Security of Symmetric Encryption against Mass Surveillance

  • Mihir Bellare
  • Kenneth G. Paterson
  • Phillip Rogaway
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8616)


Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of “big brother” is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.
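As an added illustration of the abstract's closing point (this is not code from the paper; the toy HMAC-SHA256 counter-mode cipher below is an assumption standing in for any real scheme): with a deterministic, stateful scheme a user can recompute what the ciphertext must be and compare it bit for bit with what a black-box implementation produced, so any deviation is detectable, whereas with a randomized, stateless scheme two honest runs already disagree, so that comparison has no power.

```python
# Added illustration, not the paper's code. Toy deterministic scheme (assumption):
# keystream = HMAC-SHA256(key, nonce || block counter), ciphertext = nonce || msg XOR keystream.
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        data = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, data, hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt_deterministic(key: bytes, nonce: int, msg: bytes) -> bytes:
    # Output is a pure function of (key, state, message): nothing is left to chance.
    ks = keystream(key, nonce, len(msg))
    return nonce.to_bytes(8, "big") + bytes(a ^ b for a, b in zip(msg, ks))

def decrypt_deterministic(key: bytes, ct: bytes) -> bytes:
    nonce = int.from_bytes(ct[:8], "big")
    ks = keystream(key, nonce, len(ct) - 8)
    return bytes(a ^ b for a, b in zip(ct[8:], ks))

def encrypt_randomized(key: bytes, msg: bytes) -> bytes:
    # Randomized, stateless variant: a fresh random IV replaces the counter.
    iv = int.from_bytes(os.urandom(8), "big")
    return encrypt_deterministic(key, iv, msg)

def check_black_box(reference, candidate, key: bytes, msgs) -> bool:
    """Feed the same key and message sequence (nonce = message index, i.e. the
    shared state) to a trusted reference and to the implementation under test.
    For a deterministic scheme any mismatch proves the candidate deviates."""
    return all(reference(key, n, m) == candidate(key, n, m) for n, m in enumerate(msgs))

def flip_last_bit(encrypt):
    # Constructed stand-in for an implementation whose output differs from the
    # reference in a single bit; the check must catch even this much.
    def wrapped(key, nonce, msg):
        ct = encrypt(key, nonce, msg)
        return ct[:-1] + bytes([ct[-1] ^ 1])
    return wrapped

def randomized_outputs_agree(key: bytes, msg: bytes) -> bool:
    # Two honest runs of the randomized scheme differ with overwhelming probability,
    # so a user has no reference value to compare a black box against.
    return encrypt_randomized(key, msg) == encrypt_randomized(key, msg)
```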





Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Mihir Bellare (1)
  • Kenneth G. Paterson (2)
  • Phillip Rogaway (3)
  1. Dept. of Computer Science and Engineering, University of California San Diego, USA
  2. Information Security Group, Royal Holloway, University of London, UK
  3. Dept. of Computer Science, University of California Davis, USA
