Subversion-Resilient Public Key Encryption with Practical Watchdogs

Pascal Bemmann; Sebastian Berndt; Rongmao Chen; Tibor Jager

Paper 2021/230

Subversion-Resilient Public Key Encryption with Practical Watchdogs

Pascal Bemmann, University of Wuppertal

Sebastian Berndt

, University of Lübeck

Rongmao Chen

, National University of Defense Technology

Tibor Jager

, University of Wuppertal

Abstract

Restoring the security of maliciously implemented cryptosystems has been widely considered challenging due to the fact that the subverted implementation could arbitrarily deviate from the official specification. Achieving security against adversaries that can arbitrarily subvert implementations seems to inherently require trusted component assumptions and/or architectural properties. At ASIACRYPT 2016, Russell et al. proposed an attractive model where a watchdog is used to test and approve individual components of an implementation before or during deployment. Such a detection-based strategy has been useful for designing various cryptographic schemes that are provably resilient to subversion. We consider Russell et al.'s watchdog model from a practical perspective regarding watchdog efficiency. We find that the asymptotic definitional framework while permitting strong positive theoretical results, does not yet guarantee practical watchdogs due to the fact that the running time of a watchdog is only bounded by an abstract polynomial. Hence, in the worst case, the running time of the watchdog might exceed the running time of the adversary, which seems impractical for most applications. We adopt Russell et al.'s watchdog model to the concrete security setting and design the first subversion-resilient public-key encryption scheme which allows for extremely efficient watchdogs with only linear running time. At the core of our construction is a new variant of a combiner for key encapsulation mechanisms (KEMs) by Giacon et al. (PKC'18). We combine this construction with a new subversion-resilient randomness generator that can also be checked by an efficient watchdog, even in constant time, which could be of independent interest for the design of other subversion-resilient cryptographic schemes. Our work thus shows how to apply Russell et al.'s watchdog model to design subversion-resilient cryptography with efficient watchdogs. We insist that this work does not intend to show that the watchdog model outperforms other defense approaches but to demonstrate that practical watchdogs are practically achievable. This is the full version of a work published at PKC21. We identify a subtle flaw in the proof of the previous version and show it is impossible to achieve CPA security under subversion with the proposed approach. However, the same construction can achieve one-way security under subversion.

Note: Corrected author affiliations from the previous version.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: A major revision of an IACR publication in PKC 2021
Keywords: Subversion-Resilience Watchdog Randomness Generator Public Key Encryption.
Contact author(s): bemmann @ uni-wuppertal de
s berndt @ uni-luebeck de
chromao @ nudt edu cn
jager @ uni-wuppertal de
History: 2023-10-11: last of 2 revisions; 2021-03-02: received; See all versions
Short URL: https://ia.cr/2021/230
License: CC BY

BibTeX

@misc{cryptoeprint:2021/230,
      author = {Pascal Bemmann and Sebastian Berndt and Rongmao Chen and Tibor Jager},
      title = {Subversion-Resilient Public Key Encryption with Practical Watchdogs},
      howpublished = {Cryptology ePrint Archive, Paper 2021/230},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/230}},
      url = {https://eprint.iacr.org/2021/230}
}