Subverting Decryption in AEAD

Abstract

This work introduces a new class of Algorithm Substitution Attack (ASA) on Symmetric Encryption Schemes. ASAs were introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance. An ASA replaces an encryption scheme with a subverted version that aims to reveal information to an adversary engaged in mass surveillance, while remaining undetected by users. Previous work posited that a particular class of AEAD scheme (satisfying certain correctness and uniqueness properties) is resilient against subversion. Many if not all real-world constructions – such as GCM, CCM and OCB – are members of this class. Our results stand in opposition to those prior results. We present a potent ASA that generically applies to any AEAD scheme, is undetectable in all previous frameworks and which achieves successful exfiltration of user keys. We give even more efficient non-generic attacks against a selection of AEAD implementations that are most used in practice. In contrast to prior work, our new class of attack targets the decryption algorithm rather than encryption. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs.

The research of Armour was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/P009301/1). The research of Poettering was supported by the European Union’s Horizon 2020 project FutureTPM (779391). The full version of this article is available at https://eprint.iacr.org/2019/987 [3].

A Pseudo-Random Functions and Permutations

We recall standard notions of pseudo-random functions and permutations.

Definition 4

A keyed pseudo-random function (PRF) for range R is an efficiently computable function \(F :{\{0,1\}}^\ell \times {\{0,1\}}^*\rightarrow R\) taking a key \(L \in {\{0,1\}}^\ell \) and input \(s \in {\{0,1\}}^*\) to return an output \(F(L, s) \in R\). Consider game \(\mathsf {PRF}_{F}(\mathcal {F})\) in Fig. 7 associated to F and adversary \(\mathcal {F}\). Let

be the prf advantage of adversary \(\mathcal {F}\) against function F. Intuitively, the function is pseudo-random if the prf advantage of any realistic adversary is negligible.

Definition 5

A keyed length-preserving pseudo-random permutation (lp-PRP) is an efficiently computable function E where \(E :{\{0,1\}}^\ell \times {\{0,1\}}^*\rightarrow {\{0,1\}}^*\) takes a key \(L \in {\{0,1\}}^\ell \) and input \(s \in {\{0,1\}}^*\) to return an output \(E(L, s) \in {\{0,1\}}^ {|s |}\). We require that any keyed instance of E is a permutation on \({\{0,1\}}^n\) for all \(n\in \mathbb {N}\) and also that its inverse \(E^{-1}\) is efficiently computable. Consider game \(\mathsf {PRP}_{E}(\mathcal {F})\) in Fig. 7 associated to E and adversary \(\mathcal {F}\). Let

be the prp advantage of adversary \(\mathcal {F}\) against function E. Intuitively, the permutation is pseudo-random if the prp advantage of any realistic adversary is negligible.

Fig. 7.

Game to define prf and prp advantage of \(\mathcal {F}\) with respect to F, E.