Subversion-resilient signatures: Definitions, constructions and applications

Ateniese, Giuseppe; Magri, Bernardo; Venturi, Daniele

doi:10.1016/j.tcs.2020.03.021

Cited by 10 publications

(11 citation statements)

References 46 publications

(62 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ateniese et al show that if a digital signature scheme Σ is unique or rerandomizable then there are very efficient reverse firewalls for Σ [6]. Our firewalled signing protocol is a reverse firewall for ECDSA, which is neither unique nor rerandomizable.…”

Section: Related Workmentioning

confidence: 91%

See 1 more Smart Citation

True2F: Backdoor-Resistant Authentication Tokens

Dauterman

Corrigan-Gibbs

Mazières

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We present True2F, a system for second-factor authentication that provides the benefits of conventional authentication tokens in the face of phishing and software compromise, while also providing strong protection against token faults and backdoors. To do so, we develop new lightweight two-party protocols for generating cryptographic keys and ECDSA signatures, and we implement new privacy defenses to prevent cross-origin tokenfingerprinting attacks. To facilitate real-world deployment, our system is backwards-compatible with today's U2F-enabled web services and runs on commodity hardware tokens after a firmware modification. A True2F-protected authentication takes just 57ms to complete on the token, compared with 23ms for unprotected U2F.

show abstract

Section: Related Workmentioning

confidence: 91%

“…The innovation is that our protocol outputs unmodified ECDSA signatures, which is critical for backwards compatibility. In Section 9, we explain how our construction relates to subliminal-free [44,45,46,108,109] and subversion-resistant signature schemes [6].…”

Section: Introductionmentioning

confidence: 99%

True2F: Backdoor-Resistant Authentication Tokens

Dauterman

Corrigan-Gibbs

Mazières

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…The cryptographic reverse firewall is a generic way to prevent a tampered machine from leaking information to BB via any scheme. And the cryptographic reverse firewalls [20]- [22] mainly targeted at the protection of the public-key schemes. According to the results in [20], the improved asymmetric subversion model for signature and identification [23], [24] is further presented.…”

Section: B Related Workmentioning

confidence: 99%

On the Security of Symmetric Encryption Against Mass Surveillance

Sun

2020

IEEE Access

View full text Add to dashboard Cite

For mass surveillance, the algorithm substitution attacks (ASAs) are serious security threats to the symmetric encryption schemes. At CRYPTO 2014, Bellare, Paterson, and Rogaway (BPR) formally developed the security notions of decryptability, undetectability, and surveillance and presented a unique ciphertext symmetric encryption scheme against all possible ASAs. At FSE 2015, Degabriele, Farshim, and Poettering (DFP) relaxed the correctness of decryptability and presented an input-triggered ASA, which meets the BPR security definitions but violates the security of the BPR unique ciphertext scheme. Hence, DFP refined the security notions of detectability and subversion resistance to remove their ASA from the BPR unique ciphertext scheme. At CCS 2015, Bellare, Jaeger, and Kane (BJK) also developed the security notion of key recovery to make the input-triggered ASA infeasible. We investigate ASAs on the symmetric encryption scheme. Our contribution is twofold. (1) We propose a new trigger ASA against the symmetric encryption scheme. Our proposed ASA cannot be captured by the BJK security definitions. Comparatively, the DFP security definitions can detect our proposed ASA. In the view of ASAs, this result demonstrates that the DFP security definitions are not identical to the BJK security definitions. (2) We improve the DFP definition of subversion resistance. DFP proved that the BPR unique ciphertext scheme defeats the input-triggered ASA under their subversion resistance definition. However, we show that the BPR unique ciphertext scheme fails to meet the DFP subversion resistance definition due to our proposed ASA. Therefore, an improved definition on subversion resistance is proposed to cover all existing trigger ASAs. We prove that the BPR unique ciphertext scheme is secure under our improved definition. Therefore, we believe that our improved definition is more suitable to evaluate the ASA security of the symmetric encryption scheme.

show abstract

“…State-of-the-art literature suggests two pathways to evade ASA: 1) design of subversion-resilient algorithms and 2) detection. Subversion-resilient design of cryptography algorithms were proposed in [10], [11]. Designing subversion-resilient algorithms requires cryptanalysis of the algorithm.…”

Section: Introductionmentioning

confidence: 99%

Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Post-Quantum Signature Schemes

Chowdhury,

Mahapatra,

Soni

et al. 2022

Preprint

View full text Add to dashboard Cite

NIST is standardizing Post Quantum Cryptography (PQC) algorithms that are resilient to the computational capability of quantum computers. Past works show malicious subversion with cryptographic software (algorithm subversion attacks) that weaken the implementations. We show that PQC digital signature codes can be subverted in line with previously reported flawed implementations [1], [2] that generate verifiable, but less-secure signatures, demonstrating the risk of such attacks. Since, all processors have built-in Hardware Performance Counters (HPCs), there exists a body of work proposing a lowcost Machine Learning (ML)-based integrity checking of software using HPC fingerprints. However, such HPC-based approaches may not detect subversion of PQC codes. A miniscule percentage of qualitative inputs when applied to the PQC codes improve this accuracy to 98%. We propose grey-box fuzzing as a preprocessing step to obtain inputs to aid the HPC-based method.

show abstract

Subversion-resilient signatures: Definitions, constructions and applications

Cited by 10 publications

References 46 publications

True2F: Backdoor-Resistant Authentication Tokens

True2F: Backdoor-Resistant Authentication Tokens

On the Security of Symmetric Encryption Against Mass Surveillance

Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Post-Quantum Signature Schemes

Contact Info

Product

Resources

About