Practical Algorithm Substitution Attacks on Real-World Public-Key Cryptosystems.

IEEE Trans. Inf. Forensics Secur. (2023)

Abstract
The revelations about massive surveillance have created significant interest in algorithm substitution attacks (ASAs), where an honest implementation of a cryptographic primitive is replaced by a subverted one which can help "big brother" to break cryptographic security while generating output indistinguishable from the honest output. The currently known ASAs on public-key cryptography are either dedicated to a type of concrete construction with specific internals, or restrictive when applied to real-world cryptographic standards (Ateniese et al., ACM CCS'15; Russell et al., ACM CCS'17; Chen et al., ASIACRYPT'20). In this paper, we first present a practical undetectable substitution for a general randomized algorithm with a certain structure such that the randomness can be revealed to the big brother. Then, instantiating this randomized algorithm, we present a series of ASAs on core primitives in public-key cryptography, including public-key encryption, key encapsulation mechanisms, key exchange, and digital signatures. In particular, our ASAs are universal in the sense that they do not rely on the internal description of the underlying cryptographic algorithm. Moreover, our ASAs are also practical since they can affect not only the widely deployed cryptographic standards, but also the ongoing NIST post-quantum standards.
Keywords
Algorithm substitution attack, randomized algorithm, public-key cryptography