Cliptography: Clipping the Power of Kleptographic Attacks

  • Alexander Russell
  • Qiang Tang
  • Moti Yung
  • Hong-Sheng Zhou
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10032)


Kleptography, introduced 20 years ago by Young and Yung [Crypto ’96], considers the (in)security of malicious implementations (or instantiations) of standard cryptographic primitives that may embed a “backdoor” into the system. Remarkably, crippling subliminal attacks are possible even if the subverted cryptosystem produces output indistinguishable from a truly secure “reference implementation.” Bellare, Paterson, and Rogaway [Crypto ’14] recently initiated a formal study of such attacks on symmetric key encryption algorithms, demonstrating that kleptographic attacks can be mounted in broad generality against randomized components of cryptographic systems.

We enlarge the scope of current work on the problem by permitting adversarial subversion of (randomized) key generation; in particular, we initiate the study of cryptography in the complete subversion model, where all relevant cryptographic primitives are subject to kleptographic attacks. We construct secure one-way permutations and trapdoor one-way permutations in this “complete subversion” model, describing a general, rigorous immunization strategy to clip the power of kleptographic subversions. Our strategy can be viewed as a formal treatment of the folklore “nothing up my sleeve” wisdom in cryptographic practice. We also describe a related “split program” model that can directly inform practical deployment. We additionally apply our general immunization strategy to directly yield a backdoor-free PRG. This notably amplifies previous results of Dodis, Ganesh, Golovnev, Juels, and Ristenpart [Eurocrypt ’15], which require an honestly generated random key.

We then examine two standard applications of (trapdoor) one-way permutations in this complete subversion model and construct “higher level” primitives via black-box reductions. We showcase a digital signature scheme that preserves existential unforgeability when all algorithms (including key generation, which was not considered to be under attack before) are subject to kleptographic attacks. Additionally, we demonstrate that the classic Blum–Micali pseudorandom generator (PRG), using an “immunized” one-way permutation, yields a backdoor-free PRG.

Alongside development of these secure primitives, we set down a hierarchy of kleptographic attack models which we use to organize past results and our new contributions; this taxonomy may be valuable for future work.


Keywords: Hash Function; Signature Scheme; Random Oracle; Pseudorandom Generator; Cryptographic Algorithm
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 15, pp. 364–375. ACM Press, October 2015
  2. Bellare, M., Hoang, V.T.: Resisting randomness subversion: fast deterministic and hedged public-key encryption in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 627–656. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46803-6_21
  3. Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: Strongly undetectable algorithm-substitution attacks. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 15, pp. 1431–1440. ACM Press, October 2015
  4. Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44371-2_1
  5. Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). doi: 10.1007/3-540-68339-9_34
  6. Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo random bits. In: 23rd FOCS, pp. 112–117. IEEE Computer Society Press, November 1982
  7. Checkoway, S., Niederhagen, R., Everspaugh, A., Green, M., Lange, T., Ristenpart, T., Bernstein, D.J., Maskiewicz, J., Shacham, H., Fredrikson, M.: On the practical exploitability of dual EC in TLS implementations. In: Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20–22, 2014, pp. 319–335 (2014)
  8. Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000). doi: 10.1007/3-540-44598-6_14
  9. Degabriele, J.P., Farshim, P., Poettering, B.: A more cautious approach to security against mass surveillance. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 579–598. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48116-5_28
  10. Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_5
  11. Dodis, Y., Mironov, I., Stephens-Davidowitz, N.: Message transmission with reverse firewalls–secure communication on corrupted machines. Cryptology ePrint Archive, Report 2015/548 (2015).
  12. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: 21st ACM STOC, pp. 25–32. ACM Press, May 1989
  13. Goldwasser, S., Ostrovsky, R.: Invariant signatures and non-interactive zero-knowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993). doi: 10.1007/3-540-48071-4_16
  14. Haitner, I., Holenstein, T.: On the (im)possibility of key dependent encryption. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 202–219. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00457-5_13
  15. Hopper, N.J., Langford, J., Ahn, L.: Provably secure steganography. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 77–92. Springer, Heidelberg (2002). doi: 10.1007/3-540-45708-9_6
  16. Juels, A., Guajardo, J.: RSA key generation with verifiable randomness. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 357–374. Springer, Heidelberg (2002). doi: 10.1007/3-540-45664-3_26
  17. Lysyanskaya, A.: Unique signatures and verifiable random functions from the DH-DDH separation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 597–612. Springer, Heidelberg (2002). doi: 10.1007/3-540-45708-9_38
  18. Mironov, I., Stephens-Davidowitz, N.: Cryptographic reverse firewalls. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 657–686. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46803-6_22
  19. NIST. Special publication 800-90: Recommendation for random number generation using deterministic random bit generators. National Institute of Standards and Technology (2012).
  20. Perlroth, N., Larson, J., Shane, S.: N.S.A. able to foil basic safeguards of privacy on web. The New York Times (2013).
  21. Rogaway, P.: The moral character of cryptographic work. Cryptology ePrint Archive, Report 2015/1162 (2015).
  22. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: Clipping the power of kleptographic attacks. Cryptology ePrint Archive, Report 2015/695 (2015).
  23. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Destroying steganography via amalgamation: Kleptographically CPA secure public key encryption. Cryptology ePrint Archive, Report 2016/530 (2016).
  24. Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Chaum, D. (ed.) Advances in Cryptology, pp. 51–67. Springer, Heidelberg (1983)
  25. Simmons, G.J.: A secure subliminal channel (?). In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 33–41. Springer, Heidelberg (1986). doi: 10.1007/3-540-39799-X_5
  26.
  27. Young, A., Yung, M.: The dark side of “black-box” cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_8
  28. Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). doi: 10.1007/3-540-69053-0_6
  29. Young, A., Yung, M.: Monkey: black-box symmetric ciphers designed for MONopolizing KEYs. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 122–133. Springer, Heidelberg (1998). doi: 10.1007/3-540-69710-1_9
  30. Young, A., Yung, M.: An elliptic curve backdoor algorithm for RSASSA. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds.) IH 2006. LNCS, vol. 4437, pp. 355–374. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74124-4_24
  31. Young, A.L., Yung, M.M.: Space-efficient kleptography without random oracles. In: Furon, T., Cayre, F., Doërr, G., Bas, P. (eds.) IH 2007. LNCS, vol. 4567, pp. 112–129. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-77370-2_8
  32. Young, A., Yung, M.: Kleptography from standard assumptions and applications. In: Garay, J.A., Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 271–290. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-15317-4_18

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Alexander Russell (1)
  • Qiang Tang (2)
  • Moti Yung (3)
  • Hong-Sheng Zhou (4)

  1. University of Connecticut, Storrs, USA
  2. New Jersey Institute of Technology, Newark, USA
  3. Snapchat Inc., Columbia University, New York City, USA
  4. Virginia Commonwealth University, Richmond, USA
