
Unifying Kleptographic Attacks

Conference paper. Secure IT Systems (NordSec 2018).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11252)

Abstract

We present two simple backdoors that can be implemented into Maurer’s unified zero-knowledge protocol [22]. Thus, we show that a high level abstraction can replace individual backdoors embedded into protocols for proving knowledge of a discrete logarithm (e.g. the Schnorr and Girault protocols), protocols for proving knowledge of an \(e^{th}\)-root (e.g. the Fiat-Shamir and Guillou-Quisquater protocols), protocols for proving knowledge of a discrete logarithm representation (e.g. the Okamoto protocol) and protocols for proving knowledge of an \(e^{th}\)-root representation.


Notes

  1. A black-box is a device, process or system whose inputs and outputs are known, but whose internal structure or working is not known or accessible to the user (e.g. tamper-proof devices).
  2. That implements the mechanisms to recover the keys.
  3. Associated with her identity.
  4. For systems based on discrete logarithm representations a backdoor was described in [31].
  5. We refer the reader to Appendix A for a definition of the concept.
  6. At least 2048 bits, better 3072 bits.
  7. At least 192 bits, better 256 bits.
  8. Peggy sends t, Victor sends c, Peggy sends r.
  9. If Peggy knows her secret she is able to detect the SETUP mechanism using its description and parameters (found by means of reverse engineering a black-box, for example).
  10. As in Definition 5.
  11. This proof can be seen as a more efficient version of a proposal made by Chaum et al. [8].
  12. See Remark 1.
  13. Not only the ones obtained using the Fiat-Shamir transform.

References

  1. Abdalla, M., Bellare, M., Rogaway, P.: DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem. IACR Cryptology ePrint Archive 1999/7 (1999)
  2. Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: ACM-CCS 2015, pp. 364–375. ACM (2015)
  3. Ball, J., Borger, J., Greenwald, G.: Revealed: How US and UK Spy Agencies Defeat Internet Privacy and Security. The Guardian 6 (2013)
  4. Bellare, M., Jaeger, J., Kane, D.: Mass-Surveillance without the state: strongly undetectable algorithm-substitution attacks. In: ACM-CCS 2015, pp. 1431–1440. ACM (2015)
  5. Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1
  6. Bellare, M., Rogaway, P.: Minimizing the use of random oracles in authenticated encryption schemes. In: Han, Y., Okamoto, T., Qing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 1–16. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0028457
  7. Berndt, S., Liśkiewicz, M.: Algorithm substitution attacks from a steganographic perspective. In: ACM-CCS 2017, pp. 1649–1660. ACM (2017)
  8. Chaum, D., Evertse, J.-H., van de Graaf, J.: An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In: Chaum, D., Price, W.L. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 127–141. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-39118-5_13
  9. Checkoway, S., et al.: A systematic analysis of the Juniper dual EC Incident. In: ACM-CCS 2016, pp. 468–479. ACM (2016)
  10. Checkoway, S., et al.: On the Practical Exploitability of Dual EC in TLS Implementations. In: USENIX Security Symposium, pp. 319–335. USENIX Association (2014)
  11. Crépeau, C., Slakmon, A.: Simple backdoors for RSA key generation. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 403–416. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_28
  12. Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5
  13. Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_30
  14. Feige, U., Fiat, A., Shamir, A.: Zero-Knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988)
  15. Fiat, A., Shamir, A.: How To prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
  16. Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A Kilobit hidden SNFS discrete logarithm computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 202–231. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_8
  17. Gennaro, R., Krawczyk, H., Rabin, T.: Secure hashed Diffie-Hellman over Non-DDH groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 361–381. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_22
  18. Girault, M.: An identity-based identification scheme based on discrete logarithms modulo a composite number. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 481–486. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46877-3_44
  19. Gordon, D.M.: Designing and detecting trapdoors for discrete log cryptosystems. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 66–75. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_5
  20. Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., Brauer, W., Brinch Hansen, P., Gries, D., Luckham, D., Moler, C., Pnueli, A., Seegmüller, G., Stoer, J., Wirth, N., Günther, C.G. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_11
  21. Maimuţ, D., Teşeleanu, G.: Secretly embedding trapdoors into contract signing protocols. In: Farshim, P., Simion, E. (eds.) SecITC 2017. LNCS, vol. 10543, pp. 166–186. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69284-5_12
  22. Maurer, U.: Unifying zero-knowledge proofs of knowledge. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 272–286. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_17
  23. McCurley, K.: A key distribution system equivalent to factoring. J. Cryptol. 1(2), 95–105 (1988)
  24. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM (JACM) 51(2), 231–262 (2004)
  25. Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_3
  26. Perlroth, N., Larson, J., Shane, S.: NSA Able to Foil Basic Safeguards of Privacy on Web. The New York Times, 5 (2013)
  27. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of Kleptographic attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 34–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_2
  28. Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Generic Semantic Security against a Kleptographic Adversary. In: ACM-CCS 2017, pp. 907–922. ACM (2017)
  29. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
  30. Shoup, V.: Sequences of Games: A Tool for Taming Complexity in Security Proofs. IACR Cryptology ePrint Archive 2004/332 (2004)
  31. Teşeleanu, G.: Threshold Kleptographic Attacks on Discrete Logarithm Based Signatures. IACR Cryptology ePrint Archive 2017/953 (2017)
  32. Young, A., Yung, M.: The dark side of “Black-Box” cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_8
  33. Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_6
  34. Young, A., Yung, M.: The prevalence of kleptographic attacks on discrete-log based cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 264–276. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052241
  35. Young, A., Yung, M.: Malicious Cryptography: Exposing Cryptovirology. Wiley, Indianapolis (2004)
  36. Young, A., Yung, M.: Malicious cryptography: kleptographic aspects. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 7–18. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_2


Acknowledgements

The dissemination of this work is funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 692178.

Author information

Correspondence to George Teşeleanu.

A Additional Preliminaries

Definition 6

(Computational Diffie-Hellman, CDH). Let \(\mathbb D\) be a cyclic group of order q, d a generator of \(\mathbb D\), and let A be a probabilistic polynomial-time algorithm (PPT algorithm) that returns an element of \(\mathbb D\). We define the advantage

If \({ADV}_{\mathbb D, d}^{\textsc {cdh}}(A)\) is negligible for any PPT algorithm A, we say that the Computational Diffie-Hellman problem is hard in \(\mathbb D\).

Definition 7

(Decisional Diffie-Hellman, DDH). Let \(\mathbb D\) be a cyclic group of order q and d a generator of \(\mathbb D\). Let A be a PPT algorithm which returns 1 on input \((d^x, d^y, d^z)\) if it believes \(d^{xy} = d^z\). We define the advantage

If \({ADV}_{\mathbb D, d}^{\textsc {ddh}}(A)\) is negligible for any PPT algorithm A, we say that the Decisional Diffie-Hellman problem is hard in \(\mathbb D\).
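Definition 7 leaves the group \(\mathbb D\) open, and whether DDH is hard depends entirely on that choice. The following Python script is an added illustration, not code from the paper: it instantiates the algorithm A of Definition 7 with the classic Legendre-symbol test (the Legendre symbol is multiplicative, so \(d^{xy}\) is a square modulo p exactly when \(d^x\) or \(d^y\) is) and computes \({ADV}^{\textsc{ddh}}_{\mathbb D, d}(A)\) exactly by enumerating every exponent triple, rather than estimating it by sampling. The parameters are constructed for size: p = 23, with d = 5 generating all of \(\mathbb Z_{23}^*\) (even order 22) and d = 2 generating its prime-order subgroup of order 11. In the full group the advantage is 1/2, i.e. DDH is broken; in the prime-order subgroup every element is a square and the same A has advantage 0, which is why discrete-logarithm protocols are run in a prime-order subgroup of the sizes suggested in the paper's footnotes.

```python
"""
Added example (not from the paper): the DDH distinguisher of Definition 7,
exercised in two small constructed groups so that its advantage can be
computed exactly by enumeration instead of estimated by sampling.
"""
from fractions import Fraction


def is_quadratic_residue(a, p):
    """Euler's criterion: a is a square mod the odd prime p iff a^((p-1)/2) == 1."""
    return pow(a, (p - 1) // 2, p) == 1


def cyclic_group(d, p):
    """Return [d^0, d^1, ..., d^(q-1)] mod p, the group D generated by d.
    Its order q is len(result); the list index of an element is its discrete log."""
    elements, h = [], 1
    while True:
        elements.append(h)
        h = h * d % p
        if h == 1:
            return elements


def legendre_distinguisher(dx, dy, dz, p):
    """The PPT algorithm A of Definition 7, instantiated with the Legendre test.
    Because the Legendre symbol is multiplicative, d^(xy) is a square iff
    d^x or d^y is a square. A outputs 1 ('looks like a DH triple') iff dz
    has exactly the square-ness that rule predicts for d^(xy)."""
    predicted_square = is_quadratic_residue(dx, p) or is_quadratic_residue(dy, p)
    return int(is_quadratic_residue(dz, p) == predicted_square)


def ddh_advantage(d, p, A=legendre_distinguisher):
    """Exact ADV^ddh_{D,d}(A) = |Pr[A(d^x, d^y, d^xy) = 1] - Pr[A(d^x, d^y, d^z) = 1]|
    with x, y, z uniform in Z_q, computed by enumerating every exponent triple."""
    elements = cyclic_group(d, p)
    q = len(elements)
    real_hits = 0      # counted over the q^2 pairs (x, y)
    random_hits = 0    # counted over the q^3 triples (x, y, z)
    for x in range(q):
        for y in range(q):
            dx, dy = elements[x], elements[y]
            real_hits += A(dx, dy, elements[x * y % q], p)   # genuine DH triple
            for z in range(q):
                random_hits += A(dx, dy, elements[z], p)     # random third element
    pr_real = Fraction(real_hits, q * q)
    pr_random = Fraction(random_hits, q ** 3)
    return abs(pr_real - pr_random)


if __name__ == "__main__":
    P = 23  # constructed toy prime; real parameters are thousands of bits
    # 5 generates all of Z_23^* (order 22): half the elements are non-squares,
    # so the Legendre test predicts the square-ness of d^xy perfectly.
    print("full group Z_23^*, d=5   :", ddh_advantage(5, P))   # 1/2
    # 2 = 5^2 generates the prime-order-11 subgroup: every element is a square,
    # so the same distinguisher learns nothing.
    print("order-11 subgroup, d=2   :", ddh_advantage(2, P))   # 0
```

The exact figures fall out of the structure: on a genuine triple the prediction is always right, while on a random triple \(d^z\) is a square with probability exactly 1/2 in the full group (11 of the 22 elements) and with probability 1 in the subgroup, giving advantages 1/2 and 0 respectively.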

Definition 8

(Entropy Smoothing, ES). Let \(\mathbb D\) be a cyclic group of order q, \(\mathcal {K}\) the key space and \(\mathcal {H} = \{h_i\}_{i\in \mathcal {K}}\) a family of keyed hash functions, where each \(h_i\) maps \(\mathbb D\) to \(\mathbb E\), where \(\mathbb E\) is a group. Let A be a PPT algorithm which returns 1 on input \((i, y)\) if it believes \(y = h_i(z)\), where z is chosen at random from \(\mathbb D\). Also, let We define the advantage

If \({ADV}_{\mathcal {H}}^{\textsc {es}}(A)\) is negligible for any PPT algorithm A, we say that \(\mathcal {H}\) is Entropy Smoothing.

Remark 7

In [13], the authors prove that the CBC-MAC, HMAC and Merkle-Damgård constructions satisfy the above definition, as long as the underlying primitives satisfy some security properties.

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Teşeleanu, G. (2018). Unifying Kleptographic Attacks. In: Gruschka, N. (ed.) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science, vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_5

  • DOI: https://doi.org/10.1007/978-3-030-03638-6_5
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-03637-9
  • Online ISBN: 978-3-030-03638-6