Paper 2023/749

Note on Subversion-Resilient Key Exchange

Magnus Ringerud, Norwegian University of Science and Technology

In this work, we set out to create a subversion-resilient authenticated key exchange protocol. The first step was to design a meaningful security model for this primitive, and our goal was to avoid using building blocks like reverse firewalls and public watchdogs. We wanted to exclude these kinds of tools because we wanted our protocols to be self-contained, in the sense that we could prove security without relying on some outside, tamper-proof party. To define the model, we began by extending models for regular authenticated key exchange, as we wanted our model to retain all the properties of regular AKE. While trying to design protocols that would be secure in this model, we discovered that security depended not only on the protocol but also on engineering questions like how keys are stored and accessed in memory. Moreover, even if we assume that we can find solutions to these engineering challenges, other problems arise when trying to develop a secure protocol, partly because it is hard to define what secure means in this setting. In particular, it is not clear how a subverted algorithm should affect the freshness predicate inherited from the trivial attacks of regular AKE. The attack variety is large, and it is not intuitive how one should treat or classify the different attacks. In the end, we were unable to find a satisfying solution for our model, and hence we could not prove any meaningful security of the protocols we studied. This work is a summary of our attempt, and of the challenges we faced before concluding it.

Category: Cryptographic protocols
Keywords: Authenticated key exchange, subversion-resilient protocols, reverse firewalls, unique signatures
Contact author(s): magnus ringerud @ ntnu no
History: 2023-05-24: received; 2023-05-25: approved
License: Creative Commons Attribution


@misc{cryptoeprint:2023/749,
      author = {Magnus Ringerud},
      title = {Note on Subversion-Resilient Key Exchange},
      howpublished = {Cryptology ePrint Archive, Paper 2023/749},
      year = {2023},
      note = {\url{}},
      url = {}
}