Subliminal channels in post-quantum digital signature schemes

We analyze the digital signatures schemes submitted to NIST\u27s Post-Quantum Cryptography Standardization Project in search for subliminal channels

Subliminal Hash Channels

Due to their nature, subliminal channels are mostly regarded as being malicious, but due to recent legislation efforts users\u27 perception might change. Such channels can be used to subvert digital signature protocols without degrading the security of the underlying primitive. Thus, it is natural to find countermeasures and devise subliminal-free signatures. In this paper we discuss state-of-the-art countermeasures and introduce a generic method to bypass them

Guess my vote : a study of opacity and information flow in voting systems

With an overall theme of information flow, this thesis has two main strands. In the first part of the thesis, I review existing information flow properties, highlighting a recent definition known as opacity [25]. Intuitively, a predicate cP is opaque if for every run in which cP is true, there exists an indistinguishable run in which it is false, where a run can be regarded as a sequence of events. Hence, the observer is never able to establish the truth of cPo The predicate cP can be defined according to requirements of the system, giving opacity a great deal of flexibility and versatility. Opacity is then studied in relation to several well-known definitions for information flow. As will be shown, several of these properties can be cast as variations of opacity, while others have a relationship by implication with the opacity property [139]. This demonstrates the flexibility of opacity, at the same time establishing its distinct character. In the second part of the thesis, I investigate information flow in voting systems. Pret a Voter [36] is the main exemplar, and is compared to other schemes in the case study. I first analyse information flow in Pret a Voter and the FOO scheme [59], concentrating on the core protocols. The aim is to investigate the security requirements of each scheme, and the extent to which they can be captured using opacity. I then discuss a systems-based analysis of Pret a Voter [163], which adapts and extends an earlier analysis of the Chaum [35] and Neff [131]' [132]' [133] schemes in [92]. Although this analysis has identified several potential vulnerabilities, it cannot be regarded as systematic, and a more rigorous approach may be necessary. It is possible that a combination of the information flow and systems- based analyses might be the answer. The analysis of coercion-resistance, which is performed on Pret a Voter and the FOO scheme, may exemplify this more systematic approach. Receipt-freeness usually means that the voter is unable to construct a proof of her vote. Coercion-resistance is a stronger property in that it accounts for the possibility of interaction between the coercer and the voter during protocol execution. It appears that the opacity property is ideally suited to expressing the requirements for coercion-resistance in each scheme. A formal definition of receipt-freeness cast as a variation of opacity is proposed [138], together with suggestions on how it might be reinforced to capture coercion-resistance. In total, the thesis demonstrates the remarkable flexibility of opacity, both in expressing differing security requirements and as a tool for security analysis. This work lays the groundwork for future enhancement of the opacity framework.EThOS - Electronic Theses Online ServiceDSTL : EPSRCGBUnited Kingdo

Kleptography and steganography in blockchains

Despite its vast proliferation, the blockchain technology is still evolving, and witnesses continuous technical innovations to address its numerous unresolved issues. An example of these issues is the excessive electrical power consumed by some consensus protocols. Besides, although various media reports have highlighted the existence of objectionable content in blockchains, this topic has not received sufficient research. Hence, this work investigates the threat and deterrence of arbitrary-content insertion in public blockchains, which poses a legal, moral, and technical challenge. In particular, the overall aim of this work is to thoroughly study the risk of manipulating the implementation of randomized cryptographic primitives in public blockchains to mount kleptographic attacks, establish steganographic communication, and store arbitrary content. As part of our study, we present three new kleptographic attacks on two of the most commonly used digital signatures: ring signature and ECDSA. We also demonstrate our kleptographic attacks on two real cryptocurrencies: Bytecoin and Monero. Moreover, we illustrate the plausibility of hijacking public blockchains to establish steganographic channels. Particularly, we design, implement, and evaluate the first blockchain-based broadcast communication tool on top of a real-world cryptocurrency. Furthermore, we explain the detrimental consequences of kleptography and steganography on the users and the future of the blockchain technology. Namely, we show that kleptography can be used to surreptitiously steal the users' secret signing keys, which are the most valuable and guarded secret in public blockchains. After losing their keys, users of cryptocurrencies will inevitably lose their funds. In addition, we clarify that steganography can be used to establish subliminal communication and secretly store arbitrary content in public blockchains, which turns them into cheap cyberlockers. Consequently, the participation in such blockchains, which are known to store unethical content, can be criminalized, hindering the future adoption of blockchains. After discussing the adverse effects of kleptographic and steganographic attacks on blockchains, we survey all of the existing techniques that can defend against these attacks. Finally, due to the shortcomings of the available techniques, we propose four countermeasures that ensure kleptography and steganography-resistant public blockchains. Our countermeasures include two new cryptographic primitives and a generic steganographyresistant blockchain framework (SRBF). This framework presents a universal solution that deters steganography and practically achieves the right to be forgotten (RtbF) in blockchains, which represents a regulatory challenge for current immutable blockchains

Subverting Decryption in AEAD

This work introduces a new class of Algorithm Substitution Attack (ASA) on Symmetric Encryption Schemes. ASAs were introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance. An ASA replaces an encryption scheme with a subverted version that aims to reveal information to an adversary engaged in mass surveillance, while remaining undetected by users. Previous work posited that a particular class of AEAD scheme (satisfying certain correctness and uniqueness properties) is resilient against subversion. Many if not all real-world constructions – such as GCM, CCM and OCB – are members of this class. Our results stand in opposition to those prior results. We present a potent ASA that generically applies to any AEAD scheme, is undetectable in all previous frameworks and which achieves successful exfiltration of user keys. We give even more efficient non-generic attacks against a selection of AEAD implementations that are most used in practice. In contrast to prior work, our new class of attack targets the decryption algorithm rather than encryption. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs

Cliptography: Clipping the Power of Kleptographic Attacks

Kleptography, introduced 20 years ago by Young and Yung [Crypto ’96], considers the (in)security of malicious implementations (or instantiations) of standard cryptographic prim- itives that embed a “backdoor” into the system. Remarkably, crippling subliminal attacks are possible even if the subverted cryptosystem produces output indistinguishable from a truly secure “reference implementation.” Bellare, Paterson, and Rogaway [Crypto ’14] recently initiated a formal study of such attacks on symmetric key encryption algorithms, demonstrating a kleptographic attack can be mounted in broad generality against randomized components of cryptographic systems. We enlarge the scope of current work on the problem by permitting adversarial subversion of (randomized) key generation; in particular, we initiate the study of cryptography in the complete subversion model, where all relevant cryptographic primitives are subject to kleptographic attacks. We construct secure one-way permutations and trapdoor one-way permutations in this “complete subversion” model, describing a general, rigorous immunization strategy to clip the power of kleptographic subversions. Our strategy can be viewed as a formal treatment of the folklore “nothing up my sleeve” wisdom in cryptographic practice. We also describe a related “split program” model that can directly inform practical deployment. We additionally apply our general immunization strategy to directly yield a backdoor-free PRG. This notably amplifies previous results of Dodis, Ganesh, Golovnev, Juels, and Ristenpart [Eurocrypt ’15], which require an honestly generated random key. We then examine two standard applications of (trapdoor) one-way permutations in this complete subversion model and construct “higher level” primitives via black-box reductions. We showcase a digital signature scheme that preserves existential unforgeability when all algorithms (including key generation, which was not considered to be under attack before) are subject to kleptographic attacks. Additionally, we demonstrate that the classic Blum– Micali pseudorandom generator (PRG), using an “immunized” one-way permutation, yields a backdoor-free PRG. Alongside development of these secure primitives, we set down a hierarchy of kleptographic attack models which we use to organize past results and our new contributions; this taxonomy may be valuable for future work

Subversion-Resilient Signatures: Definitions, Constructions and Applications

We provide a formal treatment of security of digital signatures against subversion attacks (SAs). Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g., malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms. The main security requirement we put forward demands that a signature scheme should remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully-adaptive and continuous fashion. Previous notions---e.g., the notion of security against algorithm-substitution attacks introduced by Bellare et al. (CRYPTO \u2714) for symmetric encryption---were non-adaptive and non-continuous. In this vein, we show both positive and negative results for the goal of constructing subversion-resilient signature schemes. Negative results. As our main negative result, we show that a broad class of randomized signature schemes is unavoidably insecure against SAs, even if using just a single bit of randomness. This improves upon earlier work that was only able to attack schemes with larger randomness space. When designing our new attack we consider undetectability as an explicit adversarial goal, meaning that the end-users (even the ones knowing the signing key) should not be able to detect that the signature scheme was subverted. Positive results. We complement the above negative results by showing that signature schemes with unique signatures are subversion-resilient against all attacks that meet a basic undetectability requirement. A similar result was shown by Bellare et al. for symmetric encryption, who proved the necessity to rely on stateful schemes; in contrast unique signatures are stateless, and in fact they are among the fastest and most established digital signatures available. As our second positive result, we show how to construct subversion-resilient identification schemes from subversion-resilient signature schemes. We finally show that it is possible to devise signature schemes secure against arbitrary tampering with the computation, by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT \u2715), i.e., an algorithm that sanitizes any signature given as input (using only public information). The firewall we design allows to successfully protect so-called re-randomizable signature schemes (which include unique signatures as special case). As an additional contribution, we extend our model to consider multiple users and show implications and separations among the various notions we introduced. While our study is mainly theoretical, due to its strong practical motivation, we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols