6.6 Deniable Password Snatching Based on Phi-Hiding
6.6.2 Questionable Encryptions
At first sight it may appear that the attack that uses multiple linked lists is needlessly complicated. Also, it might not be clear why this snatching attack is better than the original deniable password-snatching attack that copies asymmetrically encrypted login/password pairs to the disk. The reason that this attack is an improvement is due to the subtle nature of what constitutes theft. For a law enforcement officer to frisk a citizen, there must be probable cause. For the judicial system to convict a citizen, there must be proof that a crime has been committed. The Phi-Hiding password-snatching attack helps cast doubt as to whether or not thievery has occurred.
Consider the ElGamal based deniable password-snatching attack. The Trojan contains the ElGamal public key (y, g, p). For concreteness, let this be the version of ElGamal that is semantically secure against plaintext attacks. Hence, suppose that g has order q where q is prime and p = 2q + 1. Let G be the prime order subgroup of Z_p^* that is generated by g.
Observe that it is possible to sample values y ∈ G without knowing the private key x such that y = g^x mod p. This implies that the Trojan author could conceivably gift the Trojan with a public key without even knowing the corresponding private key. A defendant that claims that he or she does not know the private key could in fact be telling the truth. It is quite possible that no one knows the private key in this case. However, it is straightforward to verify that the order of y modulo p is q. Hence, it is possible to verify that y is a public key, whether someone knows the private key x for y or not.
What this means is that by observation, it is possible to witness the Trojan leak asymmetric ciphertexts in the deniable password-snatching attack, whether they can be decrypted or not. So, it is possible to prove in some sense that sensitive data has been transmitted outside of the machine. This is not the case in the Phi-Hiding password-snatching attack. In the Phi-Hiding password-snatching attack, either p_i divides φ(m_i) or not. This is not subject to debate. It is either true or it isn't. Hence, if for all i it is the case that p_i does not divide φ(m_i) then the Trojan is not asymmetrically encrypting anything at all. When this is the case, sensitive information is not being transmitted outside of the host machine. Proving that the Trojan snatches passwords amounts to proving that one of the primes p_i divides φ(m_i). The presumed intractability of this is closely related to the Phi-Hiding assumption. Under this scheme, it is possible for the Trojan author to deploy a Trojan in which none of the primes are Phi-Hidden. If prosecuted, the Trojan author can prove that none of the primes are Phi-Hidden by revealing the prime power decomposition of the n composites in the Trojan. We argue that the Phi-Hiding password-snatching attack is one of the best ways to snatch passwords from a fielded machine since it places the burden of proof on the prosecution in a very strong way. It is fitting to say that this Trojan satisfies the questionable encryption property, for lack of a better term. The reason that this term seems appropriate is that it is questionable as to whether the Trojan is encrypting anything at all.
A natural question to ask is whether or not the deniable password-snatching Trojan satisfies the questionable encryption property when RSA is used. Consider the case that the login/password pairs are encrypted using RSA with a deterministic padding scheme or are encrypted using OAEP. Also, suppose that e is the typical value of 2^16 + 1, which is prime. The Trojan author can deliberately choose p and q such that gcd(e^2, φ(pq)) = e. Without loss of generality, let p − 1 ≡ 0 (mod e) and q − 1 ≢ 0 (mod e). Adleman, Manders, and Miller presented a generalization of Tonelli's algorithm to compute rth roots modulo a prime where r is a small prime [4] (see also [174]). Recall that there are r roots in the complete solution set in this case. This algorithm is efficient when e is small and can be used to compute eth roots modulo p. When the factorization of n = pq is known it follows that there exists an efficient algorithm to compute eth roots modulo n in this case. In OAEP the correct root will be immediately apparent by verifying the OAEP checksum field that results from hashing. In RSA with deterministic padding, the correct root will also likely be apparent by looking for padding bits, an ASCII value that appears to be a login/password pair, and so on. With such a small value for e this approach does not exhibit the questionable encryption property.
By setting e to be significantly larger than 2^16 + 1, for example, by making it a 160-bit prime, the RSA cryptosystem exhibits the questionable encryption property. The reason for this is twofold. First, observe that deciding whether or not e divides φ(n) evenly is a decision problem that is intimately related to the Phi-Hiding problem. Second, when e does in fact divide φ(n) evenly, it is intractable for the malware author to perform decryption correctly. This follows from the fact that to date, there is no known algorithm for efficiently computing eth roots mod p with such a large prime e. For details the reader is referred to a section in Bach and Shallit entitled, "Computing d-th Roots" [12]. However, the questionable encryption property need not rely on the inability of the private key holder to compute eth roots. To see this, consider the following alternative. The value e can be set to be the product of numerous small, distinct, and odd primes. As before the value e should be at least 160 bits. In this case it is possible to efficiently compute eth roots modulo p. However, the questionable encryption property still holds due to the fact that there are far too many roots for the private key holder to check. An asymmetric encryption function that exhibits the questionable encryption property is a specialized instance of cryptocomputing since it is possible to observe the function compute a value, but there is no way to tell if the resulting value is an asymmetric ciphertext or not.
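To make the root-counting argument concrete, the following is an added Python example; it is not from the book. It brute-forces the map x ↦ x^e mod n over the units of toy moduli and checks that, when gcd(e^2, φ(n)) = e, every value that is an eth power has exactly gcd(e, p − 1)·gcd(e, q − 1) eth roots (one root, i.e. a permutation, for honest RSA), that this count equals e itself when e is a product of small primes that all divide p − 1, which is the scaling the 160-bit argument relies on, and that two distinct plaintexts collide on one output value. The primes and exponents (7, 105; 11, 17, 29, 211, 23) are constructed for the demonstration and are far too small for any real use.

```python
# Added example: toy 'questionable' RSA parameters in which e divides phi(n).
# All primes and exponents are constructed for the demonstration and are tiny;
# they exist only so that the brute force over Z_n^* finishes instantly.
from collections import Counter
from math import gcd


def is_questionable_rsa(e, p, q):
    """True when gcd(e^2, phi(pq)) == e, i.e. e divides phi(n) exactly once,
    so x -> x^e mod n is no longer a permutation of Z_n^* (the book's setting)."""
    phi = (p - 1) * (q - 1)
    return gcd(e * e, phi) == e


def predicted_root_count(e, p, q):
    """Size of the kernel of x -> x^e on Z_n^* = Z_p^* x Z_q^*.  Every value that
    is an e-th power has exactly this many e-th roots; it is 1 for honest RSA."""
    return gcd(e, p - 1) * gcd(e, q - 1)


def observed_root_counts(e, p, q):
    """Brute force: raise every unit of Z_n to the e and return the set of
    preimage counts that occur.  Honest RSA gives {1}; rigged parameters give
    one larger value, matching predicted_root_count()."""
    n = p * q
    images = Counter(pow(x, e, n) for x in range(1, n) if gcd(x, n) == 1)
    return set(images.values())


def find_collision(e, p, q):
    """Return two distinct 'plaintexts' m1 != m2 with m1^e == m2^e mod n, or
    None for honest parameters.  An observer who sees the common value cannot
    tell which of the two (if either) was encrypted."""
    n = p * q
    seen = {}
    for m in range(2, n):
        if gcd(m, n) != 1:
            continue
        c = pow(m, e, n)
        if c in seen:
            return seen[c], m
        seen[c] = m
    return None


# Constructed toy parameters (e, p, q).
HONEST = (7, 11, 17)           # gcd(7, 10*16) == 1: x -> x^7 is a permutation.
RIGGED_PRIME_E = (7, 29, 11)   # 7 | 28 = p-1 and 7 does not divide 10 = q-1.
# e = 3*5*7 = 105 with 3, 5, 7 all dividing p-1 = 210 and none dividing q-1 = 22:
# the number of roots per ciphertext equals e itself.
RIGGED_SMOOTH_E = (105, 211, 23)

if __name__ == "__main__":
    cases = [("honest", HONEST), ("rigged, prime e", RIGGED_PRIME_E),
             ("rigged, smooth e", RIGGED_SMOOTH_E)]
    for label, (e, p, q) in cases:
        print(label, "n =", p * q,
              "questionable:", is_questionable_rsa(e, p, q),
              "predicted roots:", predicted_root_count(e, p, q),
              "observed:", observed_root_counts(e, p, q),
              "collision:", find_collision(e, p, q))
```

With the honest triple the observed count is {1} and no collision exists; with (7, 29, 11) every eth power has 7 roots, and with e = 105 it has 105, so the root count grows with e exactly as the text needs it to for a 160-bit smooth exponent.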
The following are two additional ways to implement questionable encryptions. The first is based on the Goldwasser-Micali cryptosystem (see Appendix C.1.9). Recall that the GM cryptosystem uses a pseudosquare y modulo n where n is the public modulus. The malware designer can choose y to be a quadratic residue modulo n instead of a pseudosquare. It is not hard to see that all of the values in a GM ciphertext will then be randomly chosen quadratic residues. Hence, the malware author will not be able to decipher anything. The author can later prove this by revealing a square root of y and also the factorization of n if the author so desires. This root serves as a witness that there is no trapdoor value for GM that reveals the plaintext. It follows that questionable encryptions can be implemented under the quadratic residuosity assumption. This approach is related to the computationally secure PIR of Kushilevitz and Ostrovsky [165].
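The Goldwasser-Micali variant above, as an added Python example that is not from the book: an honest GM key uses a pseudosquare y, the rigged key uses y = r^2 mod n, and the only check a third party can run without the factorization (that y has Jacobi symbol 1) is satisfied by both, so the two keys are indistinguishable from the outside. Decrypting the rigged ciphertexts yields only zeros because every element is a quadratic residue, and the root r is the witness. The primes p = 47, q = 59 and the sample plaintext bits are constructed for the demonstration and are far too small for real use.

```python
# Added example: honest Goldwasser-Micali versus the 'questionable' variant in
# which y is a quadratic residue, so every ciphertext element is a random QR
# that carries no plaintext bit.  Toy primes, constructed for the demonstration.
import secrets
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed via quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr_mod_prime(c, p):
    """Euler's criterion: c is a square modulo the odd prime p."""
    return pow(c, (p - 1) // 2, p) == 1


def random_unit(n):
    """Uniform element of Z_n^* by rejection sampling."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            return r


def honest_gm_key(p, q):
    """Honest GM public key: a pseudosquare y, Jacobi symbol 1 but a
    non-residue mod p (hence also mod q), so y^b separates b = 0 from b = 1."""
    n = p * q
    for y in range(2, n):
        if jacobi(y, n) == 1 and not is_qr_mod_prime(y, p):
            return y
    raise ValueError("no pseudosquare found")


def questionable_gm_key(p, q):
    """Rigged GM public key: y = r^2 mod n is a genuine quadratic residue.
    Returns (y, r); r is kept as the later witness that nothing was encrypted."""
    n = p * q
    r = random_unit(n)
    return pow(r, 2, n), r


def gm_encrypt(bits, y, n):
    """GM encryption of a bit string: c_i = r_i^2 * y^(b_i) mod n."""
    return [pow(random_unit(n), 2, n) * (y if b else 1) % n for b in bits]


def gm_decrypt(cts, p):
    """GM decryption with the factor p: bit is 0 iff c_i is a square mod p."""
    return [0 if is_qr_mod_prime(c, p) else 1 for c in cts]


def looks_like_valid_gm_key(y, n):
    """All a third party can verify without the factorization: Jacobi(y, n) = 1.
    Both the honest and the rigged y pass."""
    return jacobi(y, n) == 1


def witness_proves_no_trapdoor(y, r, n):
    """r^2 == y mod n proves y is a QR, hence each ciphertext element is a
    uniformly random QR whatever the plaintext was: nothing was encrypted."""
    return pow(r, 2, n) == y


P, Q = 47, 59                            # constructed toy primes
N = P * Q
SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed sample plaintext

if __name__ == "__main__":
    y = honest_gm_key(P, Q)
    print("honest key recovers plaintext:",
          gm_decrypt(gm_encrypt(SAMPLE_BITS, y, N), P) == SAMPLE_BITS)
    y_fake, r = questionable_gm_key(P, Q)
    print("rigged key passes the public check:", looks_like_valid_gm_key(y_fake, N))
    print("rigged 'decryption' sees only zeros:",
          gm_decrypt(gm_encrypt(SAMPLE_BITS, y_fake, N), P))
    print("witness verifies:", witness_proves_no_trapdoor(y_fake, r, N))
```

Note that the witness check fails against the honest key: a pseudosquare has no square root modulo n, which is exactly why revealing r (or the factorization) settles the question one way or the other.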
The second approach is heuristic in nature. Let (y, g, p) be an ElGamal public key, let g and p be fixed system parameters, and let G be the group generated by g. The value y can be chosen by computing y = H(s). Here s is a large randomly chosen seed and H is a random function with domain {0,1}^* (instantiated using a hash function). The range of H is equal to G. The questionable encryption property holds under the presumed intractability of computing a triple (x, y, s) satisfying,

g^x mod p = y = H(s) and y ∈ G    (6.3)

The pair (y, s) serves as a witness that no one knows the trapdoor value associated with y. This follows from the fact that if x is also known to the malware author then a valid triple must have been found.
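The hash-derived ElGamal key of equation (6.3), as an added Python example that is not from the book. It works in the order-q subgroup of Z_p^* for a safe prime p = 2q + 1, instantiates H by hashing the seed with SHA-256, reducing modulo p and squaring so that the output lands in G, and shows that the public validity check from the text (that y has order q) is passed by both an honest key g^x and a seeded key H(s), while the pair (y, s) can be re-derived by anyone. The tiny safe prime p = 23 (q = 11, g = 2) and the seed bytes are constructed for the demonstration.

```python
# Added example: an ElGamal public key y = H(s) with no known discrete log,
# beside an honest key y = g^x.  Toy safe prime, constructed for the demo.
import hashlib
import secrets

P = 23               # constructed toy safe prime, p = 2q + 1
Q = (P - 1) // 2     # q = 11
G = 2                # 2^11 = 2048 = 1 mod 23, so 2 generates the order-q subgroup


def hash_to_group(seed: bytes, p: int = P) -> int:
    """H: {0,1}^* -> G.  Hash the seed, reduce mod p, then square so the result
    is a quadratic residue, i.e. lies in the order-q subgroup G.  A counter is
    appended and the hash repeated if the result is 0 or 1 (not a generator)."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        y = pow(int.from_bytes(digest, "big") % p, 2, p)
        if y > 1:
            return y
        counter += 1


def seeded_public_key(seed: bytes):
    """Rigged key: (y, s) with y = H(s).  Nobody holds x with g^x = y unless a
    triple satisfying equation (6.3) has been found."""
    return hash_to_group(seed), seed


def honest_public_key():
    """Honest ElGamal key pair: x uniform in [1, q-1], y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return pow(G, x, P), x


def has_order_q(y: int, p: int = P, q: int = Q) -> bool:
    """The public check from the text: y != 1 and y^q = 1 mod p, i.e. y is in G.
    It accepts seeded and honest keys alike."""
    return 1 < y < p and pow(y, q, p) == 1


def witness_checks(y: int, seed: bytes) -> bool:
    """Anyone can re-derive H(s) and confirm it equals the published y."""
    return hash_to_group(seed) == y


if __name__ == "__main__":
    y_seeded, s = seeded_public_key(b"constructed demo seed")
    y_honest, x = honest_public_key()
    print("seeded key passes order-q check:", has_order_q(y_seeded))
    print("honest key passes order-q check:", has_order_q(y_honest))
    print("witness (y, s) re-derives:", witness_checks(y_seeded, s))
```

The squaring step is what makes the map land in G for a safe prime; for a general prime-order subgroup one would raise to the cofactor (p − 1)/q instead.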
A questionable encryption scheme is a form of oblivious transfer and can be regarded as a variant of all-or-nothing disclosure [38, 39]. However, these two notions differ in a couple of ways. A questionable encryption scheme can operate as an asymmetric cipher that is applied repeatedly and independently to many pieces of data, not data defined within the scope of a single protocol as is the case of all-or-nothing disclosure.
Court systems often rely on precedent in dealing with a case. The following is a way to establish a public precedent in regards to questionable encryptions. A virus writer can deploy a virus that computes questionable encryptions of sensitive data and that publishes these encryptions on the Internet. The virus can be designed so that it does not in fact encrypt anything. Once there has been a suitable amount of press coverage, the virus writer can anonymously reveal the factorization of n. This may put many people at ease. There would likely be even more press coverage that mentions that quite surprisingly the virus does not encrypt anything at all. With any luck this occurrence will cast a substantial amount of doubt in subsequent court cases involving questionable encryptions.
A public key cryptosystem that exhibits the questionable encryption property is a general tool for malware. It makes it such that encryptions are questionable in the sense that there is no way of knowing whether or not asymmetric encryptions are really being computed. For example, the SETUP attack on RSA key generation can utilize RSA with a 160-bit prime e. If it is the case that gcd(e, φ(n)) = e, then the malware author can later reveal the factorization of n and show that there never was a SETUP attack being performed despite the fact that the basic functionality needed to mount a SETUP attack is present.
The notion of questionable encryptions has potentially serious implications for copyright law. Consider a provider that illegally transmits copyrighted material to a recipient. For example, a recipient gives the provider a public key and the provider sends the recipient copyrighted material (e.g., MP3 music files) encrypted under the recipient's public key.
Now consider how a questionable encryption scheme can minimize the legal risk for the recipient. Suppose that a questionable encryption scheme is used as the delivery mechanism. If the recipient gives the provider a fake public key that produces a nonce under the asymmetric encryption algorithm, then the recipient receives random numbers instead of copyrighted material and hence the provider and recipient have not violated any copyright laws. In this case the provider is providing a random number generation service. If the public key is real, then the recipient has knowingly elicited copyrighted material that the provider had no right to give.
In this copyright violation scheme, only the recipient can initiate a copyright violation, and only the recipient knows if a violation is even occurring. Strictly speaking, the provider is not knowingly or willingly violating any copyright laws. The use of questionable encryptions for copyright violations therefore adds an extra hurdle to the successful prosecution of rogue recipients of copyrighted material.
It is natural to investigate how law enforcement bodies could try to catch copyright violators. Suppose that an undercover officer registers a real public key with the provider. If the officer later obtains copyrighted material from the provider, then strictly speaking it was the officer that enacted the copyright violation, not the provider. It seems that the officer would have to monitor another user: (1) generate a real public key, (2) register the public key with the provider, and then (3) obtain and decrypt the received ciphertext. This approach would clearly show that the recipient is in violation of the law. However, it is more difficult to show that the provider knowingly duplicated and transferred copyrighted material. In this regard, the notion of questionable encryptions adversely affects the enforceability of copyright laws. Recording industry groups would have a much harder time prosecuting people that use protocols like Gnutella if the underlying data delivery system were designed to use a questionable encryption algorithm.
An issue that was glossed over is the case that the copyrighted material is bulky. For example, a copyrighted file may be 2 to 3 megabytes in size. To deal with bulk data encryptions, a secure number-theoretic pseudorandom number generator can be used. The seed is encrypted with the questionable encryption scheme and the pseudorandom sequence that results from the seed is bitwise XORed with the plaintext. Observe that the seed is lost when the fake public key is used in the questionable encryption. Hence, the resulting ciphertext stream is polynomially indistinguishable from a random bit string with respect to the key holder and everyone else.