Paper 2023/764

Subversion-Resilient Authenticated Encryption without Random Oracles

Pascal Bemmann, University of Wuppertal
Sebastian Berndt, University of Lübeck
Denis Diemert, University of Wuppertal
Thomas Eisenbarth, University of Lübeck
Tibor Jager, University of Wuppertal

In 2013, the Snowden revelations have shown subversion of cryptographic implementations to be a relevant threat. Since then, the academic community has been pushing the development of models and constructions to defend against adversaries able to arbitrarily subvert cryptographic implementations. To capture these strong capabilities of adversaries, Russell, Tang, Yung, and Zhou (CCS'17) proposed CPA-secure encryption in a model that utilizes a trusted party called a watchdog testing an implementation before use to detect potential subversion. This model was used to construct subversion-resilient implementations of primitives such as random oracles by Russell, Tang, Yung, and Zhou (CRYPTO'18) or signature schemes by Chow et al. (PKC'19) but primitives aiming for a CCA-like security remained elusive in any watchdog model. In this work, we present the first subversion-resilient authenticated encryption scheme with associated data (AEAD) without making use of random oracles. At the core of our construction are subversion-resilient PRFs, which we obtain from weak PRFs in combination with the classical Naor-Reingold transformation. We revisit classical constructions based on PRFs to obtain subversion-resilient MACs, where both tagging and verification are subject to subversion, as well as subversion-resilient symmetric encryption in the form of stream ciphers. Finally, we observe that leveraging the classical Encrypt-then-MAC approach yields subversion-resilient AEAD. Our results are based on the trusted amalgamation model by Russell, Tang, Yung, and Zhou (ASIACRYPT'16) and the assumption of honest key generation.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. ACNS 2023
SubversionAuthenticated EncryptionSymmetric Cryptography
Contact author(s)
bemmann @ uni-wuppertal de
s berndt @ uni-luebeck de
diemert @ uni-wuppertal de
thomas eisenbarth @ uni-luebeck de
tibor jager @ uni-wuppertal de
2023-05-30: approved
2023-05-26: received
See all versions
Short URL
Creative Commons Attribution


      author = {Pascal Bemmann and Sebastian Berndt and Denis Diemert and Thomas Eisenbarth and Tibor Jager},
      title = {Subversion-Resilient Authenticated Encryption without Random Oracles},
      howpublished = {Cryptology ePrint Archive, Paper 2023/764},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.