DOI: 10.1145/3133956.3136065
tutorial

Cliptography: Post-Snowden Cryptography

Published: 30 October 2017

ABSTRACT

This tutorial will present a systematic overview of kleptography: stealing information subliminally from black-box cryptographic implementations; and cliptography: defense mechanisms that clip the power of kleptographic attacks via specification re-designs (without altering the underlying algorithms). Despite the laudable history of the development of modern cryptography, applying cryptographic tools to reliably provide security and privacy in practice is notoriously difficult. One fundamental practical challenge remains: guaranteeing security and privacy without explicit trust in the algorithms and implementations that underlie basic security infrastructure. While the dangers of entertaining adversarial implementations of cryptographic primitives seem obvious, the ramifications of such attacks are surprisingly dire: it turns out that, in wide generality, adversarial implementations of cryptographic algorithms (both deterministic and randomized) may leak private information while producing output that is statistically indistinguishable from that of a faithful implementation. Such attacks were formally studied in Kleptography. The Snowden revelations have shown us how security and privacy can be lost at a very large scale, even when traditional cryptography seems to be used to protect Internet communication, when Kleptography was not taken into consideration. We will first explain how the above-mentioned kleptographic attacks can be carried out in various settings. We will then introduce several simple but rigorous immunizing strategies, inspired by folklore practical wisdom, that protect different algorithms from implementation subversion. Those strategies can be applied to ensure the security of most of the fundamental cryptographic primitives, such as PRGs, digital signatures, and public-key encryption, against kleptographic attacks when they are implemented accordingly.
Our new design principles may suggest new standardization methods that help reduce the threat of subverted implementations. We also hope our tutorial will stimulate community-wide efforts to further tackle the fundamental challenge mentioned at the beginning.

    • Published in

      CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
      October 2017
      2682 pages
      ISBN: 9781450349468
      DOI: 10.1145/3133956

      Copyright © 2017 Owner/Author

      Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Qualifiers

      • tutorial

      Acceptance Rates

      CCS '17 Paper Acceptance Rate: 151 of 836 submissions, 18%
      Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
