4.7 Article

Practical Algorithm Substitution Attacks on Real-World Public-Key Cryptosystems

Journal

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TIFS.2023.3304124

Keywords

Algorithm substitution attack; randomized algorithm; public-key cryptography


This paper discusses algorithm substitution attacks (ASAs) which replace the honest implementation of a cryptographic primitive with a subverted one to aid in breaking cryptographic security. The authors present a practical and undetectable substitution method for a general randomized algorithm, and demonstrate a series of ASAs on core primitives in public-key cryptography. These attacks are universal, as they do not rely on the internal description of the underlying cryptographic algorithm, and they have practical implications for widely deployed cryptographic standards and ongoing NIST post-quantum standards.
The revelations about massive surveillance have created significant interest in algorithm substitution attack (ASA), where an honest implementation of a cryptographic primitive is replaced by a subverted one which can help big brother to break cryptographic security while generating output indistinguishable from the honest output. The current known ASAs on public-key cryptography are either dedicated for a type of concrete constructions with specific internal, or restrictive when applying to the real-world cryptographic standards (Ateniese et al., ACM CCS'15; Russell et al., ACM CCS'17; Chen et al., ASIACRYPT'20). In this paper, we first present a practical undetectable substitution for a general randomized algorithm with certain structure such that the randomness can be revealed to the big brother. Then, instantiating this randomized algorithm, we present a series of ASAs on core primitives in public-key cryptography including public-key encryption, key encapsulation mechanism, key exchange, and digital signature. In particular, our ASAs are universal in the sense that they do not rely on the internal description of the underlying cryptographic algorithm. Moreover, our ASAs are also practical since they can affect not only the widely deployed cryptographic standards, but also the ongoing NIST post-quantum standards.
