The Internet is a dangerous place in the best of times. Sometimes Internet engineers find ways to mitigate the worst of these threats, and sometimes they fail. Every now and then, however, a major Internet company finds a solution that actually makes the situation worse for just about everyone. Today I want to talk about one of those cases, and how a big company like Google might be able to lead the way in fixing it.
This post is about the situation with Domain Keys Identified Mail (DKIM), a harmless little spam protocol that has somehow become a monster. My request is simple and can be summarized as follows:
Dear Google: would you mind rotating and publishing your DKIM secret keys on a periodic basis? This would make the entire Internet quite a bit more secure, by removing a strong incentive for criminals to steal and leak emails. The fix would cost you basically nothing, and would remove a powerful tool from hands of thieves.
That’s the short version. Read on for the long.
What the heck is DKIM, and how does it protect my email?
Electronic mail was created back in the days when the Internet was still the ARPANET. This was a gentler time when modern security measures — and frankly, even the notion that the Internet would need security — was a distant, science-fiction future.
The early email protocols (like SMTP) work on the honor system. Emails can arrive at your mail server directly from a sender’s mail server, or they can pass through intermediaries. In either case, when an email says it comes from your friend Alice, you trust that it comes from Alice. What possible reason would there be for anyone to lie?
The mainstream adoption of email showed that this attitude was pretty badly miscalibrated. In the space of a few years, Internet users discovered that there were plenty of people who would lie about who they were. Most of these were email spammers, who were thrilled that SMTP allowed them to impersonate just about any sender — your friend Alice, your boss, the IRS, a friendly Nigerian prince. Without a reliable mechanism to prevent that spamming, email proved hilariously vulnerable to spoofing.
To their great credit, email providers quickly realized that email without sender authenticity was basically unworkable. To actually filter emails properly, they needed to be able to verify at least which server an email had originated from. This property has a technical name; it’s called origin authenticity.
The solution to the origin authenticity, like all fixes to core Internet protocols, is kind of a band-aid. Email providers were asked to bolt on an (optional) new cryptographic extension called Domain Keys Identified Mail, or DKIM. DKIM bakes digital signatures into every email sent by a participating mail server. When a recipient mail server obtains a DKIM-signed email claiming to originate from, say, Google: it first looks up Google’s public key using the Domain Name System (DNS). The recipient can now verify a signature to ensure that the email is authentic and unmodified — the signature covers the content and most of the headers — and they can then use that knowledge as an input to spam filtering. (A related protocol called ARC offers a similar guarantee.)
Of course, this approach isn’t perfect. Since DKIM is optional, malicious intermediaries can “strip off” the DKIM signatures from a given email in an effort to convince recipients that the email was never DKIM-signed. A related protocol, DMARC, uses DNS to allow mail senders to broadcast preferences that enforce the checking of signatures on their email messages. These two protocols, when used together, should basically wipe out spoofing on the Internet.
What’s the problem with DKIM/ARC/DMARC, and what’s “deniability”?
As an anti-spam measure there’s nothing really wrong with DKIM, ARC and DMARC. The problem is that DKIM signing has an unexpected side effect that goes beyond its initial spam-filtering purpose. Put simply:
DKIM provides a life-long guarantee of email authenticity that anyone can use to cryptographically verify the authenticity of stolen emails, even years after they were sent.
This new non-repudiation feature was not part of DKIM’s design goals. The designers didn’t intend it, nobody discussed whether it was a good idea, and it seems to have largely taken them by surprise. Worse, this surprise feature has some serious implications: it makes us all more vulnerable to extortion and blackmail.
To see the problem, it helps to review the goals of DKIM.
The key design goal of DKIM was to prevent spammers from forging emails while in transit. This means that receiving servers really do need to be able to verify that an email was sent by the claimed origin mail server, even if that email transits multiple untrusted servers on the way.
However, once mail transmission is complete, the task of DKIM is complete. In short: the authenticity guarantee only needs to hold for a short period of time. Since emails generally take only a few minutes (or hours, in unusual cases) to reach their destination, the authenticity guarantee does not need to last for years, nor do these signatures need to be exposed to users. And yet here we are.
Until a few years ago, nobody thought much about this. In fact, in the early DKIM configurations were kind of a joke: mail providers chose DKIM signing keys that were trivial for motivated attackers to crack. Back in 2012 a security researcher named Zachary Harris pointed out that Google and several other companies were using using 512-bit RSA to sign DKIM. He showed that these keys could be “cracked” in a matter of hours on rented cloud hardware, and then used these keys to forge emails from Larry and Sergey.
Providers like Google reacted to the whole “Larry and Sergey” embarassment in the way you’d expect. Without giving the implications any serious thought, they quickly ramped up their keys to 1024-bit or 2048-bit RSA. This stopped the forgeries, but inadvertently turned a harmless anti-spam protocol into a life-long cryptographic authenticity stamp — one that can be used to verify the provenance of any email dump, regardless of how it reaches the verifier.
You’re crazy. Nobody uses DKIM to authenticate emails.
For better or for worse, the DKIM authenticity stamp has been widely used by the press, primarily in the context of political email hacks. It’s real, it’s important, and it’s meaningful.
The most famous example is also one of the most divisive: back in 2016, Wikileaks published a batch of stolen emails stolen from John Podesta’s Google account. Since the sourcing of these emails was murky, WikiLeaks faced a high burden in proving to readers that these messages were actually authentic. DKIM provided an elegant solution: every email presented on Wikileaks’ pages publicly states the verification status of the attached DKIM signatures, something you can see today. The site also provides a helpful resource page for journalists, explaining how DKIM proves that the emails are real.
But the Podesta emails weren’t the end of the DKIM story. In 2017, ProPublica used DKIM to verify the authenticity of emails allegedly sent to a critic by President Trump’s personal lawyer Mark Kasowitz. In 2018, the Associated Press used it once again to verify leaked emails tying a Russian lawyer to Donald Trump Jr. And it happened again this year, when the recipients of an alleged “Hunter Biden laptop” provided a single 2015 email to Rob Graham for DKIM verification, in an effort to overcome journalistic skepticism at the sourcing of their information.
Some will say that DKIM verification doesn’t matter, and that leaked emails will be believed or rejected based on their content alone. Yet multiple news organizations’ decision to rely on DKIM clearly demonstrates how wrong that assumption is. News organizations, including Wikileaks, implicitly admit that questionable sourcing of emails creates doubt: perhaps so much so that credible publication in a national news organization is impossible. DKIM short-circuits this problem, and allows anyone to leap right over that hurdle.
The Associated Press even provides a DKIM verification tool.
In short, an anti-spam protocol originally designed to provide short-lived authenticity for emails traveling between email servers has mutated — without any discussion or consent from commercial mail customers — into a tool that provides cryptographically undeniable authentication of every email in your inbox and outbox. This is an amazing resource for journalists, hackers, and blackmailers.
But it doesn’t benefit you.
So what can we do about this?
DKIM was never intended to provide long-lived authenticity for your emails. The security guarantees it provides are important, but need only exist for a period of hours (perhaps days on the outside) from the moment a mail server transmits your email. The fact that DKIM can be used to prove authenticity of stolen email from as long ago as 2015 is basically a screwup: the result of misuse and misconfiguration by mail providers who should know better.
Fortunately there’s an easy solution.
DKIM allows providers to periodically “rotate”, or replace, the keys that they use to sign outgoing emails. The frequency of this rotation is slightly limited by the caching behavior of the DNS infrastructure, but these limits aren’t very tight. Even a big provider like Google can easily replace its signing keys at least every few weeks without disrupting email transit. This sort of key replacement is good practice in any case, and it represents part of the solution.
Of course, merely replacing DKIM keypairs does nothing by itself: smart people on the Internet routinely archive DKIM public keys. This is, in fact, how a 2015 Google email was verified in 2020: the key that Google used for verifying DKIM emails during that long-ago time period (a single key was used from 2012-2016, seriously Google, this is just malpractice!) is no longer in use, but has been cached in various places on the Internet.
Solving this problem requires only a small additional element: Google needs to publish the secret key portion of its keypairs once they’ve been rotated out of service. They should post this secret key in an easily-accessible public location so that anyone can use it to forge alleged historical emails from any Google user. The public availability of Google’s signing key would make any new email leak cryptographically deniable. Since any stranger would have been able to forge a DKIM signature, DKIM signatures become largely worthless as evidence of authenticity.
(People who run their own mail servers can achieve the same thing automatically by using this awesome script.)
Google could launch the process right now by releasing its ancient 2016-era private keys. Since the secrecy of these serves literally no security purpose at this point, except for allowing third parties to verify email leaks, there’s no case for keeping these values secret at all. Just dump them.
(A paranoid reader might also consider the possibility that motivated attackers might already have stolen Google’s historical secret DKIM keys. After all, DKIM signing keys aren’t exactly the crown jewels of Google’s ecosystem, and are unlikely to receive Google’s strongest security efforts. By keeping its keys secret in that case, Google is simply creating a situation where specific actors can counterfeit emails with impunity.)
But DKIM authenticity is great! Don’t we want to be able to authenticate politicians’ leaked emails?
Modern DKIM deployments are problematic because they incentivize a specific kind of crime: theft of private emails for use in public blackmail and extortion campaigns. An accident of the past few years is that this feature has been used primarily by political actors working in a manner that many people find agreeable — either because it suits a partisan preference, or because the people who got “caught” sort of deserved it.
But bad things happen to good people too. If you build a mechanism that incentivizes crime, sooner or later you will get crimed on.
Email providers like Google have made the decision, often without asking their customers, that anyone who guesses a customer’s email password — or phishes one of a company’s employees — should be granted a cryptographically undeniable proof that they can present to anyone in order to prove that the resulting proceeds of that crime are authentic. Maybe that proof will prove unnecessary for the criminals’ purposes. But it certainly isn’t without value. Removing that proof from criminal hands is an unalloyed good.
The fact that we even have to argue about this makes me really sad.
Timestamping, better crypto, and other technical objections
Every time I mention this idea of dumping old secret keys, I get a batch of technical objections from people who make really good points but are thinking about a stronger threat model than the one we generally face.
The most common objection is that publication of secret keys only works if the signed emails were obtained after the secret keys were published. By this logic, which is accurate, any emails stolen and published before the DKIM secret key is published are not deniable. For example, if someone hacks your account and immediately publishes any email you receive in real-time, then cryptographic verifiability is still possible.
Some even pose a clever attack where recipients (or hackers who have persistent access to your email account) use a public timestamping service, such as a blockchain, to verifiably “stamp” each email they receive with the time of receipt. This allows such recipients to prove that they had the signed email before the DKIM secret key became public — and checkmate.
This is a nice theoretical hack and it’s clever, but it’s also basically irrelevant in the sense that it addresses a stronger threat model. The most critical issue with DKIM today is that DKIM signatures sit around inside your archived mailbox. This means that a hacker who breaches my Gmail account today can present DKIM signatures on emails I sent/received years ago. Publishing old DKIM secret keys would take care of this problem instantly. Fixing the theoretical “real-time hacker” scenario can wait until later.
Another objection I receive sometimes is that cryptographic authentication is a useful feature. And I agree with that, in some settings. The problem with DKIM is that no customers asked for this feature as a default in their commercial mail account. If people want to cryptographically authenticate their emails, there exists a lovely set of tools they can use for this purpose.
Finally, there’s a question of whether the DKIM deniability problem can be fixed with exciting new cryptography. As a cryptographic researcher, I’m enthusiastic about that direction. In fact: my co-authors Mike Specter and Sunoo Park and I recently wrote a paper about how a long-term fix to DKIM might work. (Mike wrote a great blog post about it.) I don’t claim that our solution is necessarily the best approach, but I’m hoping that it will inspire more work in the future.
But sometimes the best solution is the obvious one. And right now, Google as the largest commercial mail provider, could make a huge impact (and protect their customers against future leaks) by doing something very simple. It’s a mystery to me why they won’t.
and 
, which allows her to compute 
. Even better, if the attacker knows one of ![M_1](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="21" height="15"><rect fill-opacity="0"/></svg> "M_1")
or 
, she can immediately recover the other. This gives her a strong incentive to know one of the two plaintexts.
they don’t do it themselves. They instead calling out to a third party, the “random oracle” who keeps a giant table of random function inputs and outputs. At a high level, the model looks like sort of like this:
![{\bf S_{\sf broken}}](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="41" height="15"><rect fill-opacity="0"/></svg> "{\bf S_{\sf broken}}")
. Building this new scheme will mostly consist of grafting weird bells and whistles onto the algorithms of the original scheme S.
with the specific requirement that q is an integer such that 
. Here 
represents the length of the encoding of program P in bits, and k is the scheme’s adjustable security parameter (for example, k=128).
(Since Timmy and Ruth have to be paired ahead of time, it’s likely they’ll both be devices owned by the same person. Did I mention that you’ll need to buy two Apple devices to make this system work? That’s also just fine for Apple.)
queries, where N is the number of possible values your data can take on (e.g., the ages of your employees, ranging between 1 and 100 would give N=100.) This is assuming an arbitrary dataset. The results get much better if the database is “dense”, meaning every possible value occurs once.
tends to make Kellaris et al. attacks impractical, simply because they’ll take too long. Similarly, data like employee last names (encoded as a form that can be sorted and range-queries) gives you even vaster domains like 
, say, and so perhaps we could pleasantly ignore these results and spend our time on more amusing engagements.![\epsilon-](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="19" height="7"><rect fill-opacity="0"/></svg> "\epsilon-")
ADR.
. For example, if I’m trying to recover employee salaries, I don’t need them to be exact: getting them within 1% or 5% is probably good enough for my purposes. Similarly, reconstructing nearly all of the letters in your last name probably lets me guess the rest, especially if I know the distribution of common last names.
queries, where ![\epsilon](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="7" height="7"><rect fill-opacity="0"/></svg> "\epsilon")
is the error parameter.
queries, and experimentally the results are again even better than one would expect.
PAKE is that this is a shame, because PAKE — which stands for 
and the server has the salt, which is expressed as a scalar value 
. The output of the PRF function should be of the form 
, where 
is a special hash function that hashes passwords into elements of a cyclic (prime-order) group.
and then “blinds” this password by selecting a random scalar value r, and blinding the result to obtain 
. At this point, the client can send the blinded value C over to the server, secure in the understanding that (in a prime-order group), the blinding by r hides all partial information about the underlying password.
and sends the result R back to the client. If we write this out in detail, the result can be expressed as $R = H(P)^{rs}$. The client now computes the inverse of its own blinding value r and exponentiates one more time as follows: 
. This element ![R'](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="16" height="13"><rect fill-opacity="0"/></svg> "R'")
, which consists of the hash of the password exponentiated by the salt, is the output of the desired PRF function.
.svg){kind=icon}
“someone is wrong on the Internet” posts. After all, that’s what Twitter is for! But from time to time something bothers me enough that I have to make an exception. Today I wanted to write specifically about Google Chrome, how much I’ve loved it in the past, and why — due to Chrome’s new user-unfriendly 
and I’ll pick a bit 
at random, and return to you the encryption of 
, which I will denote as 
.![C^*](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="19" height="12"><rect fill-opacity="0"/></svg> "C^*")
I’ll reject your attempt. But I’ll decrypt any other ciphertext you send me, even if it’s only slightly different from 
. They “win” the game if 
.![C'](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="17" height="13"><rect fill-opacity="0"/></svg> "C'")
that contains a closely related plaintext (and that the challenger will be able and willing to meaingfully decrypt). It’s easy to see that if I could get away with this, by the rules of the game I could probably win at step (4), simply by sending 
or ![G()](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="24" height="18"><rect fill-opacity="0"/></svg> "G()")
and ![H()](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="26" height="18"><rect fill-opacity="0"/></svg> "H()")
that don’t exist in the v1.5 predecessor. (These are sometimes referred to as “mask generation functions”, which is just a fancy way of saying they’re hash functions with outputs of a custom, chosen size. Such functions can be easily built from existing hash functions like SHA256.)
![m](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="14" height="7"><rect fill-opacity="0"/></svg> "m")
and some random padding ![r](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="8" height="7"><rect fill-opacity="0"/></svg> "r")
to a padded message) and backwards — that is, it’s an easily-invertible permutation. The key to this feature is the Feistel network structure.
where 
is an RSA public key of unknown factorization and “programming” the random oracles such that 
. The intuitive idea is that an attacker who is able to learn something about the underlying message must query the functions ![M'](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="21" height="13"><rect fill-opacity="0"/></svg> "M'")
such that 
.
. We’ll also make use of two independent hash functions ![H_1, H_2](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="46" height="15"><rect fill-opacity="0"/></svg> "H_1, H_2")
.![{\sf Encrypt}](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="51" height="15"><rect fill-opacity="0"/></svg> "{\sf Encrypt}")
algorithm is randomized. This actually has to be the case, due to the definition of IND-CPA. (See ![H_1](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="18" height="15"><rect fill-opacity="0"/></svg> "H_1")
to produce the random bits that will be used for encryption. This turns a randomized encryption into a deterministic one. (This, of course, requires that both the input and the internals of ![M](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="17" height="11"><rect fill-opacity="0"/></svg> "M")
, which we’ll express as some fixed-length string of bits:![R](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="13" height="11"><rect fill-opacity="0"/></svg> "R")
from the message space of the original CPA-secure scheme.
.
. Note that here 
.
.![C = (C_1, C_2)](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="90" height="18"><rect fill-opacity="0"/></svg> "C = (C_1, C_2)")
.![C_1](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="17" height="15"><rect fill-opacity="0"/></svg> "C_1")
, which (if all is well) should give us 
.
and thus the message 
.
are valid by re-computing the randomness 
and verifying the condition 
. If this final check fails, simply output a decryption error.
. So what we really want to prove is that in order to construct a valid ciphertext the attacker must already know 
. The idea of this proof is that it should be hard for an attacker to construct such a 
. If she has called the hash function to produce this portion of the ciphertext, then she already knows those values and the decryption oracle provides her with no additional information she didn’t already have. (Alternatively, if she did not call the hash function, then her probability of making a valid 
. In this case her strategy is twofold: she can tamper with the first portion of the ciphertext and/or she can tamper with the second. But it’s easy to see that this will tend to break some portion of the decryption checks:
, she will change the recovered message into a new value that we can call 
. However this will in turn (with overwhelming probability) cause the decryptor to recover very different random coins 
than were used in the original construction of ![C_1^*](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="19" height="17"><rect fill-opacity="0"/></svg> "C_1^*")
, and thus decryption check on that piece will probably fail.
much), so I knew the piece was coming. But since many of the things I said to Levy were fairly skeptical — and most didn’t make it into the piece — I figured it might be worthwhile to say a few of them here.
![b](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="7" height="11"><rect fill-opacity="0"/></svg> "b")
at random, and return to you the encryption of ![M_b](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="21" height="14"><rect fill-opacity="0"/></svg> "M_b")
, which I will denote as ![b'](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="11" height="13"><rect fill-opacity="0"/></svg> "b'")
. They “win” the game if 
that we are now allowed to submit for decryption. We are now allowed (by the rules of the game) to submit this ciphertext, and obtain 
, which we can use to figure out 
that researchers have spent the past forty years designing. We see this every day in examples ranging from ![H(\cdot)](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="31" height="18"><rect fill-opacity="0"/></svg> "H(\cdot)")
to be considered a ‘cryptographic’ hash, it must achieve some specific security requirements. There are a number of these, but here we’ll just focus on three common ones:
, it should be time-consuming to find an input ![X](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="14" height="11"><rect fill-opacity="0"/></svg> "X")
such that 
. (There are many caveats to this, of course, but ideally the best such attack should require a time comparable to a brute-force search of whatever distribution 
such that 
.
such that 
. Note that this is a much stronger assumption than second-preimage resistance, since the attacker has complete freedom to find any two messages of its choice.
represent the secret key that we’ll use for signing. To generate the public key, we now simply hash every one of those random strings using our function 
![({\bf pk_0}, {\bf pk_1})](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="73" height="18"><rect fill-opacity="0"/></svg> "({\bf pk_0}, {\bf pk_1})")
to the entire world. For example, we can send it to our friends, embed it into a certificate, or post it on 
![i^{th}](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="17" height="14"><rect fill-opacity="0"/></svg> "i^{th}")
message bit 
, we grab the 
from the ![{\bf sk_0}](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="24" height="15"><rect fill-opacity="0"/></svg> "{\bf sk_0}")
list, and output that string as part of our signature. If the message bit ![M_i = 1](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="49" height="15"><rect fill-opacity="0"/></svg> "M_i = 1")
we copy the appropriate string 
from the 
list. Having done this for each of the message bits, we concatenate all of the strings we selected. This forms our signature.
represent the 
and computes hash 
. If ![M_i = 0](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="50" height="15"><rect fill-opacity="0"/></svg> "M_i = 0")
the result should match the corresponding element from 
. If 
.
, then I’m going to end up handing out both secret key values for that position. This can be a problem.
![N](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="15" height="11"><rect fill-opacity="0"/></svg> "N")
of them. The most obvious approach is to simply generate 
.
in our secret key. For each bit position of the message where 
. For every position where 
for our initial secret key. Rather than generating additional lists randomly, he proposed to use the hash function 
. And similarly, one can use the hash function again on that list to get the next list 
. And so on for many possible lists.![{\bf pk}](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="20" height="16"><rect fill-opacity="0"/></svg> "{\bf pk}")
. (In practice we only need 255 secret key lists, since we can treat the final secret key list as the public key.) The elegance of this approach is that given any one of the possible secret key values it’s always possible to check it against the public key, simply by hashing forward multiple times and seeing if we reach a public key element.
. For bytes with the maximal value “255” we don’t have a secret key list. That’s ok: in this case we can output an empty string, or we can output the appropriate element of 
. The verifier only holds the public key vector and (as mentioned above) simply hashes forward an appropriate number of times — depending on the message byte — to see whether the result is equal to the appropriate component of the public key.
), anyone who sees a message that signs the message “0” can easily change the corresponding byte of the message to a “1”, and update the signature to match. In fact, an attacker can increment the value of any byte(s) in the message. Without some check on this capability, this would allow very powerful forgery attacks.
![pk^{0}_1 = H(sk^{0}_1)](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="96" height="19"><rect fill-opacity="0"/></svg> "pk^{0}_1 = H(sk^{0}_1)")
, an attacker who is able to compute hash preimages can easily recover a valid secret key for that component of the signature. This attack obviously renders the scheme insecure.
. If such an attacker can find a second pre-image for the public key 
she can’t sign a different message. But she has produced a new signature. In the strong definition of signature security (
and then the sign the resulting value 
instead of the message.
such that 
has now found a valid signature on two different messages. This leads to a trivial break of 
