Key Substitution Attacks on Lattice Signature Schemes Based on SIS Problem

The notion of key substitution security for digital signatures in the multiuser setting was proposed by Menezes and Smart in 2004. Along with unforgeability, key substitution security is important because it is a prerequisite for the nonrepudiation and authentication properties of a signature. Lattice-based signatures are a promising candidate for post-quantum cryptography, and the unforgeability of each scheme has been relatively well studied. In this paper, we present key substitution attacks on BLISS, Lyubashevsky's signature scheme, and GPV, and thus show that these signature schemes do not provide nonrepudiation. We also suggest how to avoid key substitution attacks on these schemes.


Introduction
Classical cryptography based on the factoring or discrete-logarithm problem is vulnerable to cryptanalysis by quantum computers. To prepare a security plan for the emergence of quantum computing, NIST [1] and ETSI [2] are currently working to standardize public key algorithms in three categories, namely, digital signatures, public key encryption, and key exchange protocols. Among them, digital signatures are commonly used in authenticated key exchange protocols, software distribution, financial transactions, contract management software, and other cases where it is important to detect forgery or tampering.
The established security notion for digital signature schemes is existential unforgeability against adaptive chosen-message attacks, introduced by Goldwasser, Micali, and Rivest [3]. Although a signature scheme secure in this sense offers rather strong security guarantees, further requirements can be crucial in certain applications. For example, Koblitz, Menezes, and Smart [4, 5] showed that GMR security is not sufficient in a multiuser setting by proposing a new type of attack on digital signature schemes, called a key substitution attack. In a key substitution attack, an adversary is given a public key pk and a signature sig on a message under pk, and then tries to produce a new public key pk′ different from pk which validates the same signature sig on the same message under the new public key pk′.
A serious practical danger of key substitution attacks is that they not only undermine nonrepudiation but also make it impossible to authenticate the signer of a message. These are core functionalities that a digital signature offers. Nonrepudiation refers to the ability to ensure that a sender who signed a message or document cannot later deny having signed it. The US government standard for digital signatures states that nonrepudiation and authentication are main characteristics of a signature scheme [6]. In a key substitution attack, a successful attacker obtains a new public key pk′ which validates a given signature produced by the signer. As a result, one signature is valid under two different public keys, which defeats these functionalities of the signature scheme. In other words, the threat of the key substitution attack is that there are two (or more) different valid public keys for the same given signature.
A typical scenario where the key substitution attack has damaging consequences is the following. Suppose that Bob has signed an important contract with Alice. If Bob later wants to nullify the contract, he cannot claim that he did not sign it with Alice as long as the nonrepudiation property of the digital signature scheme works properly, because Alice can present the contract carrying Bob's signature under his public key pk_Bob as evidence that he is lying. However, if the signature scheme is subject to a key substitution attack, it loses its nonrepudiation function. Bob then insists that he has not signed the contract with Alice and that the signature on the contract presented by Alice is not what he signed. As proof of his claim, he mounts a key substitution attack to obtain a new public key pk′ different from pk_Bob and shows that the contract with the very same signature can be validated using the public key pk′. This means that it is hard to prove that Bob signed the contract with Alice using pk_Bob. This is a serious issue that weakens the usability of digital signature schemes in the real world, so it is crucial for a digital signature scheme to prevent key substitution attacks. It is noteworthy that the legitimate signer, Bob, can be a potential attacker in a key substitution attack. For more on the real-world impact of key substitution attacks, we refer to [4].
In this paper, we present key substitution attacks on lattice signature schemes based on the SIS problem, namely, the GPV signature scheme [7], Lyubashevsky's signature scheme [8], and BLISS [9]. Note that lattice-based cryptography is among the most promising candidates for post-quantum cryptography, and BLISS (Bimodal Lattice Signature Scheme) is currently one of the most compact and efficient lattice-based signature schemes that is provably secure under lattice assumptions.
We present two kinds of key substitution attacks. The first is the weak key substitution attack, in which the adversary, who may be a legitimate signer, wants to ruin the properties of the digital signature scheme by obtaining a new public and private key pair. This type of attack is considered in [10, 11], where e-coupon and e-lottery systems were presented as concrete examples. For instance, an electronic coupon (e-coupon) system works as follows. When issuing an e-coupon to a customer, in order to prevent illegal use of the e-coupon, the customer is required to sign it. The e-coupon is then signed by the issuer and issued to the customer as a legitimate buyer. Before redeeming the e-coupon at a store, the customer needs to show ownership of the e-coupon by a zero-knowledge proof of the secret key. Assume that a successful weak key substitution attacker Alice has a valid e-coupon and duplicates it with the same signature under pk′ and sk′. Then she can use the e-coupon multiple times to buy goods because she is able to prove that she owns the e-coupons using sk′. Moreover, if Alice sells copies of the e-coupon with pk′ and sk′ to unauthorized users, she profits financially and the illegitimate users obtain goods at the shop using the e-coupon with sk′.
The other is the strong key substitution attack, in which an adversary, not necessarily the signer, wants to compute a new public key validating a given signature. In this case the attacker may interfere with the communication between a signer and a verifier in order to achieve a malicious goal, as in the unknown key-share attack proposed in [12].
In our attacks on these signature schemes, we solve linear equations to obtain a valid new public key pk′ that passes the verification algorithm. One of the important requirements is that the hash value recomputed from the given sig and pk′ must still be correct. On the SIS-based signature schemes mentioned above, we succeed in substituting a new public key pk′ by exploiting algebraic structure specific to each signature scheme, without finding a collision of the hash function on the same message.
This paper is organized as follows. In Section 2, we introduce some necessary cryptographic and mathematical background, including the definitions of the SIS problem and the key substitution attack. In Section 3, we recall three lattice-based signature schemes, namely, GPV signature [7], Lyubashevsky's signature [8], and BLISS [9], and present key substitution attacks on these schemes. In Section 4, we examine the effectiveness of the proposed attacks and explain how to avoid key substitution attacks on these schemes. In Section 5, we conclude the paper.

Preliminaries
2.1. Notations. We assume that all vectors are column vectors and write them in bold lower case letters. Matrices are written in upper case letters. The ℓ_p norm of a vector k is denoted by ‖k‖_p, and we usually omit the subscript for the ℓ_2 norm. For a distribution D, the notation ← D means that an element is chosen according to the distribution D; if the right-hand side is a set instead, ←$ means that the element is chosen uniformly at random from that set. For two integers, the interval notation [·, ·] denotes the set of consecutive integers from the first to the second.

Some Basics on Lattices
If  = , we say that L is full-rank.
The minimum distance of a lattice L (with subscript 1) is the length of its shortest nonzero vector in the ℓ_2 norm, min_{x ∈ L\{0}} ‖x‖. We write the superscript ∞ on it to denote the minimum distance of L in the ℓ_∞ norm. More generally, the k-th minimum of L, with subscript k, is defined as the smallest length such that L contains at least k linearly independent vectors of at most that length.
The volume of the fundamental parallelepiped of a basis is an invariant of the lattice L, denoted det(L). Minkowski's theorem states that the minimum distance of L is at most √n · det(L)^{1/n}. The dual lattice of L is denoted by L*. The following background results are borrowed from [13, Section 2]. Let n be a power of 2, let Φ be the polynomial ( )^n + 1, and let R = Z[ ]/Φ. An ideal of R is a subset of R which is closed under addition and under multiplication by arbitrary elements of R. By mapping polynomials to the vectors of their coefficients, we can see that a nonzero ideal corresponds to a full-rank sublattice of Z^n. An ideal lattice for Φ is a sublattice of Z^n that corresponds to a nonzero ideal of R. The algebraic norm N(·) of an ideal is the cardinality of the quotient of R by it, and it equals the determinant of the ideal regarded as a lattice. For any nonzero ideal of R, the n-th minimum equals the first minimum.
For an integer q, the elements of Z_q are represented by integers in the range [−(q − 1)/2, (q − 1)/2). Let A ∈ Z_q^{n×m} for some positive integers n, m, q. We consider two kinds of full-rank m-dimensional integer lattices defined by A. The first consists of the integer vectors that are orthogonal (modulo q) to the rows of A, and it is defined as L^⊥(A) = {e ∈ Z^m : Ae ≡ 0 mod q}. The second lattice is generated by the transposed rows of A, and it is defined as L(A) = {y ∈ Z^m : y ≡ A^T s mod q for some s ∈ Z^n}. In the terminology of coding theory, A is the parity check matrix for the linear code {e ∈ Z_q^m : Ae ≡ 0 mod q} over Z_q, and A^T is the generator matrix for the lattice {y ∈ Z_q^m : y ≡ A^T s mod q} over Z_q. When A is clear from the context, we omit it and just write L and L^⊥.
Micciancio and Regev [14] introduced a lattice quantity called the smoothing parameter.
The following lemma also shows that the smoothing parameter of a lattice is related to the minimum distance of its dual lattice in the ℓ_∞ norm, or to the k-th minimum of the lattice.

SIS Problems on Lattices.
We recall the definition of the generalized Short Integer Solution (SIS) problem. This average-case problem, proposed by Ajtai [16], is to find a short nonzero integer solution e ∈ Z^m to the homogeneous linear system Ae ≡ 0 mod q for uniformly random A ∈ Z_q^{n×m}. This is syntactically equivalent to finding an approximately short nonzero vector in L^⊥(A). The problem was formalized as follows in [14].
By the pigeonhole principle, if the norm bound β satisfies β ≥ √m · q^{n/m}, then SIS instances are guaranteed to have a solution. We now recall a variant problem, which is to find a short solution to a random inhomogeneous system, specifically, Ae ≡ u mod q (where both A and u are uniformly random).

Probability Distributions.
The continuous normal distribution over R^m centered at k with standard deviation σ, and the discrete normal distribution over an m-dimensional lattice L centered at some k ∈ L with standard deviation σ, are defined in the usual way; the normalizing constant of the latter is just a scaling quantity needed to make the function into a probability distribution. When L = Z^m, we write D^m_{L,k,σ} as D^m_{k,σ}, and D^m_σ denotes D^m_{k=0,σ}. When m = 1, we write D^1_σ as D_σ. The following lemma shows the equivalence of two distributions, which is used in the construction of Lyubashevsky's signature scheme [8] and BLISS [9].
Lemma 7 (rejection sampling [9]). Let h be a probability distribution on an arbitrary index set and let a target probability distribution on Z^m be given. If g_V : Z^m → R is a family of probability distributions indexed by the elements V of that set, with the property that there exists a constant such that, for all V and all z ∈ Z^m, the constant times g_V(z) is at least the target probability of z, then the output distributions of the following two algorithms are identical: (1) V ← h, z ← g_V, output (z, V) with probability equal to the target probability of z divided by the constant times g_V(z); (2) V ← h, z ← the target distribution, output (z, V) with probability 1 over the constant.
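As an added worked example (not from the paper or from BLISS), the following Python computes the output distributions of the lemma's two algorithms exactly, using f for the target distribution on Z^m, g_v for the family indexed by v, and M for the constant with M·g_v(z) ≥ f(z); these three names are my labels for the lemma's symbols, and the distributions are constructed toy ones over {−1, 0, 1} rather than discrete Gaussians. The check shows that algorithm (1), which samples from g_v and accepts with probability f(z)/(M·g_v(z)), yields the same joint distribution as algorithm (2), so an accepted z carries no information about the index v (in a signature, v plays the role of the secret-dependent shift Sc).

```python
from fractions import Fraction

# Constructed toy instance of the rejection-sampling lemma (exact arithmetic).
# f    : target distribution on a finite set of integers (stands in for D^m_sigma)
# g[v] : family of shifted distributions indexed by v (stands in for D^m_{Sc,sigma})
# h    : distribution over the index set V
f = {-1: Fraction(1, 3), 0: Fraction(1, 3), 1: Fraction(1, 3)}
g = {
    "a": {-1: Fraction(1, 2), 0: Fraction(1, 4), 1: Fraction(1, 4)},
    "b": {-1: Fraction(1, 4), 0: Fraction(1, 4), 1: Fraction(1, 2)},
}
h = {"a": Fraction(1, 2), "b": Fraction(1, 2)}


def smallest_m(f, g):
    """Smallest M with M * g_v(z) >= f(z) for every v and z (the lemma's hypothesis)."""
    ratios = []
    for gv in g.values():
        for z, fz in f.items():
            if fz > 0 and gv.get(z, Fraction(0)) == 0:
                raise ValueError("g_v must put mass wherever f does")
            if fz > 0:
                ratios.append(fz / gv[z])
    return max(ratios)


def algorithm_1(h, g, f, m):
    """Exact output distribution of: v <- h, z <- g_v, output (z, v) w.p. f(z) / (M g_v(z))."""
    out = {}
    for v, hv in h.items():
        for z, gz in g[v].items():
            accept = min(Fraction(1), f.get(z, Fraction(0)) / (m * gz))
            out[(z, v)] = out.get((z, v), Fraction(0)) + hv * gz * accept
    return {key: p for key, p in out.items() if p > 0}


def algorithm_2(h, f, m):
    """Exact output distribution of: v <- h, z <- f, output (z, v) w.p. 1/M."""
    return {(z, v): hv * fz / m for v, hv in h.items() for z, fz in f.items()}


def distributions_match(h, g, f):
    """Return (True iff both algorithms agree exactly, the constant M used)."""
    m = smallest_m(f, g)
    return algorithm_1(h, g, f, m) == algorithm_2(h, f, m), m


if __name__ == "__main__":
    ok, m = distributions_match(h, g, f)
    print("M =", m, "identical output distributions:", ok)
    print("probability that some output is produced:", sum(algorithm_1(h, g, f, m).values()))
```

The total mass of the output equals 1/M, which is the acceptance rate: the smaller the shift relative to σ (the closer g_v is to f), the closer M is to 1 and the fewer restarts the signer needs.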

Signatures and Key Substitution Attack.
In this section we recall the definition of digital signature schemes and introduce the key substitution attack against it.
Definition 8 (signature scheme [11]). A signature scheme S is a triple of algorithms (KeyGen, Sign, Verify), where, for security parameter κ, (i) KeyGen(1^κ), the key pair generation algorithm, is a probabilistic polynomial-time algorithm which outputs a private/public key pair (sk, pk) on input of domain parameters pp, which are an output of the setup algorithm taking the security parameter κ as input; (ii) Sign(pp, sk, μ), the signature generation algorithm, is a probabilistic polynomial-time algorithm which, on input of a message μ and a private key sk associated with domain parameters pp, outputs a digital signature sig; (iii) Verify(pp, pk, μ, sig), the signature verification algorithm, is a deterministic algorithm which, on input of a message μ, a signature sig, valid domain parameters pp, and a public key pk, outputs 1 (= valid) or 0 (= invalid).
A digital signature scheme is secure if it is correct and existentially unforgeable under adaptive chosen-message attack (EUF-CMA). These properties are defined below. For simplicity, we omit the input pp in Sign and Verify and just write Sign(sk, μ) and Verify(pk, μ, sig).
Definition 9 (correctness). A digital signature scheme (KeyGen, Sign, Verify) is correct if for all κ ∈ N, all key pairs (sk, pk) ∈ KeyGen(1^κ), and all messages μ we have Pr[Verify(pk, μ, Sign(sk, μ)) = 1] = 1.
Definition 10 (EUF-CMA). A digital signature scheme (KeyGen, Sign, Verify) is existentially unforgeable under adaptive chosen-message attacks if for all probabilistic polynomial-time algorithms A with access to a signing oracle Sign(sk, ⋅) there is a negligible function bounding the probability that A outputs a valid message/signature pair whose message is not in the set of queries A made to the signing oracle.
We consider an additional checking algorithm Check to check the validity of a public key pk.Given the domain parameters pp and a candidate public key pk, the checking algorithm Check(pp, pk) returns 1 if and only if the pk is valid under the domain parameters pp.
Definition 11 (key substitution attack [11]). Given a signature scheme S, a key substitution attack (with malicious signer) is a probabilistic polynomial-time algorithm A which, on input of valid domain parameters pp, outputs two valid public keys pk and pk′ (passing the tests for KeyGen(pp, pk) and Check(pp, pk′)) and a message/signature pair (μ, sig) where Verify(pp, pk, μ, sig) = 1 and Verify(pp, pk′, μ, sig) = 1. When certificates are taken into account, the key substitution attacker has access to a certification oracle.
A key substitution attack is called weak if an adversary also needs to output private keys sk and sk 耠 corresponding to pk and pk 耠 , respectively; otherwise key substitution attack is called strong.A digital signature scheme is strong (resp., weak) key substitution secure if it is secure against strong (resp., weak) key substitution attacks.
Remark 12. When considering the nonrepudiation property of signature schemes, it is important to note that legitimate signers must be counted as attackers, since repudiating a signature is a malicious goal of a legitimate signer.

Remark 13.
A more general version of the key substitution attack, called the message and key substitution (MKS) attack by Menezes and Smart [5], lets the adversary generate a valid public key pk′ ≠ pk and a different message such that the same signature sig, valid on the original message under pk, is also valid on the new message under pk′. In [5], Menezes and Smart regarded MKS as an attack of little significance, since signatures by themselves have no meaning and they could not envision a realistic scenario where this ability has damaging consequences.

Key Substitution Attacks on SIS-Based Signature Schemes
In this section, we describe three SIS-based signature schemes: the GPV signature scheme [7], Lyubashevsky's signature scheme [8], and BLISS [9]. We present strong key substitution attacks on these schemes. We also provide weak key substitution attacks in which a legitimate signer acts as the attacker; this implies that these signature schemes have a problem in providing the nonrepudiation property, even if the certificate authority requires users to prove possession of their private key before issuing certificates. We note that even though our weak key substitution attacks do not succeed when the attacker is not the original signer, it can at least be said that there may be a problem in providing nonrepudiation with these signature schemes.

Attacks on GPV Signature Scheme
Description of GPV Signature Scheme.First, we present key substitution attacks on GPV signature scheme designed by Gentry, Peikert, and Vaikuntanathan [7].Before continuing, we briefly describe the key generation algorithm KeyGen.GPV, signature generation algorithm Sign.GPV, and signature verification algorithm Verify.GPV of the GPV signature scheme.
KeyGen.GPV(1^κ): On the given input 1^κ, the algorithm samples a pair of matrices (A, T), where A ∈ Z_q^{n×m} is a matrix of rank n over Z_q and T ∈ Z^{m×m} is a matrix of rank m over R satisfying AT ≡ 0 mod q, and max_{1≤i≤m} ‖t_i‖ is within the prescribed bound, where t_i denotes the i-th column vector of T. The key generation algorithm also sets a collision resistant hash function from {0, 1}* to Z_q^n and outputs public parameters pp and the key pair (pk = A, sk = T).
Sign.GPV(pp, sk, μ ∈ {0, 1}*): On the given inputs pp, sk, and a message μ, the algorithm computes y as the hash of μ in Z_q^n and finds c ∈ Z^m such that Ac ≡ y mod q. The signing algorithm also samples z ← D_{L^⊥, β, −c} satisfying Az ≡ 0 mod q and ‖z + c‖ within the bound, using the short basis of L^⊥_A induced from sk = T. The signing algorithm finally outputs sig_μ = z + c ∈ Z^m as a signature of the message μ.
Verify.GPV(pk, pp, μ, sig_μ): On the given inputs pk, pp, μ, sig_μ, the algorithm outputs 1 (= valid) if and only if ‖sig_μ‖ is within the bound and A ⋅ sig_μ ≡ (hash of μ) mod q.
Strong Key Substitution Attack. We present a strong key substitution attack on the GPV signature scheme. Suppose that a valid signature sig_μ ∈ Z^m on a message μ ∈ {0, 1}* under the public key pk = A ∈ Z_q^{n×m} is given. One proceeds as follows to obtain a new public key pk′ such that sig_μ is a valid signature on the message μ under this new public key pk′.
(3) Output pk′ = A′ and sig_μ as a signature on μ under the public key pk′.
The validity of sig_μ as a signature on the message μ under the new public key pk′ follows from the facts below:
Weak Key Substitution Attack. We now present a weak key substitution attack on the GPV signature scheme. In the proposed attack, we assume that the signer acts as the attacker in order to undermine the nonrepudiation property of the signature scheme, so the attacker knows sk = T.
Suppose that a valid signature sig_μ ∈ Z^m on a message μ ∈ {0, 1}* under the public key pk = A ∈ Z_q^{n×m} is given. The attacker proceeds as follows to obtain a new public key pk′ and the corresponding private key sk′ such that sig_μ is a valid signature on the message μ under this new public key pk′.
(3) Output pk′ = A′ and sig_μ as a signature on the message μ under the public key pk′, and output T as the private key of pk′.
Noting that the private key sk = T corresponding to the public key pk = A satisfies A′ ⋅ T ≡ (·) ⋅ A ⋅ T ≡ 0 mod q, we see that T is also a private key of the new public key pk′ = A′. Thus, the attacker who knows sk also knows the private key sk′ of pk′. The validity of sig_μ as a signature on the message μ under the new public key pk′ follows from the facts below: (i) ‖sig_μ‖ is within the bound since sig_μ is a valid signature.
(ii) A′ ⋅ sig_μ ≡ (hash of μ) mod q, since we have
Therefore, the attacker, who was the original signer, has succeeded in a weak key substitution attack on the GPV signature scheme.

Attacks on Lyubashevsky's Signature Scheme
Description of Lyubashevsky's Signature Scheme. We describe Lyubashevsky's signature scheme based on the SIS problem [8].
Sign.LYU(pp, sk, μ ∈ {0, 1}*): On the given inputs pp, sk, and a message μ, the algorithm samples an m-dimensional vector y from D^m_σ, computes c from y and μ via the hash function, and obtains z ≡ Sc + y mod q, to which the rejection sampling algorithm is applied. The signing algorithm outputs (z, c) as a signature only with probability min{D^m_σ(z)/D^m_{Sc,σ}(z), 1}. If nothing is output, the algorithm is run again until a signature is produced.
Verify.LYU(pp, pk, μ, sig = (z, c)): On the given inputs pp, pk, μ, sig_μ, the algorithm outputs 1 if and only if ‖z‖ is within the bound and c equals the hash recomputed from z, c, the public key, and μ.
Strong Key Substitution Attack. Suppose that a valid signature sig_μ = (z, c) ∈ Z_q^m × Z_q^k on a message μ ∈ {0, 1}* under the public key pk ∈ Z_q^{n×k} is given. One proceeds as follows to obtain a new public key pk′ such that sig_μ is a valid signature on the message μ under the new public key pk′.
(1) Compute a matrix in Z_q^{n×k} whose product with c is ≡ 0 mod q. Such a matrix is easy to compute, in the same way as described in the strong key substitution attack on the GPV signature scheme.
(3) Output pk′ and sig_μ as a signature on the message μ under the public key pk′.
The validity of sig_μ = (z, c) ∈ Z_q^m × Z_q^k as a signature on the message μ under the new public key pk′ follows from the facts below:
Weak Key Substitution Attack. We now present a weak key substitution attack on Lyubashevsky's signature scheme. Suppose that a valid signature sig_μ = (z, c) ∈ Z_q^m × Z_q^k on a message μ ∈ {0, 1}* under the public key pk ∈ Z_q^{n×k} is given. As remarked before, the signer is the attacker, and it is assumed that the attacker knows sk = S such that pk ≡ AS mod q. The attacker proceeds as follows to obtain a new public key pk′ such that sig_μ is a valid signature on the message μ under the new public key pk′.
(3) Output pk′ and sig_μ as a signature on μ under the public key pk′.
Note that sk′ = S + S′ is a valid private key corresponding to pk′, since pk′ ≡ (pk + A ⋅ S′) ≡ A ⋅ (S + S′) mod q and S + S′ still has entries in the required range. Therefore, the attacker, who knows sk = S such that pk ≡ AS mod q, also knows the private key sk′ = S + S′ of pk′. The validity of sig_μ = (z, c) ∈ Z_q^m × Z_q^k as a signature on the message μ under the new public key pk′ follows from the facts below:
Therefore, the attacker, who was the original signer, has succeeded in a weak key substitution attack on Lyubashevsky's signature scheme.

Attacks on BLISS Signature Scheme
BLISS [9] is possibly one of the most efficient lattice-based signature schemes. It has been implemented in both software and hardware and boasts implementation efficiency comparable to classical factoring- and discrete-logarithm-based schemes. BLISS can be seen as a ring-based optimization of the earlier lattice-based scheme of Lyubashevsky, sharing the same "Fiat-Shamir with aborts" structure.
The security of the BLISS signature scheme is based on the hardness of the R-SIS_{q,n,m,β} problem, which is the ring variant of the SIS problem. We first describe the matrix version of the BLISS signature scheme and then explain its ring version. For more detailed descriptions and the definition of the R-SIS_{q,n,m,β} problem, we refer to [9]. The scheme construction and proof for the matrix version work equally well for the ring version, when instantiated with polynomials.
In this subsection, we assume that q is a prime such that q ≡ 1 (mod 2n) and that n is a power of 2. We define the quotient rings R_q = Z_q[ ]/( ^n + 1) and R_{2q} = Z_{2q}[ ]/( ^n + 1).
Let B = {0, 1} and T = {−1, 0, 1} be the sets of binary and ternary integers, respectively. We define B^n_ω (resp., T^n_ω) as the set of binary (resp., ternary) vectors of length n and Hamming weight ω (i.e., vectors with exactly ω out of n nonzero entries). Depending on the context, we consider B^n_ω and T^n_ω as subsets of Z^n_{2q} or of R_{2q}, and regard bold lower case letters as vectors or as polynomials. For every integer in the range [−q, q) and any positive integer, the integer can be uniquely written

Matrix Version of BLISS
Description of the Matrix Version of BLISS. We describe the key generation algorithm KeyGen.mBLISS, the signature generation algorithm Sign.mBLISS, and the verification algorithm Verify.mBLISS of the matrix version of the BLISS signature scheme.
Note that the signer outputs the signature (z, c) where z is distributed according to D^m_σ. This can be seen from Lemma 7 by taking
Strong Key Substitution Attack. We present a strong key substitution attack on the matrix version of the BLISS signature scheme.
Suppose that a valid signature on a message μ ∈ {0, 1}* under the public key pk = A ∈ Z_{2q}^{n×m} is given. One proceeds as follows to obtain a new public key pk′ such that the signature sig_μ = (z, c) is a valid signature on the message μ under the new public key pk′.
To succeed in a strong key substitution attack, it is enough to find a new matrix A′ ∈ Z_{2q}^{n×m} such that c equals the hash of (A′z + qc mod 2q, μ), which holds when A′z ≡ Az mod 2q. In the following we show how to find such a matrix A′.
(4) Output pk′ = A′ and sig_μ = (z, c) as a signature on the message μ under the public key pk′.
We note that the validity of sig_μ = (z, c) as a signature on the message μ under pk′ = A′ can be checked as follows: (i) ‖z‖_2 is within the ℓ_2 bound and ‖z‖_∞ < q/4 since sig_μ is a valid signature.
Weak Key Substitution Attack. We now present a weak key substitution attack on the matrix version of the BLISS signature scheme. Suppose that a valid signature on a message μ ∈ {0, 1}* under the public key pk = A ∈ Z_{2q}^{n×m} is given. The signer, who owns pk = A and sk = S such that AS is congruent to q times the n×n identity mod 2q, proceeds as follows to obtain a new public key pk′ = A′ and the corresponding private key sk′ = S′ such that the signature sig_μ = (z, c) is a valid signature on the message μ under the new public key pk′. To succeed in a weak key substitution attack, it is sufficient to find matrices A′ and S′ such that A′z ≡ Az mod 2q and A′S′ is congruent to q times the n×n identity mod 2q.
In the following we show how to find such matrices A′ and S′.
(a) Computing such a matrix is easy if z ≢ 0 mod q. We first compute a matrix in Z_q^{n×n} whose product with z is ≡ 0 mod q. We then set the required matrix to 2 times it plus the n×n identity scaled by q, reduced mod 2q. It is clear that the result is congruent to the scaled identity mod 2 and that its product with z is congruent to the scaled identity times z mod q.
The validity of sig_μ = (z, c) as a signature on the message μ under the public key pk′ = A′ can be checked as follows: (i) ‖z‖_2 is within the ℓ_2 bound and ‖z‖_∞ ≤ q/4 since sig_μ is a valid signature.
(ii) c equals the hash of (A′z + qc mod 2q, μ), from the following equations:
Therefore, the signer of the signature sig_μ = (z, c) succeeds in a weak key substitution attack on the matrix version of the BLISS signature scheme.
Strong Key Substitution Attack. Suppose that a valid signature on a message μ ∈ {0, 1}* under the public key pk = (a_1, q − 2) ∈ R_{2q} × R_{2q} is given. One proceeds as follows to obtain a new public key pk′ such that the signature sig_μ is a valid signature on the message μ under the new public key pk′.
Since we want to find pk′ = (a′_1, q − 2) satisfying the verification equation, where (q − 2) ≡ 1 mod 2, it suffices to find a′_1 ∈ R_{2q} such that a′_1 z_1 ≡ a_1 z_1 mod 2q. To find such a polynomial a′_1, we consider the greatest common divisor of z_1 and the modulus polynomial ( )^n + 1. Let g_q be the gcd of z_1 and the modulus polynomial modulo q, and let g_2 be the gcd of z_1 and the modulus polynomial modulo 2. Since q ≡ 1 mod 2n, the modulus polynomial factors completely into a product of n distinct linear polynomials modulo q; that is,
Since n is a power of two, the modulus polynomial is moreover congruent to ( + 1)^n mod 2.
In both cases, the validity of sig_μ = (z_1, z†_2, c) as a signature on the message μ under the public key pk′ can be checked as follows:
As described, our attack succeeds when z_1 is noninvertible in R_2 or z_1 is noninvertible in R_q. Note that the signer outputs the signature (z_1, z†_2, c) where z_1 is distributed according to D^n_σ, by Lemma 7. Therefore it is enough to estimate the success probability of our attack for z_1 ← D^n_σ. To compute the success probability, we first consider the case that z_1 is noninvertible in R_2. Recall that, by Lemma 2, if σ is at least the smoothing parameter of 2Z^n, then the distribution of (D^n_σ mod 2Z^n) is within statistical distance at most 2ε of uniform over (Z^n mod 2Z^n). Noting that (2Z^n)* = (1/2)Z^n and that its minimum distance in the ℓ_∞ norm is 1/2, by Lemma 3 we obtain an explicit threshold for σ. Therefore, if σ is at least 2√ln(2/(1 + 1/ε)) divided by that constant, the distribution of (D^n_σ mod 2Z^n) is uniform over Z^n/2Z^n ≅ Z^n_2 within statistical distance at most 2ε. Hence, for z_1 ← D^n_σ, the probability that z_1 is not invertible in R_2 is at least 1/2 − 2ε. This is summarized in the following theorem.
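The two invertibility conditions above can be checked directly. The following Python (an added example, not code from the paper or from BLISS) decides whether a polynomial z is a unit of R_2 and of R_q using the two factorizations just described, and estimates the R_2 non-invertibility rate for rounded-Gaussian coefficients, which the analysis above puts near 1/2. The toy parameters q = 17, n = 4 and all function names are my own choices, and the sampler uses a rounded continuous Gaussian as a stand-in for D^n_σ.

```python
import random


def poly_eval(z, x, mod):
    """Evaluate z(x) mod `mod` by Horner's rule; z[i] is the coefficient of the i-th power."""
    acc = 0
    for coeff in reversed(z):
        acc = (acc * x + coeff) % mod
    return acc


def roots_of_x_n_plus_1(q, n):
    """For prime q ≡ 1 (mod 2n) the modulus polynomial splits into n distinct linear
    factors over Z_q; its roots are exactly the r with r^n ≡ -1 (mod q).
    Brute force is fine for toy q (and still fast for q = 12289)."""
    if (q - 1) % (2 * n) != 0:
        raise ValueError("need q ≡ 1 (mod 2n)")
    roots = [r for r in range(1, q) if pow(r, n, q) == q - 1]
    assert len(roots) == n
    return roots


def invertible_in_rq(z, q, n):
    """z is a unit of R_q iff gcd(z, modulus) = 1 over Z_q, i.e. z(r) ≠ 0 at every root r
    (Chinese remainder theorem over the n linear factors)."""
    if len(z) != n:
        raise ValueError("z must have exactly n coefficients")
    return all(poly_eval(z, r, q) != 0 for r in roots_of_x_n_plus_1(q, n))


def invertible_in_r2(z):
    """Mod 2 with n a power of two the modulus is (x+1)^n, so gcd(z, modulus) = 1 iff
    (x+1) does not divide z, i.e. z(1) is odd: an odd number of odd coefficients."""
    return sum(z) % 2 == 1


def noninvertible_in_either(z, q, n):
    """The condition under which the paper's ring attack applies to z = z_1."""
    return not invertible_in_r2(z) or not invertible_in_rq(z, q, n)


def fraction_noninvertible_in_r2(n, sigma, trials, seed=0):
    """Monte-Carlo estimate of Pr[z not a unit of R_2] for rounded-Gaussian z (constructed sampler)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        z = [round(rng.gauss(0.0, sigma)) for _ in range(n)]
        hits += not invertible_in_r2(z)
    return hits / trials


if __name__ == "__main__":
    print("roots of the modulus mod 17 for n = 4:", roots_of_x_n_plus_1(17, 4))
    print("1 is a unit of R_17:", invertible_in_rq([1, 0, 0, 0], 17, 4))
    print("x - 2 is a unit of R_17:", invertible_in_rq([15, 1, 0, 0], 17, 4))
    print("estimated Pr[not a unit of R_2]:", fraction_noninvertible_in_r2(16, 10.0, 4000))
```

The R_2 test is a parity count, so it costs O(n); the R_q test needs the n roots once per parameter set and then n polynomial evaluations per signature.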

Attack Possibility and Its Defense
4.1. Possibility of Key Substitution Attacks. In general, there are two ways for a certificate authority to register a new user as the owner of a public key. One is that the certificate authority (CA) requires users to prove possession of their private key, using a zero-knowledge proof, before issuing certificates. The other is that the CA only checks whether the public key differs from every previously issued one.
Clearly, if the CA only checks the freshness of public keys before issuing certificates, then by our strong key substitution attacks the GPV signature scheme, Lyubashevsky's signature scheme, and BLISS do not provide the nonrepudiation property.
Thus, a simple and natural way to prevent strong key substitution attacks is to require that the CA issue a certificate only after checking possession of the private key using a zero-knowledge proof. The problem with this solution is that all known approaches to lattice-based zero-knowledge proofs are impractical. The first zero-knowledge proofs in the lattice setting were introduced by Kawachi et al. and Ling et al. [17, 18]. For 128 bits of quantum security, one of the most basic applications [19] requires 400 KB of total proof size, and more complicated applications need several megabytes. Baum and Lyubashevsky [20] give a new approach for constructing amortized zero-knowledge proofs of knowledge of short solutions over polynomial rings. When the number of relations is as small as the security parameter, their proof is practical; however, as the number of samples increases, the protocol has the same efficiency as the previous works. More research on lattice-based zero-knowledge proofs is still needed to design efficient lattice-based authentication systems.
Even if the CA issues certificates only after a zero-knowledge proof, providing the nonrepudiation property still requires that the underlying signature scheme be secure against weak key substitution attacks, since any malicious signer can be a successful weak key substitution attacker and repudiate a valid signature in the system. Our weak key substitution attacks on the GPV signature scheme, Lyubashevsky's signature scheme, and BLISS show that these schemes cannot provide nonrepudiation of signatures.

How to Prevent Key Substitution Attacks.
Another way to prevent key substitution attacks is to modify the signature scheme to resist them. Menezes and Smart [5] took such an approach and suggested a method, which we call the MS conversion, that converts a signature scheme Σ into a new signature scheme MS-Σ by prepending the signer's public key to the message in some unambiguous way prior to signing (for example, a field of fixed length may be reserved for the public key). By using formatted messages specific to each public key, the goal of a key substitution attack against Σ becomes computing (pk′, pk′ ‖ μ, sig) from a valid triple (pk, pk ‖ μ, sig), which Menezes and Smart [5] regarded as meaningless since it is a message and key substitution (MKS) attack against MS-Σ.
However, we note that the MS conversion is not enough to guarantee the original meaning of KS security without also considering MKS security. The specific MKS attack of computing (pk′, pk′ ‖ μ, sig) means that anyone can use it to claim that the signature sig on the message μ was produced by the user with public key pk′, which is exactly the goal of a key substitution attack. Therefore, it is important to check the infeasibility of computing (pk′, pk′ ‖ μ, sig) from a valid triple (pk, pk ‖ μ, sig) in the MS conversion in order to guarantee security against key substitution attacks. From our analysis, it is straightforward to prove that the MS-Lyubashevsky signature scheme and the MS-BLISS signature scheme are secure against key substitution attacks if the hash function is collision resistant.
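As an added illustration of the MS conversion (not code from the paper or from any implementation of the schemes it discusses), the following Python builds a toy Fiat-Shamir-style scheme with the verification shape of Lyubashevsky's scheme, c = H(Az − Tc mod q, message), and then binds the public key into the hashed message exactly as the conversion prescribes. The names keygen, sign, verify and bind_pk, the toy parameters, and the choice of a 4-byte length prefix as the "unambiguous" public-key field are all my assumptions; the toy omits rejection sampling, so it is not a secure signature scheme, only a vehicle for the binding step.

```python
import hashlib
import random

# Constructed toy parameters (far too small to be secure; for illustration only).
Q, N, M, K = 257, 4, 8, 32   # modulus, rows of A, columns of A, length of c
D, B = 1, 20                 # entries of S lie in [-D, D], entries of y in [-B, B]
Z_BOUND = B + D * K          # infinity-norm bound checked by the verifier


def matvec(a, v, q):
    """(a · v) mod q for a matrix a given as a list of rows."""
    return [sum(r * x for r, x in zip(row, v)) % q for row in a]


def bind_pk(pk_bytes, mu):
    """MS conversion: an unambiguous encoding of (pk, mu). The 4-byte length
    prefix is the 'fixed-length field' that makes pk ‖ mu injective."""
    return len(pk_bytes).to_bytes(4, "big") + pk_bytes + mu


def serialize_pk(pk):
    """Fixed-width encoding of pk = (A, T); all entries are reduced mod Q < 2**16."""
    a, t = pk
    flat = [x for row in a for x in row] + [x for row in t for x in row]
    return b"".join(x.to_bytes(2, "big") for x in flat)


def hash_to_c(w, msg):
    """H(w, msg) -> c in {0,1}^K, taken from the bits of SHA-256 over the encoded pair."""
    digest = hashlib.sha256(b"".join(x.to_bytes(2, "big") for x in w) + b"|" + msg).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(K)]


def keygen(rng):
    """pk = (A, T = A·S mod q), sk = S with small entries."""
    a = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s = [[rng.randint(-D, D) for _ in range(K)] for _ in range(M)]
    t = [[sum(a[i][j] * s[j][l] for j in range(M)) % Q for l in range(K)] for i in range(N)]
    return (a, t), s


def sign(pk, sk, mu, rng, ms=True):
    """y small, c = H(A·y, msg), z = S·c + y. With ms=True the hashed message is
    the MS-converted bind_pk(pk, mu); with ms=False it is the bare mu."""
    a, _ = pk
    msg = bind_pk(serialize_pk(pk), mu) if ms else mu
    y = [rng.randint(-B, B) for _ in range(M)]
    c = hash_to_c(matvec(a, y, Q), msg)
    z = [sum(sk[j][l] * c[l] for l in range(K)) + y[j] for j in range(M)]
    return z, c


def verify(pk, mu, sig, ms=True):
    """Accept iff z is short and c = H(A·z − T·c mod q, msg); note A·z − T·c ≡ A·y."""
    a, t = pk
    z, c = sig
    if len(z) != M or len(c) != K or max(abs(x) for x in z) > Z_BOUND:
        return False
    tc = [sum(t[i][l] * c[l] for l in range(K)) for i in range(N)]
    w = [(az - x) % Q for az, x in zip(matvec(a, z, Q), tc)]
    msg = bind_pk(serialize_pk(pk), mu) if ms else mu
    return hash_to_c(w, msg) == c


def demo(seed=7):
    """Round trip under pk, then the same signature checked under another key,
    another message, and with/without the MS binding."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    mu = b"contract: Bob pays Alice"          # constructed sample message
    sig = sign(pk, sk, mu, rng)
    other_pk, _ = keygen(rng)
    return {
        "valid_under_pk": verify(pk, mu, sig),
        "valid_other_message": verify(pk, mu + b"!", sig),
        "valid_under_other_pk": verify(other_pk, mu, sig),
        "unbound_sig_rejected_by_ms": not verify(pk, mu, sign(pk, sk, mu, rng, ms=False)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the verifier recomputes the hash over bind_pk(pk′, μ) rather than over μ alone, any candidate pk′ changes the hash input itself, so the remaining question is exactly the MKS problem discussed in the text, not the linear-algebra problem the attacks above solve. The length prefix matters: plain concatenation is ambiguous (b"ab" + b"c" equals b"a" + b"bc"), whereas bind_pk keeps the two fields separable.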
Unlike Fiat-Shamir type signature schemes such as Lyubashevsky's signature scheme and BLISS, the collision resistance of the hash function is not enough for the MKS security of the MS-GPV signature scheme. The MKS security of the MS-GPV scheme leads to the following new problem: given (A, sig_μ, μ) such that A ⋅ sig_μ ≡ (hash of A ‖ μ) mod q, compute a new A′ satisfying A′ ⋅ sig_μ ≡ (hash of A′ ‖ μ) mod q. One can solve this new problem as follows: for a given (A, sig_μ, μ),
Step 3. Output A′ = (·)_Y ⋅ A mod q.
It is clear that A′ ⋅ sig_μ ≡ (hash of A′ ‖ μ) mod q. The hardness of this new problem has not been studied for the parameters of the GPV signature. This is somewhat heuristic, and more research is needed to assess the hardness of the problem; we expect it to be easier than classical computational problems such as the collision resistance of a hash function or the SIS problem.
Table 1 summarizes the results of our key substitution attacks on three signature schemes and MS conversion.

Conclusion
In this paper, we presented strong and weak key substitution attacks on the GPV signature scheme, Lyubashevsky's signature scheme, and BLISS. These attacks raise practical concerns, since they cause the digital signature scheme to lose the functionalities of nonrepudiation and authentication. We suggest using the MS conversion [5], which binds the signer's public key to the message being signed, for Lyubashevsky's signature scheme and BLISS. We also point out that, to guarantee security against key substitution attacks, it is necessary to prove the security of the MS conversion of a digital signature scheme against message and key substitution (MKS) attacks.