IEEE Access (Jan 2020)

On the Security of Symmetric Encryption Against Mass Surveillance

  • Da-Zhi Sun,
  • Yi Mu

DOI
https://doi.org/10.1109/ACCESS.2020.3025848
Journal volume & issue
Vol. 8
pp. 175625 – 175636

Abstract

For mass surveillance, algorithm substitution attacks (ASAs) are serious security threats to symmetric encryption schemes. At CRYPTO 2014, Bellare, Paterson, and Rogaway (BPR) formally developed the security notions of decryptability, undetectability, and surveillance, and presented a unique ciphertext symmetric encryption scheme secure against all possible ASAs. At FSE 2015, Degabriele, Farshim, and Poettering (DFP) relaxed the correctness requirement of decryptability and presented an input-triggered ASA that meets the BPR security definitions but breaks the security of the BPR unique ciphertext scheme. Hence, DFP refined the security notions of detectability and subversion resistance so that their ASA is excluded from the BPR unique ciphertext scheme. At CCS 2015, Bellare, Jaeger, and Kane (BJK) also developed the security notion of key recovery to make the input-triggered ASA infeasible. We investigate ASAs on symmetric encryption schemes. Our contribution is twofold. (1) We propose a new trigger ASA against symmetric encryption schemes. Our proposed ASA cannot be captured by the BJK security definitions, whereas the DFP security definitions can detect it. From the viewpoint of ASAs, this result demonstrates that the DFP security definitions are not identical to the BJK security definitions. (2) We improve the DFP definition of subversion resistance. DFP proved that the BPR unique ciphertext scheme defeats the input-triggered ASA under their subversion resistance definition. However, we show that the BPR unique ciphertext scheme fails to meet the DFP subversion resistance definition because of our proposed ASA. Therefore, we propose an improved definition of subversion resistance that covers all existing trigger ASAs, and we prove that the BPR unique ciphertext scheme is secure under this improved definition. We thus believe that our improved definition is more suitable for evaluating the ASA security of symmetric encryption schemes.

Keywords