{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,7]],"date-time":"2025-12-07T13:09:31Z","timestamp":1765112971352,"version":"3.37.3"},"reference-count":61,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2022,6,21]],"date-time":"2022-06-21T00:00:00Z","timestamp":1655769600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,6,21]],"date-time":"2022-06-21T00:00:00Z","timestamp":1655769600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","award":["EP\/P009301\/1"],"award-info":[{"award-number":["EP\/P009301\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100010663","name":"H2020 European Research Council","doi-asserted-by":"publisher","award":["779391"],"award-info":[{"award-number":["779391"]}],"id":[{"id":"10.13039\/100010663","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2022,10]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>This work describes a class of Algorithm Substitution Attack (ASA) generically targeting the receiver of a communication between two parties. Our work provides a unified framework that applies to any scheme where a secret key is held by the receiver; in particular, message authentication schemes (MACs), authenticated encryption (AEAD) and public key encryption (PKE). 
Our unified framework brings together prior work targeting MAC schemes (FSE\u201919) and AEAD schemes (IMACC\u201919) and extends it by showing that public key encryption may also be targeted. ASAs were initially introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance, as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. Previous work on ASAs against encryption schemes can be divided into two groups. ASAs against PKE schemes target key generation by creating subverted public keys that allow an adversary to recover the secret key. ASAs against symmetric encryption target the encryption algorithm and leak information through a subliminal channel in the ciphertexts. We introduce a new class of attack that targets the decryption algorithm of a symmetric or public key encryption scheme, or the verification algorithm of an authentication scheme. We present a generic framework for subverting a cryptographic scheme between a sender and receiver, and show how a decryption oracle allows a subverter to create a subliminal channel that can be used to leak secret keys. We then show that the generic framework can be applied to authenticated encryption with associated data, message authentication schemes, public key encryption and KEM\/DEM constructions. We discuss practical considerations and scheme-specific conditions that strengthen the generic approach. Furthermore, we show how the hybrid subversion of key generation and decryption algorithms can be used to amplify the effectiveness of our decryption attack. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. 
Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs.\n<\/jats:p>","DOI":"10.1007\/s10207-022-00596-5","type":"journal-article","created":{"date-parts":[[2022,6,21]],"date-time":"2022-06-21T17:08:26Z","timestamp":1655831306000},"page":"1027-1050","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Algorithm substitution attacks against receivers"],"prefix":"10.1007","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1231-6120","authenticated-orcid":false,"given":"Marcel","family":"Armour","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6525-5141","authenticated-orcid":false,"given":"Bertram","family":"Poettering","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,6,21]]},"reference":[{"key":"596_CR1","doi-asserted-by":"publisher","unstructured":"Al Mansoori, F., Baek, J., Salah, K.: Subverting MAC: how authentication in mobile environment can be undermined. In 2016 IEEE conference on computer communications workshops (INFOCOM WKSHPS), pp 870\u2013874, (2016). https:\/\/doi.org\/10.1109\/INFCOMW.2016.7562200","DOI":"10.1109\/INFCOMW.2016.7562200"},{"key":"596_CR2","doi-asserted-by":"crossref","unstructured":"Armour, M., Cid, C.: Partition oracles from weak key forgeries. Cryptology ePrint Archive, Report 2021\/1296, (2021). https:\/\/eprint.iacr.org\/2021\/1296","DOI":"10.1007\/978-3-030-92548-2_3"},{"key":"596_CR3","doi-asserted-by":"publisher","first-page":"42","DOI":"10.1007\/978-3-030-92548-2_3","volume-title":"Cryptology and Network Security","author":"M Armour","year":"2021","unstructured":"Armour, M., Cid, C.: Partition oracles from weak key forgeries. In: Conti, M., Stevens, M., Krenn, S. (eds.) Cryptology and Network Security, pp. 42\u201362. 
Springer, Cham (2021)"},{"issue":"3","key":"596_CR4","doi-asserted-by":"publisher","first-page":"152","DOI":"10.13154\/tosc.v2019.i3.152-168","volume":"2019","author":"M Armour","year":"2019","unstructured":"Armour, M., Poettering, B.: Substitution attacks against message authentication. IACR Trans. Symm. Cryptol. 2019(3), 152\u2013168 (2019). https:\/\/doi.org\/10.13154\/tosc.v2019.i3.152-168","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"596_CR5","doi-asserted-by":"publisher","unstructured":"Armour, M., Poettering, B.: Subverting decryption in AEAD. In Martin Albrecht, (ed.), 17th IMA international conference on cryptography and coding, volume 11929 of Lecture Notes in Computer Science, pages 22\u201341. Springer, Heidelberg, (2019). https:\/\/doi.org\/10.1007\/978-3-030-35199-1_2","DOI":"10.1007\/978-3-030-35199-1_2"},{"key":"596_CR6","doi-asserted-by":"publisher","unstructured":"Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Indrajit Ray, Ninghui Li, and Christopher Kruegel, (eds.), ACM CCS 2015: 22nd conference on computer and communications security, pp 364\u2013375. ACM Press, (2015). https:\/\/doi.org\/10.1145\/2810103.2813635","DOI":"10.1145\/2810103.2813635"},{"key":"596_CR7","unstructured":"Aviram, N., Dowling, B., Komargodski, I., Paterson, K.\u00a0G., Ronen, E., Yogev, E.: Practical (post-quantum) key combiners from one-wayness and applications to TLS. Cryptology ePrint Archive, Report 2022\/065, (2022). https:\/\/eprint.iacr.org\/2022\/065"},{"key":"596_CR8","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-57pt1r5","author":"E Barker","year":"2020","unstructured":"Barker, E.: NIST Special Publication 800\u201357 Part 1, Revision 5: Recommendation for Key Management (2020). https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5","journal-title":"Recomm. Key Manag."},{"key":"596_CR9","doi-asserted-by":"publisher","unstructured":"Bauer, B., Farshim, P., Mazaheri, S.: Combiners for backdoored random oracles. 
In Hovav Shacham and Alexandra Boldyreva, (eds.), Advances in cryptology: CRYPTO\u00a02018, Part\u00a0II, volume 10992 of Lecture Notes in Computer Science, pp 272\u2013302. Springer, Heidelberg, (2018). https:\/\/doi.org\/10.1007\/978-3-319-96881-0_10","DOI":"10.1007\/978-3-319-96881-0_10"},{"key":"596_CR10","doi-asserted-by":"publisher","unstructured":"Bellare, M., Hoang, V.\u00a0T.: Resisting randomness subversion: fast deterministic and hedged public-key encryption in the standard model. In Elisabeth Oswald and Marc Fischlin, (eds.), Advances in Cryptology: EUROCRYPT\u00a02015, Part\u00a0II, volume 9057 of Lecture Notes in Computer Science, pp 627\u2013656. Springer, Heidelberg, (2015). https:\/\/doi.org\/10.1007\/978-3-662-46803-6_21","DOI":"10.1007\/978-3-662-46803-6_21"},{"key":"596_CR11","doi-asserted-by":"publisher","unstructured":"Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: strongly undetectable algorithm-substitution attacks. In Indrajit Ray, Ninghui Li, and Christopher Kruegel, (eds.), ACM CCS 2015: 22nd conference on computer and communications security, pp 1431\u20131440. ACM Press, (2015). https:\/\/doi.org\/10.1145\/2810103.2813681","DOI":"10.1145\/2810103.2813681"},{"key":"596_CR12","doi-asserted-by":"publisher","unstructured":"Bellare, M., Kane, D., Rogaway, P.: Big-key symmetric encryption: resisting key exfiltration. In Matthew Robshaw and Jonathan Katz, (eds.), Advances in cryptology: CRYPTO\u00a02016, Part\u00a0I, volume 9814 of Lecture Notes in Computer Science, pp 373\u2013402. Springer, Heidelberg, (2016). https:\/\/doi.org\/10.1007\/978-3-662-53018-4_14","DOI":"10.1007\/978-3-662-53018-4_14"},{"key":"596_CR13","doi-asserted-by":"publisher","unstructured":"Bellare, M., Palacio, A.: Towards plaintext-aware public-key encryption without random oracles. In Pil\u00a0Joong Lee, (ed.), Advances in cryptology: ASIACRYPT\u00a02004, volume 3329 of Lecture Notes in Computer Science, pp 48\u201362. 
Springer, Heidelberg, (2004). https:\/\/doi.org\/10.1007\/978-3-540-30539-2_4","DOI":"10.1007\/978-3-540-30539-2_4"},{"key":"596_CR14","doi-asserted-by":"publisher","unstructured":"Bellare, M., Paterson, K.\u00a0G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In Juan\u00a0A. Garay and Rosario Gennaro, (eds.), Advances in cryptology: CRYPTO\u00a02014, Part\u00a0I, volume 8616 of Lecture Notes in Computer Science, pp 1\u201319. Springer, Heidelberg, (2014). https:\/\/doi.org\/10.1007\/978-3-662-44371-2_1","DOI":"10.1007\/978-3-662-44371-2_1"},{"key":"596_CR15","doi-asserted-by":"publisher","unstructured":"Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In Alfredo\u00a0De Santis, (ed.), Advances in cryptology: EUROCRYPT\u201994, volume 950 of Lecture Notes in Computer Science, pp 92\u2013111. Springer, Heidelberg, (1995). https:\/\/doi.org\/10.1007\/BFb0053428","DOI":"10.1007\/BFb0053428"},{"key":"596_CR16","doi-asserted-by":"publisher","unstructured":"Bemmann, P., Chen, R., Jager, T.: Subversion-resilient public key encryption with practical watchdogs. In Juan Garay, (ed.), PKC\u00a02021: 24th international conference on theory and practice of public key cryptography, Part\u00a0I, volume 12710 of Lecture Notes in Computer Science, pp 627\u2013658. Springer, Heidelberg, (2021). https:\/\/doi.org\/10.1007\/978-3-030-75245-3_23","DOI":"10.1007\/978-3-030-75245-3_23"},{"key":"596_CR17","doi-asserted-by":"publisher","unstructured":"Berndt, S., Liskiewicz, M.: Algorithm substitution attacks from a steganographic perspective. In Bhavani\u00a0M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu, (ed.), ACM CCS 2017: 24th conference on computer and communications security, pp 1649\u20131660. ACM Press, (2017). 
https:\/\/doi.org\/10.1145\/3133956.3133981","DOI":"10.1145\/3133956.3133981"},{"key":"596_CR18","unstructured":"Berndt, S., Wichelmann, J., Pott, C., Traving, T.-H., Eisenbarth, T.: ASAP: algorithm substitution attacks on cryptographic protocols. Cryptology ePrint Archive, Report 2020\/1452, (2020). https:\/\/eprint.iacr.org\/2020\/1452"},{"key":"596_CR19","doi-asserted-by":"crossref","unstructured":"Bhunia, S., Hsiao, M.\u00a0S., Banga, M., Narasimhan, S.: Hardware trojan attacks: threat analysis and countermeasures. In Proceedings of the IEEE, 102(8):1229\u20131247, (2014)","DOI":"10.1109\/JPROC.2014.2334493"},{"key":"596_CR20","doi-asserted-by":"publisher","unstructured":"Birkett, J., Dent, A.\u00a0W.: Relations among notions of plaintext awareness. In Ronald Cramer, (ed.), PKC\u00a02008: 11th international workshop on theory and practice in public key cryptography, volume 4939 of Lecture Notes in Computer Science, pages 47\u201364. Springer, Heidelberg, (2008). https:\/\/doi.org\/10.1007\/978-3-540-78440-1_4","DOI":"10.1007\/978-3-540-78440-1_4"},{"key":"596_CR21","doi-asserted-by":"publisher","unstructured":"Bossuat, A., Bultel, X., Fouque, P.-A., Onete, C., van der Merwe, T.: Designing reverse firewalls for the real world. In Liqun Chen, Ninghui Li, Kaitai Liang, and Steve\u00a0A. Schneider, (eds.), ESORICS\u00a02020: 25th European symposium on research in computer security, Part\u00a0I, volume 12308 of Lecture Notes in Computer Science, pp 193\u2013213. Springer, Heidelberg, (2020). https:\/\/doi.org\/10.1007\/978-3-030-58951-6_10","DOI":"10.1007\/978-3-030-58951-6_10"},{"key":"596_CR22","doi-asserted-by":"publisher","unstructured":"Camenisch, J., Drijvers, M., Lehmann, A.: Anonymous attestation with subverted TPMs. In Jonathan Katz and Hovav Shacham, (eds.), Advances in cryptology: CRYPTO\u00a02017, Part\u00a0III, volume 10403 of Lecture Notes in Computer Science, pp 427\u2013461. Springer, Heidelberg, (2017). 
https:\/\/doi.org\/10.1007\/978-3-319-63697-9_15","DOI":"10.1007\/978-3-319-63697-9_15"},{"key":"596_CR23","doi-asserted-by":"publisher","unstructured":"Chen, R., Huang, X., Yung, M.: Subvert KEM to break DEM: Practical algorithm-substitution attacks on public-key encryption. In Shiho Moriai and Huaxiong Wang, (eds.), Advances in cryptology: ASIACRYPT\u00a02020, Part\u00a0II, volume 12492 of Lecture Notes in Computer Science, pp 98\u2013128. Springer, Heidelberg, (2020). https:\/\/doi.org\/10.1007\/978-3-030-64834-3_4","DOI":"10.1007\/978-3-030-64834-3_4"},{"key":"596_CR24","doi-asserted-by":"publisher","unstructured":"Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In Ueli\u00a0M. Maurer, (ed.), Advances in cryptology: EUROCRYPT\u201996, volume 1070 of Lecture Notes in Computer Science, pp 178\u2013189. Springer, Heidelberg, (1996). https:\/\/doi.org\/10.1007\/3-540-68339-9_16","DOI":"10.1007\/3-540-68339-9_16"},{"key":"596_CR25","doi-asserted-by":"publisher","unstructured":"Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Hugo Krawczyk, (ed.), Advances in cryptology: CRYPTO\u201998, volume 1462 of Lecture Notes in Computer Science, pp 13\u201325. Springer, Heidelberg, (1998). https:\/\/doi.org\/10.1007\/BFb0055717","DOI":"10.1007\/BFb0055717"},{"issue":"1","key":"596_CR26","doi-asserted-by":"publisher","first-page":"167","DOI":"10.1137\/S0097539702403773","volume":"33","author":"R Cramer","year":"2003","unstructured":"Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167\u2013226 (2003)","journal-title":"SIAM J. Comput."},{"key":"596_CR27","doi-asserted-by":"publisher","unstructured":"Cr\u00e9peau, C., Slakmon, A.: Simple backdoors for RSA key generation. 
In Marc Joye, (ed.), Topics in cryptology: CT-RSA\u00a02003, volume 2612 of Lecture Notes in Computer Science, pp 403\u2013416. Springer, Heidelberg, (2003). https:\/\/doi.org\/10.1007\/3-540-36563-X_28","DOI":"10.1007\/3-540-36563-X_28"},{"key":"596_CR28","doi-asserted-by":"publisher","unstructured":"Degabriele, J.\u00a0P., Farshim, P., Poettering, B.: A more cautious approach to security against mass surveillance. In Gregor Leander, (ed.), Fast software encryption: FSE\u00a02015, volume 9054 of Lecture Notes in Computer Science, pp 579\u2013598. Springer, Heidelberg, (2015). https:\/\/doi.org\/10.1007\/978-3-662-48116-5_28","DOI":"10.1007\/978-3-662-48116-5_28"},{"key":"596_CR29","doi-asserted-by":"publisher","unstructured":"Degabriele, J.\u00a0P., Paterson, K.\u00a0G., Schuldt, J. C.\u00a0N., Woodage, J.: Backdoors in pseudorandom number generators: possibility and impossibility results. In Matthew Robshaw and Jonathan Katz, (eds.), Advances in cryptology: CRYPTO\u00a02016, Part\u00a0I, volume 9814 of Lecture Notes in Computer Science, pp 403\u2013432. Springer, Heidelberg, (2016). https:\/\/doi.org\/10.1007\/978-3-662-53018-4_15","DOI":"10.1007\/978-3-662-53018-4_15"},{"key":"596_CR30","doi-asserted-by":"publisher","unstructured":"Dent, A.\u00a0W.: The Cramer-Shoup encryption scheme is plaintext aware in the standard model. In Serge Vaudenay, (ed.), Advances in cryptology: EUROCRYPT\u00a02006, volume 4004 of Lecture Notes in Computer Science, pp 289\u2013307. Springer, Heidelberg, (2006). https:\/\/doi.org\/10.1007\/11761679_18","DOI":"10.1007\/11761679_18"},{"key":"596_CR31","doi-asserted-by":"publisher","unstructured":"Dodis, Y., Farshim, P., Mazaheri, S., Tessaro, S.: Towards defeating backdoored random oracles: indifferentiability with bounded adaptivity. In Rafael Pass and Krzysztof Pietrzak, (eds.), TCC\u00a02020: 18th theory of cryptography conference, Part\u00a0III, volume 12552 of Lecture Notes in Computer Science, pp 241\u2013273. 
Springer, Heidelberg, (2020). https:\/\/doi.org\/10.1007\/978-3-030-64381-2_9","DOI":"10.1007\/978-3-030-64381-2_9"},{"key":"596_CR32","doi-asserted-by":"publisher","unstructured":"Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In Elisabeth Oswald and Marc Fischlin, (eds.), advances in cryptology: EUROCRYPT\u00a02015, Part\u00a0I, volume 9056 of Lecture Notes in Computer Science, pp 101\u2013126. Springer, Heidelberg, (2015). https:\/\/doi.org\/10.1007\/978-3-662-46800-5_5","DOI":"10.1007\/978-3-662-46800-5_5"},{"key":"596_CR33","doi-asserted-by":"publisher","unstructured":"Dodis, Y., Mironov, I., Stephens-Davidowitz, N.: Message transmission with reverse firewalls: secure communication on corrupted machines. In Matthew Robshaw and Jonathan Katz, (eds.), Advances in cryptology: CRYPTO\u00a02016, Part\u00a0I, volume 9814 of Lecture Notes in Computer Science, pp 341\u2013372. Springer, Heidelberg, (2016). https:\/\/doi.org\/10.1007\/978-3-662-53018-4_13","DOI":"10.1007\/978-3-662-53018-4_13"},{"key":"596_CR34","doi-asserted-by":"publisher","unstructured":"Dworkin, M. J.: SP 800\u201338D: Recommendation for block cipher modes of operation: Galois\/Counter Mode (GCM) and GMAC. US National Institute of Standards and Technology (2007). https:\/\/doi.org\/10.6028\/NIST.SP.800-38D","DOI":"10.6028\/NIST.SP.800-38D"},{"key":"596_CR35","doi-asserted-by":"publisher","unstructured":"Dziembowski, S., Faust, S., Standaert, F.-X.: Private circuits III: hardware trojan-resilience via testing amplification. In Edgar\u00a0R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew\u00a0C. Myers, and Shai Halevi, (eds.), ACM CCS 2016: 23rd conference on computer and communications security, pp 142\u2013153. ACM Press, (2016). 
https:\/\/doi.org\/10.1145\/2976749.2978419","DOI":"10.1145\/2976749.2978419"},{"key":"596_CR36","doi-asserted-by":"publisher","unstructured":"Fischlin, M., Janson, C., Mazaheri, S.: Backdoored hash functions: immunizing HMAC and HKDF. In Steve Chong and Stephanie Delaune, (eds.), CSF 2018: IEEE 31st computer security foundations symposium, pages 105\u2013118. IEEE Computer Society Press, (2018). https:\/\/doi.org\/10.1109\/CSF.2018.00015","DOI":"10.1109\/CSF.2018.00015"},{"key":"596_CR37","doi-asserted-by":"publisher","unstructured":"Fischlin, M., Mazaheri, S.: Self-guarding cryptographic protocols against algorithm substitution attacks. In Steve Chong and Stephanie Delaune, (eds.), CSF 2018: IEEE 31st computer security foundations symposium, pages 76\u201390. IEEE Computer Society Press, (2018). https:\/\/doi.org\/10.1109\/CSF.2018.00013","DOI":"10.1109\/CSF.2018.00013"},{"key":"596_CR38","doi-asserted-by":"publisher","unstructured":"Giacon, F., Heuer, F., Poettering, B.: KEM combiners. In Michel Abdalla and Ricardo Dahab, (eds.), PKC\u00a02018: 21st international conference on theory and practice of public key cryptography, Part\u00a0I, volume 10769 of Lecture Notes in Computer Science, pp 190\u2013218. Springer, Heidelberg, (2018). https:\/\/doi.org\/10.1007\/978-3-319-76578-5_7","DOI":"10.1007\/978-3-319-76578-5_7"},{"key":"596_CR39","doi-asserted-by":"crossref","unstructured":"Goh, E.-J., Boneh, D., Pinkas, B., Golle, P.: The design and implementation of protocol-based hidden key recovery. In: Boyd, Colin, Mao, Wenbo (eds.), ISC 2003: 6th international conference on information security. Lecture Notes in Computer Science, 2851: 165\u2013179. Springer, Heidelberg (2003)","DOI":"10.1007\/10958513_13"},{"key":"596_CR40","unstructured":"Gollmann, D.: Computer Security (3. ed.). Wiley, 2011. 
URL: http:\/\/eu.wiley.com\/WileyCDA\/WileyTitle\/productCd-1118801326.html"},{"issue":"2","key":"596_CR41","doi-asserted-by":"publisher","first-page":"389","DOI":"10.46586\/tosc.v2021.i2.389-422","volume":"2021","author":"P Hodges","year":"2021","unstructured":"Hodges, P., Stebila, D.: Algorithm substitution attacks: state reset detection and asymmetric modifications. IACR Trans. Symm. Cryptol. 2021(2), 389\u2013422 (2021). https:\/\/doi.org\/10.46586\/tosc.v2021.i2.389-422","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"596_CR42","doi-asserted-by":"publisher","unstructured":"Inoue, A., Iwata, T., Minematsu, K., Poettering, B.: Cryptanalysis of OCB2: attacks on authenticity and confidentiality. In Alexandra Boldyreva and Daniele Micciancio, (eds.), Advances in cryptology: CRYPTO\u00a02019, Part\u00a0I, volume 11692 of Lecture Notes in Computer Science, pp 3\u201331. Springer, Heidelberg, (2019). https:\/\/doi.org\/10.1007\/978-3-030-26948-7_1","DOI":"10.1007\/978-3-030-26948-7_1"},{"key":"596_CR43","volume-title":"The Pleasures of Probability","author":"R Isaac","year":"2013","unstructured":"Isaac, R.: The Pleasures of Probability. Springer, Berlin (2013)"},{"key":"596_CR44","doi-asserted-by":"publisher","unstructured":"Knudsen, L.\u00a0R., Kohno, T.: Analysis of RMAC. In Thomas Johansson, (ed.), Fast Software encryption: FSE\u00a02003, volume 2887 of Lecture Notes in Computer Science, pages 182\u2013191. Springer, Heidelberg, (2003). https:\/\/doi.org\/10.1007\/978-3-540-39887-5_14","DOI":"10.1007\/978-3-540-39887-5_14"},{"key":"596_CR45","doi-asserted-by":"crossref","unstructured":"Krovetz, T., Rogaway, P.: The OCB authenticated-encryption algorithm, (2014). https:\/\/tools.ietf.org\/html\/rfc7253","DOI":"10.17487\/rfc7253"},{"key":"596_CR46","unstructured":"Len, J., Grubbs, P., Ristenpart, T.: Partitioning oracle attacks. In 30th USENIX security symposium (USENIX Security 21), pages 195\u2013212. USENIX Association, (2021). 
URL: https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/len"},{"key":"596_CR47","doi-asserted-by":"publisher","unstructured":"Ma, H., Zhang, R., Yang, G., Song, Z., Sun, S., Xiao, Y.: Concessive online\/offline attribute based encryption with cryptographic reverse firewalls - secure and efficient fine-grained access control on corrupted machines. In Javier L\u00f3pez, Jianying Zhou, and Miguel Soriano, (eds.), ESORICS\u00a02018: 23rd European Symposium on Research in Computer Security, Part\u00a0II, volume 11099 of Lecture Notes in Computer Science, pages 507\u2013526. Springer, Heidelberg, (2018). https:\/\/doi.org\/10.1007\/978-3-319-98989-1_25","DOI":"10.1007\/978-3-319-98989-1_25"},{"key":"596_CR48","doi-asserted-by":"publisher","unstructured":"Mironov, I., Stephens-Davidowitz, N.: Cryptographic reverse firewalls. In Elisabeth Oswald and Marc Fischlin, (eds.), Advances in cryptology: EUROCRYPT\u00a02015, Part\u00a0II, volume 9057 of Lecture Notes in Computer Science, pages 657\u2013686. Springer, Heidelberg, (2015). https:\/\/doi.org\/10.1007\/978-3-662-46803-6_22","DOI":"10.1007\/978-3-662-46803-6_22"},{"issue":"5","key":"596_CR49","doi-asserted-by":"publisher","first-page":"749","DOI":"10.3233\/JCS-130473","volume":"21","author":"JMG Nieto","year":"2013","unstructured":"Nieto, J.M.G., Manulis, M., Poettering, B., Rangasamy, J., Stebila, D.: Publicly verifiable ciphertexts. J. Comput. Secur. 21(5), 749\u2013778 (2013). https:\/\/doi.org\/10.3233\/JCS-130473","journal-title":"J. Comput. Secur."},{"issue":"1","key":"596_CR50","doi-asserted-by":"publisher","first-page":"121","DOI":"10.13154\/tosc.v2020.i1.121-143","volume":"2020","author":"B Poettering","year":"2020","unstructured":"Poettering, B., R\u00f6sler, P.: Combiners for AEAD. IACR Trans. Symm. Cryptol. 2020(1), 121\u2013143 (2020). https:\/\/doi.org\/10.13154\/tosc.v2020.i1.121-143","journal-title":"IACR Trans. Symm. 
Cryptol."},{"issue":"2","key":"596_CR51","first-page":"120","volume":"21","author":"RL Rivest","year":"1978","unstructured":"Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. Assoc. Comput. Mach. 21(2), 120\u2013126 (1978)","journal-title":"Commun. Assoc. Comput. Mach."},{"key":"596_CR52","doi-asserted-by":"publisher","unstructured":"Rogaway, P.: Authenticated-encryption with associated-data. In Vijayalakshmi Atluri, (ed.), ACM CCS 2002: 9th conference on computer and communications security, pp 98\u2013107. ACM Press, (2002). https:\/\/doi.org\/10.1145\/586110.586125","DOI":"10.1145\/586110.586125"},{"key":"596_CR53","doi-asserted-by":"publisher","unstructured":"Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of kleptographic attacks. In Jung\u00a0Hee Cheon and Tsuyoshi Takagi, (eds.), Advances in cryptology: ASIACRYPT\u00a02016, Part\u00a0II, volume 10032 of Lecture Notes in Computer Science, pp 34\u201364. Springer, Heidelberg, (2016). https:\/\/doi.org\/10.1007\/978-3-662-53890-6_2","DOI":"10.1007\/978-3-662-53890-6_2"},{"key":"596_CR54","unstructured":"Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Destroying steganography via amalgamation: Kleptographically CPA secure public key encryption. Cryptology ePrint Archive, Report 2016\/530, 2016. https:\/\/eprint.iacr.org\/2016\/530"},{"key":"596_CR55","doi-asserted-by":"publisher","unstructured":"Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Generic semantic security against a kleptographic adversary. In Bhavani\u00a0M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu, (eds.), ACM CCS 2017: 24th Conference on Computer and Communications Security, pp 907\u2013922. ACM Press, (2017). https:\/\/doi.org\/10.1145\/3133956.3133993","DOI":"10.1145\/3133956.3133993"},{"key":"596_CR56","doi-asserted-by":"publisher","unstructured":"Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Correcting subverted random oracles. 
In Hovav Shacham and Alexandra Boldyreva, (eds.), Advances in cryptology: CRYPTO\u00a02018, Part\u00a0II, volume 10992 of Lecture Notes in Computer Science, pp 241\u2013271. Springer, Heidelberg (2018). https:\/\/doi.org\/10.1007\/978-3-319-96881-0_9","DOI":"10.1007\/978-3-319-96881-0_9"},{"key":"596_CR57","unstructured":"Schneier, B., Fredrikson, M., Kohno, T., Ristenpart, T.: Surreptitiously weakening cryptographic systems. Cryptology ePrint Archive, Report 2015\/097, (2015). https:\/\/eprint.iacr.org\/2015\/097"},{"key":"596_CR58","doi-asserted-by":"crossref","unstructured":"Simmons, G.\u00a0J.: The prisoners\u2019 problem and the subliminal channel. In David Chaum, (ed.), Advances in cryptology: CRYPTO\u201983, pp 51\u201367. Plenum Press, New York, USA, (1983)","DOI":"10.1007\/978-1-4684-4730-9_5"},{"key":"596_CR59","doi-asserted-by":"publisher","unstructured":"Wang, Y., Chen, R., Huang, X., Wang, B.: Secure anonymous communication on corrupted machines with reverse firewalls. IEEE transactions on dependable and secure computing, pp 1\u20131, (2021). https:\/\/doi.org\/10.1109\/TDSC.2021.3107463","DOI":"10.1109\/TDSC.2021.3107463"},{"key":"596_CR60","doi-asserted-by":"publisher","unstructured":"Young, A., Yung, M.: The dark side of \u201cblack-box\u201d cryptography, or: Should we trust Capstone? In Neal Koblitz, (ed.), Advances in cryptology: CRYPTO\u201996, volume 1109 of Lecture Notes in Computer Science, pages 89\u2013103. Springer, Heidelberg, (1996). https:\/\/doi.org\/10.1007\/3-540-68697-5_8","DOI":"10.1007\/3-540-68697-5_8"},{"key":"596_CR61","doi-asserted-by":"publisher","unstructured":"Young, A., Yung, M.: Kleptography: Using cryptography against cryptography. In Walter Fumy, (ed.), Advances in cryptology: EUROCRYPT\u201997, volume 1233 of Lecture Notes in Computer Science, pp 62\u201374. Springer, Heidelberg, (1997). 
https:\/\/doi.org\/10.1007\/3-540-69053-0_6","DOI":"10.1007\/3-540-69053-0_6"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-022-00596-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-022-00596-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-022-00596-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,9,23]],"date-time":"2022-09-23T15:51:23Z","timestamp":1663948283000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-022-00596-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,6,21]]},"references-count":61,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2022,10]]}},"alternative-id":["596"],"URL":"https:\/\/doi.org\/10.1007\/s10207-022-00596-5","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2022,6,21]]},"assertion":[{"value":"21 June 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"There are no conflicts of interest for this research.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}
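The receiver-side subliminal channel that the abstract describes (a subverted verification or decryption algorithm that leaks key bits through its accept/reject decisions to an adversary holding a decryption oracle), worked as a toy on a MAC. This is an added example, not code from the paper or from this Crossref record. Everything concrete in it is my assumption, not the page's: the MAC is HMAC-SHA256 with a 128-bit key, the subverted verifier carries an attacker-chosen constant `SUBV_KEY`, the selector function `selector` is one possible design, and the adversary is a passive man-in-the-middle who sees the sender's valid (message, tag) pairs and whether the receiver accepts each one.

```python
"""Receiver-side algorithm substitution attack (ASA) on a MAC, as a toy.

Added illustration, not code from Armour and Poettering's paper.
Assumptions (mine, not the page's): HMAC-SHA256 with a 128-bit key; the
subverted verifier carries an attacker-chosen constant SUBV_KEY; the
adversary observes the sender's valid (message, tag) pairs and the
receiver's accept/reject decision for each (a verification oracle).
"""
import hashlib
import hmac
import random

KEY_BITS = 128
SUBV_KEY = b"constant baked into the subverted verifier"   # assumption


def tag(key: bytes, msg: bytes) -> bytes:
    """Honest tagging algorithm; the sender side is not subverted."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def honest_vfy(key: bytes, msg: bytes, t: bytes) -> bool:
    """Reference verifier: accept iff the tag is correct."""
    return hmac.compare_digest(tag(key, msg), t)


def key_bit(key: bytes, i: int) -> int:
    """Bit i of the key; bit 0 is the most significant bit of key[0]."""
    return (key[i // 8] >> (7 - i % 8)) & 1


def selector(msg: bytes):
    """Subliminal selector shared by the subverted verifier and the adversary.

    Derived from the message under SUBV_KEY, so without SUBV_KEY the extra
    rejections look like rare, random failures. Returns (fires, bit_index).
    The 1/4 trigger rate is deliberately high so the simulation is short.
    """
    d = hmac.new(SUBV_KEY, msg, hashlib.sha256).digest()
    return d[0] < 64, int.from_bytes(d[1:3], "big") % KEY_BITS


def subverted_vfy(key: bytes, msg: bytes, t: bytes) -> bool:
    """Subverted verifier: still rejects every forgery (unforgeability is
    untouched), but also rejects a *valid* tag when the selector fires and
    the selected key bit is 1. That observable rejection is the channel."""
    if not honest_vfy(key, msg, t):
        return False
    fires, i = selector(msg)
    return not (fires and key_bit(key, i) == 1)


def recover_key(observations):
    """Adversary side. observations: list of (msg, accepted) for pairs that
    were valid when forwarded. Returns (recovered_key, bits_learned);
    bits never selected default to 0."""
    bits = {}
    for msg, accepted in observations:
        fires, i = selector(msg)
        if fires:
            bits[i] = 0 if accepted else 1
    value = 0
    for i in range(KEY_BITS):
        value = (value << 1) | bits.get(i, 0)
    return value.to_bytes(KEY_BITS // 8, "big"), len(bits)


def simulate(seed: int, n_messages: int):
    """Honest sender, subverted receiver, passive adversary in between.
    Key and messages are constructed from a seeded RNG for reproducibility.
    Returns (true_key, recovered_key, bits_learned)."""
    rng = random.Random(seed)
    key = rng.getrandbits(KEY_BITS).to_bytes(KEY_BITS // 8, "big")
    observations = []
    for _ in range(n_messages):
        msg = rng.getrandbits(256).to_bytes(32, "big")      # constructed message
        accepted = subverted_vfy(key, msg, tag(key, msg))   # sender is honest
        observations.append((msg, accepted))
    recovered, learned = recover_key(observations)
    return key, recovered, learned


if __name__ == "__main__":
    true_key, found, learned = simulate(seed=1, n_messages=10000)
    print(f"learned {learned}/{KEY_BITS} bits; recovered == key: {found == true_key}")
```

Two points a practitioner should take from the toy. First, the subverted verifier never accepts anything the honest one would reject, so the scheme's unforgeability is intact and the subversion is invisible to a watchdog that only tests forgeries; what leaks is carried entirely by rejections of valid inputs, which in a deployed protocol surface as alerts, retransmissions or connection teardowns that a network observer can see. Second, with this selector roughly one valid tag in eight is rejected, which a reference-comparison watchdog would notice quickly; a subverter who wants to stay undetected has to fire far more rarely and pay for it in the number of observations needed, which is the trade-off behind the abstract's interest in amplifying the attack. The same structure applies unchanged to AEAD decryption (reject a valid ciphertext) and to PKE or KEM decapsulation, as the abstract's generic framework states.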