DOCSLIB.ORG

Kleptography and Steganography in Blockchains

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Kleptography and Steganography in Blockchains School of Computing and Communications Kleptography and Steganography in Blockchains Nasser Alsalami Under the Supervision of Professor Bingsheng Zhang and Doctor Antonios Gouglidis Submitted for the degree of Doctor of Philosophy July 2020 Abstract Despite its vast proliferation, the blockchain technology is still evolving, and witnesses continuous technical innovations to address its numerous unresolved issues. An example of these issues is the excessive electrical power consumed by some consensus protocols. Besides, although various media reports have highlighted the existence of objectionable content in blockchains, this topic has not received sufficient research. Hence, this work investigates the threat and deterrence of arbitrary-content insertion in public blockchains, which poses a legal, moral, and technical challenge. In particular, the overall aim of this work is to thoroughly study the risk of manipulating the implementation of randomized cryptographic primitives in public blockchains to mount kleptographic attacks, establish steganographic communication, and store arbitrary content. As part of our study, we present three new kleptographic attacks on two of the most commonly used digital signatures: ring signature and ECDSA. We also demonstrate our kleptographic attacks on two real cryptocurrencies: Bytecoin and Monero. Moreover, we illustrate the plausibility of hijacking public blockchains to establish steganographic channels. Particularly, we design, implement, and evaluate the first blockchain-based broadcast communication tool on top of a real-world cryptocurrency. Furthermore, we explain the detrimental consequences of kleptography and steganography on the users and the future of the blockchain technology. Namely, we show that kleptography can be used to surreptitiously steal the users' secret signing keys, which are the most valuable and guarded secret in public blockchains. After losing their keys, users of cryptocurrencies will inevitably lose their funds. In addition, we clarify that steganography can be used to establish subliminal communication and secretly store arbitrary content in public blockchains, which turns them into cheap cyberlockers. Consequently, the participation in such blockchains, which are known to store unethical content, can be criminalized, hindering the future adoption of blockchains. After discussing the adverse effects of kleptographic and steganographic attacks on blockchains, we survey all of the existing techniques that can defend against these attacks. Finally, due to the shortcomings of the available techniques, we propose four counter- measures that ensure kleptography and steganography-resistant public blockchains. Our countermeasures include two new cryptographic primitives and a generic steganography- resistant blockchain framework (SRBF). This framework presents a universal solution that deters steganography and practically achieves the right to be forgotten (RtbF) in blockchains, which represents a regulatory challenge for current immutable blockchains. i Declaration I hereby declare that the work in this thesis has not been submitted for a degree at any other university. I also certify that the work is entirely my own, and where otherwise, it is duly acknowledged and clearly cited. Signature: Nasser Alsalami - October 26, 2020 ii Acknowledgement This work would not have been completed without the help and support of many persons, to whom I would like to express my most profound appreciation. First and foremost, I would like to express my sincere and utmost gratitude to my supervisors, Prof. Bingsheng Zhang and Dr Antonios Gouglidis. Prof. Zhang's continuous guidance has greatly helped me in every step of this course. His constructive criticism and positive feedback have taught me beyond the subject of our research. Dr Gouglidis has contributed massively to the final year of my Ph.D. His generosity with his time and effort, which isbeyond description, has always inspired me to do my best. I would also like to gratefully recognize the invaluable input and professional assistance of my postgraduate appraisal monitor Dr Alistair Brown. Besides, I wish to extend my gratitude to all of my colleagues in Security Lancaster and all of the staff in the School of Computing and Communications. Words fall short for expressing my heartfelt thanks to my parents, whose love and support have motivated me throughout my studies and career. They are the role model that I strive to follow for their perfect selflessness and countless sacrifices. Moreover, I wish to thank my two kids, Ahmed and Aseela, whose innocence and playfulness have not only kept me going but made each day of this journey more joyful. They have had to stay away from their grandparents, cousins, and relatives, at times felt lonely, and had to put up with their continuously busy parents. For all of this, I sincerely thank them and hope that they can benefit from their experience during this time. Last but not least, I would like to wholeheartedly thank my wife, Arwa, who has made this work possible with her genuine altruism, unparalleled sincerity, and true love. iii Publications [AZ20]: N. Alsalami and B. Zhang. Uncontrolled randomness in blockchains: Covert \bullet bulletin board for illicit activity. In 2020 IEEE/ACM International Symposium on Quality of Service (IWQoS), June 2020. [AZ19a]: N. Alsalami and B. Zhang. SoK: A systematic study of anonymity in \bullet cryptocurrencies. In 2019 IEEE Conference on Dependable and Secure Computing (DSC), pages 1{9, Nov 2019. [AZ19b]: N. Alsalami and B. Zhang. Utilizing public blockchains for censorship \bullet circumvention and IoT communication. In 2019 IEEE Conference on Dependable and Secure Computing (DSC), pages 1{7, Nov 2019. iv Table of Contents Abstract i Declaration ii Acknowledgement iii Publications iv List of Figures ix List of Tables xi 1 Introduction 1 1.1 Overview . 1 1.2 Motivations, Aims, and Objectives . 4 1.3 Contribution . 7 1.4 Thesis Structure . 10 2 Background 12 2.1 Notations . 12 2.2 Preliminary Concepts . 13 2.2.1 Cryptocurrencies . 13 2.2.2 Cryptocurrency wallets . 14 2.2.3 Pseudo-random functions (PRF) . 15 2.2.4 Collision-resistant hash functions (CRH) . 15 2.2.5 Encryption algorithms . 16 2.2.6 Digital signatures . 17 2.2.6.1 ECDSA . 18 2.2.6.2 Ring signature . 18 2.3 Related Work . 22 v 2.3.1 Kleptography . 22 2.3.2 Steganography . 27 2.3.3 Content insertion in blockchains . 29 3 Kleptography in Blockchains 32 3.1 Kleptography . 32 3.2 Significance of Kleptography in Blockchains . 36 3.3 Kleptographic Attack on Ring Signature . 39 3.3.1 Security of kleptographic attack on ring signature . 43 3.4 Kleptographic Attacks on ECDSA . 43 3.4.1 Kleptographic attack-1 on ECDSA: synthetic randomness . 44 3.4.2 Kleptographic attack-2 on ECDSA: rejection sampling . 46 3.4.3 Security of attacks on ECDSA . 46 3.5 Kleptographic Attack Scenarios . 47 3.6 Realization of Kleptographic Attacks . 48 3.6.1 Kleptographic attack on Bytecoin . 49 3.6.2 Kleptographic attack on Monero . 53 3.6.3 Demonstration of kleptography on ECDSA . 55 3.7 Summary . 57 4 Steganography in Blockchains 58 4.1 Steganography . 58 4.2 Steganography in Blockchains . 61 4.2.1 Steganography from kleptographic attacks . 62 4.2.2 Repercussions of steganography on blockchains . 64 4.2.3 Steganographic attack scenarios . 66 4.3 Covert Broadcast Communication in Blockchains . 67 4.3.1 System requirement . 68 4.3.2 System architecture . 68 4.3.3 Skywhisper broadcast encryption . 69 4.3.4 Skywhisper wallet . 71 4.3.5 System operation . 75 4.3.6 Performance and security of Skywhisper . 76 4.4 Summary of Steganography in Blockchains . 79 5 Existing Countermeasures 81 5.1 Kleptography-Resistant Techniques . 82 5.1.1 De-randomization of algorithms . 82 5.1.2 Cascading cryptosystems . 83 5.1.3 Software integrity . 83 vi 5.1.4 Synthetically-random cryptographic primitives . 84 5.1.5 VRFs and controlled randomness . 85 5.1.6 Split-program model . 86 5.1.7 Interactive warden . 87 5.1.8 Reverse firewalls (RF) . 87 5.1.9 Self-guarding protocols . 88 5.2 Current Blockchain-Focused Techniques . 90 5.2.1 Lightweight blockchains . 90 5.2.2 Prunable blockchains . 91 5.2.3 Redactable blockchains . 92 5.2.4 Fees, filters, and self-verifying addresses . 92 5.3 Summary . 93 6 Proposed Countermeasures 95 6.1 Re-randomizable Cryptographic Primitives . 95 6.1.1 Randomizable bilinear-pairing-based ring signature (RRS) . 97 6.2 Aggregate Signatures . 100 6.3 Randomizable and Aggregatable Signature (RAS) . 102 6.4 Steganography-Resistant Blockchain Framework . 104 6.5 Summary of Countermeasures . 109 7 Conclusion and Future Work 110 7.1 Conclusion . 110 7.2 Future Work . 113 Bibliography 115 Appendix A Privacy in Cryptocurrencies 135 A.1 Tiers of Anonymity in Cryptocurrencies . 135 A.2 Privacy Techniques in Cryptocurrencies . 136 A.2.1 Pseudonymous addressing . 136 A.2.2 Ring signatures . 139 A.2.3 Mixers . 140 A.2.4 Commitments . 141 A.2.5 Non-interactive zero-knowledge proofs . 142 A.2.6 Stealth addressing . 144 A.3 Summary of Privacy in Cryptocurrencies . 144 Appendix B Case study: Bytecoin Wallet Bug 146 vii Appendix C Security Proofs 148 C.1 Security proof of Theorem 3.1 . 148 C.2 Security proof of Skywhisper (Theorem 4.1) . 150 C.3 Security proof of RRS ..............................151 C.4 Proof of Dis-aggregation of BGLSAggregateSignature . 153 C.5 Security Proof of RAS ..............................154 viii List of Figures 1.1 Thesis roadmap . 10 2.1 ECDSA signature scheme . 18 2.2 CryptoNote ring signature . 20 3.1 Kleptography/ASA . 33 3.2 Kleptographic attack example: IV replacement . 33 3.3 Kleptography security experiment on subverted signatures . 35 3.4 Generic kleptographic attack on CryptoNote. 40 3.5 Ciphertext stealing CTS (CTR mode) . 41 3.6 Pseudo-code for a generic kleptographic attack on CryptoNote . 42 3.7 Kleptographic attack-1 on ECDSA ...................... 44 3.8 Kleptographic attack-2 on ECDSA ...................... 45 3.9 Subversion attack on crypto wallets .
Load more

Recommended publications
  • Bernhard Esslinger: Cryptool – Cryptography for the Masses
    CrypTool Cryptography for the masses Prof. Bernhard Esslinger (presentation layout done with some help from Gonzalo; pictures by pixabay) Cryptography everywhere … In the digital era, we are all cryptography consumers, whether we know it or not. Whenever we use the mobile telephone, withdraw money from an ATM, go shopping to an e-commerce site using SSL, or use a messenger, we are using cryptographic services which protect the confidentiality, integrity, and authenticity of our data. The world as we know it wouldn’t exist without cryptography. Cryptography challenges education Around all of us perceived as difficult lack of understanding curricula teachers need useful tools Context of Cryptography CrypTool today: 5 products version 1.x http://www.cryptool.org/en/cryptool1 http://www.cryptool.org/en/ct2 https://github.com/jcryptool/ http://www.cryptool-online.org http://www.mysterytwisterc3.org/ CrypTool Portal: website today JCrypTool: User presentation https://github.com/jcryptool/core/wiki/jcryptool_us er_presentation/jcryptool_presentation_en.pdf CrypTool 2: Sample screen CrypTool: founded 1998 like … • Attac, Paris • Google, Menlo Park • CrypTool, Frankfurt CrypTool 1: Two warnings • legal • worrywarts besides the warnings: CT1 still made it Playful learning Serious tool CrypTool can be used to visualize many concepts of cryptology: including digital signatures, symmetric, asymmetric and hybrid encryption, protocols, cryptanalysis, etc. CrypTool 1 package Self-contained Documentation (online help, readme, CTB, presentation; programs later website) Stories CrypTool 1 Self-contained programs Flash animations The Dialogue of the Sisters The Chinese Labyrinth There are two stories included dealing with number theory and cryptography: • In "The Dialogue of the Sisters" the title-role sisters use a variant of the RSA algorithm, in order to communicate securely.
    [Show full text]
  • Cryptology with Jcryptool V1.0
    www.cryptool.org Cryptology with JCrypTool (JCT) A Practical Introduction to Cryptography and Cryptanalysis Prof Bernhard Esslinger and the CrypTool team Nov 24th, 2020 JCrypTool 1.0 Cryptology with JCrypTool Agenda Introduction to the e-learning software JCrypTool 2 Applications within JCT – a selection 22 How to participate 87 JCrypTool 1.0 Page 2 / 92 Introduction to the software JCrypTool (JCT) Overview JCrypTool – A cryptographic e-learning platform Page 4 What is cryptology? Page 5 The Default Perspective of JCT Page 6 Typical usage of JCT in the Default Perspective Page 7 The Algorithm Perspective of JCT Page 9 The Crypto Explorer Page 10 Algorithms in the Crypto Explorer view Page 11 The Analysis tools Page 13 Visuals & Games Page 14 General operation instructions Page 15 User settings Page 20 Command line parameters Page 21 JCrypTool 1.0 Page 3 / 92 JCrypTool – A cryptographic e-learning platform The project Overview . JCrypTool – abbreviated as JCT – is a free e-learning software for classical and modern cryptology. JCT is platform independent, i.e. it is executable on Windows, MacOS and Linux. It has a modern pure-plugin architecture. JCT is developed within the open-source project CrypTool (www.cryptool.org). The CrypTool project aims to explain and visualize cryptography and cryptanalysis in an easy and understandable way while still being correct from a scientific point of view. The target audience of JCT are mainly: ‐ Pupils and students ‐ Teachers and lecturers/professors ‐ Employees in awareness campaigns ‐ People interested in cryptology. As JCT is open-source software, everyone is capable of implementing his own plugins.
    [Show full text]
  • Malicious Cryptography: Kleptographic Aspects
    Malicious Cryptography: Kleptographic Aspects Adam Young1 and Moti Yung2 1 Cigital Labs [email protected] 2 Dept. of Computer Science, Columbia University [email protected] Abstract. In the last few years we have concentrated our research ef- forts on new threats to the computing infrastructure that are the result of combining malicious software (malware) technology with modern cryp- tography. At some point during our investigation we ended up asking ourselves the following question: what if the malware (i.e., Trojan horse) resides within a cryptographic system itself? This led us to realize that in certain scenarios of black box cryptography (namely, when the code is inaccessible to scrutiny as in the case of tamper proof cryptosystems or when no one cares enough to scrutinize the code) there are attacks that employ cryptography itself against cryptographic systems in such a way that the attack possesses unique properties (i.e., special advantages that attackers have such as granting the attacker exclusive access to crucial information where the exclusive access privelege holds even if the Trojan is reverse-engineered). We called the art of designing this set of attacks “kleptography.” In this paper we demonstrate the power of kleptography by illustrating a carefully designed attack against RSA key generation. Keywords: RSA, Rabin, public key cryptography, SETUP, kleptogra- phy, random oracle, security threats, attacks, malicious cryptography. 1 Introduction Robust backdoor attacks against cryptosystems have received the attention of the cryptographic research community, but to this day have not influenced in- dustry standards and as a result the industry is not as prepared for them as it could be.
    [Show full text]
  • Tamper-Evident Digital Signatures: Protecting Certification Authorities
    Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Philippe Golle Markus Jakobsson Dept. of Computer Science Palo Alto Research Center School of Informatics Indiana Univ. at Bloomington 3333 Coyote Hill Rd Indiana Univ. at Bloomington Bloomington, IN 47405 Palo Alto, CA 94304 Bloomington, IN 47408 Abstract The threat of covert channels (also called subliminal channels) was first studied by Simmons [18, 19] and later We introduce the notion of tamper-evidence for digi- by, among others, Young and Yung [23, 24]. These authors tal signature generation in order to defend against attacks show how an attacker may leak bits of the private signing aimed at covertly leaking secret information held by cor- key in covert channels present in the randomized key gen- rupted signing nodes. This is achieved by letting observers eration or signing algorithm. For the sake of concreteness, (which need not be trusted) verify the absence of covert let us consider the RSA-PSS signature scheme (known as channels by means of techniques we introduce herein. We RSA's Probabilistic Signature Scheme [7]) as an example. call our signature schemes tamper-evident since any de- The message encoding scheme of RSA-PSS specifies that viation from the protocol is immediately detectable. We the hash of the message to be signed be concatenated with demonstrate our technique for the RSA-PSS (known as a random octet string known as a “salt”. A malicious im- RSA’s Probabilistic Signature Scheme) and DSA signature plementation of RSA-PSS may choose bits of the private schemes and show how the same technique can be ap- key for the salt, instead of a value produced by the pseudo- plied to the Schnorr and Feige-Fiat-Shamir (FFS) signature random number generator.
    [Show full text]
  • Elliptic Curve Kleptography
    IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.6, June 2010 183 Elliptic Curve Kleptography Elsayed Mohamed and Hassan Elkamchouchi Alexandria University, Alexandria, Egypt Summary This paper presents an approach to mount secretly embedded • Elliptic Curve Diffie-Hellman Problem (ECDHP) trapdoor with universal protection (SETUP) attacks on the elliptic curve discrete logarithm problem. The new approach Given a point P of order n in an elliptic curve E over a allows the attacker to obtain the secret key of a cryptographic finite field Fp and two points kP and lP where 0 ≤ k, l ≤ n device covertly. The attack demonstrates the manufacturer’s −1, the ECDHP is to find the point ( k × l × P ). This ability to embed a hidden trapdoor in cryptographic black-box problem is used in the elliptic curve Diffie-Hellman key devices used for key exchange. A contaminated device behaves exactly like an honest one while actually leaking the user’s secret exchange algorithm. key only to the attacker. The attacker can then use that secret key to decrypt all the subsequent communications. • Elliptic Curve Key Exchange Key words: Elliptic Curve Cryptography, Kleptography, Subliminal Channel, Suppose that users A and B want to agree upon a key that SETUP they will use with a symmetric-key cryptosystem. They choose an elliptic curve E defined over a finite field Fp. Users A and B now construct their public keys from a 1. Introduction randomly chosen and agreed upon point G lying on the elliptic curve E. E, Fp and G are made public.
    [Show full text]
  • Integrity, Authentication and Confidentiality in Public-Key Cryptography Houda Ferradi
    Integrity, authentication and confidentiality in public-key cryptography Houda Ferradi To cite this version: Houda Ferradi. Integrity, authentication and confidentiality in public-key cryptography. Cryptography and Security [cs.CR]. Université Paris sciences et lettres, 2016. English. NNT : 2016PSLEE045. tel- 01745919 HAL Id: tel-01745919 https://tel.archives-ouvertes.fr/tel-01745919 Submitted on 28 Mar 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE DE DOCTORAT de l’Université de recherche Paris Sciences et Lettres PSL Research University Préparée à l’École normale supérieure Integrity, Authentication and Confidentiality in Public-Key Cryptography École doctorale n◦386 Sciences Mathématiques de Paris Centre Spécialité Informatique COMPOSITION DU JURY M. FOUQUE Pierre-Alain Université Rennes 1 Rapporteur M. YUNG Moti Columbia University et Snapchat Rapporteur M. FERREIRA ABDALLA Michel Soutenue par Houda FERRADI CNRS, École normale supérieure le 22 septembre 2016 Membre du jury M. CORON Jean-Sébastien Université du Luxembourg Dirigée par
    [Show full text]
  • Malicious Cryptography Exposing Cryptovirology
    Malicious Cryptography Exposing Cryptovirology Adam Young Moti Yung Wiley Publishing, Inc. Malicious Cryptography Malicious Cryptography Exposing Cryptovirology Adam Young Moti Yung Wiley Publishing, Inc. Executive Publisher: Robert Ipsen Executive Editor: Carol A. Long Developmental Editor: Eileen Bien Calabro Editorial Manager: Kathryn A. Malm Production Manager: Fred Bernardi This book is printed on acid-free paper. Copyright c 2004 by Adam Young and Moti Yung. All rights reserved. Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system, or trans- mitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clear- ance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: [email protected]. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specif- ically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials.
    [Show full text]
  • Post-Quantum Cryptography: Prime Questions = Primary Questions
    Post-Quantum Cryptography: prime questions = primary questions Áron SZABÓ Hacktivity 2015 Budapest October 9, 2015 1 E-Group, https://www.egroup.hu/ About present and future 2 E-Group, https://www.egroup.hu/ About present and future Post-Quantum Cryptography: classical computers and quantum computers mathematics of cryptographic primitives and algorithms • MD5 collisions: Flame, modified signed Windows updates implementations of cryptographic primitives and algorithms • kleptography: Dual_EC_DRBG (PRNG) • entropy: Android JCA (Bitcoin ECDSA), OpenSSL (PRNG) • usage: ECDSA (Sony PlayStation 3) SSL/TLS: ECDHE vs. RSA(PRNG vs. PFS) • code audits: TrueCrypt 3 E-Group, https://www.egroup.hu/ About present and future 4 E-Group, https://www.egroup.hu/ About present and future 5 E-Group, https://www.egroup.hu/ About present and future Post-Quantum Cryptography: classical computers and quantum computers behaviours of cryptographic primitives and algorithms • superposition: classical computer vs. quantum computers • adiabatic qc: D-Wave Systems (sold to e.g. Lockheed Martin) 6 E-Group, https://www.egroup.hu/ About security levels Post-Quantum Cryptography: classical computers and quantum computers „Imagine that it's fifteen years from now. Somebody announces that he's built a large quantum computer. RSA is dead. DSA is dead. Elliptic curves, hyperelliptic curves, class groups, whatever, dead, dead, dead. So users are going to run around screaming and say 'Oh my God, what do we do?' Well, we still have secret-key cryptography, and we still have some public-key systems. There's hash trees. There's NTRU. There's McEliece. There's multivariate-quadratic systems.” http://pqcrypto.org/ OK, but why? Shor’s algorithm (finding order of a group) and Grover’s algorithm runs faster..
    [Show full text]
  • Нацiональний Авiацiйний Унiверситет Мiнiстерство Освiти I Науки України
    Нацiональний авiацiйний унiверситет Мiнiстерство освiти i науки України Квалiфiкацiйна наукова праця на правах рукопису КОВАЛЕНКО Богдан Анатолiйович УДК 004.056.55 ДИСЕРТАЦIЯ Методи побудови та оцiнки стiйкостi клептографiчних механiзмiв у гiбридних криптосистемах Спецiальнiсть 05.13.21 – Системи захисту iнформацiї Технiчнi науки Подається на здобуття наукового ступеня кандидата технiчних наук Дисертацiя мiстить результати власних дослiджень. Використання iдей, результатiв i текстiв iнших авторiв мають посилання на вiдповiдне джерело Коваленко Б.А. Науковий керiвник: Кудiн Антон Михайлович, доктор технiчних наук, старший науковий спiвробiтник, професор кафедри Київ 2020 Анотацiя Коваленко Б.А. Методи побудови та оцiнки стiйкостi клепто- графiчних механiзмiв у гiбридних криптосистемах. – Квалiфiкацiйна наукова праця на правах рукопису. Дисертацiя на здобуття наукового ступеня кандидата технiчних наук (доктора фiлософiї) за спецiальнiстю 05.13.21 ¾Системи захисту iнформацiї¿. – Нацiональний авiацiйний унiверситет, Мiнiстерство освiти i науки України, Київ, 2020. У дисертацiї розв’язано актуальну наукову задачу розробки методу побудови криптосистем з доведеною вiдсутнiстю клептографiчної модифiкацiї, а також оцiнцi клептографiчних ризикiв криптопримiтивiв на етапi їх стандартизацiї i впровадження. Метою робити є пiдвищення рiвня захищеностi гiбридних криптосистем шляхом зменшення клептографiчних ризикiв через запропонованi методи побудови протоколiв з доведеною вiдсутнiстю клептографiчних каналiв витоку секрету, методи оцiнки ризикiв наявностi
    [Show full text]
  • Control and Cybernetics Lightweight Digital Signature with Secretly
    Control and Cybernetics vol. 42 (2013) No. 4 Lightweight digital signature with secretly embedded warning∗† by Mirosław Kutyłowski and Przemysław Kubiak Institute of Mathematics and Computer Science Wrocław University of Technology ul. Wybrzeże Wyspiańskiego 27, 50-370 Wrocław, Poland {miroslaw.kutylowski; przemyslaw.kubiak}@pwr.wroc.pl Abstract: We show how a signatory can indicate coercion by embedding a secret message into the signature. Our scheme is prac- tical and applies to standard signature schemes unlike the recent construction of Durnoga et al. (2013). The construction follows di- rectly from kleptographic techniques due to Moti Yung and Adam Young. Keywords: coercion, digital signature, kleptography, funkspiel 1. Introduction We address the problem of coercing an owner of a signature creation device to sign a document. The idea is that the owner uses a coercion PIN and the device creates a signature, which is indistinguishable from the regular one – at least from the point of view of the coercer, but at the same time contains a secret warning. A scheme satisfying these requirements has been proposed in Durnoga et al. (2013). However, this scheme is quite inefficient in terms of computational complexity and incompatible with the signature schemes used in practice. In this note we propose a fairly simple solution to the same problem based on techniques from Young and Yung (1997) (also related to the funkspiel tech- niques, Håstad et al., 2000). It applies to any signature scheme based on the Discrete Logarithm Problem, where we compute r := gk for a k chosen at ran- dom, and either r is explicitly given or can be reconstructed from the final signature.
    [Show full text]
  • Nizks with an Untrusted CRS: Security in the Face of Parameter Subversion
    NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion Mihir Bellare1, Georg Fuchsbauer2, and Alessandra Scafuro3 1 Department of Computer Science & Engineering, University of California San Diego, USA. [email protected] 2 Inria, Ecole Normale Sup´erieure, CNRS and PSL Research University, Paris, France. [email protected]. 3 Department of Computer Science , North Carolina State University, USA. [email protected]. Abstract. Motivated by the subversion of \trusted" public parameters in mass-surveillance activities, this paper studies the security of NIZKs in the presence of a maliciously chosen common reference string. We provide definitions for subversion soundness, subversion witness indis- tinguishability and subversion zero knowledge. We then provide both negative and positive results, showing that certain combinations of goals are unachievable but giving protocols to achieve other combinations. 1 Introduction The summer of 2013 brought shocking news of mass surveillance being conducted by the NSA and its counter-parts in other countries. The documents revealed new ways in which the adversary compromises security, ways not covered by standard models and definitions in cryptography. This opens up a new research agenda, namely to formalize security goals that defend against these novel attacks, and study the achievability of these goals. This agenda is being pursued along several fronts. The front we pursue here is parameter subversion, namely the compromise of security by the malicious creation of supposedly trusted public parameters for cryptographic systems. The representative example is the Dual EC random number generator (RNG). Dual EC. Dual EC is an NSA-designed, elliptic-curve-based random number generator, standardized as NIST SP 800-90 and ANSI X9.82.
    [Show full text]
  • Kleptography Trapdoor Free Cryptographic Protocols
    Kleptography trapdoor free cryptographic protocols Bohdan Kovalenko1 and Anton Kudin2 1 National technical University of Ukraine ”KPI”, Kyiv, Ukraine, [email protected] 2 National Bank of Ukraine, [email protected] Abstract. Context. Methods of known kleptography implementations are being investigated. The article focuses mostly on SETUP design of subliminal data leakage channels. Aim. Suggest approach to develop SETUP resistant cryptosystems. Methods. The necessary conditions for SETUP implementation is building in entropy source (otherwise generated secret will be predictable). In this article it’s considered subscriber whose protocol implementation is suspected to be modified by Developer (malicious actor who is able to influence on cryptosystem implementation) to create subliminal leakage channel. Possible countermeasure is to prohibit usage own random sources for subscribers, enforce generate random values from public counters. Results. Formal model for basic SETUP scheme has been suggested. Approach to develop of SETUP resistant protocols has been described. Two basic SETUP- resistance protocols (nonce generation protocol and Diffie-Hellman key agreement protocol) have been proposed. Keywords: kleptography, SETUP, subliminal channel, secret leakage, DLP Introduction The ”kleptography” term was proposed by Adam Young and Moti Yung in 1996 [YY96]. Kleptography covers methods of implementation so-called ”back-doors” or ”subliminal channels” in cryptosystems that allow Developers to access certain secret information from customer’s cryptosystem. Developer is a kind of malicious actor who is able to make changes (illegally) into some parts of cryptosystem implementations. In general, by the level of construction, it is possible to distinguish two classes of kleptography mechanisms: embedded at the cryptosystem design stage or back-doors injection into the existing cryptosystem or protocol.
    [Show full text]