Key Substitution in the Symbolic Analysis of Cryptographic Protocols

Key substitution vulnerable signature schemes are signature schemes that permit an intruder, given a public verification key and a signed message, to compute a pair of signature and verification keys such that the message appears to be signed with the new signature key. Schemes vulnerable to this attack thus permit an active intruder to claim to be the issuer of a signed message. A digital signature scheme is said to be vulnerable to destructive exclusive ownership property (DEO) If it is computationaly feasible for an intruder, given a public verification key and a pair of message and its valid signature relatively to the given public key (m, s), to compute a pair of signature and verification keys and a new message m such that s is a valid signature of m relatively to the new verification key. In this paper, we investigate and solve positively the problem of the decidability of symbolic cryptographic protocol analysis when the signature schemes employed in the concrete realisation have this two properties.