Motivated by Edward Snowden’s revelations, Bellare et al. introduced the notion of Algorithm Substitution Attacks (ASAs) at CRY-PTO’14. ASAs mainly consider adversaries who could manipulate cryptographic algorithms to leak secret information. Since then, ASAs have been extensively studied against various cryptographic primitives and protocols. This work investigates ASAs on Asymmetric (Group) Message Franking (A(G)MF) which is used for tracing illegal messages over end-to-end encrypted communication channels. We introduce the ASA model for A(G)MF, highlighting the potential for attackers to leak the sender’s secret key and partial randomness of signature by substituting franking algorithm. We then propose two ASAs against Tyagi et al.’s AMF scheme (CRYPTO’19): an asymmetric attack requiring two consecutive signatures for key recovery, and a symmetric attack requiring only one signature for leaking the whole secret key. We extend these attacks to Lai et al.’s AGMF scheme (EUROCRYPT’23). Finally, we discuss some potential countermeasures to strengthen A(G)MF against such threats. Our findings underscore the potential threat of ASAs on A(G)MF, emphasizing the necessity for continued development of subversion-resistant message franking, particularly in the asymmetric setting.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Substitution Attacks on Asymmetric (Group) Message Franking

  • Yumin Chen,
  • Yi Wang,
  • Rongmao Chen

摘要

Motivated by Edward Snowden’s revelations, Bellare et al. introduced the notion of Algorithm Substitution Attacks (ASAs) at CRY-PTO’14. ASAs mainly consider adversaries who could manipulate cryptographic algorithms to leak secret information. Since then, ASAs have been extensively studied against various cryptographic primitives and protocols. This work investigates ASAs on Asymmetric (Group) Message Franking (A(G)MF) which is used for tracing illegal messages over end-to-end encrypted communication channels. We introduce the ASA model for A(G)MF, highlighting the potential for attackers to leak the sender’s secret key and partial randomness of signature by substituting franking algorithm. We then propose two ASAs against Tyagi et al.’s AMF scheme (CRYPTO’19): an asymmetric attack requiring two consecutive signatures for key recovery, and a symmetric attack requiring only one signature for leaking the whole secret key. We extend these attacks to Lai et al.’s AGMF scheme (EUROCRYPT’23). Finally, we discuss some potential countermeasures to strengthen A(G)MF against such threats. Our findings underscore the potential threat of ASAs on A(G)MF, emphasizing the necessity for continued development of subversion-resistant message franking, particularly in the asymmetric setting.