

Oracle User2(i, msg)
1: if sess_i ≠ open: return ⊥
2: sess_i ← closed
3: σ_{b_i} ← BS.User2(state_i, msg)
4: if sess_0 = sess_1 = closed:
5:   if σ_{b_0} = ⊥ ∨ σ_{b_1} = ⊥: return (⊥, ⊥)
6:   return (σ_0, σ_1)
7: return ε

3. New security notions for blind signatures

Here we give the formal game-based definitions of two security notions: backdoor resilience and honest-but-curious unforgeability.

Backdoor resilience/Security against adversary with agent

Consider an adversary A = (A1, A2) consisting of two algorithms. The algorithm A2 denotes the part of the adversary A collecting signature values for adaptively chosen messages (the agent), and the algorithm A1 denotes the part acting on the smart card side.

The formal definition of BDres (BackDoor resilience) for blind signature schemes is given below (see Definition 3). We parametrize this security model by the value k which determines the number of attempts by the challenger to produce a correct signature for a message (details are described below).

Definition 3. For any adversary A = (A1, A2) and blind signature scheme BS:

$$\mathrm{Adv}^{\mathrm{BDres}_k}_{BS}(A) = \Pr[\mathrm{Exp}^{\mathrm{BDres}_k}_{BS}(A) \rightarrow 1],$$

where the $\mathrm{Exp}^{\mathrm{BDres}_k}_{BS}(A)$, $k \in \mathbb{N}$, experiment is defined in the following way:

Exp^{BDres_k}_{BS}(A = (A1, A2))
1: (sk, pk) ← BS.KGen()
2: L ← ∅
3: lost ← false
4: st ← A1(sk, pk)
5: (m, σ) ← A2^{Sign}(pk)
6: if ((m, σ) ∈ L) ∨ (lost = true):
7:   return 0
8: return BS.Vf(pk, m, σ)

Oracle Sign(m)
1: i ← 0
2: do
3:   (st, σ) ← (A1(st), BS.User(pk, m))
4:   i ← i + 1
5: until (i ≥ k) ∨ (σ ≠ ⊥)
6: if σ = ⊥:
7:   lost ← true
8:   return ⊥
9: L ← L ∪ {(m, σ)}
10: return σ

At the experiment initialization stage (line 1), the challenger modeling an honest application generates a key pair (sk, pk) according to the key generation algorithm and passes (sk, pk) to A1 and pk to A2. This stage models the trusted process of generating keys, issuing the corresponding certificate and uploading key material onto the smart card.

The A2 algorithm can make queries to the challenger signing oracle Sign that returns a signature σ for a message m; the signature is computed during the execution of the blind signing protocol between the oracle, which models the honest application (the User side), and A1, which models the malicious smart card (the Signer side; see line 3 in the oracle). Here the variable st denotes the internal state of A1 that is kept from call to call. The A1 algorithm is allowed to terminate the protocol execution with an error ⊥ on the User side; in this case the oracle restarts the protocol for the same message m. If k attempts in a row end with an error, the challenger returns 0 as the game result (meaning that the adversary loses, see line 7 in the oracle). This simulates the scenario where the smart card has failed and is no longer used.

Note that without such a limit the adversary could win trivially: A1 could terminate the signing protocol execution iff the i-th bit of sk is equal to 1, where i is the sequence number of the A2 query, so that A2 learns all bits of the signing key and trivially makes a forgery.

The goal of A2 is to output a pair (m, σ) containing a signature σ that has not previously been returned by the oracle Sign in response to the message m.

Honest-but-curious unforgeability/Security against external adversary

This notion considers only an honest-but-curious adversary acting on the User side. The adversary can send a message m to the signing oracle and obtain in return a signature σ and a specific value view. The latter consists of all incoming messages and the values of all random parameters processed and sampled by the User side during the execution of the signing protocol. This simulates the scenario where the adversary gets access to the memory of the trusted application. The formal definition of HBC-UF is given below.

Definition 4. For an adversary A and a blind signature scheme BS:

$$\mathrm{Adv}^{\mathrm{HBC\text{-}UF}}_{BS}(A) = \Pr[\mathrm{Exp}^{\mathrm{HBC\text{-}UF}}_{BS}(A) \rightarrow 1],$$

where the $\mathrm{Exp}^{\mathrm{HBC\text{-}UF}}_{BS}(A)$ experiment is defined in the following way:

Exp^{HBC-UF}_{BS}(A)
1: (sk, pk) ← BS.KGen()
2: L ← ∅
3: (m, σ) ← A^{Sign}(pk)
4: if (m, σ) ∈ L: return 0
5: return BS.Vf(pk, m, σ)

Oracle Sign(m)
1: (1, (σ, view)) ← (BS.Signer(sk), BS.User(pk, m))
2: L ← L ∪ {(m, σ)}
3: return σ, view

It is easy to see that for any blind signature scheme HBC-UF security implies sUF-CMA security.

4. Security analysis

4.1. Backdoor resilience/Security against adversary with agent

In this section, we prove that honest-signer blindness and standard unforgeability (sUF-CMA) imply backdoor resilience.

Theorem 1. Fix $k \in \mathbb{N}$. For any adversary A = (A1, A2) in the BDres_k model with summary time complexity at most t making at most q queries to the signing oracle, there exist an adversary B in the sUF-CMA model making at most q queries to the signing oracle and an adversary C in the HS-Blind model such that

$$\mathrm{Adv}^{\mathrm{BDres}_k}_{BS}(A) \leq \mathrm{Adv}^{\mathrm{sUF\text{-}CMA}}_{BS}(B) + q \cdot k \cdot \mathrm{Adv}^{\mathrm{HS\text{-}Blind}}_{BS}(C).$$

Time complexities of B and C are at most $t$ and $tkq$ correspondingly.

Remark 4. If the blind signature scheme provides perfect blindness (i.e. $\mathrm{Adv}^{\mathrm{HS\text{-}Blind}}_{BS}(C) = 0$ for any C with any time complexity), then the bound is transformed as follows:

$$\mathrm{Adv}^{\mathrm{BDres}_k}_{BS}(A) \leq \mathrm{Adv}^{\mathrm{sUF\text{-}CMA}}_{BS}(B).$$

From the perspective of using a conventional signature scheme SS, this inequality means that in order to provide backdoor resilience, it is enough for this signature scheme to be sUF-CMA secure and to have a perfectly blind version BS, since $\mathrm{Adv}^{\mathrm{sUF\text{-}CMA}}_{BS}(B) = \mathrm{Adv}^{\mathrm{sUF\text{-}CMA}}_{SS}(B)$ (see Remark 2). Note that the parameter k does not appear in the bound and therefore can be chosen arbitrarily by the application developers.

Remark 5. For clarity, the proof is carried out for three-move blind signatures, but the proof does not rely on any specific features of such scheme type and can be easily adapted for any-move blind signatures.

Proof. The proof consists of two parts.

Part 1. Consider the sequence of several experiments, where each next experiment slightly differs from the previous one.

Game 0. Let $\mathrm{Exp}^0_{BS}(A) = \mathrm{Exp}^{\mathrm{BDres}_k}_{BS}(A)$.

Game 1. Consider the following modified experiment $\mathrm{Exp}^1_{BS}(A)$:

Exp^1_{BS}(A = (A1, A2))
1: (sk, pk) ← BS.KGen()
2: L ← ∅
3: lost ← false
4: st ← A1(sk, pk)
5: (m, σ) ← A2^{Sign}(pk)
6: if ((m, σ) ∈ L) ∨ (lost = true):
7:   return 0
8: return BS.Vf(pk, m, σ)

Oracle Sign(m)
1: i ← 0
2: do
3:   (st, σ) ← (A1(st), BS.User(pk, m))
4:   if σ ≠ ⊥:
5:     (1, σ) ← (BS.Signer(sk), BS.User(pk, m))
6:   i ← i + 1
7: until (i ≥ k) ∨ (σ ≠ ⊥)
8: if σ = ⊥:
9:   lost ← true
10:  return ⊥
11: L ← L ∪ {(m, σ)}
12: return σ

$\mathrm{Exp}^1_{BS}(A)$ differs from $\mathrm{Exp}^0_{BS}(A)$ in the additional lines 4 and 5 of the Sign oracle code. If the oracle, interacting with A1 as a user, completes the signing protocol with a correct signature, then the oracle recomputes a new signature by honestly executing the signing protocol on its own (without interaction with A1). The second part of the proof is devoted to estimating the difference in winning probabilities for $\mathrm{Exp}^0_{BS}(A)$ and $\mathrm{Exp}^1_{BS}(A)$.

Game 2. Consider the next modification: the experiment $\mathrm{Exp}^2_{BS}(A)$. Here the oracle always responds to requests of A2 with a correct honestly generated signature, even in the case when A1 provokes errors k times in a row, which sets the flag lost in $\mathrm{Exp}^1_{BS}(A)$.

Exp^2_{BS}(A = (A1, A2))
1: (sk, pk) ← BS.KGen()
2: L ← ∅
3: st ← A1(sk, pk)
4: (m, σ) ← A2^{Sign}(pk)
5: if (m, σ) ∈ L:
6:   return 0
7: return BS.Vf(pk, m, σ)

Oracle Sign(m)
1: i ← 0
2: do
3:   (st, σ) ← (A1(st), BS.User(pk, m))
4:   i ← i + 1
5: until (i ≥ k) ∨ (σ ≠ ⊥)
6: (1, σ) ← (BS.Signer(sk), BS.User(pk, m))
7: L ← L ∪ {(m, σ)}
8: return σ

For this experiment:

$$\Pr[\mathrm{Exp}^1_{BS}(A) \rightarrow 1] = \Pr[\mathrm{Exp}^1_{BS}(A) \rightarrow 1 \wedge (lost = false)] + \underbrace{\Pr[\mathrm{Exp}^1_{BS}(A) \rightarrow 1 \wedge (lost = true)]}_{=\,0 \text{ due to line 6 of } \mathrm{Exp}^1_{BS}(A)} \leq \Pr[\mathrm{Exp}^2_{BS}(A) \rightarrow 1].$$

Game 3. Note that in the $\mathrm{Exp}^2_{BS}(A)$ experiment the algorithm A1 can be thrown away, since it can no longer influence the value of the signature (see the $\mathrm{Exp}^3_{BS}(A_2)$ experiment below). Note that $\Pr[\mathrm{Exp}^2_{BS}(A_1, A_2) \rightarrow 1] = \Pr[\mathrm{Exp}^3_{BS}(A_2) \rightarrow 1]$.

Exp^3_{BS}(A2)
1: (sk, pk) ← BS.KGen()
2: L ← ∅
3: (m, σ) ← A2^{Sign}(pk)
4: if (m, σ) ∈ L:
5:   return 0
6: return BS.Vf(pk, m, σ)

Oracle Sign(m)
1: (1, σ) ← (BS.Signer(sk), BS.User(pk, m))
2: L ← L ∪ {(m, σ)}
3: return σ

Note that $\mathrm{Exp}^3_{BS}$ is exactly the experiment $\mathrm{Exp}^{\mathrm{sUF\text{-}CMA}}_{BS}$, therefore $\Pr[\mathrm{Exp}^3_{BS}(A) \rightarrow 1] \leq \mathrm{Adv}^{\mathrm{sUF\text{-}CMA}}_{BS}(B)$ for B = A2.

Part 2. To finalize the proof, we construct an adversary C breaking the blindness property. Introduce the following auxiliary experiment $\mathrm{Exp}^{4,b}_{BS}(C)$, $b \in \{0, 1\}$:

Exp^{4,b}_{BS}(C)
1: (sk, pk) ← BS.KGen()
2: b' ← C^{Init,User1,User2}(sk, pk)
3: return b'

Oracle Init(m)
1: sess ← init

Oracle User1(msg)
1: if sess ≠ init: return ⊥
2: sess ← open
3: (msg, state) ← BS.User1((pk, m), msg)
4: return msg

Oracle User2(msg)
1: if sess ≠ open: return ⊥
2: σ ← BS.User2(state, msg)
3: if (σ ≠ ⊥) ∧ (b = 0):
4:   (1, σ) ← (BS.Signer(sk), BS.User(pk, m))
5: return σ

Here an adversary can make only one query to each oracle (execute only one session). The adversary obtains a signature value generated by the oracles interacting with the adversary if b = 1, and a signature computed according to the protocol otherwise. Note that if the adversary provokes an error in the session, then it always gets ⊥ from the User2 oracle regardless of b.

Using a standard technique called the "hybrid argument" [10], it can be trivially shown that there exists an adversary C' such that

$$\Pr[\mathrm{Exp}^0_{BS}(A) \rightarrow 1] - \Pr[\mathrm{Exp}^1_{BS}(A) \rightarrow 1] = q \cdot k \left(\Pr[\mathrm{Exp}^{4,1}_{BS}(C') \rightarrow 1] - \Pr[\mathrm{Exp}^{4,0}_{BS}(C') \rightarrow 1]\right).$$

Now let us construct an adversary C using C' as a black box. The adversary C acts in the following way:

1) The adversary C obtains (sk, pk) and transmits this value to C'.

2) When C' makes a query m to the Init oracle, C makes a query (m, m) to its own Init oracle.

3) After starting the sessions, the adversary C firstly executes sess_0 according to the protocol:

a) it computes $(msg^0_{S,1}, state_S) \leftarrow \mathrm{BS.Signer}_1(sk)$ and makes a query $(0, msg^0_{S,1})$ to its own User1 oracle;

b) upon receiving $msg^0_{U,1}$, the adversary C computes $(msg^0_{S,2}, 1) \leftarrow \mathrm{BS.Signer}_2(state_S, msg^0_{U,1})$ and makes a query $(0, msg^0_{S,2})$ to its own User2 oracle, receiving the ε value. Note that $\sigma_{b_0} \neq \bot$ due to the correctness property of the blind signature scheme.

4) Then the adversary C intercepts all queries of C' and simply passes them to sess_1:

a) intercepting from C' a query msg_1 to the User1 oracle, C makes a query $(1, msg^1_{S,1})$, where $msg^1_{S,1} = msg_1$, to its own User1 oracle and transmits the response $msg^1_{U,1}$ to C';

b) intercepting from C' a query msg_2 to the User2 oracle, C makes a query $(1, msg^1_{S,2})$, where $msg^1_{S,2} = msg_2$, to its own User2 oracle; C receives (σ_0, σ_1) and returns to C' the first component σ_0. Note that (σ_0, σ_1) can be (⊥, ⊥).

5) C returns the same bit as C' returns.

If C interacts with the experiment $\mathrm{Exp}^{\mathrm{HS\text{-}Blind},1}_{BS}$ ($\mathrm{Exp}^{\mathrm{HS\text{-}Blind},0}_{BS}$), then $\sigma_0 = \sigma_{b_1}$ ($\sigma_0 = \sigma_{b_0}$). Moreover, C returns ⊥ at stage 4 iff C' provokes an error in sess_1, which perfectly coincides with $\mathrm{Exp}^{4,b}_{BS}$. Thus,

$$\Pr[\mathrm{Exp}^{4,1}_{BS}(C') \rightarrow 1] = \Pr[\mathrm{Exp}^{\mathrm{HS\text{-}Blind},1}_{BS}(C) \rightarrow 1], \qquad \Pr[\mathrm{Exp}^{4,0}_{BS}(C') \rightarrow 1] = \Pr[\mathrm{Exp}^{\mathrm{HS\text{-}Blind},0}_{BS}(C) \rightarrow 1].$$

Summing up,

$$\Pr[\mathrm{Exp}^0_{BS}(A) \rightarrow 1] - \Pr[\mathrm{Exp}^1_{BS}(A) \rightarrow 1] = q \cdot k \left(\Pr[\mathrm{Exp}^{4,1}_{BS}(C') \rightarrow 1] - \Pr[\mathrm{Exp}^{4,0}_{BS}(C') \rightarrow 1]\right)$$
$$= q \cdot k \left(\Pr[\mathrm{Exp}^{\mathrm{HS\text{-}Blind},1}_{BS}(C) \rightarrow 1] - \Pr[\mathrm{Exp}^{\mathrm{HS\text{-}Blind},0}_{BS}(C) \rightarrow 1]\right) = q \cdot k \cdot \mathrm{Adv}^{\mathrm{HS\text{-}Blind}}_{BS}(C).$$

Theorem 1 is proven. ■

4.2. Honest-but-curious unforgeability/Security against external adversary

Here we define the particular class of blind signature schemes based on the ElGamal signature equation that provides honest-but-curious unforgeability. Namely, for such schemes we construct a security reduction to the unforgeability of the base ElGamal signature scheme. Note that all known ElGamal blind signature schemes do not provide strong unforgeability [11].

At first, let us introduce the required notation. We denote the group of points of the elliptic curve over the prime field as G, the order of the prime subgroup of G as q, an elliptic curve point of order q as P and the zero point as O. We denote by H the hash function that maps binary strings to elements of $\mathbb{Z}_q$ and assume that all field operations are performed modulo q.

ElGamal blind signature scheme

The generalized ElGamal signature scheme was introduced in [12] and further extended in [13]; we denote it by GenEG. The key generation algorithm in this scheme involves picking random d uniformly from $\mathbb{Z}_q^*$ (secret signing key) and defining Q = dP (public verifying key). A signature for a message m is a pair (r, s), where r = (kP).x mod q for a one-time value k picked uniformly from $\mathbb{Z}_q^*$, and s is the solution of the signature equation EG:

$$EG(d, k, r, e, s) = 0,$$

where e = H(m). The verification algorithm checks the relation that the EG equation induces on r, e, s under the public key Q.

The ElGamal blind signature scheme, denoted by GenEG-BS, was introduced in [11]. The key generation and verification algorithms in the GenEG-BS scheme are the same as in the base GenEG scheme. The interactive signing protocol assumes that the Signer performs the ElGamal signing algorithm for the value e received from the User; from the Signer's point of view this value is not determined and can be arbitrary. The parameters of the signing protocol are the base point P, the public key Q, and the message m; we denote them by par.

We impose the additional requirements on the algorithm performed by the User:

— the blinding values rnd are sampled by the User from some distribution D that is independent of the values received from the Signer;

— the first component of the signature r' is the x-coordinate of the point R', which is computed as a result of applying the function parameterized by the par value (we denote it by $L_1^{par}$) that takes as arguments the point R received from the Signer and the rnd values. This function is linear in R for all rnd values generated according to the protocol;

— the second component of the signature s' is computed as a result of applying the function parameterized by the par value (we denote it by $L_2^{par}$) that takes as arguments the value s received from the Signer, the rnd values, and the point R. This function is linear in s for all rnd and R values generated according to the protocol.

We denote such a scheme by GenEG-BSL. The corresponding signing protocol is illustrated in Fig. 1.

The signing protocol

Signer(d)                                   User(Q, m)
k ←$ Z_q^*
R ← kP
                    ──── R ────▶
                                            rnd ←$ D
                                            R' ← L_1^{par}(R, rnd)
                                            r' ← R'.x mod q
                                            e ← (blinded hash value; scheme-specific)
                    ◀──── e ────
r ← R.x mod q
if ∃! s: EG(d, k, r, e, s) = 0: find s
else: return 0
                    ──── s ────▶
return 1
                                            s' ← L_2^{par}(s, rnd, R)
                                            return (r', s')

Fig. 1. The signing protocol in GenEG-BSL scheme

Let us show that the GenEG-BSL scheme is indeed the blind version of the GenEG scheme, i.e., provides the same distribution on the signature values. The distribution on GenEG signatures is defined by the uniform distribution on k values. The distribution on GenEG-BSL signatures is defined by the distribution on k' values, where k' is such that (k'P).x mod q = r'. The k' value is linear in k, since the R' value is linear in R for all rnd values and R = kP; hence a uniformly distributed k yields a uniformly distributed k'.

Note that the User view in the GenEG-BSL scheme consists of the incoming messages R, s and the blinding factors rnd sampled by the User.

Now we are ready to construct the security reduction to the unforgeabilitv of the conventional ElGamal signature scheme.

Theorem 2. For any adversary A for GenEG-BSL scheme in the HBC-UF model with time complexity at most ¿making at most q queries to the signing oracle, there exist an adversary B for the conventional GenEG scheme in the sUF-CMA model with the same time complexity at most ¿making at most q queries to the signing oracle such that

A j HBC-UF ( \\ ^ A sUF-CMA AdVcenEG-BSL (A) ^ ^GenEC

(B).

e

s

Proof. Let construct the adversary 5 for the conventional GenEG scheme. The adversary B uses the adversary A as a black box. It intercepts the queries of the adversary A to the signing oracle and process them by itself using its own signing oracle in the following way.

Receiving the query m, adversary B forwards m to its own oracle and receives the signature (r', s'). Then it reconstructs the R' point from the verification algorithm and selects the rnd value according to the distribution V. After that, it calculates the R value using the L1^{-1} function and the s value using the L2^{-1} function. It returns as an answer the signature (r', s') and the view = (R, s, rnd).

Note that B generates exactly the same distribution on signature values, since the GenEG-BSL scheme is the blind version of the GenEG scheme. The rnd value is chosen as in the honest execution, and the R and s values are uniquely determined by it, since the L1 and L2 functions are unambiguously invertible. Thus, B perfectly simulates the signing oracle for A and outputs the forgery produced by A; if A wins, then B wins, whence follows the statement of the theorem. ■

Remark 6. The same result may be formulated for the Schnorr signature scheme and its blind version defined in [5]. The proof of the theorem is conducted in the same way.

5. GOST-based blind signature scheme

We propose a concrete blind signature scheme for building the protection for the GOST signature scheme [4]. This scheme was proposed in [6] in 1994 and is commonly referred to as the Camenisch scheme. We provide the definition of this scheme in terms of elliptic group notation.

The key generation algorithm is the same as in the general ElGamal signature scheme and assumes picking the secret key d uniformly from Z_q^* and defining the public key Q as dP.

The verification algorithm for a message m and a signature (r', s') consists in checking r' ≠ 0 and checking the equality r' = R'.x mod q, where R' = (e')^{-1}(s'P − r'Q), and e' is equal to H(m) if H(m) ≠ 0, and to 1 otherwise. Note that the signing protocol in Fig. 2 is defined for the case of using elliptic curves of prime order. Nevertheless, it can be slightly modified by adding additional checks for use with non-prime order curves, e.g. with Edwards curves.

This scheme provides perfect blindness [6, Theorem 2], but does not provide unforgeability in the strong sense. In [11] it was shown that it is vulnerable to the ROS-style attack, which is possible if the adversary acting as a User is given the opportunity to open ℓ ≥ ⌈log q⌉ parallel sessions of the signing protocol. However, providing such strong unforgeability is not required for our application; our purpose is honest-but-curious unforgeability.

Fig. 2. The signing protocol in Camenisch scheme

Signer (d): rand1: k ←$ Z_q^*; R ← kP; r ← R.x mod q; if r = 0: goto rand1; sends R to the User.
User (Q, m): if R = O: return ⊥; r ← R.x mod q; if r = 0: return ⊥; rand2: α, β ←$ Z_q^*; R' ← αR + βP; if R' = O: goto rand2; r' ← R'.x mod q; if r' = 0: goto rand2; e' ← H(m); if e' = 0: e' ← 1; e ← α e' r (r')^{-1}; sends e to the Signer.
Signer: if e = 0: return 0; s ← ke + dr; sends s to the User; returns 1.
User: if sP ≠ eR + rQ: return ⊥; s' ← s r' r^{-1} + β e'; σ ← (r', s'); returns σ.

The Camenisch scheme is a particular case of the GenEG-BSL scheme defined in Section 4.2. Indeed, the distribution V in this scheme is the uniform distribution on Z_q^* × Z_q^* that is independent of R; L1^{(P,Q,m)} and L2^{(P,Q,m)} are defined as follows:

$$L_1^{(P,Q,m)}(R, (\alpha, \beta)) = \alpha R + \beta P, \qquad L_2^{(P,Q,m)}(s, (\alpha, \beta), R) = s r' r^{-1} + \beta e',$$

where e' = H(m), r = R.x mod q, r' = (αR + βP).x mod q. These functions are linear in R and s, respectively, for all rnd, r and e values; the cases r = 0 and e = 0 are excluded by the corresponding checks on the Signer side as in the GOST signature scheme. Therefore, the result of Theorem 2 applies to the Camenisch scheme, which means that it provides honest-but-curious unforgeability under the assumption that the GOST scheme provides unforgeability. The security of the Camenisch scheme in the sUF-CMA model, in its turn, directly follows from the honest-but-curious unforgeability.
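As an added example (not code from the paper), a complete run of the signing protocol of Fig. 2 in Python, including the User-side check sP = eR + rQ that rejects an incorrect s returned by the card and the GOST-style verification of the final (r', s'). It assumes secp256k1 as the prime-order curve and SHA-256 as the hash H in place of the GOST curve and hash function.

```python
import hashlib, secrets
# Constructed toy run of the Camenisch protocol of Fig. 2 over secp256k1 (a prime-order curve,
# assumed here in place of a GOST curve) with SHA-256 standing in for the GOST hash function.
# Points are affine (x, y) tuples, None is the point at infinity O; names follow Fig. 2.
p, q = 2**256 - 2**32 - 977, 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator of order q
rand = lambda: secrets.randbelow(q - 1) + 1                   # uniform element of Z_q^*
def add(A, B):                                                # affine point addition on y^2 = x^3 + 7
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    lam = (3 * A[0] ** 2 * pow(2 * A[1], -1, p) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, p)) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)
def mul(k, A):                                                # double-and-add scalar multiplication
    R = None
    for bit in bin(k % q)[2:]:
        R = add(add(R, R), A if bit == "1" else None)
    return R
def hash_e(m):                                                # e' = H(m), replaced by 1 if zero
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q or 1

def signer_step1():                                           # rand1: k, R = kP with r = R.x mod q != 0
    k = rand(); R = mul(k, P)
    return (k, R) if R[0] % q else signer_step1()
def signer_step2(d, k, R, e):                                 # s = ke + dr, rejecting e = 0
    return None if e == 0 else (k * e + d * (R[0] % q)) % q
def user_blind(m, R):                                         # returns blinding state and blinded e
    if R is None or R[0] % q == 0: raise ValueError("bad R from Signer")
    r, e2 = R[0] % q, hash_e(m)
    while True:                                               # rand2: R' = aR + bP with r' != 0
        a, b = rand(), rand()
        R2 = add(mul(a, R), mul(b, P))
        if R2 is not None and R2[0] % q: break
    r2 = R2[0] % q; e = a * e2 * r * pow(r2, -1, q) % q       # e = a e' r (r')^-1
    return (a, b, r, r2, e2, e), e
def user_unblind(Q, R, st, s):                                # checks sP = eR + rQ, then unblinds
    a, b, r, r2, e2, e = st
    if s is None or mul(s, P) != add(mul(e, R), mul(r, Q)): raise ValueError("invalid s from Signer")
    return r2, (s * r2 * pow(r, -1, q) + b * e2) % q          # s' = s r' r^-1 + b e'
def verify(Q, m, sig):                                        # standard GOST verification of (r', s')
    r2, s2 = sig
    if not (0 < r2 < q and 0 < s2 < q): return False
    v = pow(hash_e(m), -1, q)
    R2 = add(mul(s2 * v % q, P), mul(-r2 * v % q, Q))         # R' = (e')^-1 (s'P - r'Q)
    return R2 is not None and R2[0] % q == r2
def blind_sign(d, Q, m):                                      # Signer -> R -> User -> e -> Signer -> s -> User
    k, R = signer_step1(); st, e = user_blind(m, R)
    return user_unblind(Q, R, st, signer_step2(d, k, R, e))
```

The Signer never sees m, e' or (r', s'), and a card that returns a wrong s is caught by the User before any signature is released.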

Thus, the Camenisch scheme is a blind version of the GOST scheme and can be applied in systems implementing the GOST signature as the protection against backdoors in smart cards. It provides security against an external adversary and an adversary with an agent relying only on the security of the GOST signature scheme. Note that such a solution, in contrast to the solution from [2], does not need any additional assumptions about the smart card such as correct implementation of low-level arithmetic operations and the absence of failures. Moreover, it requires fewer computations on the smart card side.

6. Conclusion

The paper addressed the security issues that arise in signing systems when the smart card used for key storage and signing is believed to contain backdoors. A novel approach based on blind signature schemes to protect against backdoors has been proposed. It has been proven that weak versions of standard security properties (honest-signer blindness and honest-but-curious unforgeability) of blind signature scheme imply security against backdoors in smart cards.

Moreover, a concrete solution for the case of using the GOST signature scheme has been proposed. This solution is the well-known Camenisch blind signature scheme that provides perfect blindness. It was shown that the target security holds under the sole assumption that the GOST signature scheme provides standard security, i.e., is unforgeable under chosen message attack.

One of the most interesting directions for future research is the security analysis of our solution with regard to a stronger external adversary: an active adversary that has access to the smart card signing API (e.g. in the case when the smart card is not protected with a password or is connected to a malicious terminal).

This case corresponds to the standard unforgeability notion of blind signatures, where the user side is treated as a fully active adversary. There are two types of unforgeability notion, differing in whether the adversary can open sessions in parallel or not. In our application scenario, where the signer side is executed by a low-resource device, it is sufficient to consider the adversary's capability to open sessions sequentially only (this refers to the SEQ-OMUF notion [14]).

Note that the SEQ-OMUF security of the Camenisch scheme is still an open question (as well as for most ElGamal blind signature schemes), although there have been some positive results [14] for the Schnorr blind signature scheme.

REFERENCES

1. Alekseev E. K., Akhmetzyanova L. R., Oshkin I. B., and Smyshlyaev S. V. Obzor uyazvimostey nekotorykh protokolov vyrabotki obshchego klyucha s autentifikatsiey na osnove parolya i printsipy postroeniya protokola SESPAKE [A review of the password authenticated key exchange protocols vulnerabilities and principles of the SESPAKE protocol construction]. Matematicheskie Voprosy Kriptografii, 2016, vol. 7, iss. 4, pp. 7-28. (in Russian)

2. Alekseev E. K., Akhmetzyanova L. R., Bozhko A. A., and Smyshlyaev S. V. Bezopasnaya realizatsiya elektronnoy podpisi s ispol'zovaniem slabodoverennogo vychislitelya [Secure implementation of digital signature using semi-trusted computational core]. Matematicheskie Voprosy Kriptografii, 2021, vol. 12, iss. 4, pp. 5-23. (in Russian)

3. Wang Y. Password protected smart card and memory stick authentication against off-line dictionary attacks. D. Gritzalis, S. Furnell, and M. Theoharidou (eds.), Information Security and Privacy Research, Berlin, Heidelberg, Springer, 2012, pp. 489-500.

4. GOST R 34.10-2012. Informatsionnaya tekhnologiya. Kriptograficheskaya zashchita informatsii. Protsessy formirovaniya i proverki elektronnoy tsifrovoy podpisi. [GOST R 34.10-2012. Information Technology. Cryptographic Data Security. Signature and Verification Processes of Electronic Digital Signature]. Moscow, Standartinform Publ., 2012. (in Russian)

5. Chaum D. Blind signatures for untraceable payments. D. Chaum, R. L. Rivest, and A. T. Sherman (eds.), Advances in Cryptology. Boston, MA, Springer, 1983, pp. 199-203.

6. Camenisch J. L., Piveteau J. M., and Stadler M. A. Blind signatures based on the discrete logarithm problem. LNCS, 1995, vol. 950, pp. 428-432.

7. Bellare M. and Rogaway P. The security of triple encryption and a framework for code-based game-playing proofs. LNCS, 2006, vol. 4004, pp. 409-426.

8. Tessaro S. and Zhu C. Short pairing-free blind signatures with exponential security. LNCS, 2022, vol. 13276, pp. 782-811.

9. Juels A., Luby M., and Ostrovsky R. Security of blind digital signatures. LNCS, 1997, vol. 1294, pp. 150-164.

10. Fischlin M. and Mittelbach A. An Overview of the Hybrid Argument. Cryptology ePrint Archive, paper 2021/088, https://eprint.iacr.org/2021/088, 2021.

11. Akhmetzyanova L., Alekseev E., Babueva A., and Smyshlyaev S. On the (im)possibility of ElGamal blind signatures. Cryptology ePrint Archive, paper 2022/1128, https://eprint.iacr.org/2022/1128, 2022.

12. Harn L. and Xu Y. Design of generalised ElGamal type digital signature schemes based on discrete logarithm. Electronics Letters, 1994, vol. 30, pp. 2025-2026.

13. Fersch M. The provable security of Elgamal-type signature schemes. Doctoral Thesis, Ruhr-Universität Bochum, 2018.

14. Kastner J., Loss J., and Xu J. On pairing-free blind signature schemes in the algebraic group model. LNCS, 2022, vol. 13178, pp. 468-497.
