Public-Key Encryption Resistant to Parameter Subversion and Its Realization from Efficiently-Embeddable Groups

Auerbach, Benedikt; Bellare, Mihir; Kiltz, Eike

doi:10.1007/978-3-319-76578-5_12

Cited by 27 publications

(18 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Subversion of pseudorandom generators is of particular importance, given the potential sabotage of the NIST Dual EC PRG [NIS07]. The problem of parameters subversion has also been considered in the context of zero-knowledge proofs [BFS16], and public-key encryption [ABK18].…”

Section: Related Workmentioning

confidence: 99%

Subversion-resilient signatures: Definitions, constructions and applications

Ateniese

Magri

Venturi

2020

Theoretical Computer Science

View full text Add to dashboard Cite

We provide a formal treatment of security of digital signatures against subversion attacks (SAs). Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g., malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms. The main security requirement we put forward demands that a signature scheme should remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully-adaptive and continuous fashion. Previous notions-e.g., the notion of security against algorithmsubstitution attacks introduced by Bellare et al. (CRYPTO '14) for symmetric encryptionwere non-adaptive and non-continuous. In this vein, we show both positive and negative results for the goal of constructing subversion-resilient signature schemes. Negative results. We show that a broad class of randomized signature schemes is insecure against stateful SAs, even if using just a single bit of randomness. On the other hand, we establish that signature schemes with enough min-entropy are insecure against stateless SAs. The attacks we design are undetectable to the end-users (even if they know the signing key). Positive results. We complement the above negative results by showing that signature schemes with unique signatures are subversion-resilient against all attacks that meet a basic undetectability requirement. A similar result was shown by Bellare et al. for symmetric encryption, who proved the necessity to rely on stateful schemes; in contrast unique signatures are stateless, and in fact they are among the fastest and most established digital signatures available. As our second positive result, we show how to construct subversion-resilient identification schemes from subversion-resilient signature schemes. We finally show that it is possible to devise signature schemes secure against arbitrary tampering with the computation, by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT '15), i.e., an algorithm that "sanitizes" any signature given as input (using only public information). The firewall we design allows us to successfully protect so-called re-randomizable signature schemes (which include unique signatures as a special case). As an additional contribution, we extend our model to consider multiple users and show implications and separations among the various notions we introduced. While our study is mainly theoretical, due to its strong practical motivation, we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols.

show abstract

Section: Related Workmentioning

confidence: 99%

Subversion-resilient signatures: Definitions, constructions and applications

Ateniese

Magri

Venturi

2020

Theoretical Computer Science

View full text Add to dashboard Cite

show abstract

“…Giacon, Heuer, and Poettering [30] proposed key-encapsulation mechanism (KEM) combiners, which can be potentially employed to prevent ASAs. Auerbach, Bellare, and Kiltz [31] studied the security of publickey encryption schemes and KEMs when public parameters they use may be subverted. Armour and Poettering [32] studied options to subvert symmetric message authentication protocols.…”

Section: B Related Workmentioning

confidence: 99%

On the Security of Symmetric Encryption Against Mass Surveillance

Sun

2020

IEEE Access

View full text Add to dashboard Cite

For mass surveillance, the algorithm substitution attacks (ASAs) are serious security threats to the symmetric encryption schemes. At CRYPTO 2014, Bellare, Paterson, and Rogaway (BPR) formally developed the security notions of decryptability, undetectability, and surveillance and presented a unique ciphertext symmetric encryption scheme against all possible ASAs. At FSE 2015, Degabriele, Farshim, and Poettering (DFP) relaxed the correctness of decryptability and presented an input-triggered ASA, which meets the BPR security definitions but violates the security of the BPR unique ciphertext scheme. Hence, DFP refined the security notions of detectability and subversion resistance to remove their ASA from the BPR unique ciphertext scheme. At CCS 2015, Bellare, Jaeger, and Kane (BJK) also developed the security notion of key recovery to make the input-triggered ASA infeasible. We investigate ASAs on the symmetric encryption scheme. Our contribution is twofold. (1) We propose a new trigger ASA against the symmetric encryption scheme. Our proposed ASA cannot be captured by the BJK security definitions. Comparatively, the DFP security definitions can detect our proposed ASA. In the view of ASAs, this result demonstrates that the DFP security definitions are not identical to the BJK security definitions. (2) We improve the DFP definition of subversion resistance. DFP proved that the BPR unique ciphertext scheme defeats the input-triggered ASA under their subversion resistance definition. However, we show that the BPR unique ciphertext scheme fails to meet the DFP subversion resistance definition due to our proposed ASA. Therefore, an improved definition on subversion resistance is proposed to cover all existing trigger ASAs. We prove that the BPR unique ciphertext scheme is secure under our improved definition. Therefore, we believe that our improved definition is more suitable to evaluate the ASA security of the symmetric encryption scheme.

show abstract

“…Commonly, the security of PKE schemes depends on some honestly generated public system parameters, e.g., security parameter, primes, elliptic curves, and common reference string [20][21][22][23][24]. In fact, public system parameters are often specified in some standards [20,23], e.g., NIST FIPS 186-4 (2013) [25,26]. It is timesaving for the implementations of PKE systems to use the public system parameters.…”

Section: Introductionmentioning

confidence: 99%

“…It is timesaving for the implementations of PKE systems to use the public system parameters. However, recent research results show that PKE schemes may suffer from parameter subversion attacks (PSA) which allow adversaries to fully control the public system parameters [20,23,[27][28][29][30][31] and hence compromise the security of the corresponding PKE schemes. For instance, the elliptic curve cryptosystem specified in NIST FIPS 186-4 standard has been analyzed to be insecure due to the malicious manipulation of the elliptic curves [23].…”

Section: Introductionmentioning

confidence: 99%

“…Beside the SOA, PKE schemes also suffer from PSA. Such an attack is initially studied in [20,21]. In [20], the security notion called indistinguishable encryptions under parameter subversion attacks (IND-PSA) is introduced to capture PSA, which guarantees that even though the public system parameter of a PKE scheme is chosen maliciously, the resulting ciphertext should be indistinguishable [20].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Selective-Opening Security for Public-Key Encryption in the Presence of Parameter Subversion

Kang

Huang

Zhang

2021

Security and Communication Networks

View full text Add to dashboard Cite

In public-key encryption (PKE), ciphertexts received by a receiver may be possibly correlated and the security of a PKE relies on honestly generated system parameters. Security against selective opening attacks (SOA) for PKE guarantees that even when an attacker has broken into a subset of honestly generated ciphertexts and opened them (i.e., seeing plaintexts and random bits), the unopened ciphertexts remain secure. While security against parameter subversion attacks (PSA) for PKE requires that even when the public system parameters are maliciously generated, a PKE scheme should be secure. In this paper, we initiate the study of PKE secure against both SOA and PSA. To capture SOA and PSA simultaneously, we formulate a new security notion called indistinguishability under selective opening attacks and parameter subversion attacks (IND-SO-PSA). Further, we define the lossy trapdoor function and all-but-many lossy trapdoor function in the presence of PSA (LTF-PSA and ABM-LTF-PSA correspondingly) and propose an instantiation with the efficiently-embeddable group (EG). Applying these new primitives, we construct a PKE scheme that is proven to be IND-SO-PSA secure.

show abstract

Public-Key Encryption Resistant to Parameter Subversion and Its Realization from Efficiently-Embeddable Groups

Cited by 27 publications

References 35 publications

Subversion-resilient signatures: Definitions, constructions and applications

Subversion-resilient signatures: Definitions, constructions and applications

On the Security of Symmetric Encryption Against Mass Surveillance

Selective-Opening Security for Public-Key Encryption in the Presence of Parameter Subversion

Contact Info

Product

Resources

About