Article
DOI: 10.5555/646761.706030

The Dark Side of "Black-Box" Cryptography, or: Should We Trust Capstone?

Published: 18 August 1996

Abstract

The use of cryptographic devices as "black boxes", namely trusting their internal designs, has been suggested, and in fact Capstone technology is offered as a next-generation hardware-protected escrow encryption technology. Software cryptographic servers and programs are being offered as well, for use as library functions, as cryptography becomes more and more prevalent in computing environments. The question we address in this paper is how the usage of cryptography as a black box exposes users to various threats and attacks that are undetectable in a black-box environment. We present the SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanism, which can be embedded in a cryptographic black-box device. It enables an attacker (the manufacturer) to obtain the user's secret (from some stage of the output process of the device) in an unnoticeable fashion, yet protects against attacks by others and against reverse engineering (thus maintaining the relative advantage of the actual attacker). We also show how the SETUP can, in fact, be employed for the design of "auto-escrowing key" systems. We present embeddings of SETUPs in RSA, El-Gamal, DSA, and private key systems (Kerberos). We implemented an RSA key-generation based SETUP that performs favorably when compared to PGP, a readily available RSA implementation. We also relate message-based SETUPs and subliminal channel attacks. Finally, we reflect on the potential implications of "trust management" in the context of the design and production of cryptosystems.



Published In

CRYPTO '96: Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
August 1996
415 pages
ISBN:3540615121

Publisher

Springer-Verlag

Berlin, Heidelberg

Cited By

  • (2017) On the Impossibility of Cryptography with Tamperable Randomness. Algorithmica 79(4), pages 1052-1101. DOI 10.1007/s00453-016-0219-7. Online publication date: 1 Dec 2017.
  • (2016) Information Hiding in the RSA Modulus. Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security, pages 159-167. DOI 10.1145/2909827.2930804. Online publication date: 20 Jun 2016.
  • (2016) NIZKs with an Untrusted CRS. Proceedings, Part II, of the 22nd International Conference on Advances in Cryptology (ASIACRYPT 2016), Volume 10032, pages 777-804. DOI 10.1007/978-3-662-53890-6_26. Online publication date: 4 Dec 2016.
  • (2016) Cliptography. Proceedings, Part II, of the 22nd International Conference on Advances in Cryptology (ASIACRYPT 2016), Volume 10032, pages 34-64. DOI 10.1007/978-3-662-53890-6_2. Online publication date: 4 Dec 2016.
  • (2015) Mass-surveillance without the State. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1431-1440. DOI 10.1145/2810103.2813681. Online publication date: 12 Oct 2015.
  • (2015) Subversion-Resilient Signature Schemes. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 364-375. DOI 10.1145/2810103.2813635. Online publication date: 12 Oct 2015.
  • (2015) Cryptography as an Attack Technology. LNCS Essays on The New Codebreakers, Volume 9100, pages 243-255. DOI 10.1007/978-3-662-49301-4_16. Online publication date: 1 Nov 2015.
  • (2010) A threat analysis of prêt à voter. Towards Trustworthy Elections, pages 200-215. DOI 10.5555/2167913.2167925. Online publication date: 1 Jan 2010.
  • (2010) Kleptography from standard assumptions and applications. Proceedings of the 7th International Conference on Security and Cryptography for Networks, pages 271-290. DOI 10.5555/1885535.1885562. Online publication date: 13 Sep 2010.
  • (2010) Hardware trojans for inducing or amplifying side-channel leakage of cryptographic software. Proceedings of the Second International Conference on Trusted Systems, pages 253-270. DOI 10.1007/978-3-642-25283-9_17. Online publication date: 13 Dec 2010.
