
Algorithm Substitution Attacks: State Reset Detection and Asymmetric Modifications

Philip Hodges, Douglas Stebila
2021 IACR Transactions on Symmetric Cryptology  
In this paper, we study algorithm substitution attacks (ASAs), where an algorithm in a cryptographic scheme is substituted for a subverted version.  ...  Suppose that PKE is a δ-correct public-key encryption scheme. Let n be the total number of ciphertexts intercepted by the subverter.  ...  A signature is subverted by making the randomness used in a signature dependent on the randomness used in the previous signature, in a way that can be reverse-engineered by the subverter.  ... 
doi:10.46586/tosc.v2021.i2.389-422 fatcat:3p5txsxlgrfr3a3cbsnc36vkym

Substitution Attacks against Message Authentication

Marcel Armour, Bertram Poettering
2019 IACR Transactions on Symmetric Cryptology  
While most prior work focused on subverting encryption systems, we study options to subvert symmetric message authentication protocols.  ...  As subverted authentication can act as an enabler for subverted encryption (software updates can be manipulated to include replacements of encryption routines), we consider attacks of the new class highly  ...  Note that the Vfy oracle in UDT and the Tag oracle in UDV are redundant. Effects of Subversion on Correctness and Unforgeability.  ... 
doi:10.13154/tosc.v2019.i3.152-168 dblp:journals/tosc/ArmourP19 fatcat:4dxyuijnz5fkdlyv3journqvka

Substitution Attacks against Message Authentication

Marcel Armour, Bertram Poettering
2019 IACR Transactions on Symmetric Cryptology  
While most prior work focused on subverting encryption systems, we study options to subvert symmetric message authentication protocols.  ...  As subverted authentication can act as an enabler for subverted encryption (software updates can be manipulated to include replacements of encryption routines), we consider attacks of the new class highly  ...  Note that the Vfy oracle in UDT and the Tag oracle in UDV are redundant. Effects of Subversion on Correctness and Unforgeability.  ... 
doi:10.46586/tosc.v2019.i3.152-168 fatcat:2rf3eunfebgivbl6png52jcz3y

Subverting Decryption in AEAD

M. Armour, B. Poettering
2020 Zenodo  
Previous work posited that a particular class of AEAD scheme (satisfying certain correctness and uniqueness properties) is resilient against subversion.  ...  An ASA replaces an encryption scheme with a subverted version that aims to reveal information to an adversary engaged in mass surveillance, while remaining undetected by users.  ...  The members of this class are deterministic and satisfy certain technical correctness and uniqueness properties. See Appendix A for definitions of pseudo-random functions and permutations.  ... 
doi:10.5281/zenodo.3951943 fatcat:ecqgag7y2rhqpk42bk2u27tpem

A More Cautious Approach to Security Against Mass Surveillance [chapter]

Jean Paul Degabriele, Pooya Farshim, Bertram Poettering
2015 Lecture Notes in Computer Science  
The subverted encryption algorithm E may be randomized, stateful, or both.  ...  For instance BPR use this to show that any randomized encryption scheme can be subverted in an undetectable manner.  ...  The class of games that we consider here correspond to those that have black-box access to the encryption procedure with respect to a random unknown key.  ... 
doi:10.1007/978-3-662-48116-5_28 fatcat:dzxl6vs3rjalxbvxlsxnfjj3zu

Subversion-Resilient Signature Schemes

Giuseppe Ateniese, Bernardo Magri, Daniele Venturi
2015 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15  
Correctness of a signature scheme says that verifying honestly generated signatures always works (with overwhelming probability over the randomness of all involved algorithms).  ...  For each chosen subversion in the class, the adversary can access an oracle that answers (polynomially many) signature queries using the subverted signature algorithm.  ...  if both signatures match then with a high probability the target oracle is the real signing oracle.  ... 
doi:10.1145/2810103.2813635 dblp:conf/ccs/AtenieseMV15 fatcat:rzrzfdsncjairgvhf5shlkugqq

On the Security of Symmetric Encryption Against Mass Surveillance

Da-Zhi Sun, Yi Mu
2020 IEEE Access  
Here, the oracle Enc invokes Ẽ described in Fig. 4 or E described in Definition 4, when the random bit b is 0 or 1.  ...  A random bit b and subversion key K are first sampled. SD then has access to the encryption oracle Enc. Upon receiving (K, M), the oracle Enc produces (C, σ) either via E (b = 1) or via Ẽ (b = 0).  ... 
doi:10.1109/access.2020.3025848 fatcat:hquck6yddbc5rmllfolrjrk7p4

Security of Symmetric Encryption against Mass Surveillance [chapter]

Mihir Bellare, Kenneth G. Paterson, Phillip Rogaway
2014 Lecture Notes in Computer Science  
The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.  ...  The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one.  ...  Correctness.  ... 
doi:10.1007/978-3-662-44371-2_1 fatcat:k7wqqsx3mffyvkooo7ttgoairy

Mass-surveillance without the State

Mihir Bellare, Joseph Jaeger, Daniel Kane
2015 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15  
First, while prior attacks only broke a sub-class of randomized schemes having a property called coin injectivity, our attacks break all randomized schemes.  ...  The April 2017 update of this paper corrects that error.  ...  In both, (v_c, t_c) is picked at random. However, in I_2, if it turns out that c was already seen, then the game corrects, resetting (v_c, t_c) to its prior value.  ... 
doi:10.1145/2810103.2813681 dblp:conf/ccs/BellareJK15 fatcat:jjkpgu7zdngvzdana2st7cavti

Cliptography: Clipping the Power of Kleptographic Attacks [chapter]

Alexander Russell, Qiang Tang, Moti Yung, Hong-Sheng Zhou
2016 Lecture Notes in Computer Science  
Remarkably, crippling subliminal theft is possible even if the subverted cryptosystem produces output indistinguishable from a secure "reference implementation."  ...  This notably contrasts with previous results of Dodis, Ganesh, Golovnev, Juels, and Ristenpart [Eurocrypt '15], which require an honestly generated random key.  ...  Assume a hash function h_SPEC is modeled as a random oracle, and h is a (potentially subverted) implementation.  ... 
doi:10.1007/978-3-662-53890-6_2 fatcat:mu5echv27fgthjgwgzbpk4wmwi

Security of Linear Secret-Sharing Schemes Against Mass Surveillance [chapter]

Irene Giacomelli, Ruxandra F. Olimid, Samuel Ranellucci
2015 Lecture Notes in Computer Science  
The subverted scheme is correct. Since S is a valid vector of shares, reconstruction and privacy hold from construction. Theorem 3. Let Π = (Sh, Rec) be a LSSS with γ − l ≥ 2 (this assures t ≥ 2).  ...  The advantage of B to detect an ASA is defined as: Remark 2. The inequality γ > l always holds from the correctness of reconstruction and the usage of randomness (d > 0). For the rest of the paper,  ...  We construct Π* = (Sh*, Rec*) multi-input LSSS that cannot be subverted without violating detectability. Let PRG be a pseudo-random generator that maps a seed in F to an element in F^d. Proof.  ... 
doi:10.1007/978-3-319-26823-1_4 fatcat:dmj2a2t4w5dt7ekk2kevsldzx4

Hidden credential retrieval from a reusable password

Xavier Boyen
2009 Proceedings of the 4th International Symposium on Information, Computer, and Communications Security - ASIACCS '09  
We also quantify the concrete security of our approach in terms of online and offline password guesses made by outsiders and insiders, in the random-oracle model.  ...  Both constructions can be proven secure in the random-oracle model from suitable complexity assumptions.  ...  Let then H : {0, 1} n → G × be a cryptographic hash function, which is to be viewed as a random oracle.  ... 
doi:10.1145/1533057.1533089 dblp:conf/ccs/Boyen09 fatcat:kuke57bvmfas5dllbizrjw2gqq

Sonic

Mary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn
2019 Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS '19  
in the quantum random oracle model [21] remains an open problem.  ...  Schemes that use these techniques [2, 9, 23] are typically made non-interactive in the random oracle model, as opposed to the quantum random oracle model, and designing efficient zero-knowledge protocols  ... 
doi:10.1145/3319535.3339817 dblp:conf/ccs/MallerBKM19 fatcat:7lgvfqmkwjb4dbhlpua4qg5k5y

Message-Locked Encryption for Lock-Dependent Messages [chapter]

Martín Abadi, Dan Boneh, Ilya Mironov, Ananth Raghunathan, Gil Segev
2013 Lecture Notes in Computer Science  
We design a fully randomized scheme that supports an equality-testing algorithm defined on the ciphertexts.  ...  Definition 4.1 (Real-or-random encryption oracle).  ...  The functions will be modeled in the proof of security as random oracles. RO is used to break circularity and FS denotes the random oracle required to implement Fiat-Shamir.  ... 
doi:10.1007/978-3-642-40041-4_21 fatcat:pfjow4homfeonjpk22nirffx5u

Fundamental problems in provable security and cryptography

A. W. Dent
2006 Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences  
We also present a new approach to one of the more controversial aspects of provable security: the random oracle model.  ...  This interpretation of the random oracle model is correct up to a point.  ...  queries are correct.  ... 
doi:10.1098/rsta.2006.1895 pmid:17090456 fatcat:kbia7avak5dvpl5tgh7h66eosu