Unifying Kleptographic Attacks

We present two simple backdoors that can be implemented into Maurer\u27s unified zero-knowledge protocol. Thus, we show that a high level abstraction can replace individual backdoors embedded into protocols for proving knowledge of a discrete logarithm (e.g. the Schnorr and Girault protocols), protocols for proving knowledge of an $e^{th}$-root (e.g. the Fiat-Shamir and Guillou-Quisquater protocols), protocols for proving knowledge of a discrete logarithm representation (e.g. the Okamoto protocol) and protocols for proving knowledge of an $e^{th}$-root representation

Subliminal Hash Channels

Due to their nature, subliminal channels are mostly regarded as being malicious, but due to recent legislation efforts users\u27 perception might change. Such channels can be used to subvert digital signature protocols without degrading the security of the underlying primitive. Thus, it is natural to find countermeasures and devise subliminal-free signatures. In this paper we discuss state-of-the-art countermeasures and introduce a generic method to bypass them

Threshold Kleptographic Attacks on Discrete Logarithm Based Signatures

In an $\ell$ out of $n$ threshold scheme, $\ell$ out of $n$ members must cooperate to recover a secret. A kleptographic attack is a backdoor which can be implemented in an algorithm and further used to retrieve a user\u27s secret key. We combine the notions of threshold scheme and kleptographic attack to construct the first $\ell$ out of $n$ threshold kleptographic attack on discrete logarithm based digital signatures and prove its security in the standard and random oracle models

Quasigroups and Substitution Permutation Networks: A Failed Experiment

We introduce a generalization of substitution permutation networks using quasigroups. Then, we prove that for quasigroups isotopic with a group $\mathbb{G}$, the complexity of mounting a differential attack against our generalization is the same as attacking a substitution permutation network based on $\mathbb{G}$. Although the result is negative, we believe that the design can be instructional for teaching students that failure is a natural part of research. Also, we hope to prevent others from making the same mistake by showing where such a path leads

Managing Your Kleptographic Subscription Plan

In the classical kleptographic business models, the manufacturer of a device $D$ is paid either in advance or in installments by a malicious entity to backdoor $D$. Unfortunately, these models have an inherent high risk for the manufacturer. This translates in high costs for clients. To address this issue, we introduce a subscription based business model and tackle some of the technical difficulties that arise

Reinterpreting and Improving the Cryptanalysis of the Flash Player PRNG

Constant blinding is an efficient countermeasure against just-in-time (JIT) spraying attacks. Unfortunately, this mitigation mechanism is not always implemented correctly. One such example is the constant blinding mechanism found in the Adobe Flash Player. Instead of choosing a strong mainstream pseudo-random number generator (PRNG), the Flash Player designers chose to implement a proprietary one. This led to the discovery of a vulnerability that can be exploited to recover the initial seed used by the PRNG and thus, to bypass the constant blinding mechanism. Using this vulnerability as a starting point, we show that no matter the parameters used by the previously mentioned PRNG it still remains a weak construction. A consequence of this study is an improvement of the seed recovering mechanism from previously known complexity of $\mathcal O(2^{21})$ to one of $\mathcal O(2^{11})$

Concurrent Signatures from a Variety of Keys

Concurrent signatures allow two entities to produce two ambiguous signatures that become binding once an extra piece of information (called the keystone) is released. Such a signature is developed by Chen \emph{et al.}, but it restricts signers to using the same public parameters. We describe and analyse a new concurrent signature that allows users to sign documents even if they use different underlying hard problems when generating their public parameters

The Case of Small Prime Numbers Versus the Joye-Libert Cryptosystem

In this paper we study the effect of using small prime numbers within the Joye-Libert public key encryption scheme. We introduce two novel versions and prove their security. We further show how to choose the system\u27s parameters such that the security results hold. Moreover, we provide a practical comparison between the cryptographic algorithms we introduced and the original Joye-Libert cryptosystem

Security Analysis of a Color Image Encryption Scheme Based on a Fractional‑Order Hyperchaotic System

In 2022, Hosny et al. introduce an image encryption scheme that employs a fractional-order chaotic system. Their approach uses the hyper-chaotic system to generate the system\u27s main parameter, namely a secret permutation which is dependent on the size and the sum of the pixels of the source image. According to the authors, their scheme offers adequate security (i.e. $498$ bits) for transmitting color images over unsecured channels. Nevertheless, in this paper we show that the scheme\u27s security is independent on the secret parameters used to initialize the hyper-chaotic system. More precisely, we provide a brute-force attack whose complexity is $\mathcal O(2^{10.57}(WH)^3)$ and needs $2^{9.57}WH$ oracle queries, where $W$ and $H$ are the width and the height of the encrypted image. For example, for an image of size $4000 \times 30000$ ($12$ megapixels image) we obtain a security margin of $81.11$ bits, which is six times lower than the claimed bound. To achieve this result, we present two cryptanalytic attacks, namely a chosen plaintext attack and a chosen ciphertext attack

Sherlock Holmes Zero-Knowledge Protocols

We present two simple zero knowledge interactive proofs that can be instantiated with many of the standard decisional or computational hardness assumptions. Compared with traditional zero knowledge proofs, in our protocols the verifiers starts first, by emitting a challenge, and then the prover answers the challenge