 Okay, welcome to this talk about practical algorithm substitution attack on public encryption for ISOcrypto2020. I'm Romo Cheng and this is a joint work with Xin Yihuan and Motien. Part of this work was done while I was visiting Kozik in KU Luven. Motor cryptography has been a tremendous success partially due to the Prover Circuit technique. No level robustness of Prover Security closely relies on implicit and common assumption which says that the implemented cryptography algorithms in reality should behave in a way specified by the specifications. Unfortunately, in the real world, such an assumption may turn out to be invalid due to a variety of reasons such as software or hardware bugs and even malicious tampering attacks. In particular, attackers such as manufacturers and supply chain intermediaries may be able to modify the algorithm implementation to leak private information stacily from the cryptosystems. In fact, such a kind of threat was identified as cryptography by Yong and Yan over 20 years ago. While some cryptographers seem to have to dismiss this attack as far-fetched at a time, there's not a revelation of actual deployments of such attacks in 2013, so Yong and Yan's idea was really prescient and since then it had reattracted real-life attention of the research community. In crypto 2014, Bairui, Patterson, and Rockaway formalized a new notion called algorithm substitution attack, which was defined broadly against symmetric encryption. In this attack model, the encryption algorithm is replaced by an altered version which is embedded with a backdoor key created by the adversary. Here we use rather highlight the subverted algorithm. Such a substitution is said to be undetectable if the detector who knows the secret key cannot distinguish the legitimate algorithm from the subverted algorithm in a black box testing. And the goal of the attacker is to gain the ability to recover the secret key from sequential server tests produced by the subverted algorithm with the help of the backdoor key. Here is a concrete substitution attack against a symmetric encryption algorithm. The subverted encryption algorithm as in pull the secret key, the message, and some associate data, and also the backdoor key. The subverted algorithm also maintains a global counter to indicate which bits of the secret key is trying to leak in each round. And the procedure of the subverted algorithm is almost the same as the legitimate one is that it will repeat sampling the renderings until the resulting server tests represent the secret key bit under the random function. Note that such a difference is undetectable to the legitimate users who has only a black box assess. To recover the secret key bit by bit, the attacker could use the backdoor key to execute the random function by taking as input a couple of subverted server tests. There have been several following work about substitution attacks with different settings and against different primitives. Specifically, a general result by a band on this key which shows that there exists universal substitution attacks which can work with no knowledge on the internal implementation of the cryptography primitive and are applicable to any randomized algorithms with sufficiently large beam entropy. So they also gave a log-rhythmic up bound which says that no universal and consistent substitution attack is able to embed more than no key bits of information into a single server test. Still K denotes the bit length of the secret key involved in the encryption algorithm or the sampling algorithm and the goal of the attack is to recover the secret key from the subverted algorithms. In this work, we termed to another fundamental cryptography primitives that public encryption with the goal of better understanding the impact of substitution attacks on public encryption algorithm. Note that a major difference from symmetric key primitives such as symmetric key encryption and digital signature, public key encryption algorithms does not involve the secret key. And such the best possible goal for substitution attacks on public key encryption algorithm is to recover the plan test. For legitimate users, this seems somewhat positive as different from the fixed secret key, the plan test is usually much longer and far as across various encryption sessions. And such the adversary needs to collect much more cyber tests to recover the whole plan test successfully. Therefore, the current bit-by-bit substitution attacks while applicable to public key encryption algorithm are quite inefficient. And this over-servation and the importance of better understanding of the impacts of substitution attack motivates us to ask the following concrete question, do there exist efficient and robust substitution attacks on public key encryption algorithm? A safe attack is more robust if its internal state depends on such a small history. This is because for cryptography algorithms, some limited dependence on the past such as the state of pseudo-random generators is natural, while long history dependence is not that typical and creates more complicated state management. Not that previous universal substitution attacks need to maintain a global state to indicate it with a bit of secret key to leak in each run, and such a state will persist for a much longer time if the attack goal is to leak the plan test. So in this work, we provide an affirmative answer to these questions by proposing a practical substitution attack that is genetically applicable to a wide range of public key encryption schemes, demonstrating that a substitution attack on public key encryption could be much more dangerous than previously thought. Our idea is initially inspired by the observation that almost all primary public key encryption construction adopt hybrid encryption. That's a public key crypto system, which is also known as the key encapsulation mechanism or CAM for short, is used to encapsulate the so-called session key, which is subsequently used to encrypt the plan test by a symmetric encryption algorithm, which is known as the data encapsulation mechanism or CAM for short. So for such kind of hybrid encryption, the session key is usually much shorter than the plan test. So therefore, we tend to consider the possibility of substituting the underlying CAM of public key encryption algorithm, so that the attacker is able to recover the session key to break the dam, and later after recover the plan test. However, this does not immediately get much efficiencies improvement in server-tint public key encryption, as the CAM still produce fresh session keys in between various encryption invocations. Hence, we take a step further by considering the feasibility of a more efficient substitution attack that could successfully recover a session key from a constant number of server-tint server tests. To the end, we formalize an asymmetric attack model for CAMs and identify a general structural weakness in existing CAM constructions. This can enable us to mount a much more efficient substitution attack on CAMs. In our attack, the attacker could recover a session key from only two server tests, and such the state required by the attack is much smaller than the previous universal attack. We also gave several instantiations of subtervals CAMs, and below I will further elaborate on our results. As first we call the simplifying test of CAM. Informally, a CAM is defined by a tuple of algorithms. The key generation algorithm gen here generates the public secret key pal, and the encapsulation algorithms takes as input public key an output session key k with the key server test ck. From the encapsulation algorithms, we will use the secret key to decrypt the key server test ck for the session key k. So our asymmetric attack model for CAM is defined by the following three algorithms. The attacker runs the subversion key generation algorithm which will output a subversion key pal. And the public subversion key psk is hardwired in the subversion key algorithm, while a secret subversion key ssk is hold by the attack. This asymmetric setting is different from previous symmetric attack model, while only a vector key is used by the attacker. And the subversion and encapsulation algorithm takes as input a public key as well as the embedded public subversion key and outputs the key with the subverted key server test. And for stateful attack, this algorithm will also maintain some internal state which is updated in each round. And the key recover algorithms take as input the public key on the secret subversion key and the subverted key server test ck and an associate server test set c and outputs the session key k. This algorithm is run by the attack to recover the session key. Our asymmetric attack model mainly differed from previous symmetric attack model in that the session key recovery requires a secret subversion key that is different from the embedded public subversion key. As the attacking ability in our attack is exclusive to the attacker, which means that even users are made in the public subversion key by reverse engineering the subverted device, he is still not able to attack other subverted systems. So in our model, we formalize three properties for substitution attacks on cam. First, the subverted server test should be still decryptable to the legitimate user who has the secret key but not the secret subversion key. The session key recovery ability keeps the ability of the attacker to recover the session key from the subverted server test. Note that here the recovery algorithms may need to take as input some associate data or associate server test. Since due to information, static reliance, it may be impossible for the attacker to recover the session key, the whole session key, given the subverted server test only. And the last notion called undetectability denotes the inability of ordinary users to distinguish the subverted encapsulation algorithm from the legitimate one in a black box testing. As we will show later, these properties significantly restrict the manners for attack to subverted algorithm. One may also note that the notion of decryptability could be viewed as the base form of undetectability. As if the subverted server test could not be correctly decrypted, the user will see that decryptability, not that the algorithm is subverted. Let's move on to our proposed attack. Here we only take the case of simplified CAM as an example. Given the logarithmic upper bound of universal subversion attacks, we tend to consider non-black box attacks on CAM for better efficiency. Let us look into the procedure of encapsulation algorithm which could be viewed as a composed of a randomized component and a deterministic component. The randomized part, which is generally known as shielded random generator, will produce a randomness which is fed into the deterministic component that also takes as input the public key and output session key with the key sub test. We found that many popular CAM construction in fact produce several tests which only depend on internal random coins while it's independent of the public key. As a result, such kinds of key sub tests are universally decryptable with any valid secret key. And precisely, for fixed randomness, a key sub test will be always the same regardless of the public key use. However, if we use different secret keys to decrypt a key sub test, we will have different session key. I am going to give a simple example for easy understanding. This is a very simple CAM from Algama encryption scheme. The randomness space is Jp star while both the key space and the cyber test space are the group G. As we know the key sub test of Algama is the group element that depends on the freshly generated randomness R only. For different public keys, here we use h1, h2, h3 and the corresponding secret key is alpha 1, alpha 2, and alpha 3. The session key will be different which is decryptable using the corresponding secret key. So, in the following we will show how such structural property enables a very efficient substitution of attacks on CAMs. Let's consider the life circle of a public key encryption algorithm. In an ongoing encryption system, the underlying key calculation algorithm will be run repeatedly to produce fresh session keys. Let the random coin run generated in different sessions should be independent from each other. Our code attack idea is to modify the randomness generation inside the encapsulation algorithm. The attacker runs the legitimate key generation algorithm for the session key pale and do the following. Let's begin with the first server tier randomness R2 here. In the server tier algorithm, instead of running the randomness generator, the random coin R2 here is derived by hushing the output of the deterministic component de-encapped. That takes as inputs the public server key and the previous randomness R1. Note that the husk function key K is fixed as part of the embedded server key by the anniversary. Due to the universal decryptability of CAM, the attacker is able to recompute R2 by rounding the cap to decrypt the key server test C1 using the secret server key. Finally, the session key K2 could be recovered from previous server test C1 by the attacker who knows the corresponding secret server key SSK. So in this way, our attack enables the attacker to recover the session key of a server tier server test with the help of the previous server test, and our attack only requires a small state of previous session random coin. So all these together indicate that our attack is very efficient and robust. Below I will briefly show that the attack is undetectable. In the detection game, depending on the flip single coin, the detector is provided with the access to either the legitimate calculation oracle on a server tier 1, and his goal is to guess the coin by making queries to the oracle in the black box manner. Supposedly the detector makes Q queries in total to the encapsulation oracle in the detection game, and we modify the server tier oracle in game 0 step by step and await a game sequence. In the first modified game, the generation of randomities R2 is slightly modified in let the intermediate value T1 is randomly picked from the key space, and due to the security of CAN, it's easy to see that this CAN is indistinguishable from game 0 from the view of the detector. In the following game, we straightforwardly pick R2 from the randomity space instead of computing the hash function. We saw that if the underlying hash function is entropy smoothing, hashing, such a modification is also indistinguishable from the detector. So not that in this game the server tier oracle actually is the same as the legitimate one in generating the response to the second query by the detector. So we modify all the following queries in the server tier oracle in the same way. Finally, we will have the game, while the server tier oracle will be exactly the legitimate one, and thus in this game the encapsulation oracle behaves honestly regardless of the free coin. Let the detection advantage of the detector in this game is negligible, thus we come to the conclusion that the detector cannot distinguish the legitimate algorithm from the server tier one. So our attack in the curve of a wide range of CAMs, including the generic construction from a hash pool system and concrete CAMs derived from popular public key encryption schemes such as the creamer soup scheme, the colossal water death method scheme, and the whole hand killed scheme. I would like to remark that there are some constructions that are not susceptible to our attack as they do not solve our identified structural weakness, and we provide more details about these constructions in our full paper. Okay, so this is the conclusion of my talk. Our work shows that substitution attacks on public key encryption algorithms are far more effective and dangerous than previously believed. It is also noting that our attack could be viewed as a general extension of Yong and Yan's cryptography attacks in the substitution attack model. Also, our approaches might shed some light on identifying non-black box structural weakness of our compost cryptography primitives that make them subvertable to more dangerous attacks that surpasses the low risk up bound of universal attacks. Our work might also increase the awareness of research communities in designing new security and encryption mechanisms against substitution attacks. Okay, that's all. Thank you.