Kleptography from Standard Assumptions and Applications

Kleptography deals with employing and generating cryptographically secure covert channels as threats to unscrutinized (e.g., tamper-proof) cryptosystems and their applications. A prototypical example is a cryptosystem (or a protocol message employing a cryptosystem) where a cryptogram field (e.g., a public key, an encrypted message, a signature value) hosts an "inner cryptographic field" that is invisible (in the sense of indistinguishability) to all but the attacker, yet it is a meaningful ciphertext to the attacker (who is the designer/producer of the cryptosystem). The technical goal of Kleptography has been to identify "inner fields" as a way to embed cryptographic values in small bandwidth channel/sub-cryptogram inside a hosting system (RSA, DH based systems, etc.) All asymmetric backdoors to date, that seamlessly embed an inner subliminal crypto field inside a hosting cryptographic value needed random oracle assumptions. This was used to make the inner value look "almost uniformly random" as part of its hosting random field. It was open whether the need for a random oracle is inherent, or, positively put: is there an algebraic cryptographic ciphertext that is embeddable inside another algebraic cryptographic field "as is"? In this work we achieve this goal for small bandwidth fields. To this end we present a new information hiding primitive that we call a "covert key exchange" that permits provably secure covert communications. Our results surpass previous work since: (1) the bandwidth that the subliminal channel needs is extremely small (bit length of a single compressed elliptic curve point), (2) the error probability of the exchange is negligible, and (3) our results are in the standard model. We use this protocol to implement the first kleptographic (i.e., asymmetric) backdoor in the standard model in RSA key generation and point at other applications. Key properties of the covert key exchange are that (1) both Alice's message to Bob and their shared secret appear to all efficient algorithms as uniformly random strings from {0, 1}k+1 and {0, 1}M, respectively (this is needed for the embedding), and (2) the fastest adversaries of the exchange run in time exponential in k, based on current knowledge (they have to solve DL over e-curves). We achieve this in the standard model based on the ECDDH assumption over a twisted pair of e-curves.

[1]  Dieter Gollmann,et al.  Computer Security – ESORICS 2004 , 2004, Lecture Notes in Computer Science.

[2]  Moti Yung,et al.  Kleptography: Using Cryptography Against Cryptography , 1997, EUROCRYPT.

[3]  Kazuo Ohta,et al.  Advances in Cryptology — ASIACRYPT’98 , 2002, Lecture Notes in Computer Science.

[4]  Bodo Möller,et al.  A Public-Key Encryption Scheme with Pseudo-random Ciphertexts , 2004, ESORICS.

[5]  Marc Joye,et al.  Topics in Cryptology — CT-RSA 2003 , 2003 .

[6]  Claude Crépeau,et al.  Simple Backdoors for RSA Key Generation , 2003, CT-RSA.

[7]  Ueli Maurer,et al.  Advances in Cryptology — EUROCRYPT ’96 , 2001, Lecture Notes in Computer Science.

[8]  Zbigniew Golebiewski,et al.  Stealing Secrets with SSL/TLS and SSH - Kleptographic Attacks , 2006, CANS.

[9]  Don Coppersmith,et al.  Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known , 1996, EUROCRYPT.

[10]  Igor A. Semaev,et al.  Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p , 1998, Math. Comput..

[11]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[12]  Yvo Desmedt,et al.  Abuses in Cryptography and How to Fight Them , 1988, CRYPTO.

[13]  Burton S. Kaliski,et al.  Elliptic curves and cryptography: a pseudorandom bit generator and other tools , 1988 .

[14]  Hugo Krawczyk,et al.  Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes , 2004, CRYPTO.

[15]  Burton S. Kaliski,et al.  A Pseudo-Random Bit Generator Based on Elliptic Logarithms , 1986, CRYPTO.

[16]  Moti Yung,et al.  The Dark Side of "Black-Box" Cryptography, or: Should We Trust Capstone? , 1996, CRYPTO.

[17]  Jeffrey Shallit,et al.  Algorithmic Number Theory , 1996, Lecture Notes in Computer Science.

[18]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[19]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[20]  Leonid A. Levin,et al.  Pseudo-random generation from one-way functions , 1989, STOC '89.

[21]  Aggelos Kiayias,et al.  Public Key Cryptography - PKC 2006 , 2006, Lecture Notes in Computer Science.

[22]  Moti Yung,et al.  A Space Efficient Backdoor in RSA and Its Applications , 2005, Selected Areas in Cryptography.

[23]  Gustavus J. Simmons,et al.  The Prisoners' Problem and the Subliminal Channel , 1983, CRYPTO.

[24]  Alfred Menezes,et al.  Reducing elliptic curve logarithms to logarithms in a finite field , 1993, IEEE Trans. Inf. Theory.

[25]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[26]  Shafi Goldwasser,et al.  Advances in Cryptology — CRYPTO’ 88: Proceedings , 1990, Lecture Notes in Computer Science.

[27]  Nigel P. Smart,et al.  The Discrete Logarithm Problem on Elliptic Curves of Trace One , 1999, Journal of Cryptology.

[28]  Dan Boneh,et al.  The Decision Diffie-Hellman Problem , 1998, ANTS.

[29]  Burton S. Kaliski,et al.  One-way permutations on elliptic curves , 2004, Journal of Cryptology.

[30]  Walter Fumy,et al.  Advances in Cryptology — EUROCRYPT ’97 , 2001, Lecture Notes in Computer Science.

[31]  Andrew Odlyzko,et al.  Advances in Cryptology — CRYPTO’ 86 , 2000, Lecture Notes in Computer Science.

[32]  Hugo Krawczyk,et al.  Secure Hashed Diffie-Hellman over Non-DDH Groups , 2004, EUROCRYPT.

[33]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[34]  Gustavus J. Simmons,et al.  Subliminal channels; past and present , 2010, Eur. Trans. Telecommun..

[35]  G. Frey,et al.  A remark concerning m -divisibility and the discrete logarithm in the divisor class group of curves , 1994 .

[36]  Arjen K. Lenstra,et al.  Generating RSA Moduli with a Predetermined Portion , 1998, ASIACRYPT.

[37]  Olivier Chevassut,et al.  The Twist-AUgmented Technique for Key Exchange , 2006, Public Key Cryptography.

[38]  Benny Pinkas,et al.  The Design and Implementation of Protocol-Based Hidden Key Recovery , 2003, ISC.

[39]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[40]  Takakazu Satoh,et al.  Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves , 1998 .

[41]  Moti Yung,et al.  Space-Efficient Kleptography Without Random Oracles , 2007, Information Hiding.