A subliminal channel in secret block ciphers
SAC'04 Proceedings of the 11th international conference on Selected Areas in Cryptography
We consider the problem of designing a black-box symmetric cipher that leaks information subliminally and exclusively to its designer. We show how to construct a cipher, which we call 'Monkey', that leaks one key bit per output block to the designer of the system (in any mode of operation). This key bit is leaked only if a particular plaintext bit is known to the designer (a known-bit/known-message attack, which is typically available when the plaintext is plain ASCII). The attack is kleptographic in nature: it gives a unique advantage to the designer even while strong (e.g., externally supplied) keys are in use. The basic new difficulty in designing spoofable block ciphers is that a block cipher is a deterministic function (previous attacks exploited randomness in key generation or in message encryption/signing), together with the requirement that the spoofing not be easily (statistically) observable (e.g., ciphertexts should still vary noticeably when keys change). We distinguish between three entities: the designer, the reverse-engineer and the user. We show a design methodology that assures that: (1) if the device is not reverse-engineered, the attack is secure (namely, the cipher is good) and undetectable; (2) if the device is reverse-engineered, then the reverse-engineer learns at most one plaintext bit from every ciphertext (but no past/future keys); and (3) the designer learns one plaintext bit and one key bit from each ciphertext block (say, in ECB mode). The method is therefore highly robust against reverse-engineering.