On the Security of Symmetric Encryption Against Mass Surveillance

Algorithm substitution attacks (ASAs) mounted for mass surveillance are serious threats to symmetric encryption schemes. At CRYPTO 2014, Bellare, Paterson, and Rogaway (BPR) formally developed the security notions of decryptability, undetectability, and surveillance and presented a unique ciphertext symmetric encryption scheme against all possible ASAs. At FSE 2015, Degabriele, Farshim, and Poettering (DFP) relaxed the correctness requirement of decryptability and presented an input-triggered ASA, which meets the BPR security definitions but violates the security of the BPR unique ciphertext scheme. Hence, DFP refined the security notions of detectability and subversion resistance to exclude their ASA on the BPR unique ciphertext scheme. At CCS 2015, Bellare, Jaeger, and Kane (BJK) also developed the security notion of key recovery to make the input-triggered ASA infeasible. We investigate ASAs on symmetric encryption schemes. Our contribution is twofold. (1) We propose a new trigger ASA against symmetric encryption schemes. Our proposed ASA cannot be captured by the BJK security definitions. In contrast, the DFP security definitions can detect it. From the viewpoint of ASAs, this result demonstrates that the DFP security definitions are not identical to the BJK security definitions. (2) We improve the DFP definition of subversion resistance. DFP proved that the BPR unique ciphertext scheme defeats the input-triggered ASA under their subversion resistance definition. However, we show that the BPR unique ciphertext scheme fails to meet the DFP subversion resistance definition because of our proposed ASA. Therefore, an improved definition of subversion resistance is proposed to cover all existing trigger ASAs. We prove that the BPR unique ciphertext scheme is secure under our improved definition. We therefore believe that our improved definition is more suitable for evaluating the ASA security of symmetric encryption schemes.


I. INTRODUCTION
A growing number of cryptographic components are provided by third-party suppliers. One example is that the TLS record layer integrated in Microsoft's Internet Explorer and Apple's Safari browsers employs the AES-CBC encryption scheme. Another example is that IPsec, using the triple DES-CBC encryption scheme, protects the confidentiality of IP packets sent over a network by Cisco IOS-based routers or Huawei AR G3 routers. In these examples, a malicious adversary has many opportunities to substitute those encryption schemes at the implementation level.
The associate editor coordinating the review of this manuscript and approving it for publication was Parul Garg.
As a scenario, consider closed-source software that employs a standard symmetric encryption scheme to protect the confidentiality of its data. In an algorithm substitution attack (ASA), the adversary replaces the executable code of the standard scheme with the executable code of an alternative scheme of his own. The adversary and his alternative scheme are respectively called the big brother (BB) and the subversion. A successful ASA undermines the confidentiality of the data processed by the standard scheme and at the same time circumvents detection by its honest users. Figure 1 gives a brief overview of this procedure.
In [1], Bellare, Paterson, and Rogaway (BPR) explored ASAs on several well-known symmetric encryption schemes and formalized the security model of ASAs. They further designed a unique ciphertext symmetric encryption scheme, which is proven secure under the BPR security model. Later, Degabriele, Farshim, and Poettering (DFP) [2] showed that a weakened BPR security definition renders possible an input-triggered ASA on the BPR unique ciphertext scheme. They refined the BPR security model to restore the positive result for the BPR unique ciphertext scheme. In 2015, Bellare, Jaeger, and Kane (BJK) [3] presented a stateless ASA, which can break all randomized symmetric encryption schemes. They also enhanced the BPR security model [1] and showed that their security model invalidates DFP's input-triggered ASA.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

A. CONTRIBUTION
This paper aims to further investigate ASAs on symmetric encryption schemes, their security models, and the schemes designed to resist them. We reveal a new and efficient trigger ASA and improve the DFP security definitions in light of our proposed ASA and the BPR unique ciphertext scheme. Our contribution is summarized as follows.
(1) We propose a new ASA, which uses a public parameter as the trigger. Unlike the DFP input-triggered ASA, our proposed ASA does not require BB to input any trigger data into the encryption algorithm. On the one hand, we show that the BJK security model fails to capture our proposed ASA. That is, our proposed ASA satisfies the BJK security definitions under their strong undetectability game and key recovery game. On the other hand, the DFP security definitions under their surveillance game and detection game can detect our proposed ASA. Hence, the DFP security definitions and the BJK security definitions are not identical with respect to our proposed ASA.
(2) We improve the DFP security definition for resisting ASAs. DFP defined subversion resistance to prevent all ASAs. They proved that the BPR unique ciphertext scheme meets their security definition and is thus secure. However, we demonstrate that the scheme is not secure against our proposed ASA. We therefore improve their definition. The BPR unique ciphertext scheme is secure again under our improved definition. This means that our improved definition is more suitable for evaluating the ASA security of symmetric encryption schemes than the DFP security definition.

B. RELATED WORK
In [4], [5], the subliminal channels inspired by the prisoners' problem are regarded as an early form of ASAs. Young and Yung [6]-[8] extended the subliminal channel threat to the broader framework of kleptography. Backdoored blockciphers were examined in [9], [10]. Goh et al. [11] showed how to add key recovery to existing security protocols such as SSL/TLS and SSH without changing the protocol. Waksman and Sethumadhavan [12] worked on preventing hidden backdoors in hardware components.
Snowden revealed numerous global surveillance programs [13], [14] run by the NSA (National Security Agency) and the Five Eyes intelligence alliance. His disclosures refueled research in this area. Several works [1]-[3], [15], [16] studied the ASA problem on symmetric encryption schemes. Russell et al. [17] generalized ASAs by permitting adversarial subversion of (randomized) key generation. Dodis et al. [18] presented a formal treatment of backdoored pseudorandom generators (PRGs), which can be treated as a subversion. Mironov and Stephens-Davidowitz [19] presented cryptographic reverse firewalls to counter ASAs via trusted code on the network perimeter. The cryptographic reverse firewall is a generic way to prevent a tampered machine from leaking information to BB via any scheme. The cryptographic reverse firewalls in [20]-[22] mainly target the protection of public-key schemes.
Building on the results in [20], improved asymmetric subversion models for signature and identification schemes were presented in [23], [24]. Countermeasures against hardware trojans were proposed by Dziembowski et al. [25] and Ateniese et al. [26]; a hardware trojan can also be treated as an instance of an ASA. Bellare et al. [27] suggested thwarting symmetric secret key exfiltration with an enormously long key, an idea that also helps to defeat ASAs. Fischlin and Mazaheri [28] put forward self-guarding constructions for basic cryptographic primitives against ASAs. Berndt and Liśkiewicz [29] proved that successful ASAs correspond to secure stegosystems on certain channels and vice versa. Giacon et al. [30] proposed key-encapsulation mechanism (KEM) combiners, which can potentially be employed to prevent ASAs. Auerbach et al. [31] studied the security of public-key encryption schemes and KEMs when the public parameters they use may be subverted. Armour and Poettering [32] studied options to subvert symmetric message authentication protocols. Yang et al. [33] showed an efficient way to undetectably subvert the well-known lattice-based encryption scheme proposed by Regev.
Baek et al. [34] presented a highly efficient ASA on the digital signature algorithm (DSA) and implemented it by replacing the original DSA in Libgcrypt with the subverted DSA. Motivated by the presence of multiple surveillants working for different governments or manufacturers, Li et al. [35] initiated the analysis of security against subversion in a multi-surveillant setting. They introduced a security notion under which the transmission of a real message is undetectable, meaning that every surveillant either believes the users transmit an innocuous message via the subverted algorithms or believes the users are running non-subverted algorithms. Lv et al. [36] studied subversion attacks against cloud auditing protocols. In addition, Schneier et al. [37] categorized a broader set of potential avenues for the subversion of cryptographic systems.

II. SYMMETRIC ENCRYPTION SCHEME AND ITS ASA
This section formally describes the symmetric encryption scheme and its ASA. Two crucial concepts, correctness and decryptability, are then defined formally. Correctness denotes the error rate of the encryption and decryption process without considering the ASA, whereas decryptability denotes the error rate of the encryption and decryption process under the ASA.

A. SYMBOLS AND NOTATIONS
We follow the symbols and notations in [1], [2] to discuss the symmetric encryption scheme and its subversion.
• ε denotes the empty string.
• N denotes the set of the natural numbers.
• = (K, E, D) and ˜ = (K̃, Ẽ, L̃) denote the symmetric encryption scheme and its subversion. K, E, and D in are respectively the key space, the encryption algorithm, and the decryption algorithm. K̃, Ẽ, and L̃ in ˜ are respectively the subversion key space, the subversion encryption algorithm, and the external accomplice algorithm.
• M, C, and AD respectively denote the message space, the ciphertext space, and the associated data space.
• |S| represents the size of the finite set S.
• S ←$ S represents picking S uniformly at random from a set S.
• y ← A(x 1, x 2, . . .) represents running an algorithm A (perhaps with random coins) on inputs x 1, x 2, . . . to deterministically obtain output y.
• Pr[X ] represents the probability of an event X .
• Pr[P : X ] represents the probability of an event X occurring after having executed a process P.
• Pr[X 1 |X 2 ] represents the conditional probability of an event X 1 occurring given that an event X 2 has occurred.

B. SYMMETRIC ENCRYPTION SCHEME
A symmetric encryption scheme is a triple = (K, E, D). K is a non-empty set of strings.
has a message space M ⊆ {0, 1}* and a ciphertext space C ⊆ {0, 1}*. To accommodate authenticated encryption, has an associated data space AD ⊆ {0, 1}*. E may be randomized. More specifically, E maps a secret key K ∈ K, a message M ∈ M, associated data A ∈ AD, and the current state σ to a ciphertext C ∈ C (or ⊥) and the updated state σ′. That is, (C, σ′) ← E K (M, A, σ). D is a deterministic algorithm that maps the secret key K ∈ K, a ciphertext C ∈ C, associated data A ∈ AD, and the current state σ to a message M ∈ M and the updated state σ′. That is, (M, σ′) ← D K (C, A, σ). The encryption and decryption states are always initialized to ε. To understand the state bound to a symmetric encryption scheme, counter mode with a zero-initialized counter [1] is a typical example: the counter value is its state.
In an unambiguous context, we may respectively write

where C = [C 1, . . ., C l ] and C 1, . . ., C l ∈ C. And (M, σ l ) ← D K (C, A, ε) denotes the corresponding process for decryption, that is,

We review the notion of correctness for the symmetric encryption scheme as follows.
Definition 1 (Definition 1 in [2]): Let l, q ∈ N. A symmetric encryption scheme = (K, E, D) is said to be (q, δ 1 )-correct if for all l ≤ q, any vector M = [M 1, . . ., M l ], and any vector A = [A 1, . . ., A l ], it holds that:

A subversion is a triple ˜ = (K̃, Ẽ, L̃). K̃ is a non-empty set of strings. BB selects the subversion key K̃ ∈ K̃ to hide its malicious behavior. Ẽ maps the encryption key K ∈ K, the subversion key K̃ ∈ K̃, a message M ∈ M, associated data A ∈ AD, and the current state σ to a ciphertext C ∈ C and the updated state σ′. That is, (C, σ′) ← Ẽ K,K̃ (M, A, σ). Ẽ may call E in a certain way. L̃ receives the subverted C generated by Ẽ and aims to violate the security of . For example, L̃ may try to recover the messages or the encryption key from the subverted ciphertexts. Here, L̃ and Ẽ share K̃. To implement an ASA, BB covertly replaces the executable code of E with that of Ẽ. Then, BB listens to the subverted C over the public channel and compromises the security of .
We do not follow the plaintext-recovery algorithm D̃ defined in [1], [2] to describe the severity of the ASA. Instead, L̃ is used as in [3], but only to emphasize that BB does not require substitution of the executable code of the decryption algorithm D. Let (C, σ̃ l ) ← Ẽ K,K̃ (M, A, ε) denote the encryption process analogous to (C, σ l ) ← E K (M, A, ε). For completeness, we restate the notion of decryptability for the subversion encryption algorithm.
Definition 2 (Definition 3 in [2]): Let l, q ∈ N. We say that a subversion ˜ = (K̃, Ẽ, L̃) satisfies (q, δ 2 )-decryptability with respect to a symmetric encryption scheme if:

In practice, we distinguish two cases in terms of Definitions 1 and 2.
Case 1. δ 1 = 0 and δ 2 = 0 for all q ∈ N. In [1]-[3], both and its decryptability with ˜ are said to be perfectly correct in this case.
Case 2. δ 2 ≠ 0 but δ 2 is a negligible value for any reasonable q ∈ N. BPR required that any ˜ satisfy perfect decryptability, i.e., δ 2 = 0, and designed a unique ciphertext scheme against all existing ˜. However, DFP argued against the perfect decryptability condition and proposed an input-triggered ˜ on the BPR unique ciphertext scheme for the case where δ 2 is a negligible value. DFP proposed a security model to capture their input-triggered ˜ and further showed that the BPR unique ciphertext scheme is secure under the DFP security model. BJK [3] also did not require the perfect decryptability condition and argued that: "We have dropped this condition, so that decryptability holds only to the extent that it is implied by strong undetectability, which we think is more realistic from a detection perspective."

III. ASA SECURITY MODELS
To evaluate ASAs, formal security models are constructed as interactive games involving the subversions, and the security requirements for ASAs are defined through these games. Here, we review the BJK security model [3] and the DFP security model [2].

A. THE BJK SECURITY MODEL
The BJK security model focuses on security definitions for acceptable subversions. Accordingly, a symmetric encryption scheme is secure against ASAs if no subversion of the scheme satisfies the BJK security definitions. In the BJK security model, associated data A is omitted. We follow this convention whenever the BJK security model is used.

1) STRONG UNDETECTABILITY
As shown in the left column of Fig. 2, strong undetectability is formalized by the game SDET. The SDET game is associated with a benign detection adversary SD. A random bit b and a subversion key K̃ are first sampled. SD then has access to the encryption oracle Enc. Upon receiving (K, M), the oracle Enc produces (C, σ) either via E (b = 1) or via Ẽ (b = 0). SD needs to determine b. The detection advantage of SD is defined as

The BJK security model mainly considers a stateless E, that is, the σ returned by E is always the empty string ε. Thus, Ẽ must also remain stateless to achieve strong undetectability. Otherwise, SD can determine that b = 0 whenever σ ≠ ε in a reply to an Enc query.

2) KEY RECOVERY
The game KR in the right column of Fig. 2 is used to evaluate the effectiveness of key recovery. ˜ wins if L̃ recovers the encryption key K from the ciphertexts C produced by Ẽ. The key recovery advantage of L̃ is defined as

Here, a message sampler algorithm MS represents the choice of messages made by the honest user. That is, given its current state σ, MS returns the next message M to be encrypted and updates σ. For key recovery attacks, the less they assume about MS, the stronger they are. The strongest attack works for any MS.
An acceptable subversion ˜ requires that the strong undetectability advantage Adv sdet ,˜ (SD) be negligible but the key recovery advantage Adv kr ,MS (L̃) not be.

B. THE DFP SECURITY MODEL
The DFP security model takes particular aim at security definitions for detecting subversions of symmetric encryption schemes. That is, any subversion should be efficiently identified by a benign test once BB executes the ASA on the symmetric encryption scheme. Subversions should therefore fail, because BB is afraid of being detected.

1) SURVEILLANCE
As shown in the right column of Fig. 3, the BB associated with the surveillance game SURV is called B. The surveillance game SURV starts by randomly generating a bit b and a subversion key K̃. Given K̃, B has access to the key generation oracle Key and the encryption oracle Enc. Depending on the value of b, the oracle Enc returns ciphertexts C generated by either E (b = 1) or Ẽ (b = 0). B outputs a bit b′ as its guess of the challenge b. The surveillance advantage of B is given by

2) DETECTABILITY
The detection game DETECT is an extension of the surveillance game SURV. First, given the subversion key K̃, B runs the surveillance game SURV to subvert the encryption key K. Simultaneously, its encryption queries are recorded in a transcript T. Then, the detection test U is given access only to T, which includes K. The goal of U is to output a bit b′ as its guess of the random bit b. See the left column of Fig. 3 for the game DETECT. The detection advantage of U is given by Eq. (1).

Clearly, DFP specified the security notion of detectability rather than strong undetectability. Moreover, in both the BJK security model and the DFP security model, SD and U have access to the encryption oracle Enc in a certain way. Of course, these two security models do not capture all detection methods, for example, side-channel attacks [38], [39].

A. SUBVERSION DESCRIPTION
We now construct a subversion ˜ for any scheme . For simplicity, we assume that the message and the key are of the same size. (The subversion can easily be extended to the case where the key is larger.) Ẽ and L̃ of ˜ are shown in Fig. 4. Our ˜ introduces a variable pubinform, which is always available to all components of the cryptographic system. Let pubinform be independent of all cryptographic operations, i.e., encryption, decryption, and subversion encryption. The function Setcurrentpubinform(val) sets pubinform to val. The function Getcurrentpubinform() returns the current value of pubinform. Assume that pubinform has variable space {0, 1} λ. BB selects a value PUBINFORM ∈ {0, 1} λ such that Pr(pubinform = PUBINFORM when no manipulation for pubinform) is negligible, and PUBINFORM is secretly shared by Ẽ and L̃. In our ˜, PUBINFORM is used as the trigger for leaking the encryption key K of to BB. We describe Ẽ and L̃ in detail.
Ẽ. K, K̃, M, A, and σ are inputs. The encryption process of Ẽ is as follows. Ẽ, which holds PUBINFORM, first gets the current value of pubinform by calling Getcurrentpubinform(). If pubinform = PUBINFORM, Ẽ computes E K̃ (K, A, ε) as its output; otherwise Ẽ behaves exactly like the desired E in .

Remark 1 (About Trigger pubinform):
Although the encryption module can be regarded as a black box to BB while the system is running, BB can tamper with other unprotected public parameters of the system for the subverting purpose. For a cryptographic chip, the system clock can be taken as the trigger. In general, the system clock is configurable. Assume that the system clock uses the 16-bit pubinform to represent the current year between AD 1 and AD 65535. That is, pubinform = 0000000000000001 denotes AD 1, pubinform = 0000011111100010 denotes AD 2018, pubinform = 0000011111100011 denotes AD 2019, etc. BB may choose PUBINFORM = 1111111111111111. This PUBINFORM means AD 65535, the largest year that pubinform can represent. To recover the encryption key K of , BB can set pubinform to his chosen PUBINFORM and call our proposed Ẽ. Another example is a secure system that employs 20 bytes of ASCII code, i.e., pubinform, to denote the user name. As the user name is always made up of printable characters, BB can choose non-printable ASCII characters as his PUBINFORM. In these examples, each pubinform is independent of the encryption, decryption, and subversion encryption operations. At the same time, each Pr(pubinform = PUBINFORM when no manipulation for pubinform) can be treated as a negligible value. Clearly, BB is able to recover the encryption key K using L̃. In practice, a sophisticated BB may reset pubinform to its original value after his key recovery action. It is then not easy for a detector that does not observe pubinform to figure out the existence of Ẽ.

Remark 2 (State ofẼ):
In the view of BJK [3], a stateful Ẽ should maintain the subversion state σ across invocations. This state σ is perhaps an integer either representing which bit of the encryption key K Ẽ is trying to exfiltrate, or taking a special value to indicate that exfiltration is complete and encryption should proceed as usual.
Our proposed Ẽ checks the current value of pubinform using Getcurrentpubinform() to determine whether K needs to be exfiltrated. However, Ẽ does not need to maintain pubinform. Hence, our proposed Ẽ is stateless, that is, the output σ of Ẽ in the game SDET (see Fig. 2) is always ε.

Remark 3 (Discussion on Our and DFP's ASAs):
To the best of our knowledge, DFP's ASA [2] is the only trigger ASA on symmetric encryption schemes. Other known ASAs on symmetric encryption schemes can be repaired by the BPR unique ciphertext scheme [1]. Hence, we focus only on our ASA and DFP's. In DFP's ASA, BB randomly chooses a message M as the subversion key, i.e., K̃ = M. A predicate R K,K̃ (M, A, σ) used in Ẽ takes the value true if M = K̃ and false otherwise. Once Ẽ receives the message M = K̃ and checks R K,K̃ (K̃, A, σ) = true, the encryption key K is returned to L̃ as part of the output. Hence, BB must manipulate the input of Ẽ to obtain K. DFP further stated that: "In our case the trigger is the set of inputs for which the predicate R holds. In practice, R can depend on any information that the subverted encryption algorithm may have access to, such as an IP address, a username, or some location information. Such information, in particular network addresses and routing information, can be readily available in the associated data. It is not unreasonable, and is in fact in conformance with the usual approach adopted in cryptography, to assume that big brother may be capable of influencing this information when it needs to intercept a communication."
The above argument implies that the associated data A can also be exploited as the trigger. However, if the inputs of Ẽ cannot be controlled by BB, such input-triggered ASAs may fail. In fact, BJK [3] used this idea to thwart input-triggered ASAs. That is, the game KR in Fig. 2 does not allow the encryption oracle Enc to receive any input from BB but uses the message M generated by the sampler algorithm MS. In this situation, the probability of the event M = K̃ is negligible. In contrast, our proposed ASA is not an input-triggered ASA. Clearly, when BB employs the Ẽ described in Fig. 4 to subvert the encryption key K, it no longer needs to input the message M or associated data A into Ẽ. Our proposed ASA instead exploits the publicly available pubinform as the trigger. After setting the current value of pubinform, BB calls Ẽ to recover the encryption key K.
Finally, the performance comparisons between DFP's ASA and our proposed ASA are summarized in Table 1.

B. SECURITY PROPERTIES
Since our proposed ASA is a new trigger ASA on symmetric encryption schemes, we need to understand its theoretical properties. In the following, we therefore analyze our proposed ASA under the BJK security model and the DFP security model, respectively. Moreover, our proposed ASA can serve as an acid test of the validity of both the BJK security model and the DFP security model.
We first recall the security notion of standard privacy [40]-[42]. For = (K, E, D), consider the game PRIV depicted in Fig. 5. The advantage of the adversary A is defined as

is said to be ν-private if, for every practical A, its advantage Adv PRIV (A) is bounded from above by a negligible value ν. We require to be secure in this sense, so that we can restrict our attention to subversion security in the following discussion.

Theorem 1: Let be (q, δ 1 )-correct and let the subversion ˜ in Fig. 4 satisfy (q, δ 2 )-decryptability relative to . Assume that the variable pubinform is independent of all encryption, decryption, and subversion encryption operations. Let the space of pubinform be {0, 1} λ for some λ and PUBINFORM ∈ {0, 1} λ. Assume that Pr[pubinform = PUBINFORM when no manipulation for pubinform] = δ 3, where δ 3 is negligible. Then, δ 2 ≤ δ 1 + qδ 3. Under the BJK security model, the detection advantage of SD is Adv sdet ,˜ (SD) ≤ q 1 δ 3 when SD makes at most q 1 encryption queries. Moreover, the key recovery advantage of L̃ is Adv kr ,MS (L̃) = 1.

Proof 1: We omit associated data in this proof. As shown in Fig. 4, Ẽ calls E K (M, ε) and returns its output except when the event pubinform = PUBINFORM happens. Consider the case that pubinform is not maliciously set by calling Setcurrentpubinform(PUBINFORM). Let E 1 denote the event that pubinform = PUBINFORM happens when Ẽ performs the cryptographic operations for the message vector M as in Definition 2. We know that pubinform = PUBINFORM and the cryptographic operations are independent events. Let Ē 1 denote the complementary event of E 1, that is, pubinform ≠ PUBINFORM when Ẽ performs the cryptographic operations for M. According to Definition 2, we estimate the error probability of decryptability as follows.
where the bound on the term Pr[M = M | Ē 1 ] follows from the correctness probability of .

Consider the game SDET in Fig. 2 with E and Ẽ, where Ẽ is described in Fig. 4. SD plays with the encryption oracle Enc to guess the random bit b. If b = 1, SD interacts with E; otherwise SD runs with Ẽ. Note that Ẽ calls E except in the case when pubinform = PUBINFORM. We know that SD in the game SDET never calls Setcurrentpubinform(PUBINFORM) to set the value of pubinform. For any SD making at most q 1 encryption queries, it is easy to see that the detection advantage of SD is

Consider the game KR in Fig. 2, which uses the L̃ described in Fig. 4 to recover the encryption key K. We know that L̃ can always set the value of pubinform by calling Setcurrentpubinform(PUBINFORM) and then query the encryption oracle Enc. Moreover, PUBINFORM is not an input of Ẽ. Hence, Ẽ computes E K̃ (K, ε) and returns the corresponding C = E K̃ (K, ε) to L̃. This means that L̃ can recover K by computing D K̃ (C, ε) (= D K̃ (E K̃ (K, ε), ε) = K). Therefore, the key recovery advantage of L̃ is 1, i.e., Adv kr ,MS (L̃) = 1.

Theorem 1 shows that our proposed ASA incurs a negligible probability of decryption error, i.e., δ 2 ≤ δ 1 + qδ 3. Moreover, the game SDET in the BJK security model is unable to detect our proposed ASA, because Adv sdet ,˜ (SD) is negligible. However, our proposed ASA can efficiently recover the encryption key K under the game KR of the BJK security model. It is therefore perhaps unreasonable to try to prevent trigger ASAs by using the key recovery game.
We further present the security result of our proposed ASA under the DFP security model.

Theorem 2: All assumptions are the same as those of Theorem 1. Let ν be the upper bound on the advantage Adv PRIV (A) defined in Eq. (2). Under the DFP security model, the detection advantage of U is Adv det ,˜ (B, U) ≥ 1 − ν − q 1 δ 1 when B makes at most q 1 encryption queries.
Proof 2: Consider the game DETECT in Fig. 3 with E and Ẽ, where Ẽ is described in Fig. 4. First, given the subversion key K̃, B runs with the key generation oracle Key and the encryption oracle Enc, and its corresponding queries are recorded in a transcript T. To guess the random bit b, B may use the L̃ described in Fig. 4 to verify the existence of Ẽ. Then, the detection test U has access to T, which includes the encryption key K and the corresponding encryption triples {M, A, C}. The goal of U is to guess the random bit b from T.
In Fig. 6, we propose a detection test U that outputs b′ as a guess of b. To distinguish Ẽ from E, the idea of the detection test U is to detect encryption errors that appear in the transcript T. U reads the encryption key K and the encryption triples {M, A, C} from T. U then decrypts each ciphertext C in T by computing D K (C, A, σ). If any message M is not equal to its decrypted value, U decides that b′ = b = 0, that is, U believes that the encryption oracle Enc ran Ẽ in the game. Otherwise, U infers that the oracle Enc called E and therefore decides that b′ = b = 1. We estimate the detection advantage of U. According to Eq. (1), the detection advantage of U is expressed as

When b = 0, the encryption oracle Enc runs Ẽ in Fig. 3, and B calls L̃ to obtain the encryption key K. If pubinform = PUBINFORM, the oracle Enc outputs a ciphertext C computed by E K̃ (K, A, ε) (not by E K (M, A, σ)). This {M, A, C = E K̃ (K, A, ε)} is recorded in the transcript T. Therefore, if the detection test U makes a wrong guess, i.e., b′ = 1 but b = 0, the event M = D K (E K̃ (K, A, ε), A, σ) must happen. We argue that

where ν is the upper bound on the advantage Adv PRIV (A) defined in Eq. (2). Suppose on the contrary that

The event M = D K (E K̃ (K, A, ε), A, σ) tells us that U, without K̃, can correctly decrypt E K̃ (K, A, ε). Therefore, U is an adversary A who can win the game PRIV depicted in Fig. 5, and its advantage Adv PRIV (U) is not bounded by ν. This is a contradiction. Thus, we know that

where q 1 is the maximum number of B's encryption queries. Moreover, combining Eq. (1) with Eqs. (3), (4), and (5), we get

Here, Pr[b = 0] = Pr[b = 1] = 1/2, because b is a random bit. Theorem 2 demonstrates that the game DETECT in the DFP security model can find out our proposed ASA, because ν and q 1 δ 1 are both negligible. It implies that the BJK security model is incompatible with the DFP security model.
That is, in view of detecting ASAs, the BJK security model and the DFP security model are not equivalent.
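To make the contrast between Theorems 1 and 2 concrete, the following simulation is added here as an example; it is not code from the paper or from the BPR, DFP, or BJK works, which describe Ẽ, L̃, and the detection test U abstractly in Figs. 4 and 6. It models the pubinform-triggered subversion of Section IV.A with pubinform as the 16-bit system-clock year of Remark 1 (PUBINFORM = 0xFFFF, i.e., AD 65535), and runs two detectors against it: an SDET-style detector that never manipulates pubinform and so observes nothing (Theorem 1), and the Fig. 6 test U that decrypts the DETECT transcript with the honest key and flags the mismatch (Theorem 2). The toy scheme (an HMAC-SHA256 keystream XORed into a fixed-size message), its deterministic and hence unique-ciphertext behaviour, and all keys and messages are constructed assumptions; the scheme is intentionally a unique-ciphertext one so that the run also illustrates the Section V setting, where a unique-ciphertext scheme does not by itself stop this ASA but the Fig. 6 test still catches it.

```python
"""Toy model of the pubinform-triggered ASA and the DFP detection test U (Fig. 6).

Constructed example: the scheme, keys, messages and the pubinform encoding are
assumptions made for illustration, not the paper's own constructions.
"""
import hashlib
import hmac
import os

KEY_LEN = 32  # the paper assumes message and key have the same size


def keystream(key: bytes, ad: bytes) -> bytes:
    """Constructed deterministic keystream: HMAC-SHA256(key, "keystream|" + ad)."""
    return hmac.new(key, b"keystream|" + ad, hashlib.sha256).digest()


def E(K: bytes, M: bytes, A: bytes = b"") -> bytes:
    """Honest encryption E_K(M, A): stateless and deterministic, so the scheme
    has unique ciphertexts in the sense of Definition 4 (one C per (K, M, A))."""
    if len(M) != KEY_LEN:
        raise ValueError("toy scheme encrypts exactly KEY_LEN-byte messages")
    return bytes(m ^ k for m, k in zip(M, keystream(K, A)))


def D(K: bytes, C: bytes, A: bytes = b"") -> bytes:
    """Honest decryption D_K(C, A); XOR with the same keystream inverts E."""
    return E(K, C, A)


# pubinform: a public parameter independent of every cryptographic operation.
# Here it models the 16-bit system-clock year of Remark 1 (constructed default).
_pubinform = 2019
PUBINFORM = 0xFFFF  # BB's trigger: AD 65535, a year an unmanipulated clock never shows


def Setcurrentpubinform(val: int) -> None:
    global _pubinform
    _pubinform = val


def Getcurrentpubinform() -> int:
    return _pubinform


def E_tilde(K: bytes, K_tilde: bytes, M: bytes, A: bytes = b"") -> bytes:
    """Subverted encryption of Fig. 4 (modelled): when pubinform equals the
    trigger, output E_{K~}(K, eps) instead of E_K(M, A); otherwise behave as E."""
    if Getcurrentpubinform() == PUBINFORM:
        return E(K_tilde, K, b"")
    return E(K, M, A)


def sdet_indistinguishable(q: int) -> bool:
    """SDET-style check (Fig. 2): a detector that never manipulates pubinform
    sees E and E~ return identical ciphertexts on all q queries (Theorem 1)."""
    K, K_tilde = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    for _ in range(q):
        M = os.urandom(KEY_LEN)
        if E_tilde(K, K_tilde, M) != E(K, M):
            return False
    return True


def run_detect_game(b: int, q: int):
    """One run of the DETECT game (Fig. 3): B knows K~, sets pubinform to the
    trigger, makes q Enc queries and restores pubinform afterwards (Remark 1).
    Returns the honest key K and the transcript T of (M, A, C) triples."""
    K, K_tilde = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    saved = Getcurrentpubinform()
    Setcurrentpubinform(PUBINFORM)
    T = []
    for i in range(q):
        M, A = os.urandom(KEY_LEN), b"packet-%d" % i
        C = E(K, M, A) if b == 1 else E_tilde(K, K_tilde, M, A)
        T.append((M, A, C))
    Setcurrentpubinform(saved)
    return K, T


def detection_test_U(K: bytes, T) -> int:
    """Fig. 6 test: decrypt every transcript entry with K; any mismatch means
    the oracle ran E~ (guess b' = 0), otherwise guess b' = 1."""
    for M, A, C in T:
        if D(K, C, A) != M:
            return 0
    return 1


def detection_advantage(runs: int, q: int) -> float:
    """Empirical Adv^det = Pr[b'=1 | b=1] - Pr[b'=1 | b=0] over `runs` games each."""
    honest = sum(detection_test_U(*run_detect_game(1, q)) for _ in range(runs))
    subverted = sum(detection_test_U(*run_detect_game(0, q)) for _ in range(runs))
    return honest / runs - subverted / runs


if __name__ == "__main__":
    print("SDET-style detector (pubinform untouched) sees identical outputs:",
          sdet_indistinguishable(64))
    print("DETECT advantage of U (Fig. 6):", detection_advantage(runs=50, q=8))
```

The two outcomes are exactly the ones Theorems 1 and 2 predict: without touching pubinform the subverted algorithm is byte-for-byte identical to the honest one, so a detector confined to the SDET interface has nothing to observe, while the transcript of a DETECT run contains E K̃ (K, ε) in the place of E K (M, A), which fails to decrypt to M under K and is therefore caught by a test that merely re-checks decryptability. Note that U never needs K̃ or knowledge of the trigger; it only needs the honest key and the transcript.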

V. FLAW ON THE DFP SECURITY DEFINITION
In [2], DFP stated that their security model can distinguish all ASAs, including their input-triggered ASA, and proved that the BPR unique ciphertext scheme is secure under their security model. However, we demonstrate that the DFP security model has a flaw, because the BPR unique ciphertext scheme is insecure under our proposed ASA. Hence, we improve the DFP security model to address this flaw and use it to restore the positive result for the BPR unique ciphertext scheme. By fixing the flaw in the DFP security definition, our improved security model is more reasonable than the DFP security model. DFP proposed the security notion of subversion resistance against their input-triggered ASA. Let us recall its definition.
Definition 3 (Definition 4 in [2]): Let ˜ = (K, Ẽ, L) be a subversion relative to the symmetric encryption scheme = (K, E, D). Assume that the games SURV and DETECT are defined as in Fig. 3. A scheme is said to be -subversion resistant iff

DFP showed that -subversion resistance is the best definition for preventing ASAs when δ_2 in Definition 2 is negligible but not 0. In Theorem 2 of [2], they further claimed that the BPR unique ciphertext scheme in [1] is subversion resistant in terms of Definition 3. The definition of the BPR unique ciphertext scheme can be rewritten as follows.
Definition 4 (Definition 5 in [2]): Let K, l, M and A be the same as those in Definition 1. A symmetric encryption scheme = (K, E, D) is said to have unique ciphertexts if: 1. has perfect correctness, and 2. for all l ∈ N, all K, all M, and all A, there exists exactly one ciphertext vector C such that:

In Theorem 2 of [2], a detection test U as in Fig. 7 was proposed to prove the subversion resistance of the BPR unique ciphertext scheme of Definition 4. That is to say, for the BPR unique ciphertext scheme , any subversion ˜ , and any adversary B, the detection test U described in Fig. 7 achieves

However, we demonstrate that Theorem 2 in [2] is incorrect. We construct a counterexample in which our proposed ASA is mounted on the BPR unique ciphertext scheme. The surveillance game SURV in Fig. 3 is not reasonably defined: it does not take into account the case in which B directly outputs the encryption key K of the encryption algorithm E, even though the surveillance game is meant to evaluate the surveillance security of the symmetric encryption scheme. Clearly, B should win the surveillance game if B obtains the encryption key K after the surveillance game. Therefore, we modify the DFP surveillance game SURV into the surveillance game SURV2 in Fig. 8. In our surveillance game SURV2, B wins when B correctly outputs either the random bit b or the encryption key K. We can further define the surveillance advantage of B as follows.
Here, we can see that Adv srv ,˜ (B) is 1 when BB can correctly output the encryption key K of the encryption algorithm E. Otherwise, our proposed definition is the same as the corresponding DFP definition. In fact, it must be pointed out that the surveillance game SURV in the BPR model [1] also suffers from a similar flaw. In addition, the detection advantage of U is redefined by

Fig. 4 be a subversion relative to . Assume that the games SURV2 and DETECT2 are defined as in Fig. 8. Assume that the detection test U is as in Fig. 7. We have

Proof 3: Consider the game SURV2 in Fig. 8. Given the subversion key K̃, B has access to the key generation oracle Key and the encryption oracle Enc. Here, the oracle Enc invokes Ẽ described in Fig. 4.

Fig. 4 requires that the subverted ciphertext be exactly equal to the real unique ciphertext, i.e.,

This theorem shows that, according to Definition 3, the detection test U as in Fig. 7 cannot exclude the subversion ˜ in Fig. 4 of the BPR unique ciphertext scheme , i.e., Adv srv ,˜ (B) > Adv det ,˜ (B, U), thereby reaching a contradiction. In addition, we can modify the input-triggered ASA in Fig. 3 of [2]. That is, Ẽ returns (E(K̃, K, A, σ), σ) instead of (C||K, σ) when the predicate R is true, and BB with the subversion key K̃ can recover the encryption key K from E(K̃, K, A, σ). According to Definition 3, we claim that the modified input-triggered ASA also violates the subversion resistance of the BPR unique ciphertext scheme . The proof is the same as that of Theorem 3 and is therefore omitted.
The BPR unique ciphertext scheme still does not satisfy the DFP subversion resistance definition when its subversion is allowed to have a trigger. We therefore need to improve the DFP subversion resistance definition so that it captures all existing trigger ASAs. Our improved definition is presented as follows.
Definition 5 (Subversion Resistance): Let ˜ = (K, Ẽ, L) be any subversion relative to the symmetric encryption scheme = (K, E, D). Assume that the games SURV2 and DETECT2 are defined as in Fig. 8. We say is subversion resistant if:

is a negligible value.

Remark 4 (Analysis of Definition 5):
When is a subversion resistant scheme, our improved definition does not strictly require Adv srv ,˜ (B) ≤ Adv det ,˜ (B, U) for every subversion ˜ and every adversary B. Instead, it only requires that Adv srv ,˜ (B) − Adv det ,˜ (B, U) be negligible for every subversion ˜ and every adversary B. We thus relax the DFP subversion resistance definition. Nevertheless, if Adv srv ,˜ (B) is non-negligible, our improved definition ensures that Adv det ,˜ (B, U) is also non-negligible. Hence, our improved definition means that the detection test U in the game DETECT2 of Fig. 8 should always be able to find the subversion behavior of B once B has efficiently subverted .
In the following, we show that the BPR unique ciphertext scheme is subversion resistant under Definition 5.
Theorem 4: Let = (K, E, D) be the unique ciphertext symmetric encryption scheme of Definition 4. Let ˜ = (K, Ẽ, L) be any subversion relative to . Assume that the games SURV2 and DETECT2 are defined as in Fig. 8. Assume that the detection test U is as in Fig. 7.

Proof 4: Fix a subversion ˜ = (K, Ẽ, L) and the corresponding adversary B in the game SURV2 of Fig. 8. Let E_3, E_3, E_4, and E_5 respectively denote the same events as in Theorem 3. Actually, E_3, E_4, and E_5 cover all possible surveillance cases after B queries the encryption oracle Enc during the game SURV2. Similar to Theorem 3, we have

VI. CONCLUSION
Our work is dedicated to a better understanding of how far the boundary of ASAs on symmetric encryption schemes can be extended. Our proposed ASA is valid under the game SDET of the BJK security model. Comparatively, the game DETECT in the DFP security model is able to detect our proposed ASA. From the viewpoint of cryptographic engineering, we argue that the game DETECT is more expensive than the game SDET: SD in the game SDET can only experiment with the encryption oracle Enc, whereas the game DETECT needs to record all oracle Enc queries of B. We have also shown that the DFP subversion resistance definition is unreasonable and have therefore improved their definition. It needs to be pointed out that the improved definition is only suitable for detecting trigger ASAs. We still do not know whether the improved definition can capture the ASAs in [1], [3]. This problem needs to be investigated in the future. In practice, the probability of decryptability defined in Definition 2 is perhaps a small but non-negligible value. Hence, another direction for future work is to explore new ASAs, define the security model, and design symmetric encryption schemes under this new security assumption. In addition, we will also substitute the symmetric encryption algorithms deployed in computer and network systems and evaluate the performance of our proposed ASA.