Resistance of symmetric encryption schemes to mass surveillance

By Muzamil Khan
 Snowden’s disclosures on the government’s approach to mass surveillance
 Surveillance adversaries often attempt to reduce the efficacy of cryptography:
 shortened keys in DES
 weakened standards
 back doors (Dual_EC_DRBG)
 These attacks on the science of secure communication are quite common.
 This talk focuses on a very specific attack on symmetric encryption.
 This talk is mainly based on Algorithm-Substitution Attacks (ASAs), which benefit
mass surveillance.
 ASAs occur when a subverted encryption scheme successfully surrogates /
mimics the original encryption scheme.
 The references used in this presentation:
 Bellare, M., Paterson, K. G., & Rogaway, P. (2014, August). Security of symmetric encryption against mass surveillance.
In International Cryptology Conference (pp. 1-19). Springer Berlin Heidelberg.
 Degabriele, J. P., Farshim, P., & Poettering, B. (2015, March). A more cautious approach to security against mass surveillance.
In International Workshop on Fast Software Encryption (pp. 579-598). Springer Berlin Heidelberg.
 Manulis, M., Sadeghi, A. R., & Schneider, S. (Eds.). (2016). Applied Cryptography and Network Security: 14th International Conference,
ACNS 2016, Guildford, UK, June 19-22, 2016. Proceedings (Vol. 9696). Springer.
 IACR Crypto Conference Talk 2014 by Kenneth Paterson.
Basic idea of ASAs:
In both scenarios the original encryption algorithm is used; however, the scheme is altered in subverted operation.
Message M is encrypted with key K and some associated data A, and the completion of encryption is determined by σ (the state).
In subverted operation, the user receives exactly the same ciphertext as in normal operation.
Image: Crypto conference talk by Kenneth Paterson
Ẽ leaks the ciphertext to a surveillance adversary BB.
 As defined in the research paper, there are two types of adversaries:
 Surveillance Adversary: This models the surveillance agency, Big Brother (BB),
who has the key K˜ but does not possess the key K and aims to tap the communication of
the users.
 Detection Adversary: This models an ordinary user who has key K and does not possess
K˜ and aims to determine whether or not an Algorithm-Substitution Attack is taking place.
 The aim of the experiment is to see whether one adversary fulfils its
requirement before the other one does.
 If the Surveillance Adversary has the leverage to tamper with traffic before the Detection
Adversary notices, this indicates a vulnerability in security.
User u first queries the key oracle with its
ID i and receives K_i in return. Then the
user queries the encryption oracle with
message M, associated data A and ID i.
A ciphertext is returned and the user outputs
a bit b’ that depends on b.
The surveillance adversary queries the key
oracle but gets no reply (it never learns K). BB then
queries the encryption oracle to get the
ciphertext C. BB then outputs a bit b’
that depends on b.
Image: Crypto conference talk by Kenneth Paterson
 For every Ẽ, either the detection adversary gets a substantial advantage or the surveillance
adversary gets only a negligible advantage.
 The reason: BB still does not know what the original key K is.
 Therefore a good algorithm E would win out over the subverted algorithm
Ẽ.
 In the stateful encryption attack:
 The subverted encryption scheme Ẽ replaces the IV with the key K.
 The initial state is crucial; with no subversion, a random IV is picked.
 Message M (with associated data A) is encrypted under Ẽ.
 The result is a ciphertext C.
 Subverted decryption takes as input K˜, C and A and recovers the key K.
 IV replacement
 Key retrieval
 Stateless SE schemes are vulnerable to ASAs because of the variability (randomness) in the ciphertexts
they produce.
 Suppose there exists a pseudorandom function F: {0,1}* -> {0,1} keyed with the subverted
key K˜.
 Let j be the index of a bit of K.
 Since the surveillance adversary B has key K˜, recovering K[j]
from C is easy.
 To leak the j-th bit of K, repeatedly encrypt using E until the resulting C satisfies the
equation F(K˜, C, j) = K[j].
 The user stays unaware of the subverted operation since they have no knowledge of K˜ and thus
cannot tell a subverted ciphertext C from a normal one.
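A simulation of the biased-ciphertext attack on a stateless scheme, written for this summary and not taken from the paper or the talk: the toy scheme (C = IV || PRF(K, IV) XOR M), the choice of HMAC-SHA256 as both the scheme's PRF and the page's F(K˜, C, j), the 16-byte keys, and the counter j kept by Ẽ as its own state are all assumptions of this example. It shows the point of the slide: every output of Ẽ is a genuine ciphertext of E with a uniformly random IV, so the detection adversary (who holds K) sees nothing wrong, while BB (who holds only K˜) reads one key bit per ciphertext.

```python
import hmac
import hashlib
import os
import secrets
from typing import Optional

KEY_BITS = 128  # assumption: 16-byte keys for the toy scheme


def prf(key: bytes, data: bytes) -> bytes:
    """PRF modelled with HMAC-SHA256 (assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(K: bytes, M: bytes, iv: Optional[bytes] = None) -> bytes:
    """Honest stateless scheme: the encryptor chooses the IV freely."""
    iv = iv if iv is not None else os.urandom(16)
    return iv + xor(prf(K, iv)[:len(M)], M)


def D(K: bytes, C: bytes) -> bytes:
    iv, body = C[:16], C[16:]
    return xor(prf(K, iv)[:len(body)], body)


def key_bit(K: bytes, j: int) -> int:
    return (K[j // 8] >> (7 - j % 8)) & 1


def F(Kt: bytes, C: bytes, j: int) -> int:
    """The page's F(K~, C, j) -> {0,1}; HMAC keyed with K~ (assumption)."""
    return prf(Kt, C + j.to_bytes(2, "big"))[0] & 1


class SubvertedE:
    """Ẽ: keeps the bit index j as its own state (assumption) and retries the
    honest E with fresh random IVs until F(K~, C, j) == K[j]."""

    def __init__(self, Kt: bytes) -> None:
        self.Kt, self.j = Kt, 0

    def encrypt(self, K: bytes, M: bytes) -> bytes:
        j, self.j = self.j, (self.j + 1) % KEY_BITS
        while True:
            C = E(K, M)  # a perfectly valid ciphertext of E; ~2 tries expected
            if F(self.Kt, C, j) == key_bit(K, j):
                return C


def big_brother_recover(Kt: bytes, ciphertexts: list) -> bytes:
    """Surveillance adversary: knows K~ and the message order, never K."""
    out = bytearray(KEY_BITS // 8)
    for j, C in enumerate(ciphertexts[:KEY_BITS]):
        out[j // 8] |= F(Kt, C, j) << (7 - j % 8)
    return bytes(out)


def demo() -> bool:
    """Returns True iff BB recovers K while every ciphertext decrypts normally."""
    K, Kt = secrets.token_bytes(16), secrets.token_bytes(16)
    msg = b"sixteen byte msg"  # constructed sample message
    sub = SubvertedE(Kt)
    cts = [sub.encrypt(K, msg) for _ in range(KEY_BITS)]
    # Detection adversary's view (has K, not K~): all ciphertexts are valid and
    # the IVs are uniform, so the subversion is undetectable from the outputs.
    detection_ok = all(D(K, C) == msg for C in cts)
    return detection_ok and big_brother_recover(Kt, cts) == K


if __name__ == "__main__":
    print("BB recovered K:", demo())
```

The channel is exactly the freedom to choose randomness: the subverter never alters E, only keeps resampling its random IV, which is why the later slides move to schemes in which (K, M, A, state) determine a single ciphertext.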
 Stateless and stateful SE schemes do not have the same security.
 Randomized / stateless schemes remain vulnerable to ASAs.
 Solution: for any key K, message M, associated data A and state t, there exists one and
only one ciphertext (a unique ciphertext scheme).
 In this case, D is the only eligible scheme that decrypts C
correctly.
 Thus the surveillance adversary B has no effect on the original algorithm.
Theorem (unique ciphertext scheme):
• Let π = (K, E, D) be a unique ciphertext scheme and let π˜ = (K˜, Ẽ,
D˜) be any subversion of π that is decryptable.
• Encryption is performed in both the normal Enc world and the subverted Enc
world.
• Ciphertext C is returned from the oracle.
• Decryption is performed.
• M is returned for the normal scheme by correctness and for the
subverted scheme by decryptability.
• If subverted decryption were used, the two messages would differ (!=).
Image: Crypto conference talk by Kenneth Paterson
 Set the nonce N to be a counter in both E and D to make a
doubly stateful scheme.
 Reject permanently whenever decryption fails for the first time.
 Let there be a nonce N that works in both encryption and decryption.
 This creates “statefulness” at both ends.
 It works as a counter that lets the decrypting algorithm work only once.
 Decryption is disabled once the whole decryption has been run for the first time.
 This lets the algorithm reject permanently if decryption does not work on the first
go.
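The doubly stateful, unique-ciphertext construction from the last two slides, written for this summary (not the paper's or the talk's code). Assumptions: a toy scheme in which C = (PRF(K, N) XOR M) || tag with the nonce N taken from a counter held by both E and D, HMAC-SHA256 as the PRF, a 16-byte tag, and a "dead" flag in D that implements the permanent reject. The detection check re-runs the public E at the same state and compares, which is the practical reading of the theorem: a decryptable subversion of a unique-ciphertext scheme must output exactly E's ciphertext, so any deviation is visible to a user who holds K.

```python
import hmac
import hashlib
import secrets
from typing import List, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """PRF modelled with HMAC-SHA256 (assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class UniqueCiphertextEncryptor:
    """E with nonce N = its own counter: (K, A, M, state) fixes C completely,
    so there is no randomness left for a subverted Ẽ to bias."""

    def __init__(self, K: bytes, start: int = 0) -> None:
        self.K, self.n = K, start

    def encrypt(self, A: bytes, M: bytes) -> bytes:
        N = self.n.to_bytes(8, "big")
        self.n += 1
        body = xor(prf(self.K, b"enc" + N)[:len(M)], M)
        tag = prf(self.K, b"tag" + N + A + body)[:16]
        return body + tag


class UniqueCiphertextDecryptor:
    """D keeps the same counter; the first failed decryption poisons it for good."""

    def __init__(self, K: bytes) -> None:
        self.K, self.n, self.dead = K, 0, False

    def decrypt(self, A: bytes, C: bytes) -> Optional[bytes]:
        if self.dead:
            return None  # permanent reject after the first failure
        N = self.n.to_bytes(8, "big")
        body, tag = C[:-16], C[-16:]
        if not hmac.compare_digest(prf(self.K, b"tag" + N + A + body)[:16], tag):
            self.dead = True
            return None
        self.n += 1
        return xor(prf(self.K, b"enc" + N)[:len(body)], body)


def detection_check(K: bytes, A: bytes, M: bytes, device_output: bytes, state: int) -> bool:
    """Detection adversary (has K, not K~): recompute E at the same state and compare."""
    return hmac.compare_digest(UniqueCiphertextEncryptor(K, state).encrypt(A, M), device_output)


def demo_honest() -> bool:
    """Honest E passes the detection check and D decrypts everything in order."""
    K = secrets.token_bytes(16)
    enc, dec = UniqueCiphertextEncryptor(K), UniqueCiphertextDecryptor(K)
    msgs: List[bytes] = [b"first", b"second", b"third"]  # constructed sample messages
    cts = [enc.encrypt(b"hdr", m) for m in msgs]
    checks_ok = all(detection_check(K, b"hdr", m, c, i) for i, (m, c) in enumerate(zip(msgs, cts)))
    return checks_ok and [dec.decrypt(b"hdr", c) for c in cts] == msgs


def demo_subverted() -> bool:
    """An Ẽ that changes even one bit (its only way to embed anything here)
    fails the detection check, and D rejects it and then everything after it."""
    K = secrets.token_bytes(16)
    enc, dec = UniqueCiphertextEncryptor(K), UniqueCiphertextDecryptor(K)
    C = enc.encrypt(b"hdr", b"payload")
    C_tilde = bytes([C[0] ^ 1]) + C[1:]  # constructed deviation from E's unique output
    detected = not detection_check(K, b"hdr", b"payload", C_tilde, 0)
    first = dec.decrypt(b"hdr", C_tilde)  # None: tag check fails, D is now dead
    second = dec.decrypt(b"hdr", C)       # None: even the honest C is rejected now
    return detected and first is None and second is None


if __name__ == "__main__":
    print("honest scheme ok:", demo_honest())
    print("subversion detected and rejected:", demo_subverted())
```

Compared with the stateless scheme, the only thing a subverter could still vary is the counter itself, and the shared counter in D turns that into a decryption failure rather than a covert channel; the permanent reject ensures a single failed attempt cannot be retried until one slips through.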
 Defensive schemes could still leak information to the
surveillance adversary.
 For example, every time ciphertexts are transferred the adversary
learns something new about them -> a pattern or trend.
 They might then perform statistical analysis to figure it out.