1 Introduction

A common trend in modern cryptography is to design cryptographic schemes that come with a proof of security in a well-defined model. The proof is typically by reduction, meaning that violating the security of the scheme implies the existence of an efficient algorithm for solving some well-studied mathematical problem which is believed to be hard (e.g., factoring certain integers, or inverting a one-way function). While having such a security proof is a desirable feature, it is at least as important to make sure that the security model fits reality, as otherwise provably secure schemes are of little use in practice.

Unfortunately, security models often make idealized assumptions that are not always fulfilled in the real world. In this paper, we focus on one of those gaps, which is the discrepancy between the specification of a cryptographic scheme and its implementation. In particular, we consider the extreme case where the implementation is fully adversarial, i.e., the adversary is allowed to subvert or substitute some (or possibly all) algorithms in the original specification, with the purpose of weakening security.

The above scenario recently gained momentum due to the NSA leaks by Edward Snowden [3, 18, 21], and because of the EC_DUAL PRG incident [9]. These hazards challenge modern cryptographers to design protection mechanisms withstanding subversion and tampering, as was also highlighted by Phil Rogaway in his 2015 IACR Distinguished Lecture [22].

1.1 Background

To guarantee some form of security in such an adversarial setting, we must put some restrictions on the adversary, as otherwise it is easy to subvert a cryptographic scheme in a way that makes it insecure (e.g., the subverted scheme could always output the secret key). A natural restriction, which is also inspired by real-world attacks, is to demand that subversion should be undetectable by honest users. In other words, the adversary’s goal is to tamper with the specification of a cryptographic scheme in such a way that the produced outputs appear indistinguishable from those of a faithful implementation, yet they allow an adversary in possession of some additional information to break security.

As it turns out, the possibility of such attacks was already uncovered more than twenty years ago by Young and Yung [29, 30], who dubbed the field kleptography (a.k.a. “cryptography against cryptography”). At Crypto 2014, Bellare, Paterson, and Rogaway [7] revisited this setting for the concrete case of symmetric encryption. In particular, on the one hand, they showed that it is possible to hide a backdoor in the encryption algorithm of any sufficiently randomized symmetric encryption scheme in such a way that the produced ciphertexts appear indistinguishable from honestly computed ones, yet knowledge of the backdoor allows the adversary to extract the secret key in full; on the other hand, they suggested that deterministic symmetric encryption schemes are secure against all subversion attacks that meet some form of undetectability. Their results were later extended in several ways [6, 10], while follow-up work studied similar questions for the case of digital signatures [1], pseudorandom generators [11, 12], non-interactive zero knowledge [5], key encapsulation [2], and hash functions [16, 25].

Complete Subversion. A common feature of the works above is that only some of the algorithms underlying a given cryptographic scheme are subject to subversion, while the others are assumed to follow the original specification faithfully. Motivated by this limitation, Russell et al. [23] put forward a new framework where the adversary is allowed to subvert all algorithms; furthermore, in order to cast undetectability, they introduced a trusted third party, a so-called watchdog, whose goal is to test whether the (possibly subverted) implementation is compliant with the original specification of a cryptographic scheme. In a nutshell, a primitive is subversion secure if there exists a universal watchdog such that either no adversary subverting all algorithms can break the security of the scheme, or, if instead, a subversion attack is successful, the watchdog can detect it with non-negligible probability.

The testing procedure executed by the watchdog is typically performed only once before the (possibly subverted) scheme is used “in the wild”. This is known as the offline watchdog model. Unfortunately, there are subversion attacks that cannot be detected in an offline fashion. Think, e.g., of a signature scheme where the signature algorithm is identical to the original specification, except that upon input of a special message (that is also hard-wired in the implementation) it compromises security (e.g., it returns the secret key). Now, assuming that the message space is large enough, an offline watchdog has a negligible chance of hitting this hidden trigger, so that the subverted implementation will pass the test phase; yet, the subverted scheme is clearly insecure (in the standard sense of unforgeability against chosen-message attacks).

To cast such attacks, [23] introduces the online watchdog model, where the watchdog is essentially allowed to additionally monitor the public interaction between users while the scheme is being used “in the wild” (on top of performing the same offline testing, as before).

Cliptography. The main contribution of Russell et al. [23], apart from introducing the model of complete subversion, is to propose a methodology to clip the power of subversion attacks against one-way (trapdoor) permutations. Moreover, they show how to rely on such subversion-secure one-way permutations to derive subversion-secure pseudorandom generators and digital signatures. All their results are in the random oracle model (ROM) of Bellare and Rogaway [8].

In a follow-up paper [24], the same authors show how to obtain chosen-plaintext secure public-key encryption resisting complete subversion, again in the ROM. This result (inherently) requires the assumption of two independent secret, but tamperable, sources of randomness. They further show that their construction can be instantiated in the standard model (i.e., without random oracles) assuming a super-constant number of independent sources.

Open Questions. The works of [23, 24] only cover a limited set of cryptographic primitives. Furthermore, the assumption of having a large number of independent sources is quite a strong one in practice [28]. Hence, the natural question:

Is it possible to protect other primitives against complete subversion, by relying on a single source of secret, but tamperable, randomness, and without assuming random oracles?

1.2 Our Contributions

In this paper, we make significant progress towards answering the above question. Our starting point is a notion of subversion-resistant immunizer \(\varPsi \), whose goal is to take an arbitrary primitive \(\varPi \) that is secure w.r.t. some game \(\mathbf {G}\), and transform it into an immunized primitive \(\varPi ^* = \varPsi (\varPi )\) (for the same cryptographic task) that is secure w.r.t. \(\mathbf {G}\) under complete subversion (in the sense of [23]). The immunizer leverages two independent random sources, which we denote by \(\mathsf {R}\) and \(\mathsf {S}\): The source \(\mathsf {R}\) is an \(m\)-bit source which is assumed to be secret, but tamperable; the source \(\mathsf {S}\) is an \(\ell \)-bit source which is assumed to be public but untamperable. The subversion \(\widetilde{\varPi }\) is allowed to depend on the seed \(s\) sampled from \(\mathsf {S}\) and used by the immunized cryptosystem (i.e., first \(s\) is sampled and made public, and then the adversary subverts \(\varPi ^*\)).

Next, we show how to construct a subversion-secure immunizer tailored to protect deterministic primitives \(\varPi \) (secure w.r.t. some game \(\mathbf {G}\)), where the latter means that the original specification of \(\varPi \) consists of a secret random \(m\)-bit source \(\mathsf {R}\) that is sampled in order to generate the public/secret keys of the scheme (via an algorithm K), and the public parameters (via an algorithm \({\mathsf {P}}\)), whereas every other algorithm \(\mathsf {F}_i\) underlying \(\varPi \) is deterministic. Our immunizer can be instantiated using any collision-resistant hash function, but for certain primitives \(\varPi \) two additional properties are required (more on this later).

Interestingly, our results allow us to protect new cryptographic primitives against complete subversion; examples include: (weak) pseudorandom functions and permutations, message authentication codes, collision/second pre-image/pre-image resistant hash functions, deterministic symmetric encryption, and more. Prior to our work, for the primitives mentioned above, it was only known how to obtain security in weaker models of subversion, or with random oracles. We refer the reader to Table 1 for a comparison of our results with state-of-the-art research in the area.

Table 1. Comparing our constructions with other results for security under subversion. We use the following abbreviations: “Pub” for public, “Sec” for secret, “CPA-SKE/CPA-PKE” for public/secret-key encryption under chosen-plaintext attacks, “PRG” for pseudorandom generator, “OWF/TDF” for one-way (trapdoor) function, “CRH” for collision-resistant hash function, “ROM” for random oracle model, “\(\forall \text { det-unp}\)” for all deterministic primitives with security w.r.t. an unpredictability game, “\(\forall \text { det-ind}^2\)” for all deterministic primitives with square security w.r.t. an indistinguishability game. The value \(\delta \) is a small constant. The green color means the source is assumed to be untamperable.

1.3 Techniques

We turn to a high-level description of the techniques behind our results. Let be a deterministic cryptographic scheme. As explained above, algorithms \({\mathsf {P}}\) and \({\mathsf {K}}\) are responsible for generating, respectively, global public parameters \(\rho \) and a public/secret key pair \((\textit{pk},\textit{sk})\) that are taken as input by all other algorithms \(\mathsf {F}_i\). Importantly, all algorithms are deterministic, except for \({\mathsf {P}}\) and \({\mathsf {K}}\) which further take as input independent random coins \(r\in \{0,1\}^m\) generated by sampling a secret, uniformly random, source \(\mathsf {R}\).

Our immunization strategy follows the design principle of “decomposition and trusted amalgamation” introduced in [24], by means of hash functions \(h_{s_1},h_{s_2}:\{0,1\}^n\rightarrow \{0,1\}^m\) with seeds \(s_1,s_2\) sampled independently from a public source \(\mathsf {S}\). In more detail, we take samples \(r_1^1,\ldots ,r_k^1\) and \(r_1^2,\ldots ,r_k^2\) from the (possibly subverted) source \(\mathsf {R}\), and then we hash the amalgamated strings and , respectively, using seeds \(s_1\) and \(s_2\). Finally, the immunized parameter generation algorithm \({\mathsf {P}}^*\) runs , whereas the immunized key generation algorithm \({\mathsf {K}}^*\) runs ; the algorithms \((\mathsf {F}_i)_{i\in N}\) are not modified.

Intuitively, the above immunizer tries to sanitize the randomness used for parameters/keys generation in such a way that it is harder for an adversary to generate such values together with a backdoor. We stress that the trick of hashing the random coins for key generation was introduced by [23], although there it was applied only to immunize trapdoor permutations in the ROM, whereas we generalize their approach in such a way that it can be applied to a large class of deterministic primitives (as defined above) in the plain model.

Input Constrained/Unconstrained Games. Recall that for some primitives it is inherently impossible to obtain subversion security in the offline watchdog model. Hence, in our analysis of the above immunizer, we identify a natural property of cryptographic games which allows us to prove security in the offline watchdog model; for games not satisfying this property we instead obtain security in the online watchdog model.

In more detail, a game \(\mathbf {G}\) for some primitive \(\varPi \) consists of an interaction between an adversary \(\mathsf {A}\) and a challenger \(\mathsf {C}\), where \(\mathsf {C}\) is given oracle access to the algorithms underlying \(\varPi \) in order to answer queries from \(\mathsf {A}\), and to determine whether \(\mathsf {A}\) wins the game or not. We call \(\mathbf {G}\) input constrained if the inputs \(x_i\) upon which each (deterministic) algorithm \(\mathsf {F}_i\) is queried during the game are sampled by \(\mathsf {C}\) via some public distribution \(D_i\) that is independent of the adversary. On the other hand, a game that is not input constrained is called input unconstrained. Examples of input-constrained games include the standard security games for weak pseudorandom functions and one-way permutations. See Sect. 2.2 for more examples.

Security Proof. We prove security of the above immunizer assuming the hash functions \(h_{s_1},h_{s_2}\) are min-entropy condensers for seed-dependent sources. Intuitively, this means that given a uniform \(\ell \)-bit seed \(s\) and an \(n\)-bit input x coming from a possibly adversarial (but efficiently sampleable) source which might depend on \(s\), and with min-entropy at least \(k\), the output \(h_s(x)\) is an \(m\)-bit string whose distribution is computationally close to that of an efficiently sampleable source \(\mathsf {Y}\) with min-entropy at least \(m- d\). Such condensers were constructed by Dodis et al. [14] using sufficiently strong collision-resistant hash functions.

Fix some primitive \(\varPi \) with input-constrained game \(\mathbf {G}\). Let us start with the original subversion game, where first the seeds \(s_1,s_2\) are sampled (from the untamperable public source \(\mathsf {S}\)) and given to the adversary. Then, the attacker specifies a subversion \(\widetilde{\varPi }\) for the immunized cryptosystem; next, the adversary interacts with the challenger, which first samples random strings \(r_1 = r_1^1||\cdots ||r_k^1\) and \(r_2 = r_1^2||\cdots ||r_k^2\), using the subverted source \(\widetilde{\mathsf {R}}\) as explained above, and then plays the game \(\mathbf {G}\) for \(\varPi \), given oracle access to the subverted algorithms . By contradiction, assume that there is an adversary \(\mathsf {A}\) that wins the subversion game, but for which no watchdog \(\mathsf {W}\) can detect the subversion. We then proceed with a sequence of hybrids, as outlined below:

  1. In the 1st hybrid, we replace algorithms , , and , with their genuine immunized implementation , , and . One can show that any distinguisher between the original game and this hybrid can be turned into an efficient offline watchdog \(\mathsf {W}\) detecting the subversion of \(\mathsf {A}\). Thus, the two experiments are computationally close.

  2. In the 2nd hybrid, we now generate the public parameters and the keys by running , where \(y_1,y_2\) come from the source \(\mathsf {Y}\) guaranteed by the condenser. To argue indistinguishability, assume for simplicity that the subverted source \(\widetilde{\mathsf {R}}\) is stateless. First, we show that \(\widetilde{\mathsf {R}}\) has a non-trivial amount of min-entropy, as otherwise it is again possible to construct a watchdog \(\mathsf {W}\) that detects the subversion. Second, we argue that since \(\widetilde{\mathsf {R}}\) is stateless and efficiently sampleable, the strings \(r_1 = r_1^1||\cdots ||r_k^1\) and \(r_2 = r_1^2||\cdots ||r_k^2\) have min-entropy at least \(k\), so that indistinguishability of the two experiments follows by security of the min-entropy condenser. Note that the last step is possible because the public random source \(\mathsf {S}\) is untamperable, and moreover, the subverted random source \(\widetilde{\mathsf {R}}\) has non-trivial min-entropy even conditioned on \(s_1, s_2\) sampled from \(\mathsf {S}\).

  3. Finally, in order to conclude the proof, we exploit the framework of “overcoming weak expectations” by Dodis and Yu [15], who established that for a large class of primitives there is a natural trade-off between concrete security and the capacity to withstand a certain entropy deficiency \(d\) on the distribution of the key. A technical challenge here comes from the fact that this framework only applies to cryptosystems \(\varPi \) where the secret key is uniformly random (and moreover there are no public parameters, or those are generated using uniform randomness). However, we show that a similar trade-off still holds for our specific setting, at least for single-instance games where the original random source \(\mathsf {R}\) is sampled only twice (once for generating the public parameters, and once for sampling the keys).

1.4 Comparison with Russell et al. [23, 24]

The trick of splitting a cryptographic algorithm into several sub-components (as we do for \({\mathsf {P}},{\mathsf {K}},\mathsf {R}\)) was originally introduced in [23], and later refined in [24], under the name of “split-program” methodology. Remarkably, [24] shows that for semantically-secure public-key encryption (an inherently randomized primitive) de-coupling the encryption algorithm in a randomized component \(\mathsf {R}\) (for generating the random coins) and a deterministic component \(\textsf {Enc}\) (for computing the ciphertext) is not sufficient to defeat kleptographic attacks. For this reason, they propose a “double-splitting” technique where \(\mathsf {R}\) is further split into two (tamperable) components \(\mathsf {R}_1,\mathsf {R}_2\). In this perspective, our immunization strategy can be thought of as a form of “double splitting”, where one of the two sources is assumed to be untamperable but made public.

The fact that subversion-secure immunization in the offline watchdog model only works for input-constrained games is reminiscent of a general observation made in [23] stating that an offline watchdog can always detect the subversion of deterministic algorithms with public input distributions (see [23, Lemma 2.3]).

Finally, we would like to stress that our work only covers immunization against complete subversion in the form of algorithm-substitution attacks. In particular, the adversary always specifies an algorithm that is used for sampling the public parameters during the security game. Hence, our immunizers do not provide any guarantee in the “adversarially chosen parameters model” considered in [11, 12, 16, 23] (where the adversaries specify the malicious public parameters directly).

1.5 Further Related Work

The original attacks in the kleptographic setting extended previous work on subliminal channels by Simmons [26, 27]. This research is also intimately connected to the problem of steganography, whose goal in the context of secret communication is to hide the mere fact that messages are being exchanged [19].

Dodis et al. [12] study different immunization strategies for backdoored pseudorandom generators. While they do not consider complete subversion, as the immunizer and the PRG algorithm are assumed to be trusted, they deal with the case where a cryptographic scheme might be subverted “by design” (e.g., because it is standardized with maliciously generated public parameters).

Another line of work suggests defeating subversion attacks employing a cryptographic reverse firewall [1, 13, 20]. Such a firewall is used to re-randomize the incoming/outgoing messages of a potentially subverted primitive. The firewall itself is assumed to be trusted, and moreover, it relies on a secret, and untamperable, random source. Yet another approach consists of designing self-guarding schemes [17], which allow us to defeat subversion without relying on external parties (such as watchdogs or reverse firewalls), at the price of assuming a secure initialization phase where the primitive to protect was not under subversion.

2 Preliminaries

2.1 Notation

We use the notation . Capital letters (such as \( X \)) are used to denote random variables, calligraphic letters (such as \( \mathcal {X}\)) to denote sets, and sans serif letters (such as \(\mathsf {A}\)) to denote algorithms. All algorithms in this paper are modelled as (possibly interactive) Turing machines.

For a string , we let |x| be its length; if \(\mathcal {X}\) is a set, \(|\mathcal {X}|\) represents the number of elements in \(\mathcal {X}\). When x is chosen randomly in \(\mathcal {X}\), we write . If \(\mathsf {A}\) is an algorithm, we write to denote a run of \(\mathsf {A}\) on input x and output y; if \(\mathsf {A}\) is randomized, then y is a random variable and \(\mathsf {A}(x;r)\) denotes a run of \(\mathsf {A}\) on input x and (uniform) randomness r. An algorithm \(\mathsf {A}\) is probabilistic polynomial-time (PPT) if \(\mathsf {A}\) is randomized and for any input \(x,r\in \{0,1\}^*\) the computation of \(\mathsf {A}(x;r)\) terminates in a polynomial number of steps (in the size of the input). We denote the expected value of a random variable X as \(\mathbb {E}[X]\).

Negligible Functions. Throughout the paper, we denote by \(\lambda \in \mathbb {N}\) the security parameter. A function \(\nu :\mathbb {N}\rightarrow [0,1]\) is called negligible in the security parameter \(\lambda \) if it vanishes faster than the inverse of any polynomial in \(\lambda \), i.e. for all positive polynomials \(p(\lambda )\). We sometimes write (resp., ) to denote all negligible functions (resp., polynomial functions) in the security parameter.

Unpredictability and Indistinguishability. The min-entropy of a random variable \( X \in \mathcal {X}\) is , and intuitively it measures the best chance to predict \( X \) (by a computationally unbounded algorithm). For conditional distributions, unpredictability is measured by the conditional average min-entropy .

The statistical distance between two random variables \( X \in \mathcal {X}\) and \( Y \in \mathcal {Y}\), is defined as . Let \( X = \{ X _\lambda \}_{\lambda \in \mathbb {N}}\) and \( Y = \{ Y _\lambda \}_{\lambda \in \mathbb {N}}\) be two ensembles of random variables. We say that \( X \) and \( Y \) are statistically indistinguishable, denoted \( X \approx _s Y \), as a shortening for . Similarly, we say that \( X \) and \( Y \) are computationally indistinguishable, denoted \( X \approx _c Y \), if for all PPT distinguishers \(\mathsf {D}\) we have , where

An ensemble \(X = \{X_\lambda \}_{\lambda \in \mathbb {N}}\) is efficiently sampleable if there exists a PPT algorithm \(\mathsf {X}\) such that, for each \(\lambda \in \mathbb {N}\), the output of is distributed identically to \(X_\lambda \).

2.2 Abstract Games

In this work, we deal with abstract cryptographic schemes. Usually, a cryptographic scheme is just a sequence of (possibly randomized) efficient algorithms. However, for our purpose, it will be convenient to specify two special algorithms which are common to any cryptographic scheme; those are the algorithms for generating the public/secret keys and the public parameters (if any). Moreover, our focus will be on deterministic schemes (see below).

In this vein, a deterministic cryptographic scheme is a sequence of efficient algorithms , where:

  • \({\mathsf {P}}\) is a deterministic algorithm that upon input the security parameter , and random coins \(r\in \mathcal {R}\), outputs public parameters \(\rho \in \mathcal {P}\);

  • \({\mathsf {K}}\) is a deterministic algorithm that upon input the security parameter , and random coins \(r\in \mathcal {R}\), outputs a pair of keys \((\textit{pk},\textit{sk})\in \mathcal {PK}\times \mathcal {SK}\);

  • The random coins for are obtained via independent calls to algorithm \(\mathsf {R}\), which outputs a uniformly random string \(r\in \mathcal {R}\) upon each invocation.

  • For each \(i\in [N]\), algorithm \(\mathsf {F}_i:\mathcal {X}_i\rightarrow \mathcal {Y}_i\) is deterministic.

We stress that the above syntax is meant to capture both secret-key and public-key primitives; in the former case the public key is simply equal to the empty string \(\textit{pk}= \varepsilon \), and \(\mathcal {PK}= \emptyset \). Further, without loss of generality, we assume that all algorithms \(\mathsf {F}_1,\ldots ,\mathsf {F}_N\) take as input both \(\rho \) and \((\textit{pk},\textit{sk})\); the key generation algorithm also receives \(\rho \) as additional input.

Typically, a cryptographic scheme must meet two properties. The first is a correctness requirement, which essentially says that \(\varPi \) correctly implements the desired functionality; although we will not define correctness in general, we will later assume \(\varPi \) meets some well-defined correctness property. The second is a security requirement, which we model as an interactive process (a.k.a. game) between an adversary and a challenger.

Definition 1

(Cryptographic game). A cryptographic game is defined by a challenger \(\mathsf {C}\) and a constant \(\gamma \in [0,1)\); the game is (implicitly) parametrized by a cryptographic scheme , an adversary \(\mathsf {A}\), and the security parameter \(\lambda \in \mathbb {N}\). In an execution of the game the (efficient) challenger interacts with the (efficient) adversary \(\mathsf {A}(1^\lambda )\), and at the end the challenger outputs a decision bit \(d\in \{0,1\}\). We denote the output of the game as ; we sometimes also write for a transcript of the interaction between the adversary and the challenger, \(\mathsf {C}^\varPi \) as a shorthand for , and \(\mathbf {G}_{\varPi ,\mathsf {A},\mathsf {C}}\) for the random variable corresponding to an execution of game \(\mathbf {G}\) with scheme \(\varPi \), adversary \(\mathsf {A}\), and challenger \(\mathsf {C}\).

We say that \(\varPi \) is \((t,\epsilon )\)-secure w.r.t. game \(\mathbf {G}= (\mathsf {C},\gamma )\) if the following holds: For all probabilistic attackers \(\mathsf {A}\) running in time \(t\) we have

Moreover, whenever for all there exists such that \(\varPi \) is \((t,\epsilon )\)-secure w.r.t. game \(\mathbf {G}\), we simply say that \(\varPi \) is secure w.r.t. game \(\mathbf {G}\).

Input-Constrained Games. An important distinction will be whether the adversary is allowed or not to choose the inputs for the oracle calls made by the challenger. We call games where the latter is not possible input-constrained games.

Definition 2

(Input-constrained games). Let be a cryptographic scheme, and \(\mathbf {G}= (\mathsf {C}, \gamma )\) be a security game for \(\varPi \). We call \(\mathbf {G}\) input constrained if the following holds: For each \(i\in [N]\), there exists a public and efficiently samplable distribution \(D_i\), such that the challenger chooses the inputs to each oracle \(\mathsf {F}_i\) by sampling a fresh and independent value from \(D_i\).

In contrast, games where the above property is not met are called input unconstrained. We provide a few clarifying examples below.

  • One-Way Functions: A one-way function (OWF) is a cryptographic scheme where \(N= 1\), and is a function. Security of \(\varPi \) is characterized by a game defined as follows: (i) picks (for uniform ), samples , computes , and sends \((\rho ,y)\) to the adversary; (ii) \(\mathsf {A}\) wins iff it returns a value \(x'\in \mathcal {X}\) such that . Notice that \(\mathsf {C}_\mathrm{owf}\) needs to invoke oracle upon input \(x'\) in order to determine the decision bit d, and thus the game is input unconstrained.

  • One-Way Permutations: A one-way permutation (OWP) is a cryptographic scheme where \(N= 1\), and \(\mathsf {OWP}:\mathcal {X}\rightarrow \mathcal {X}\) is a permutation. Security of \(\varPi \) is characterized by a game \(\mathbf {G}^\mathrm{owp} = (\mathsf {C}_\mathrm{owp},0)\) defined as follows: (i) (for uniform ), samples , computes , and sends \((\rho ,y)\) to the adversary; (ii) \(\mathsf {A}\) wins iff it returns a value \(x'\in \mathcal {X}\) such that \(x' = x\). Notice that \(\mathsf {C}_\mathrm{owp}\) does not need to make any oracle call in order to determine the decision bit d, and thus the game is input constrained with public distribution \(D\) equal to the uniform distribution over the domain \(\mathcal {X}\).

  • (Weak) Pseudorandom Functions: A pseudorandom function (PRF) is a cryptographic scheme \(\varPi = (\mathsf {P}, \mathsf {K},\mathsf {R},\mathsf {PRF})\) where \(N= 1\), and is a keyed function. Security of \(\varPi \) is characterized by a game \(\mathbf {G}^\mathrm{prf} = (\mathsf {C}_\mathrm{prf},1/2)\) defined as follows: (i) \(\mathsf {C}_\mathrm{prf}\) samples a bit , picks and (where ), and sends \(\rho \) to the adversary; (ii) \(\mathsf {A}\) can ask queries of the form \(x\in \mathcal {X}\), upon which \(\mathsf {C}_\mathrm{prf}\) either replies with (in case \(b=0\)) or (in case \(b=1\)); (iii) \(\mathsf {A}\) returns a bit \(b'\) and wins iff \(b = b'\). Notice that \(\mathsf {C}_\mathrm{{prf}}\) needs to invoke oracle \(\mathsf {PRF}\) upon inputs specified by the adversary, and thus the game is input unconstrained.

    For weak PRFs the game is changed as follows: In step (ii) the queries made by the adversary are empty, and instead \(\mathsf {C}_\mathrm{{prf}}\) samples and returns \((x,y)\), where y is computed as before. Hence, the game is input constrained with public distribution equal to the uniform distribution over \(\mathcal {X}\).

  • Hash Functions: A cryptographic hash function is a cryptographic scheme \(\varPi = (\mathsf {P}, \mathsf {R}, \mathsf {Hash})\) where \(N= 1\), and \(\mathsf {Hash}:\mathcal {X}\rightarrow \mathcal {Y}\) is a (typically compressing) function. Security of \(\varPi \) is characterized by a game \(\mathbf {G}^\mathrm{cr} = (\mathsf {C}_\mathrm{cr},0)\) defined as follows: (i) \(\mathsf {C}_\mathrm{cr}\) picks (for uniform ), and sends \(\rho \) to the adversary; (ii) \(\mathsf {A}\) wins iff it returns a pair of values \((x,x')\in \mathcal {X}^2\) such that and \(x\ne x'\). Notice that \(\mathsf {C}_\mathrm{cr}\) needs to invoke oracle \(\mathsf {Hash}\) upon input \(x,x'\) in order to determine the decision bit d, and thus the game is input unconstrained.

  • Secret-Key Encryption: A deterministic secret-key encryption scheme is a cryptographic scheme \(\varPi = (\mathsf {P}, \mathsf {K}, \mathsf {R}, \mathsf {Enc}, \mathsf {Dec})\) where \(N= 2\). The (deterministic) encryption algorithm takes as input the secret key \(\kappa \in \mathcal {K}\) and a message \(m\in \mathcal {M}\), and outputs a ciphertext \(c\in \mathcal {C}\). The (deterministic) decryption algorithm takes as input the secret key \(\kappa \in \mathcal {K}\) and a ciphertext \(c\in \mathcal {C}\), and outputs a message \(m\in \mathcal {M}\) (or an error symbol). Security of a deterministic encryption scheme is characterized, e.g., by a game \(\mathbf {G}^\mathrm{cca\text {-}ske} = (\mathsf {C}_\mathrm{cca\text {-}ske},1/2)\) specified as follows: (i) \(\mathsf {C}_\mathrm{cca\text {-}ske}\) picks and (where ), and sends \(\rho \) to the adversary; (ii) \(\mathsf {A}\) can specify encryption queries: Upon input a message \(m\in \mathcal {M}\), the challenger returns ; (iii) \(\mathsf {A}\) can specify decryption queries: Upon input a ciphertext \(c\in \mathcal {C}\), the challenger returns ; (iv) \(\mathsf {A}\) can specify a challenge query: Upon input \((m_0^*,m_1^*)\in \mathcal {M}^2\), the challenger returns where is a hidden bit; (v) \(\mathsf {A}\) can continue to specify encryption/decryption queries, with the restriction that \(c^*\) cannot be part of a decryption query; (vi) \(\mathsf {A}\) returns a bit \(b'\) and wins iff \(b = b'\). Notice that \(\mathsf {C}_\mathrm{cca\text {-}ske}\) needs to invoke oracles \(\mathsf {Enc}, \mathsf {Dec}\) in order to answer encryption/decryption queries, and thus the game is input unconstrained.

Single-Instance Games. As mentioned in the introduction, our results only apply to a sub-class of games where the random source \(\mathsf {R}\) is sampled only twice, in order to obtain the randomness needed for generating the public parameters and the keys. We call such games single instance.

Definition 3

(Single-instance games). Let \(\varPi = (\mathsf {P}, \mathsf {K}, \mathsf {R}, \mathsf {F}_1, \ldots , \mathsf {F}_{N})\) be a cryptographic scheme, and \(\mathbf {G}= (\mathsf {C}, \gamma )\) be a security game for \(\varPi \). We call \(\mathbf {G}\) single instance if during a game execution the challenger invokes the oracle \(\mathsf {R}\) twice, in order to obtain coins \(r_1,r_2\) that are later fed to oracles \(\mathsf {P}, \mathsf {K}\).

3 Security Model

In this section, we consider a standard-model definition for subversion security, via so-called immunizers. An immunizer is a transformation that takes as input a cryptographic scheme (for some task) and transforms it into another scheme for the same task that withstands complete subversion; the immunizer is allowed to leverage a single source of public, but untamperable, randomness. Importantly, we seek security in the standard model (i.e., without random oracles) and in a setting where the immunizer itself is subject to subversion.

We first define our model formally, in Sect. 3.1, for the case of offline watchdogs. Then, in Sect. 3.2, we discuss some definitional choices and compare our definitions with previous work in the area. In the full version, we explain how to extend our framework to the case of online watchdogs.

3.1 Subversion-Secure Immunizers

Let be a cryptographic scheme (as defined in Sect. 2.2), where we assumed that (i.e., the source \(\mathsf {R}\) is a random \(m\)-bit source). An immunizer for \(\varPi \) is a transformation \(\varPsi [\mathcal {H},\mathsf {S}]\) parameterized by a family of hash functions \(\mathcal {H}= \{h_s:\{0,1\}^n\rightarrow \{0,1\}^m\}_{s\in \{0,1\}^\ell }\) and a public random source \(\mathsf {S}\) over \(\{0,1\}^\ell \). We write for the specification of the immunized cryptosystem, where:

  • \(\mathsf {R}^* \equiv \mathsf {R}\) (i.e., the immunized scheme uses the same secret random source as the original scheme);

  • \(\mathsf {P}^*\) and \(\mathsf {K}^*\) take as input a seed \(s\in \{0,1\}^\ell \), and have \(n\)-bit random tapes;

  • \((\mathsf {F}^*_i)_{i\in N}\) take as input a seed \(s\in \{0,1\}^\ell \) plus the same inputs as the corresponding algorithm in \(\varPi \);

  • The seed \(s\) is obtained by sampling the public random source \(\mathsf {S}\) (i.e., ).

Fig. 1. Games defining subversion security of an immunizer \(\varPsi [\mathcal {H},\mathsf {S}]\), in the standard model. We use the notation to denote a run of the challenger \(\mathsf {C}\) with random coins \(r_1,r_2\) (that will be used as input of algorithms during the game).

We require an immunizer \(\varPsi \) to satisfy two properties. The first property is the usual correctness requirement, meaning that the immunized primitive \(\varPi ^*\) meets the same correctness condition as that of \(\varPi \) (for every possible choice of the seed for the hash function). The second property is some flavor of security against subversion attacks. In more detail, the public source \(\mathsf {S}\) is assumed to be untamperable and uniform. The adversary \(\mathsf {A}\) knows a description of the immunizer \(\varPsi \) and of the original primitive \(\varPi \), and is allowed to choose depending on the actual seed \(s\in \{0,1\}^\ell \) that is sampled from the public source \(\mathsf {S}\) during a trusted setup phase (which might be run by an external party). Finally, the adversary plays the security game for \(\varPi \), where the challenger picks \(2n/m:= 2k\) samples \((r_i^1,r_i^2)_{i\in [k]}\) from \(\widetilde{\mathsf {R}}\), amalgamates them into strings \(r_1 = r_1^1||\cdots ||r_k^1\) and \(r_2 = r_1^2||\cdots ||r_k^2\), and finally interacts with \(\mathsf {A}\) given black-box access to (i.e., to the subversion specified by the adversary using seed \(s\in \{0,1\}^\ell \)), where \(r_1\) and \(r_2\) are used as inputs for and , respectively. Note that \(\widetilde{\varPi }\) is completely arbitrary, and thus all algorithms (including the immunizer) are subject to subversion.

We define the advantage of adversary \(\mathsf {A}\) in the subversion game with primitive \(\varPi \), immunizer \(\varPsi \), and challenger \(\mathsf {C}\) as:

(1)

where the game is depicted in Fig. 1, and the probability is taken over the randomness of \(\widetilde{\mathsf {S}},\widetilde{\mathsf {R}},\mathsf {S},\mathsf {R}\), and over the coin tosses of \(\mathsf {A}\).

Fig. 2. Description of the detection game of an immunizer \(\varPsi [\mathcal {H},\mathsf {S}]\) with offline (left) and online (right) watchdogs, in the standard model. The auxiliary information \(\mathtt {aux}\) is taken from the subversion game (cf. Fig. 1).

Clearly, since the subverted cryptosystem \(\widetilde{\varPi }\) specified by the adversary is completely arbitrary, it might be trivial to break security in the above setting. (E.g., consider \(\varPi \) to be a signature scheme and the corresponding subversion to have the signing algorithm return the signing key.) Hence, we need to restrict the adversary in some way. Following previous work, we will consider the adversary to be “malicious-but-proud” in the sense that, in order to be successful, a subversion attack should also be undetectable by the honest user. The latter is formalized by a detection game featuring an efficient algorithm, called the watchdog, whose goal is to detect whether a subversion took place. In particular, given a description of the immunizer and the original scheme, the watchdog has to distinguish the immunized cryptosystem \(\varPi ^*\) from the subversion \(\widetilde{\varPi }\) used by the adversary in the subversion game. The detection advantage of watchdog \(\mathsf {W}\) is defined as:

(2)

where the game is depicted in Fig. 2, and the probability is taken over the randomness of \(\widetilde{\mathsf {S}},\widetilde{\mathsf {R}},\mathsf {S},\mathsf {R}\), and over the coin tosses of \(\mathsf {W}\); the values in the auxiliary information \(\mathtt {aux}\) are taken from \(\mathbf {G}^\mathrm{\mathrm {pub}}_{\varPi ,\varPsi ,\mathsf {A},\mathsf {C}}(\lambda )\). Similarly to previous work, we assume that \(\mathsf {W}\) has rewinding black-box access to its oracles, a feature required in order to detect stateful subversion [23, Remark 2.5].

We are now ready to define subversion security of an immunizer for the offline watchdog.

Definition 4

(Subversion-resistant immunizer). Let be a cryptographic scheme, and \(\mathbf {G}= (\mathsf {C},\gamma )\) be a security game for \(\varPi \). For a constant \(c^* \ge 1\), and a family of hash functions \(\mathcal {H}= \{h_s:\{0,1\}^n\rightarrow \{0,1\}^m\}_{s\in \{0,1\}^\ell }\), we say that an immunizer \(\varPsi [\mathcal {H},\mathsf {S}]\) is -subversion-resistant with an offline watchdog if the following holds: There exists a watchdog \(\mathsf {W}\) with running time such that for all adversaries \(\mathsf {A}\) with running time for which \(\mathbf {Adv}^\mathrm{\mathrm {pub}}_{\varPi ,\varPsi ,\mathsf {A},\mathsf {C}}(\lambda ) > \epsilon ^*\), we have

Moreover, for all \(s\in \{0,1\}^\ell \), we require that the immunized cryptosystem with seed \(s\) meets the same correctness requirement as that of \(\varPi \).

Remark 1

(On subverting the immunizer). We stress that the subversion \(\widetilde{\varPi }\) should be thought of as the subversion of the immunized cryptosystem \(\varPi ^* = \varPsi (\varPi )\). In particular, since the subversion is completely arbitrary, the latter means that the adversary can tamper with (and, in fact, completely bypass) the immunizer itself.

Remark 2

(On including the seed in the auxiliary information). Note that the seed \(s\) sampled during the subversion game is part of the auxiliary information \(\mathtt {aux}\), and later given as additional input to the watchdog in the detection game.

It is easy to see that the latter is necessary. Consider, for instance, a signature scheme \(\varPi = (\mathsf {P},\mathsf {K},\mathsf {R},\mathsf {Sign},\mathsf {Vrfy})\), and let \(\varPi ^* = (\mathsf {P}^*,\mathsf {K}^*,\mathsf {R}^*,\mathsf {Sign}^*,\mathsf {Vrfy}^*) = \varPsi (\varPi )\) be the immunized version of \(\varPi \). Since the subversion \(\widetilde{\varPi }\) is allowed to depend on the seed \(s\), the adversary could instruct \(\widetilde{\mathsf {K}}\) to output a fixed verification/signing key pair \((\overline{\textit{vk}},\overline{\textit{sk}})\), known to the adversary, whenever \(\widetilde{\mathsf {K}}\) is run upon input \(s\). Now, if the watchdog \(\mathsf {W}\) were not given the actual seed \(s\) as input, the above attack would be undetectable, as \(\mathsf {W}\) has only a negligible chance of hitting the seed \(s\) while sampling the source \(\mathsf {S}\).

3.2 Discussion

In rough terms, Definition 4 says the following. There exists a universal (efficient) watchdog algorithm such that, for any adversary that has advantage at least \(\epsilon ^*\) in the subversion game (cf. Eq. (1)), the probability that the watchdog detects the subversion (cf. Eq. (2)) is at least the advantage of the adversary in the subversion game divided by some positive constant \(c^* \ge 1\).

We observe that there could be a substantial gap between the value of \(\epsilon ^*\) and the actual advantage of an adversary in the subversion game. In practice, we would like to obtain Definition 4 for small \(\epsilon ^*,c^*\), such that either the advantage in the subversion game is smaller than \(\epsilon ^*\), or the advantage in the detection game has a similar magnitude as that in the subversion game (which might be much larger than \(\epsilon ^*\)).

Looking ahead, the choice to state security of immunizers in the style of concrete security will allow us to lower bound the level of unpredictability in the subverted random source \(\widetilde{\mathsf {R}}\) with a concrete (rather than asymptotic) value, a feature that will be exploited by our immunizer. One might wonder why Definition 4 considers only a single parameter \(\epsilon ^*\), instead of having two distinct parameters (i.e., one parameter, say \(\epsilon ^*\), for the advantage of \(\mathsf {A}\) in breaking the scheme, and another parameter, say \(\delta ^*\), for the advantage of \(\mathsf {W}\) in detecting a subversion). While this might seem like a natural way of phrasing concrete security, it is problematic since such a definition conveys information about a single point over the range of values \(\epsilon ^*,\delta ^*\in [0,1]\). A similar issue was already observed in [10], who also suggested the approach of relating the advantage in the two games.

4 The Immunizer

4.1 Ingredients: Seed-Dependent Randomness Condensers

We recall the notion of seed-dependent randomness condenser [14]. Intuitively, this corresponds to a family of hash functions indexed by an \(\ell \)-bit seed, and mapping \(n\) into \(m\) bits. The security guarantee is that when the seed \(s\) is uniform, and the input x comes from an adversarial, efficiently sampleable, source which might depend on \(s\), and with min-entropy at least \(k\), the output of the hash function has at least \(m- d\) bits of min-entropy, for deficiency parameter \(d\ge 1\).

Definition 5

(Seed-dependent condenser). Let be a family of efficiently computable functions. We say that \(\mathcal {G}\) is a family of \((\tfrac{k}{n}\rightarrow \tfrac{m-d}{m},t, \epsilon )\)-seed-dependent condensers if for all probabilistic adversaries \(\mathsf {A}\) running in time \(t\) who take a seed and output (using more coins) a distribution of entropy \(\widetilde{\mathbb {H}}_\infty (X|S) \ge k\), the joint distribution \(( S , g_ S (X))\) is \(\epsilon \)-close to some \(( S , Y )\), where \(\widetilde{\mathbb {H}}_\infty ( Y | S ) \ge m-d\) and \( S \) is uniform over \(\{0,1\}^\ell \).

4.2 Immunizer Description

We refer the reader to Fig. 3 for a formal description of our immunizer, where we assumed that . Roughly, the immunizer sanitizes the random coins used to generate the public parameters \(\rho \) and the public/secret keys \((\textit{pk},\textit{sk})\) by first sampling and amalgamating \(r_1 = r_1^1||\cdots ||r_k^1\) and \(r_2 = r_1^2||\cdots ||r_k^2\), and then using, respectively, \(h_{s_1}(r_1)\) and \(h_{s_2}(r_2)\) as random coins for \(\mathsf {P}\) and \(\mathsf {K}\), where the seeds \(s_1,s_2\in \{0,1\}^\ell \) are sampled using the public source \(\mathsf {S}\). All other algorithms are unchanged.

Fig. 3. Description of our subversion-resistant immunizer; the seeds \(s_1,s_2\) are sampled from the public source \(\mathsf {S}\), and correspond to hash functions \(h_{s_1},h_{s_2}\in \mathcal {H}\) mapping \(n\)-bit strings into \(m\)-bit strings.

4.3 Security Analysis

Here, we analyze the security of the immunizer described in Fig. 3. For input-constrained games, we obtain the following result whose proof appears in the full version. An analogous statement holds for input-unconstrained games, in the online watchdog model.

Theorem 1

Let \(\varPi = (\mathsf {P},\mathsf {K},\mathsf {R},\mathsf {F}_1,\ldots ,\mathsf {F}_N)\) be a deterministic cryptographic scheme, with \(\mathcal {R}= \{0,1\}^m\), and consider any input-constrained, single-instance game \(\mathbf {G}= (\mathsf {C},\gamma )\) for \(\varPi \). Then, for any \(n,c^* > 4\), the immunizer of Fig. 3 is -subversion-resistant with an offline watchdog, as long as is a family of -seed-dependent condensers and \(\varPi \) is either \((t,\epsilon )\)-secure w.r.t. game \(\mathbf {G}\) (in case of unpredictability games) or \(({t,\epsilon })\)-square-secure w.r.t. game \(\mathbf {G}\) (in case of indistinguishability games), for parameters , and

$$\begin{aligned} \epsilon &\le \begin{cases} \dfrac{c^*-1}{c^*}\cdot \dfrac{\epsilon ^*}{2^{2d}} - \dfrac{2\epsilon _{\mathrm{cond}}}{2^{2d}} & \text{if } \mathbf {G} \text{ is an unpredictability game} \\[2ex] \left( \dfrac{c^*-1}{c^*}\cdot \epsilon ^* - 2\epsilon _{\mathrm{cond}}\right) ^2\cdot \dfrac{1}{2^{2d}} & \text{if } \mathbf {G} \text{ is an indistinguishability game.} \end{cases} \end{aligned}$$

Remark 3

Looking ahead, the reason for which Theorem 1 does not work for all deterministic primitives is that its proof crucially relies on the “overcoming weak expectations” framework. In particular, for single-instance indistinguishability games, this theorem requires square security, and it is well known that some primitives such as pseudorandom generators and pseudorandom functions do not have good square security [4, 15].

Remark 4

The fact that our immunizer samples 2k times from the source \(\mathsf {R}\) does not contradict the assumption that \(\mathbf {G}\) is a single-instance game, as the latter condition only concerns the game \(\mathbf {G}\) for the original primitive \(\varPi \).

One can also show that the limitation of Remark 3 is inherent, in the sense that our immunizer might be insecure for primitives that are not square friendly. Take, for instance, any PRG , where outputs directly a seed sampled from the secret source \(\mathsf {R}\), and stretches the seed to a pseudorandom output. Let be the immunized version of \(\varPi \). Now, consider the attacker \(\mathsf {A}(s)\) that plays the subversion game by specifying the subversion \(\widetilde{\varPi }\) where:

  • \(\widetilde{\mathsf {K}}\) and \(\widetilde{\mathsf {PRG}}\) are unchanged (i.e., \(\widetilde{\mathsf {K}} \equiv \mathsf {K}^*\), and \(\widetilde{\mathsf {PRG}} \equiv \mathsf {PRG}^*\));

  • \(\widetilde{\mathsf {R}}\) embeds a key \(\kappa \) for a pseudorandom function \(\mathsf {PRF}\) with one-bit output, and performs the following rejection-sampling procedure:

    • Sample a random r;

    • If , where \(\mathsf {PRG}(h_s(r)) = y\), return r;

    • Else, sample a fresh r and start again.

Intuitively, the above subversion allows \(\mathsf {A}\) to win the subversion game by simply checking whether , where y is the challenge. Moreover, this attack is undetectable as a watchdog not knowing the key \(\kappa \) has a negligible advantage in distinguishing \(\widetilde{\mathsf {R}}\) from \(\mathsf {R}^*\) (by the security of the pseudorandom function). Note that the above attack requires the adversary to choose the subversion depending on the seed.
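The following Python program is an added example and not code from the paper. It serves two passages at once: the immunizer of Sect. 4.2 (sample \(k\) blocks of \(\mathsf {R}\), amalgamate them into an \(n\)-bit string \(r\), and feed \(h_s(r)\) to the key generator), and the seed-dependent rejection-sampling subversion of \(\widetilde{\mathsf {R}}\) just described, run against an immunized PRG. All concrete instantiations are assumptions of this example rather than the paper's: HMAC-SHA256 keyed with the public seed \(s\) stands in for the seed-dependent condenser \(h_s\), SHA-256 in counter mode stands in for the PRG, and a one-bit truncation of HMAC-SHA256 under the attacker's key \(\kappa \) stands in for the PRF. The subverted source is implemented as a stateful sampler, so that the \(k\) blocks handed to the immunizer reassemble exactly the accepted \(r\); a naive bit-balance statistic is included as the kind of check an offline watchdog without \(\kappa \) might run, and it sees nothing.

```python
"""Added example, not code from the paper: the immunizer of Sect. 4.2 wrapped
around a toy deterministic PRG, and the seed-dependent rejection-sampling
subversion of the secret source R sketched after Remark 4.

Stand-ins (assumptions of this example, not the paper's instantiation):
  * h_s  : HMAC-SHA256 keyed with the public seed s, truncated to m bits,
           playing the role of the seed-dependent condenser;
  * PRG  : SHA-256 in counter mode, stretching an m-bit seed to 2m bits;
  * PRF  : HMAC-SHA256 keyed with the attacker's kappa, truncated to one bit.
"""
import hashlib
import hmac
import os
import random

M_BYTES = 16                   # m = 128 bits: block length of R, output length of h_s
K_BLOCKS = 4                   # k = n/m: the immunizer amalgamates k samples of R
N_BYTES = K_BLOCKS * M_BYTES   # n = 512 bits: input length of h_s


def h(s: bytes, r: bytes) -> bytes:
    """Seeded hash family h_s: {0,1}^n -> {0,1}^m (condenser stand-in)."""
    assert len(r) == N_BYTES
    return hmac.new(s, r, hashlib.sha256).digest()[:M_BYTES]


def prg(seed: bytes) -> bytes:
    """Toy PRG: m-bit seed -> 2m-bit output."""
    out = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(2))
    return out[: 2 * M_BYTES]


def honest_source() -> bytes:
    """R: each call returns m uniform bits."""
    return os.urandom(M_BYTES)


def immunized_keygen(s: bytes, source) -> bytes:
    """K*(s; r_1,...,r_k): amalgamate r = r_1||...||r_k and feed h_s(r) to K.
    For a PRG, K outputs its coins as the seed, so K*(s; r) = h_s(r)."""
    r = b"".join(source() for _ in range(K_BLOCKS))
    return h(s, r)


def prf_bit(kappa: bytes, y: bytes) -> int:
    """One-bit PRF PRF_kappa(y)."""
    return hmac.new(kappa, y, hashlib.sha256).digest()[0] & 1


def subverted_source(s: bytes, kappa: bytes):
    """R~ chosen by A(s). It is stateful: it rejection-samples a whole n-bit r
    with PRF_kappa(PRG(h_s(r))) = 1, then hands out its k blocks one call at a
    time, so the immunizer's amalgamation reassembles exactly that r."""
    buffer = []

    def sample() -> bytes:
        if not buffer:
            while True:
                r = os.urandom(N_BYTES)                 # sample a random r
                if prf_bit(kappa, prg(h(s, r))) == 1:   # accept iff the PRF bit is 1
                    break
            buffer.extend(r[i:i + M_BYTES] for i in range(0, N_BYTES, M_BYTES))
        return buffer.pop(0)

    return sample


def adversary_guess(kappa: bytes, y: bytes) -> int:
    """A's decision in the PRG game: guess 'real' (1) iff PRF_kappa(y) = 1."""
    return prf_bit(kappa, y)


def distinguishing_rates(s: bytes, kappa: bytes, trials: int, rng_seed: int = 0):
    """Fraction of 'real' guesses on (a) PRG outputs under the immunized but
    subverted scheme and (b) uniform 2m-bit strings. (a) is 1 by construction,
    (b) is about 1/2, so A's advantage is about 1/2."""
    rng = random.Random(rng_seed)                       # fixed-seed stand-in for uniform challenges
    tilde_r = subverted_source(s, kappa)
    real = [prg(immunized_keygen(s, tilde_r)) for _ in range(trials)]
    rand = [rng.getrandbits(16 * M_BYTES).to_bytes(2 * M_BYTES, "big") for _ in range(trials)]
    rate_real = sum(adversary_guess(kappa, y) for y in real) / trials
    rate_rand = sum(adversary_guess(kappa, y) for y in rand) / trials
    return rate_real, rate_rand


def ones_fraction(source, trials: int) -> float:
    """A naive offline-watchdog statistic (bit balance of the source's output)
    that does not know kappa: it cannot tell R from R~."""
    bits = 0
    for _ in range(trials):
        bits += bin(int.from_bytes(source(), "big")).count("1")
    return bits / (trials * 8 * M_BYTES)


if __name__ == "__main__":
    s = os.urandom(16)        # public seed from S, known to A before it picks R~
    kappa = os.urandom(16)    # embedded in R~, unknown to the watchdog
    print("guess rates (real, uniform):", distinguishing_rates(s, kappa, 200))
    print("ones fraction honest / subverted:",
          ones_fraction(honest_source, 200), ones_fraction(subverted_source(s, kappa), 200))
```

Note that the attack only works because \(\widetilde{\mathsf {R}}\) is chosen after \(s\) is public: the rejection test is evaluated on \(\mathsf {PRG}(h_s(r))\), so a source fixed before the seed could not aim at the PRF bit of the eventual output.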

Instantiating the Immunizer. When instantiating seed-dependent randomness condensers with state-of-the-art constructions [14, 15], we obtain the following parameters.

Corollary 1

For any cryptographic primitive \(\varPi \) that is either -secure (in case of unpredictability games) or -square-secure (in case of indistinguishability games) w.r.t. an input-constrained, single-instance game \(\mathbf {G}\), there exists an immunizer for \(\varPi \) that is -subversion-resistant for the \(\mathrm {pub}\)-model with an offline watchdog, with parameters \(n,m,\ell \in \omega (\log (\lambda ))\).

Proof

By choosing , , \(c^*=5\), and setting in Theorem 1, we need a family of seed-dependent randomness condensers that achieves , , , and entropy deficiency .

Dodis, Ristenpart, and Vadhan [14] (see also [15]) have shown that any -collision-resistant family of hash functions directly yields such a family of condensers. The statement follows.     \(\square \)

5 Conclusions

We have shown how to immunize arbitrary deterministic cryptographic primitives against complete subversion, meaning that the adversary is allowed to tamper with all the underlying algorithms, and with the immunizer itself. In the random oracle model, there is a simple immunizer that relies on a single secret, but tamperable, source of randomness [23, 24]. In the standard model, instead, we need to assume an additional independent public, and in some cases untamperable, random source.

Open problems include, e.g., finding better immunizers, both in terms of computational assumptions and/or the number of assumed trusted random sources. Also, exploring alternative approaches to achieve subversion security in the plain model for larger classes of cryptographic schemes (e.g., randomized ones), while still relying on O(1) independent random sources, is an interesting direction for future research.