Publication


Featured research published by Adam L. Young.


international cryptology conference | 1997

The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems

Adam L. Young; Moti Yung

The notion of a Secretly Embedded Trapdoor with Universal Protection (SETUP) and its variations on attacking black-box cryptosystems has been recently introduced. The basic definitions, issues, and examples of various setup attacks (called Kleptographic attacks) have also been presented. The goal of this work is to describe a methodological way of attacking cryptosystems which exploits certain relations between cryptosystem instances which exist within cryptosystems. We call such relations “kleptograms”. The identified kleptogram is used as the base for searching for a setup.


fast software encryption | 1997

Sliding Encryption: A Cryptographic Tool for Mobile Agents

Adam L. Young; Moti Yung

The technology of mobile agents, where software pieces of active control and storage (called mobile agents) travel the network and perform tasks distributively, is of growing interest as an Internet technology. Similarly, smartcard holders can be considered mobile users as they access the network at various points. Such mobile processing can be employed in large scale census applications in statistics gathering, in surveys and tallying, in reading and collecting local control information, etc.


the cryptographers track at the rsa conference | 2005

Malicious cryptography: kleptographic aspects

Adam L. Young; Moti Yung

In the last few years we have concentrated our research efforts on new threats to the computing infrastructure that are the result of combining malicious software (malware) technology with modern cryptography. At some point during our investigation we ended up asking ourselves the following question: what if the malware (i.e., Trojan horse) resides within a cryptographic system itself? This led us to realize that in certain scenarios of black box cryptography (namely, when the code is inaccessible to scrutiny as in the case of tamper proof cryptosystems or when no one cares enough to scrutinize the code) there are attacks that employ cryptography itself against cryptographic systems in such a way that the attack possesses unique properties (i.e., special advantages that attackers have such as granting the attacker exclusive access to crucial information where the exclusive access privilege holds even if the Trojan is reverse-engineered). We called the art of designing this set of attacks “kleptography.” In this paper we demonstrate the power of kleptography by illustrating a carefully designed attack against RSA key generation.


public key cryptography | 2001

A PVSS as Hard as Discrete Log and Shareholder Separability

Adam L. Young

A Publicly Verifiable Secret Sharing (PVSS) scheme allows a prover to verifiably prove that a value with specific properties is shared among a number of parties. This verification can be performed by anyone. Stadler introduced a PVSS for proving that the discrete log of an element is shared [S96], and based the PVSS on double-decker exponentiation. Schoenmakers recently presented a PVSS scheme that is as hard to break as deciding Diffie-Hellman (DDH) [Sch99]. He further showed how a PVSS can be used to improve on a number of applications: fair electronic cash (with anonymity revocation), universally verifiable electronic voting, and software key escrow schemes. When the solution in [Sch99] is used for sharing a key corresponding to a given public key, the double-decker exponentiation method and specific assumptions are still required. Here we improve on [Sch99] and present a PVSS for sharing discrete logs that is as hard to break as the Discrete-Log problem itself, thus weakening the assumption of [Sch99]. Our solution differs in that it can be used directly to implement the sharing of private keys (avoiding the double-decker methods). The scheme can therefore be implemented with any semantically secure encryption method (paying only by a moderate increase in proof length). A major property of our PVSS is that it provides an algebraic decoupling of the recovering participants (who can be simply represented by any set of public keys) from the sharing operation. Thus, our scheme diverts from the traditional polynomial-secret-sharing-based VSS. We call this concept Separable Shareholders.


international conference on information security | 2005

Building a cryptovirus using Microsoft's cryptographic API

Adam L. Young

This paper presents the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. A novel countermeasure against cryptoviral extortion is presented that forces the API caller to demonstrate that an authorized party can recover the asymmetrically encrypted data. The attack is based entirely on the Microsoft Cryptographic API and the needed API calls are covered in detail. The exact sequence of API calls that is used for both the viral payload and the code for key generation, decryption, and so on is given. More specifically, it is shown that by using 8 types of API calls and 72 lines of ANSI C code, the payload can hybrid encrypt sensitive data and hold it hostage on the host computer system. These findings demonstrate the ease with which one can apply cryptography to devise the payload of a cryptovirus when a cryptographic API is readily available on host machines.


selected areas in cryptography | 2004

A subliminal channel in secret block ciphers

Adam L. Young; Moti Yung

In this paper we present the first general purpose subliminal channel that can be built into a secret symmetric cipher by a malicious designer. Subliminal channels traditionally exploit randomness that is used in probabilistic cryptosystems. In contrast, our channel is built into a deterministic block cipher, and thus it is based on a new principle. It is a broadcast channel that assumes that the sender and the receiver know the subliminal message m_s (i.e., something derived from their common key). We show that the designer can expect to be able to read m_s when O(|m_s| log |m_s|) plaintext/ciphertext pairs are obtained. Here |m_s| is the length of m_s in bits. We show how to turn the channel into a narrowcast channel using a deterministic asymmetric cipher and then present an application of the narrowcast channel. In this application, the secret block cipher securely and subliminally transmits the symmetric key of the sender and receiver to the malicious designer and confidentiality holds even when the cipher is made public.


algorithmic number theory symposium | 1998

Finding length-3 positive Cunningham chains and their cryptographic significance

Adam L. Young; Moti Yung

A Cunningham chain of length k is a finite set of primes p_1, p_2, ..., p_k such that p_{i+1} = 2p_i + 1, or p_{i+1} = 2p_i − 1 for i = 1, 2, 3, ..., k−1. In this paper we present an algorithm that finds Cunningham chains of the form p_{i+1} = 2p_i + 1 for i = 2, 3 and a prime p_1. Such a chain of primes was recently shown to be cryptographically significant in solving the problem of Auto-Recoverable Auto-Certifiable Cryptosystems [YY98]. For this application, the primes p_1 and p_2 should be large to provide for a secure enough setting for the discrete log problem. We introduce a number of simple but useful speed-up methods, such as what we call trial remaindering, and explain a heuristic algorithm to find such chains. We ran our algorithm on a Pentium 166 MHz machine. We found values for p_1, starting at a value which is 512 bits and ending at a value for p_1 which is 1,376 bits in length. We give some of these values in the appendix. The feasibility of efficiently finding such primes, in turn, enables the system in [YY98], which is a software-based public key system with key recovery (note that every cryptosystem which is suggested for actual use must be checked to ensure that its computations are feasible).


international workshop on security | 2004

Relationships between Diffie-Hellman and “index oracles”

Adam L. Young; Moti Yung

The Computational Diffie-Hellman problem and its decisional variant are at the heart of many cryptographic applications. Yet, their exact computational power and their relationship to the Discrete Logarithm problem and the Decision Diffie-Hellman problem (DDH) is not fully understood in all settings. In order to extend the current understanding of the problem we introduce a new decision problem that we call the Jacobi Discrete Logarithm problem. We argue that this is a natural problem and we analyze it in groups in which Decision Diffie-Hellman (DDH) is believed to be intractable. In short, the JDL problem is to return the Jacobi symbol of the exponent x in g^x. We show that JDL is random self-reducible and that it lies in between the Computational Diffie-Hellman (CDH) problem and DDH. Our analysis involves the notion of a powering oracle. Maurer and Wolf showed that a squaring oracle that returns g^{u^2} on input g^u is actually equivalent to a DH oracle. It is weaker in the sense that it can be posed as a specialized DH oracle that need only respond correctly when u = v. In this paper we extend the study of the relationships between Diffie-Hellman and oracles for problems which manipulate or give partial information about the index of their input. We do so by presenting a reduction that shows that a powering oracle that responds with


public key cryptography | 2000

RSA-Based Auto-recoverable Cryptosystems

Adam L. Young; Moti Yung


international conference on information security and cryptology | 2000

Hash to the Rescue: Space Minimization for PKI Directories

Adam L. Young; Moti Yung

Collaboration

Top Co-Authors

Markus Jakobsson

Centre national de la recherche scientifique