DOI: 10.1007/978-3-319-96881-0_9
Article

Correcting Subverted Random Oracles

Published: 19 August 2018

    Abstract

    The random oracle methodology has proven to be a powerful tool for designing and reasoning about cryptographic schemes, and can often act as an effective bridge between theory and practice. In this paper, we focus on the basic problem of correcting faulty—or adversarially corrupted—random oracles, so that they can be confidently applied for such cryptographic purposes.
    We prove that a simple construction can transform a “subverted” random oracle—which disagrees with the original one at a negligible fraction of inputs—into a construction that is indifferentiable from a random function. Our results permit future designers of cryptographic primitives in typical kleptographic settings (i.e., with adversaries who may subvert the implementation of cryptographic algorithms in ways that are undetectable via black-box testing) to use random oracles as a trusted black box, in spite of not trusting the implementation. Our analysis relies on a general rejection re-sampling lemma, a tool of possible independent interest.




    Published In

    Advances in Cryptology – CRYPTO 2018: 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part II
    Aug 2018, 805 pages
    ISBN: 978-3-319-96880-3
    DOI: 10.1007/978-3-319-96881-0

    Publisher

    Springer-Verlag, Berlin, Heidelberg


    Author Tags

    1. Random Oracle
    2. Public Randomness
    3. Indifferentiability Framework
    4. Primitive Ideals
    5. Oracle Access



    Cited By

    • (2024) Subverting Cryptographic Protocols from a Fine-Grained Perspective: A Case Study on 2-Party ECDSA. Information Security and Privacy, pp. 370–390. DOI: 10.1007/978-981-97-5028-3_19. Online publication date: 15-Jul-2024
    • (2024) Subversion-Resilient Signatures Without Random Oracles. Applied Cryptography and Network Security, pp. 351–375. DOI: 10.1007/978-3-031-54770-6_14. Online publication date: 5-Mar-2024
    • (2023) Subversion Resilient Hashing: Efficient Constructions and Modular Proofs for Crooked Indifferentiability. IEEE Transactions on Information Theory 69(5), pp. 3302–3315. DOI: 10.1109/TIT.2023.3238115. Online publication date: 1-May-2023
    • (2023) Practical Algorithm Substitution Attacks on Real-World Public-Key Cryptosystems. IEEE Transactions on Information Forensics and Security 18, pp. 5069–5081. DOI: 10.1109/TIFS.2023.3304124. Online publication date: 1-Jan-2023
    • (2023) Immunizing Backdoored PRGs. Theory of Cryptography, pp. 153–182. DOI: 10.1007/978-3-031-48621-0_6. Online publication date: 29-Nov-2023
    • (2023) Subversion-Resilient Authenticated Encryption Without Random Oracles. Applied Cryptography and Network Security, pp. 460–483. DOI: 10.1007/978-3-031-33491-7_17. Online publication date: 19-Jun-2023
    • (2021) Crooked Indifferentiability of Enveloped XOR Revisited. Progress in Cryptology – INDOCRYPT 2021, pp. 73–92. DOI: 10.1007/978-3-030-92518-5_4. Online publication date: 12-Dec-2021
    • (2021) Subversion-Resilient Public Key Encryption with Practical Watchdogs. Public-Key Cryptography – PKC 2021, pp. 627–658. DOI: 10.1007/978-3-030-75245-3_23. Online publication date: 10-May-2021
    • (2020) Subvert KEM to Break DEM: Practical Algorithm-Substitution Attacks on Public-Key Encryption. Advances in Cryptology – ASIACRYPT 2020, pp. 98–128. DOI: 10.1007/978-3-030-64834-3_4. Online publication date: 7-Dec-2020
    • (2019) Public Immunization Against Complete Subversion Without Random Oracles. Applied Cryptography and Network Security, pp. 465–485. DOI: 10.1007/978-3-030-21568-2_23. Online publication date: 5-Jun-2019
