
Cliptography: Clipping the Power of Kleptographic Attacks


Abstract

Kleptography, introduced 20 years ago by Young and Yung [Crypto '96], considers the (in)security of malicious implementations (or instantiations) of standard cryptographic primitives that may embed a "backdoor" into the system. Remarkably, crippling subliminal attacks are possible even if the subverted cryptosystem produces output indistinguishable from a truly secure "reference implementation." Bellare, Paterson, and Rogaway [Crypto '14] recently initiated a formal study of such attacks on symmetric key encryption algorithms, demonstrating that kleptographic attacks can be mounted in broad generality against randomized components of cryptographic systems. We enlarge the scope of current work on the problem by permitting adversarial subversion of (randomized) key generation; in particular, we initiate the study of cryptography in the complete subversion model, where all relevant cryptographic primitives are subject to kleptographic attacks. We construct secure one-way permutations and trapdoor one-way permutations in this "complete subversion" model, describing a general, rigorous immunization strategy to clip the power of kleptographic subversions. Our strategy can be viewed as a formal treatment of the folklore "nothing up my sleeve" wisdom in cryptographic practice. We also describe a related "split program" model that can directly inform practical deployment. We additionally apply our general immunization strategy to directly yield a backdoor-free PRG. This notably amplifies previous results of Dodis, Ganesh, Golovnev, Juels, and Ristenpart [Eurocrypt '15], which require an honestly generated random key. We then examine two standard applications of (trapdoor) one-way permutations in this complete subversion model and construct "higher level" primitives via black-box reductions.
We showcase a digital signature scheme that preserves existential unforgeability when all algorithms (including key generation, which was not considered to be under attack before) are subject to kleptographic attacks. Additionally, we demonstrate that the classic Blum-Micali pseudorandom generator (PRG), using an "immunized" one-way permutation, yields a backdoor-free PRG. Alongside development of these secure primitives, we set down a hierarchy of kleptographic attack models which we use to organize past results and our new contributions; this taxonomy may be valuable for future work.
