Subversion-Resilient Signature Schemes

We provide a formal treatment of the security of digital signatures against subversion attacks (SAs). Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g., malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms. The main security requirement we put forward demands that a signature scheme remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully adaptive and continuous fashion. Previous notions---e.g., security against algorithm-substitution attacks, introduced by Bellare et al. (CRYPTO '14) for symmetric encryption---were non-adaptive and non-continuous. In this vein, we show both positive and negative results for constructing subversion-resilient signature schemes.

Negative results. As our main negative result, we show that a broad class of randomized schemes is unavoidably insecure against SAs, even if the scheme uses just a single bit of randomness. This improves upon earlier work, which could only attack schemes with a larger randomness space. When designing our attack we treat undetectability as an explicit adversarial goal, meaning that end-users (even those who know the signing key) should not be able to detect that the signature scheme was subverted.

Positive results. We complement the above negative results by showing that signature schemes with unique signatures are subversion-resilient against all attacks that meet a basic undetectability requirement. Bellare et al. showed a similar result for symmetric encryption, where stateful schemes turned out to be necessary; in contrast, unique signatures are stateless, and in fact they are among the fastest and most established digital signatures available.
Finally, we show that it is possible to devise signature schemes secure against arbitrary tampering with the computation by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT '15), i.e., an algorithm that "sanitizes" any signature given as input (using only public information). The firewall we design makes it possible to protect so-called re-randomizable signature schemes (which include unique signatures). While our study is mainly theoretical, given its strong practical motivation we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols.
