Algorithm Substitution Attacks: State Reset Detection and Asymmetric Modiﬁcations

. In this paper, we study algorithm substitution attacks (ASAs), where an algorithm in a cryptographic scheme is substituted for a subverted version. First, we formalize and study the use of state resets to detect ASAs, and show that many published stateful ASAs are detectable with simple practical methods relying on state resets. Second, we introduce two asymmetric ASAs on symmetric encryption, which are undetectable or unexploitable even by an adversary who knows the embedded subversion key. We also generalize this result, allowing for any symmetric ASA (on any cryptographic scheme) satisfying certain properties to be transformed into an asymmetric ASA. Our work demonstrates the broad application of the techniques ﬁrst introduced by Bellare, Paterson, and Rogaway (Crypto 2014) and Bellare, Jaeger, and Kane (CCS 2015) and reinforces the need for precise deﬁnitions surrounding detectability of stateful ASAs.


Introduction
In this paper, we study Algorithm Substitution Attacks (ASAs). ASAs were first presented by Bellare, Paterson, and Rogaway [BPR14], as a specific possibility within the research area of kleptography [YY96,YY97,YY98,YY04,YY03]. In an ASA on a symmetric encryption scheme, an attacker has the following goal: replace an encryption function with a subverted version, such that, upon observing ciphertexts, the attacker is able to recover the secret key while the user is unable to detect the difference between the subverted and original encryption algorithms [BPR14]. Such an attack is certainly outside of the traditional security definitions considered in cryptography. However, revelations of the activities of nation-state intelligence agencies since 2013 [BBG13] have shown that such attacks are aligned well with both the intentions and the capabilities of these potential adversaries. Under threat of mass surveillance, it is imperative for us to study the ways in which cryptographic security may be undermined so we can best mitigate the effects.
We contribute two main improvements to the existing literature on ASAs. First, we formalize a possible method for detecting ASAs involving the manipulation of the state maintained by the subverted algorithm. We describe a model that allows a detector to force re-use of the algorithm's maintained state, as could happen when the algorithm is running on a virtual machine. This changes the detectability analysis of several published ASAs, rendering them easily detectable. Second, we describe two modifications to existing ASAs that turn them into asymmetric ASAs, which are more resilient to exploitation by another party who reverse engineers the subverted implementation.
Background. The possibility of subverting a cryptographic algorithm by changing the implementation to differ from the specification is not new. Termed kleptography, research presented an ASA against KEMs [CHY20]. More recently, Berndt et al. studied the implementation of ASAs on the TLS, WireGuard, and Signal protocols [BWP + 20].

State resets for detection of ASAs
In the literature, there has been a tendency towards ensuring that new ASAs are stateless. [BPR14], who coined the term ASA, noted that the biased-ciphertext attack they introduced was stateful. They said that, since the attack is stateful, "a reset of the state will lead to increased detection ability for an observer, but ... this increase does not appear to be enough to lead to actual detection." Improving on the results of [BPR14], [BJK15] presented their stateless ASA. They seem to interpret some of the conclusions from [BPR14] differently, saying, with reference to the previous work, "a state reset, as can happen with a reboot or cloning to create a virtual machine, leads, in their attack, to detection." They then define a notion of undetectability that necessitates statelessness, and call this strong undetectability. As a result of the interpretations and emphasis of [BJK15], as well as the fact that stateless subversions have proven more difficult to develop, later work has often acknowledged that stateless schemes are surely preferable. Authors detailing stateful subversions have spent time justifying that the amount of state that they are maintaining is small, and so more palatable for the adversary to include [BSKC19,CHY20].
This begs a question: how does an adversary against the undetectability of a subversion use state resets to detect the subversion? To our knowledge, this question has not been addressed fully in the literature. The closest example is due to Baek, Susilo, Kim, and Chow [BSKC19], who included a simple state reset oracle in their undetectability game, which resets the state to the initial null value. However, as noted by [BJK15], we also wish to consider what happens when the algorithm is running on a virtual machine, where the machine state can be cloned and re-run from the same point, potentially many times. The simple state reset oracle is therefore insufficient.

Contributions.
We present a stronger state reset oracle than that used by [BSKC19], which is able to reset the state of the ASA to any state previously used in the detection game. Under this new definition, we show that ASAs given by Ateniese, Magri, and Venturi [AMV15] (on signatures), Baek et al. [BSKC19] (on DSA signatures), and Chen, Huang, and Yung [CHY20] (on key exchange) are all easily detectable. On the other hand, we show that original biased-ciphertext ASA by [BPR14] is actually just as undetectable as the "upgraded", stateless version given by [BJK15]. Our analysis of the ASA from [BPR14] also uses the same game-playing proof framework as used in [BJK15], avoiding the "coin-injective" assumption on the encryption scheme that was necessary in [BPR14]. We present these results in Section 3.

Asymmetric ASAs
When introducing ASAs, [BPR14] also considered the possibility of an asymmetric ASA on symmetric encryption. An asymmetric ASA is one where the subverted algorithm uses an embedded key that is different from the extraction key used for key recovery; for example, the two keys could be a public-private key pair. The motivation for this comes from noticing that the embedded subversion key is not particularly protected. Instead, it is embedded in, for example, malware, distributed to the target. While we assume in this model that the target themselves will not scrutinize the code they are using, some third party might find out about the subversion, and reverse engineer the software to learn the embedded key. The subverter would have a strong incentive to prevent a third party from obtaining the same key recovery capabilities as the subverter. If the embedded key is presumed to be public knowledge, and the ASA remains undetectable, then the subverter is assured that they are the only one capable of exploiting the ASA. In an appendix, [BPR14] give the necessary definitional extensions for asymmetric ASAs, and leave the development of an asymmetric ASA as an open problem. Later works considered asymmetric ASAs in certain specific contexts, like on signature schemes and KEMs that satisfy certain conditions [CHY20,BSKC19].

Contributions.
In this paper, we will consider two different kinds of asymmetric ASAs. In a type 1 asymmetric ASA, the subversion is required to be undetectable to an adversary in possession of the embedded subversion key; we call this augmented undetectability. This is the simplest way of thinking about an asymmetric ASA, and the definition that has been used in other literature. In a type 2 asymmetric ASA, we will instead require that the subversion is only undetectable to an adversary who does not know the embedded subversion key, as in the case of a symmetric ASA, but we also require that a type 2 asymmetric ASA is secure against exploitation (in the sense that the attacker exploits the ASA) by an adversary in possession of the embedded subversion key. This less restrictive requirement is a reflection of the fact that the main goals for an asymmetric ASA (besides recovering the targeted information) are as follows: to ensure that the user of the cryptographic scheme (or some entity with the decision-making authority to halt usage of the cryptographic scheme) being attacked is unaware of the attack, and to ensure that no other entity is able to exploit the ASA to recover the targeted information. While this is accomplished by a type 1 asymmetric ASA (indeed, a type 1 ASA is also a type 2 ASA), our stipulated requirements for a type 2 asymmetric ASA will also suffice. The relaxed requirements allow for more flexibility when designing an ASA, and allows us to create an ASA whose executions take less time.
In Section 4, we modify the ASA of [BPR14] to obtain a type 1 asymmetric ASA on symmetric encryption, that is, an ASA undetectable by an adversary who is in possession of the embedded subversion key and is able to use state resets on the encryption scheme. This provides an answer to their open problem explicitly in the case of symmetric encryption. In Section 5 we modify the ASA of [BJK15] (which is itself a modification of the ASA from [BPR14]) to obtain a type 2 asymmetric ASA on symmetric encryption. To show the advantages of this ASA, we do a thorough analysis of the parameters and techniques the attacker can use in practice to recover the key. We show that our type 2 asymmetric ASA can enable key recovery in practice with a subverted encryption function which runs in less time, making it, in theory, less susceptible to detection by timing.
In order to give a better idea of how these new ASAs compare to other published ASAs, we give a comparison of some basic properties in Table 1.
Finally, in Section 6 we give a generalization of the modifications we made to the above ASAs, in order to apply our results to other cryptographic primitives and security notions. Our results allow for a large class of ASAs to be modified to create type 1 and type 2 asymmetric ASAs. These results apply to any cryptographic primitive, and in the case of the type 2 modification, any game-based notion of security. These results will make it easier for future researchers to evaluate whether their symmetric ASAs can be modified to create asymmetric ASAs.

Games and algorithms
Proofs in this paper will use the cryptographic game-playing framework [BR06]. In these games, assignment is denoted by ←, while random sampling is denoted by ←$ . We write y ←$ A(x) to denote running the probabilistic algorithm A on input x, and assigning the result to y. If we wish to specify the random coins r used in a randomized algorithm, we will write y ← A(x; r). We will use min-entropy as a measure of the randomness of an where the probability is taken over the choice of coins r. The min-entropy of A is η A . ⊥ is used to denote a null value. If G is a game, then Pr[G] indicates the probability that G returns true. We will denote game adversaries by script letters (e.g. A). An adversary A is simply an algorithm. The notation A O indicates that the adversary A has access to the oracle O for use as a subroutine. The running time of A is the worst-case execution time of A including the time it takes to execute any subroutines.

Cryptographic schemes
A cryptographic scheme Λ is a set of algorithms Λ.Alg 1 , ..., Λ.Alg u . We will be using several cryptographic schemes in this paper, including symmetric encryption and public-key encryption. We introduce these here, and other schemes as needed.
A symmetric encryption scheme SE is composed of three algorithms: SE.KeyGen, SE.Enc, and SE.Dec. SE.KeyGen randomly selects a single secret key k of length SE.klen from {0, 1} SE.klen . SE.Enc is a randomized algorithm with coins r ∈ {0, 1} SE.rlen and takes a key and a plaintext m ∈ {0, 1} SE.mlen and produces a ciphertext c ∈ {0, 1} SE.clen . SE.Dec is a deterministic algorithm, takes a key and a ciphertext, and returns a plaintext or ⊥, indicating an error.
A public-key (or asymmetric) encryption scheme PKE is similarly composed of three algorithms: PKE.KeyGen, PKE.Enc, and PKE.Dec. PKE.KeyGen randomly generates a secret key sk and a public key pk. PKE.Enc is a randomized algorithm with coins r ∈ {0, 1} PKE.rlen and takes a public key and a plaintext m ∈ {0, 1} PKE.mlen and produces a ciphertext c ∈ {0, 1} PKE.clen (note that we will consider only fixed length ciphertexts for public-key schemes). PKE.Dec is a deterministic algorithm, takes a secret key and a ciphertext, and returns a plaintext or ⊥, indicating an error.
We say that a public-key encryption scheme is δ-correct if, for all sk, pk generated from PKE.KeyGen and m, Pr[PKE.Dec(sk, PKE.Enc(pk, m)) = m] ≥ δ, where the probability is taken over the choice of coins r for the encryption function. We could define an analogous property for symmetric encryption, but we will mostly assume that such a δ value will always be 1 unless otherwise stated.
return wx Figure 1: The PRF security game.

Pseudo-random functions and random oracles
In this paper, we will make use of two standard ways of talking about functions whose output is hard to predict on new inputs. The first is the notion of a pseudo-random function (PRF). Let F : K F × {0, 1} * → W be a function, for some output set W and key space K F . Let the PRF game for F be as defined in Figure 1. For an adversary F in the PRF game for F, we define the advantage of F as Adv PRF The second way to talk about functions with unpredictable output is by using the random oracle model. This model is useful for situations in which there is no secret input to the function F, so the game in Figure 1 is no longer relevant. In this model, we replace F by a lazily-sampled random function, and provide oracle access to this function to all game adversaries. A lazily-sampled random function will return random outputs on previouslyunseen queries, and outputs consistent with previous outputs for any previously-seen queries. (In the case of b = 1 in the PRF game, the oracle O F behaves as a lazily-sampled random function.)

Algorithm substitution attacks
The main focus of this paper is on different kinds of Algorithm Substitution Attacks (ASAs), and so we define this notion here. Let Λ be a cryptographic scheme composed of algorithms Λ.Alg 1 , ..., Λ.Alg u . An ASA on Λ, denoted Sub (for subversion), specifies the following: • a subversion-key generation function Sub.KeyGen, • an index λ for the component algorithm of Λ to be subverted, and • a subverted algorithm Sub.Alg λ to replace the chosen algorithm Λ.Alg λ .
The key generation algorithm Sub.KeyGen takes no arguments and returns a pair of keys ek and xk (for embedded key and extraction key). The subverted algorithm Sub.Alg λ has the same inputs as Λ.Alg λ , represented by a tuple x, plus an embedded key ek, and a state variable τ (potentially ⊥, for stateless ASAs); Sub.Alg λ has the same outputs as Λ.Alg λ plus the updated state variable τ . For example, if Λ is a symmetric encryption scheme SE and Λ.Alg λ is SE.Enc, then we have c, τ ←$ Sub.Enc(k, m, ek, τ ). 1 The idea here is that the algorithm Sub.Alg λ is chosen by an adversary A who is trying to subvert the security of scheme Λ. A user U of Λ will unknowingly use Sub.Alg λ , which has the key ek embedded, in place of Λ.Alg λ . The adversary A will observe U's communication with other users of the scheme Λ, and violate the security of Λ by making use of the extraction key xk. Depending on the instantiation, A's specific attack goal can vary, although a common one is recovery of whatever secret key is used by U for Sub.Alg λ .
Note that we consider here only the subversion of a single algorithm of the scheme Λ. Other works have considered the case of total subversion (any or all of the algorithms are substituted), mostly in the context of countermeasures [AFMV19, RTYZ17,RTYZ16].
The two keys used by A can be the same, xk = ek. In this case, we may denote them simply by k, and we refer to this type of ASA as a symmetric ASA. In other cases, (xk, ek) will be a private key-public key pair, reflecting the fact that embedding the key ek into an Sub.Alg λ may lead to its recovery by some other party. We call such an ASA an asymmetric ASA. Note that an asymmetric ASA can be used to attack a symmetric-key primitive Λ (e.g., symmetric encryption), and vice versa. We will discuss the advantages and disadvantages of an asymmetric ASA in Section 4.
The attacker A wants to complete their attack in a way that is not detectable by U. In order to measure detectability, we allow U blackbox access to the algorithm Sub.Alg λ (with the embedded key and state implicitly provided), and calculate how well U can differentiate Sub.Alg λ from Λ.Alg λ . Formalization of the notion of detectability will be covered in the next section.
There are a few different ways that previous works have considered the subverter's influence on U after the relevant algorithm has been substituted. Bellare, Paterson, and Rogaway [BPR14] implicitly considered the attacker passive (after the substitution), only observing ciphertexts of messages that the user decided to encrypt. Degabriele, Farshim, and Poettering [DFP15] presented an "input-triggered" subversion, which relied on the subverter's ability to influence the user to encrypt some particular value, making the subverter active. Bellare, Jaeger, and Kane [BJK15], addressed this issue by requiring key recovery to occur for messages sampled from any distribution M, ruling out the attack from [DFP15] and again making the subverter passive. We follow [BJK15] and consider a passive subverter who should be able to complete their attack no matter how inputs are chosen for Sub.Alg λ .

Using State Reset to Detect ASAs
State reset detection techniques against the undetectability of stateful ASAs have been acknowledged since the work of Bellare, Paterson, and Rogaway [BPR14], but apart from Baek, Susilo, Kim, and Chow [BSKC19], the formalization of the state reset capabilities of a user U has been ignored. In their paper, [BSKC19] capture the idea of state reset with the ability of U to reset state to a null value. This is akin to wiping the memory of the program running a cryptographic algorithm, or rebooting the machine. We wish, however, to capture a stronger notion of state reset. For example, when running on a virtual machine, instead of being wiped, memory could be cloned during imaging, allowing a user to force a program to run from the same point of execution multiple times. This would allow a user to reset the state of a subverted algorithm to any previously used state.
We will define two similar games: an augmented and a non-augmented (or regular) state reset detection game. These two games differ only in that, in the augmented game, U is given the embedded key ek. Hence, the augmented game is intended primarily for asymmetric ASAs, and the non-augmented game is intended for symmetric ASAs (this is not an absolute requirement, and we will consider regular detectability of asymmetric ASAs in Section 5). This captures the difference between, for example, a nation state reverse-engineering one implementation to recover the embedded key, and a casual enduser doing black-box detection. The state reset detection games (ASRDET Sub (U) and SRDET Sub (U) respectively) are given in Figure 2, for some cryptographic scheme Λ and ASA Sub. These are distinguishability games, where U is asked to determine whether the oracle it is using is returning values according to the subverted algorithm Sub.Alg λ or the original algorithm Λ.Alg λ . All state variables used by the subverted algorithm are saved between oracle calls, and U has access to an oracle Reset which allows it to reset state to any previously saved state (but does not give U the contents of the state).
For an adversary U in the state reset detectability games, we define the advantages of U as Adv SRDET [BPR14] undetectability, with no consideration of state.
[BJK15] undetectability (strong undetectability), disallowing state. 1 2 |. Informally, we say that Sub is undetectable if the corresponding advantage is small for any efficient adversary U. Otherwise, it is detectable, and an adversary U with large advantage represents a strategy for detection. It is worth taking some time to compare our new detectability game with those in previous works. The detectability game in [BPR14] did not include state resets, and fully allowed stateful ASAs. [BJK15] considered all stateful ASAs detectable, and formalized this by providing the state directly to U (the adversary in the detectability game), hence any non-⊥ state would lead to detection. They called this "strong undetectability". We also include the definition from [BSKC19] in this comparison, since, to our knowledge, they are the only other authors to include a state reset oracle in their detection analysis. Their state reset oracle only resets the state variables to their initial values, and not to any previously used values. A hierarchy here is clear, and we illustrate this in Figure 3. The implications given can be seen by simply noting that with each game higher in the hierarchy, the adversary U in the detectability game is given more capabilities with respect to manipulation and knowledge of the state of the ASA.
In fact, in the rest of this section, we will see that for each implication in Figure 3, there is a separation, meaning no two definitions are equivalent. First, in Subsubsection 3.1.1, we will use a simple state reset to detect an ASA that is undetectable in the [BPR14] model. In Subsubsection 3.1.2, we will use our more sophisticated state reset to detect an ASA that is undetectable even with simple state resets. In Subsection 3.2, we will show that the original ASA of [BPR14], while detectable in the game of [BJK15] due to the use of state, remains undetectable in our game. Note that these are not artificial constructions, but rather existing ASAs, which are illustrating the significant differences between the definitions in Figure 3.

Detection of ASAs using state reset
In this section we will look at published ASAs against different cryptographic primitives and see that they are detectable using our notion of state reset detectability. This will demonstrate that the addition of our state reset oracle does indeed make our notion of detectability stronger than the basic definition used by [BPR14]. When we examine the result from [BSKC19], we will see that our state reset oracle also places further restrictions on ASAs wishing to achieve undetectability than their simple state reset oracle, which only resets state to a null value.

Detecting Ateniese, Magri, and Venturi's ASA using simple state reset
Ateniese, Magri, and Venturi [AMV15] describe two different symmetric algorithm substitution attacks on signature schemes. The first is virtually identical to the attack described by [BJK15]. The second is an attack on coin-extractable schemes (schemes for which the randomness used to generate the signature can be efficiently extracted from the signature itself). It works on any such scheme that makes use of at least a single bit of randomness.
Their attack on coin-extractable schemes works by having the subverted algorithm maintain the state of a stateful pseudorandom generator. Under our definition of state reset (or in fact even the simpler kind, resetting state to null values), their attack becomes detectable: in their ASA, re-use of state of the pseudorandom generator leads to re-use of the signature. We first define some notation for signature schemes. A signature scheme SIG is composed of three algorithms: SIG.KeyGen, SIG.Sign, and SIG.Ver. SIG.KeyGen randomly selects a secret private key sk and a public verification key pk as a pair from the key space K SIG . SIG.Sign is a randomized algorithm with coins r ∈ {0, 1} SIG.rlen . It takes a private key and a message m ∈ M SIG and produces a signature s ∈ S SIG . SIG.Ver is a deterministic algorithm, taking a public key, a signature, and a message, and returning a boolean value indicating whether the signature passes verification.
Let G be a stateful pseudo-random generator with output length d = SIG.rlen, i.e. it has input of some state t and outputs a pseudorandom output v of length d and new state t . Assume for simplicity that d divides |sk|. The subversion of [AMV15] is shown in Figure 4a. On each execution of Sub.Sign, this ASA encrypts the next d bits of the signing key, denoted by sk[ + 1, + d], using G as a stream cipher. This encryption is then used in place of the coins for the signature. Since the subverter can get the coins from the signature and knows the embedded key, they can recover the signing key by decrypting the recovered coins. We use the regular detectability game from Figure 2 with SIG as Λ and SIG.Sign as Λ.Alg λ to reason about the detectability of this ASA.
Detectability under SRDET can be seen as follows: The detector first calls the signing oracle once with some message m and signing key sk, and the state is then set to τ 1 = (G(k), d). The detector then calls the reset oracle with j = 0, and τ 2 is set to τ 0 = ⊥. On a second oracle call with the message m and signing key sk, τ 3 is set to (G(k), d) as before. Let s 1 and s 2 be the two signatures received. Note that the same v and values were used, and hence the samer value was used, to generate both signatures. Hence the detector will observe that s 1 = s 2 with certainty, where this would only be the case some small fraction of the time for an unsubverted scheme, yielding large detection advantage.

Detecting Baek, Susilo, Kim, and Chow's ASA using sophisticated state reset
Baek, Susilo, Kim, and Chow [BSKC19] describe a symmetric ASA against the Digital Signature Algorithm (DSA). Using what they call a small amount of state, they are able to recover the signing key from only 3 subverted signatures. In their paper, they even consider state resets in their formalism of undetectability (and appear to be the first to do so). However, their state resets only set the state back to a null value, and not any previously used state. We show that under our stronger definition allowing resets to any previous state, their subversion is easily detectable despite the small amount of state kept.
We again use the regular detectability game SRDET given in Figure 2, with SIG as Λ and SIG.Sign as Λ.Alg λ , but specify a few more details about the signature scheme SIG, since the ASA from [BSKC19] is specific to DSA signatures. Let H 1 and H 2 be cryptographic hash functions. Let G be a cyclic group of prime order q, and let g be a generator of that group.
We define x to be the signing key and y = g x be the verification key. The algorithm SIG.Sign will first sample κ ←$ Z q , and then return (r, s) ← (H 1 (g κ ), κ −1 (H 2 (m) + xr) mod q).
Let H 3 be a PRF. The ASA from [BSKC19] is shown in Figure 4b. The key idea here is that the signing algorithm will only subvert one out of every two signatures. The signatures are subverted by controlling the way the per-signature randomness κ is generated. A signature is subverted by making the randomness used in a signature dependent on the randomness used in the previous signature, in a way that can be reverse-engineered by the subverter.
Under a state reset where the state is set to initial values, j is reset to 0 and the value of σ is cleared. Then the next signature generated is always an unsubverted one. This proper sampling of randomness leads to undetectability in this case, and indeed [BSKC19] show this. However, if a detector is able to reset state to any previous value, this no longer holds, since all later signatures after the first are deterministically generated based on previous state. Observe the following attack on undetectability. The detector first calls the signing oracle twice with some message m and signing key x, and the state is set to τ 1 = (1, H 1 (g κ )) on the first call, for some randomly chosen κ. The detector then calls the reset oracle with j = 1 so that the next state τ 3 is set to prior state τ 1 = (1, H 1 (g κ )). The detector then makes a third signing oracle call with the same message m and signing key x. Let s 2 and s 3 be the s-values of the second and third signatures received, respectively. The same value ofκ was used to generate both these signatures, so the detector will observe that s 2 = s 3 with certainty, whereas this would be very unlikely in an unsubverted scheme. Therefore after observing only 3 signatures, and using one state reset to a prior state, the detector's detection advantage is extremely close to 1.

Detecting Chen, Huang, and Yung's ASA using state resets
Chen, Huang, and Yung [CHY20] describe an asymmetric ASA against a key encapsulation mechanism (KEM) which is stateful and recovers the encapsulated key using only two consecutive encapsulation ciphertexts. Their subversion works on KEMs that can be decomposed into specific sub-functions, most notably requiring that generation of the ciphertext does not require the public encapsulation key, only the coins used to generate the shared secret key. Furthermore, their attack is asymmetric, meaning it is undetectable (under their definition) even if the key embedded into the subversion is known to the detector. The subverter makes use of a corresponding private extraction key in order to exploit the subversion.
A key encapsulation scheme KEM is composed of three algorithms: KEM.KeyGen, KEM.Encaps, and KEM.Decaps. KEM.KeyGen randomly generates a secret decapsulation key sk and a public encapsulation key pk. KEM.Encaps is a randomized algorithm with coins r ∈ R KEM . It takes a public key and produces a ciphertext c ∈ C KEM , and a session key k ∈ K KEM . For the ASA from [CHY20], we require that it decomposes into three components: 2. KEM.kgen, which takes as input public key pk and randomness r, is used to generate key k ∈ K KEM .
3. KEM.cgen, which takes only the randomness r, outputs ciphertext c ∈ C KEM .
Finally, KEM.Decaps is a deterministic algorithm, takes a private key and a ciphertext, and returns a session key k or an error. Let F be a PRF which takes the embedded key ek and a value in R KEM and returns a value in R KEM . The ASA from [CHY20] is given in Figure 4c. This ASA can be used to recover the established shared key k i , i > 1, using the two consecutive ciphertexts c i−1 and c i : since c i was not the first ciphertext sent, it was generated using subverted randomness τ i . Note that because ciphertext generation does not depend on the public encapsulation key used, the same ciphertext c i−1 is generated for k i−1 with the legitimate encapsulation key and for t i−1 with the subverter's embedded key ek. Hence t i−1 can be obtained by decapsulating c i−1 using xk: t i−1 ← KEM.Decaps(xk, c i−1 ). Then τ i ← F(ek, t i−1 ). This allows one to compute k i ← KEM.kgen(pk, τ i ), the shared key corresponding to the ciphertext c i .
The detection game we use is ASRDET from Figure 2 with KEM as Λ and KEM.Encaps as Λ.Alg λ . This subversion is detectable under our definition. Observe the following attack on undetectability. The detector first calls the encapsulation oracle twice with some encapsulation key pk, and the state is set to τ 1 = τ on the first call, for some randomly chosen τ . The detector then calls the reset oracle with j = 1, and τ 3 is set to τ 3 = τ 1 = τ . The detector then makes a third encapsulation oracle call with the encapsulation key pk. Let c 2 and c 3 be the ciphertexts received from the second and third encapsulation oracle calls respectively. Note that the same value of τ was used to generate both ciphertexts. Hence the detector will observe that c 2 = c 3 with certainty, whereas this would be very unlikely in an unsubverted scheme. Thus, after observing only 3 ciphertexts, and using one state reset to a prior state, the detector's detection advantage is extremely close to 1.
Note that the detection methods for the ASA from [BSKC19] and the ASA from [CHY20] are very similar. Both of these papers purported to have "small" state, which should not be considered unreasonable in practical contexts. However, very simple state resets, as could happen even accidentally with virtual machine images, will result in guaranteed or very likely repetition of output, which is catastrophic for detection.

Undetectability of Bellare, Paterson, and Rogaway's ASA
Contrary to the results we've seen so far in this section, the original "biased ciphertext attack" ASA on symmetric encryption by [BPR14] is still undetectable in our new framework with state resets (specifically, SRDET). In fact, the majority of the proof provided by [BJK15] of the undetectability of their ASA applies directly to the ASA of [BPR14], even in the presence of the state reset oracle.
The subverted encryption algorithm used by [BPR14] is equivalent to the one given in Figure 5a, where F is a PRF which takes a key and a ciphertext of SE.Enc and returns a single bit, and s is a predetermined parameter of the subversion which bounds the number of loops the ASA will execute before returning a value. This description looks very similar to the ASA given in [BJK15]; indeed, we have essentially taken their subversion, and re-included the index-as-state technique that they removed when presenting their improvement over the ASA from [BPR14].
Theorem 1. Let U be an adversary in the regular state reset detectability game in Figure 2, SRDET Sub (U), with symmetric encryption scheme SE as Λ and SE.Enc as Λ.Alg λ , where Sub.Enc is the algorithm given in Figure 5a. If n is the number of queries that U makes to its encryption oracle and η is the min-entropy of SE.Enc, then there is an adversary The running time of F is about that of U, and F makes at most ns oracle queries.
Proof. As much of this proof is the same as that given by [BJK15], we will only include some details. We proceed by a sequence of games. Let H 0 be the regular state reset detectability game of Figure 2 with the appropriate substitutions mentioned in the theorem statement. Let H 1 be the same as H 0 but with F replaced by a lazily-sampled random function of c. Let H 2 be the same as H 1 but with the lazily-sampled random function replaced by fully random sampling of w. Let H 3 be the regular state reset detectability game where the encryption oracle simply returns c ←$ Enc(k, m), and the Reset oracle has no effect.
The first game change is standard, and proceeds exactly as described by [BJK15], for an adversary F. The second game change also proceeds identically to the description given by [BJK15]: in order to replace the lazily sampled random function with true random sampling, we must bound the probability that some value of c is repeated during the game. Call this event P . Since the number of loops for each oracle call is bounded by s, the probability of P occurring is therefore bounded by ns 2 · 2 −η ≤ n 2 s 2 · 2 −η−1 , where n is the number of queries to the oracle and η is the min-entropy of SE.Enc.
Now we have game H 2 , shown in Figure 5b. We argue that H 2 is equivalent to H 3 . In particular, we argue that the implementation of Sub.Enc in the encryption oracle of H 2 is identical to SE.Enc. To see this, note that, despite any runs of the Reset oracle, the value of k[τ ] is fixed at the start of an oracle call. Since w is sampled randomly, the decision of which c to return is independent of the state τ , and is in fact the same as simply sampling coins r and returning the resulting ciphertext c. This is precisely SE.Enc.
In H 3 , since the oracle behaviour is independent of b, we have that Pr[H 3 ] = 1 2 . Putting together all these results, we have The number of queries n is polynomially bounded, and 2 −η is negligible for most randomized schemes. The value of s can be set to a small constant without a strong effect on the success of the ASA, and we assume that 2Adv PRF The game H2 for the proof of Theorem 1. Hence we can conclude from Theorem 1 that the ASA defined in Figure 5a is undetectable under state resets, even to any prior state.

Discussion
The reader may find the results in this section to not be technically deep, and indeed they would be correct. We included significant details nonetheless in order to demonstrate precisely the implications of our model. Firstly, the simplicity of the state reset detection attacks in Subsection 3.1 raise the question of why these attacks were not considered in a formal manner previously in the literature, despite being pointed out as early as [BJK15]. Secondly, the similarity of the proof in Subsection 3.2 to the proofs of [BJK15] raises the question of why the norm of stateful schemes being considered less desirable was adopted so readily.
Perhaps there is reason not to consider such a strong notion of state reset in certain circumstances. However, the above results do show a couple things conclusively. Firstly, for researchers who avoid or discount stateful schemes, it should be made clear what detection threat model they are working in. Secondly, for researchers who develop stateful schemes, undetectability should be proven in a formal model including some version of state reset, or detection methods in such a framework should be acknowledged. As we have previously mentioned, we believe our notion of state reset is a good choice for analysis, as it formalizes the kind of resets that can occur during virtual machine cloning and rebooting, but weaker models might be justified depending on the threat model.

A Type 1 Asymmetric ASA on Symmetric Encryption
Now that we have established a good framework from which to evaluate the undetectability of stateful ASAs, we will present a simple modification to the subversion from [BPR14] to get a type 1 asymmetric ASA on a symmetric encryption scheme. Recall that a type 1 asymmetric ASA must be undetectable in the augmented state reset detectability game ASRDET of Figure 3.
In order to construct an asymmetric ASA which is undetectable against an adversary with the embedded key, we will use an additional building block: public-key encryption with ciphertexts that are indistinguishable from random. We recall the notion of ciphertext indistinguishability from random bits for public-key encryption schemes: let PKE be a public-key PKE.clen 5. return c Figure 6: The ciphertext indistinguishability-from-random game for a public-key encryption scheme PKE.
encryption scheme, and consider the game in Figure 6. In this game, adversary B is tasked with deciding whether the oracle provided to it is returning encryptions under PKE.Enc or random bits. The advantage of B is defined as Informally, we say that the scheme PKE is IND$-secure if the advantage of any efficient adversary B is small.
We present our asymmetric ASA, ASub, against a symmetric encryption scheme SE, in Figure 7. This ASA uses an IND$-secure public-key encryption scheme PKE, and a parameter s to bound the number of loops the ASA will execute before returning a value. The essence of the subversion is that the secret key to be exfiltrated is encrypted using the public-key encryption scheme, then a technique similar to that used by [BPR14] is used to leak the resulting ciphertext. The subverter can recover the key by decrypting the extracted ciphertext.
ASub.Enc(k, m, ek, τ )  In practice, the main advantage to a type 1 asymmetric ASA lies in the fact that the subverter maintains possession of all information required to complete their attack. This differs from the symmetric case, where the same key used to extract values from the target user is also embedded in the algorithm that the target user is using. There are practical situations in which it may be relevant to consider the possibility of a detector who knows ek. For example, suppose the user is aware of other subverted implementations, for which the corresponding ek is known, and wishes to test if the implementation they are using has also been subverted with the same key. In this section, we will consider the user U as being the detector with knowledge of the key ek. Indeed, if an ASA is undetectable in our augmented detection game ASRDET, then neither the user nor anyone else without the key xk is able to detect the ASA, and hence no third party is able to exploit the ASA either. In Section 5, we will consider a type 2 asymmetric ASA, which is undetectable to a user without ek, and detectable to, but nonetheless still secure against, a third party with knowledge of ek. This will more fully explore the nuance associated with the benefits of an asymmetric ASA with respect to all parties who may possibly be involved.
The main drawback of an asymmetric ASA, especially when it comes to attacking symmetric schemes, is speed. An asymmetric ASA that makes use of asymmetric cryptography will inevitably be slower than the symmetric algorithms being subverted. This exacerbates an existing issue with many ASAs that rely on coin rejection sampling, including ours: since the algorithm being subverted must be run multiple times, a detector could time the execution of the algorithm and conclude that a slower algorithm is subverted (this side-channel attack is not captured in our framework). We do note, however, that our ASA uses far fewer executions of asymmetric algorithms than symmetric ones, and moreover the asymmetric executions can be done ahead of time (but must be after the algorithm substitution has occurred). One could imagine a clever implementation of our ASA where the evaluation of PKE.Enc is spread out over many calls to ASub.Enc, amortizing the time penalty added by the use of a public-key encryption scheme.

Undetectability of our type 1 asymmetric ASA
The following theorem shows that ASub of Figure 7 is undetectable in the augmented state reset detectability game ASRDET, when modeling F as a random oracle.
Theorem 2. Let U be an adversary in the augmented state reset detectability game in Figure 2, ASRDET ASub (U), with symmetric encryption scheme SE as Λ and SE.Enc as Λ.Alg λ , where ASub.Enc is the algorithm given in Figure 7. Assume that F is an ideal hash function, which we model as a random oracle H. If n, q are the number of queries that U makes to its encryption oracle and the random oracle respectively, and η is the min-entropy of SE.Enc, then there is an adversary B against the IND$-security of PKE such that Adv ASRDET The running time of B is about that of U and B makes n queries to its own encryption oracle.
Proof. Consider the augmented state reset detectability game of Figure 2, with all the substitutions in the theorem statement, and F modeled as the random oracle H provided to the adversary U. This is shown in Figure 8, as G 0 . The oracle H only takes input c, since ek is fixed throughout the game.
We proceed by a sequence of games G 0 , ..., G 4 , as shown in Figure 8. Let G 0 be the undetectability game with the random oracle implementation. G 1 is the same as G 0 but with κ sampled randomly instead of computed as an encryption of k. G 2 and G 3 are shown in Figure 8. G 4 is the augmented state reset detectability game where the encryption oracle is replaced by an oracle that simply returns SE.Enc(k, m).
Let B be an adversary to the IND$ game for PKE. The adversary B will act as a challenger in the game G 0 with a few small changes: it will not generate a key pair itself, instead using the public key pk provided to it in the IND$ game; it will return 1 if U correctly guesses the bit b and 0 otherwise; and it will use its provided O PKE.Enc oracle in the place of PKE.Enc. This can all be done efficiently. In this way, B interpolates between games G 0 and G 1 . In particular, let b $ denote the bit from the IND$ PKE (B) game. Note that if b $ = 1, then the Enc oracle simulated by B proceeds exactly as in game G 1 , and if b $ = 0, then it proceeds exactly as in game  Figure 8. We claim that Pr[G 2 ] = Pr[G 1 ]. To see this, note that lines 1-10 of the Helper 1 function simply act as bookkeeping in order to use a single bit of κ for each encryption, and to generate a new κ once we've iterated through its bits. The index σ is used to iterate through κ and κ is re-sampled when all the bits are used. This procedure is identical to sampling a single random bit for each call, hence our equality. Notice also that this removes any dependence on the state, and so the state reset oracle no longer has any function. The only other change is the addition of a bad variable, used in the next game transition.
In game G 3 , shown in Figure 8, we replace the selection of w in the encryption oracle with true random sampling of w, regardless of whether c was input to the random oracle before. Let Col be the event where bad is set to true in game G 2 . This happens when some c previously generated by the encryption oracle or previously queried in the random oracle is obtained again during an encryption oracle query. We can bound Pr[Col] from above by considering the case where all the random oracle queries happen before the encryption oracle queries. Let η be the min-entropy of SE.Enc. Then we have that Pr[Col] ≤ ns+q 2 − q 2 · 2 −η = ((ns) 2 + 2nsq − ns) · 2 −η−1 . G 0,1,2,3,4 (U) (c, τi) ←$ Helper 0/1 (k, m, ek, τi−1)  Finally, G 4 is the detectability game where the encryption oracle is replaced by an oracle that simply returns SE. Enc(k, m). In game G 3 , since the loop condition is no longer dependent on the selection of c, the Helper 3 is identical to SE. Enc(k, m) Putting all these results together, we have as desired.
Assuming that PKE is IND$-secure and that n and q are small in comparison to 2 η , which is the case for a sufficiently randomized encryption scheme, Theorem 2 shows that the ASA given by the subversion in Figure 7 is undetectable in the augmented state reset detection game ASRDET, proving our claim that ASub is a type 1 asymmetric ASA.

Key recovery of our type 1 asymmetric ASA
The goal of the ASA presented in Figure 7 is to recover the secret key k used in the encryption algorithm SE.Enc. Some authors, such as [BJK15], have treated key recovery formally with a key recovery game. Their approach largely carries over here, and one could readily develop a theorem bounding from below the probability that the subverter can recover the secret key for our ASA. We will only outline the ideas involved to give the reader a good sense of how key recovery works.
Once the subverted algorithm is being used by a user, the subverter will attempt to recover the secret key k by observing the generated ciphertexts. These ciphertexts are generated according to a message distribution that the subverter has no control over, and hence the recovery strategy will be independent of the messages used. For our ASA, the subverter can use the following method to recover the secret key: 1. Collect ciphertexts c 1 , ..., c n .

Group ciphertexts together into consecutive groups of size PKE.clen.
3. For each ciphertext c σ in each group, compute w σ = F(ek, c σ ).
4. For each resulting group of bits, concatenate all the w σ to obtain κ and compute k = PKE.Dec(xk, κ).

Each k obtained in step 4 is a candidate for k.
We can estimate the probability of success of key recovery. We make a few simplifying assumptions; namely, that F is a good PRF, and that there is sufficient randomness in SE.Enc so that no two of the ciphertexts c 1 , ..., c n are the same. The effect of these assumptions can be quantified 2 , but we will omit those details here, and simply note that such quantification will result in 2Adv PRF F (F) + n 2 s 2 · 2 −η−1 , where η is the min-entropy of SE.Enc and F is a PRF adversary, being subtracted from the probability of key recovery. These assumptions allow us to calculate the success probability when all the w values are randomly generated, which is much simpler.
Suppose that PKE is a δ-correct public-key encryption scheme. Let n be the total number of ciphertexts intercepted by the subverter. For each group of PKE.clen ciphertexts (of which there are n /PKE.clen ), the probability that every ciphertext c in the group was chosen to successfully leak a bit (κ[σ] = F(ek, c)) is (1 − 2 −s ) PKE.clen (this is where we assume each w is random), and the probability that the group decrypts correctly is δ. Hence the probability that one of the keys k obtained in step 5 is the key k is P kr = 1 − 1 − δ(1 − 2 −s ) PKE.clen n PKE.clen . As an example, suppose PKE.clen = 400 (an IND$-secure public-key scheme with ciphertext lengths around this is given by Möller [Möl04]), n = 1600, s = 7, and δ = 1. Then P kr ≥ 0.6. The value of s can easily be increased to improve this probability, for example, if δ is lower, PKE.clen is higher, or the number of ciphertexts n that the subverter can intercept is small.

Key recovery in the presence of state resets
We note here that if the the user of the encryption scheme performs regular state resets of the type used in the detection scenario, then key recovery becomes very unlikely for this ASA. Since the entire PKE ciphertext κ must be exfiltrated before the subverter is able to decrypt it to recover k, reset of state would restart the process of key recovery. Since κ is required to be indistinguishable from random, we do not have the option of reconstructing the same κ after a state reset. With PKE.clen = 400, a state reset after every 399 encryptions would successfully thwart this ASA.
Such a defense may or may not be practical, depending on the specific implementation of the encryption scheme and the execution environment. For example, a user may not have sufficient access to an encryption scheme provided to them as a black-box to perform such state resets, and would rely on the provider of the encryption service to include such a mitigation. Furthermore, the performance impacts may be significant. Clearing sections of memory between encryptions may be a quick operation, but the ASA may decide to place state in storage instead (at increased risk of being detected from storage monitoring). Resetting to a previous virtual machine image would thwart this as well, but at increased performance cost. Such performance penalties may be mitigated by containerized implementations of cryptographic schemes. We encourage future work on the feasibility of this approach, and more generally on the use of state resets as a countermeasure to ASAs.

A Type 2 Asymmetric ASA on Symmetric Encryption
In the last section, we presented a type 1 asymmetric ASA, where no other parties besides the subverter, even if they have the embedded key ek, would be able to detect the subversion. In this section we will explore a more nuanced requirement of undetectability. In fact, we will present an asymmetric ASA that is detectable in the augmented detectability game in Figure 2, but undetectable in the regular detectability game. This is a type 2 asymmetric ASA.
To see why such an ASA may still be relevant, consider again the context of an ASA. There are three relevant parties: the subverter, the user U, and some third party V. The subverter is executing an algorithm substitution attack on U. It is critically important that U is not able to detect the ASA, since then U will stop using the subverted scheme. The subverter relies on the fact the U is not able to examine the code being used. Hence the situations in which U knows the embedded key ek, but does not already know of the subversion, are limited. With this reasoning, we can restrict ourselves to evaluating the detectability of an ASA with respect to a user U only in the regular detectability game, regardless of whether or not the ASA is symmetric or asymmetric.
On the other hand, the requirements on the third party V are different, and for a type 2 asymmetric ASA we will allow for the possibility that a sophisticated third party V is able to reverse-engineer the cryptographic scheme and obtain the key ek or outright detect the scheme in this way. Such a V may not have decision-making authority to change the scheme being used, so it may not be catastrophic for V to be able to detect the ASA. Hence requiring augmented undetectability with respect to V is not necessary. The real requirement for a type 2 asymmetric ASA is that the subverter is the only one able to take advantage of the subversion and break the security of the subverted scheme. To reflect this, we can simply require that the subverted algorithm ASub.Alg λ preserve security properties of the original algorithm Λ.Alg λ . 3 The situation described above admittedly has stronger behavioural assumptions on the involved parties than the one we covered in Section 4, where we proved that even V would not be able to detect the subversion. The reason that we wish to consider this more restricted context is that we will be able to construct a type 2 asymmetric ASA (one that satisfies the above notion of undetectability) that is less susceptible to detection via timing side channels. We will still use a repetition parameter s in the same way as in the ASA from Section 4, but key recovery will be possible with a smaller s.
Before continuing, we will define the notions of IND-CPA security for symmetric and asymmetric encryption. This is a weaker form of security than IND$ we used in Section 4 (which implicitly was in chosen-plaintext form), but it is all we will require in this section. The IND-CPA games for symmetric encryption scheme SE and public-key encryption scheme PKE are given in Figure 9.
The advantage of B at each of these games is Adv We use a "multi-challenge" IND-CPA game, where B is not limited to a single challenge ciphertext from which it has to guess. This multi-challenge game has been used, for example, by Rogaway [Rog04]. We choose to use this particular notion, as it more closely resembles our detectability games, leading to proofs that are easier to follow. Security of multi-challenge IND-CPA follows from single-challenge security using a hybrid argument.
We now present our type 2 asymmetric ASA ASub2. Let SE be a symmetric encryption scheme. Let PKE be an IND-CPA-secure public-key encryption scheme, and let F be a PRF with output space {1, ..., PKE.clen} × {0, 1}. Then ASub2, an ASA on SE is shown in Figure 10, where s is a parameter of the subversion to bound the loops as before.
ASub2.Enc(k, m, ek, τ ) The function ASub2.Enc bears many similarities to ASub.Enc from Section 4 and to the ASA of [BJK15]. In fact, the ASA ASub essentially consists of encrypting k to κ using IND$-secure publickey encryption, and then leaking κ using the same techniques as [BPR14]. The ASA ASub2, on the other hand, consists of encrypting k to κ using IND-CPA-secure public-key encryption, and then leaking κ using the same techniques as [BJK15]. We will explore some of these parallels in Section 6.
The fundamental difference between the two ASAs ASub and ASub2, as well as the reason for no longer requiring PKE to be IND$, becomes evident when we consider how an adversary V in possession of the key ek is able to interact with the scheme. Informally, the subverter is able to obtain k because anyone with ek can obtain κ, and the subverter can obtain k from κ using xk. In the case of ASub, we required PKE to be IND$ so that the adversary V would not be able to distinguish the κ they obtain by this process from random bits. Making sure to never leak the same bit of κ twice, we proved that this makes the scheme undetectable. For the ASA ASub2, even an IND$ scheme would not provide this guarantee. Re-use of the same κ for more than |κ| encryptions is required: randomization of the leaked bit of κ on each execution means that V cannot be sure all have been leaked. Therefore all (index, bit)-pairs that V receives using this decoding process that have the same index will also have the same bit with certainty, and this is unlikely in an unsubverted scheme. While not undetectable, we can still show that the subverted scheme is secure against V, implying that V is not able to recover the secret key in the same way as the subverter.
In the rest of this section, we will prove that ASub2 is a type 2 asymmetric ASA. That is, we will prove that the scheme is (1) undetectable to the user U in the regular detection game, (2) secure against the third party V, and (3) that the subverter can recover the secret key k.

Undetectability of our type 2 asymmetric ASA
We first prove undetectability of ASub2 against an adversary U in the regular state reset detectability game SRDET.
Theorem 3. Let U be an adversary in the regular state reset detectability game in Figure 2, SRDET ASub2 (U), with symmetric encryption scheme SE as Λ and SE.Enc as Λ.Alg λ , where ASub2.Enc is the algorithm given in Figure 10. If n is the number of queries that U makes to its encryption oracle, and η is the min-entropy of SE.Enc, then there is an adversary F against the PRF-security of F such that Adv SRDET ASub (U) ≤ 2Adv PRF F (F) + (ns) 2 · 2 −η−1 . The running time of F is about that of U, and F makes at most ns oracle queries. Proof. We proceed by a sequence of games. Let I 0 the regular state reset detectability game of Figure 2, with all the substitutions in the theorem statement. Let I 1 be the same as I 0 but with F replaced by lazy random sampling; this is given in Figure 11. Let I 2 be the same as I 1 but with w and σ sampled randomly instead; this is also given in Figure 11. Let I 3 be the regular state reset detectability game where the encryption oracle is replaced by an oracle that simply returns SE.Enc(k, m), and the Reset oracle removed.
Consider first games I 0 and I 1 . Similarly to the proof of Theorem 3, this is a straightforward gamehop based on indistinguishability of the PRF F, so we omit the detailed reduction. Instead, note that an adversary F in the PRF F (F) game is able to completely simulate the games I 0 and I 1 for an adversary U using the oracle provided to it in place of (c, τ ) ←$ ASub2.Enc(k, 0, ek, τ ) 5. return c Figure 12: The IND-CPA game for asymmetric ASA ASub2. Now consider games I 1 and I 2 . In game I 2 , we replace the selection of w and σ in the encryption oracle with true random sampling of w and σ, regardless of whether c was input to the random oracle before. Let Col be the event where bad is set to true in game I 2 . This happens when some c previously generated by the encryption oracle is obtained again during an encryption oracle query. We upper bound Pr[Col]: let η be the min-entropy of SE.Enc. Then we have that Pr[Col] ≤ ns 2 · 2 −η ≤ (ns) 2 · 2 −η−1 . By the Fundamental Lemma of Game-Playing [BR06], we have | Pr[ Finally, I 3 was defined as the detectability game where the encryption oracle is replaced by an oracle that simply returns SE.Enc(k, m). In game I 2 , since the loop condition is no longer dependent on the selection of c, the implementation ASub2.Enc 2 is identical to SE.Enc(k, m). Hence Pr[I 2 ] = Pr[I 3 ]. Further, note that Pr[I 3 ] = 1 2 , since the encryption oracle in I 3 is not dependent on b.
Putting all these results together, we have as desired.

Security of our type 2 asymmetric ASA
We prove here that the ASA ASub2 is secure against an adversary V who has knowledge of ek. "Secure", here, should mean in the same sense as the original symmetric encryption scheme: IND-CPA. However, we cannot apply this notion directly to ASub2, since the IND-CPA game does not provide the necessary parameters. Instead, we introduce the modified game IND-CPA on ASub2 with adversary V, shown in Figure 12. This game contains the required modifications to Figure 9 in order to include the function ASub2.Enc, as well as providing the embedded key ek to the adversary V. Assuming that SE.Enc is IND-CPA secure, we say that ASub2.Enc is secure if it is IND-CPA secure against V. If n is the number of oracle queries that V makes, then B 1 makes n queries to its own oracle, and B 2 makes at most ns queries to its own oracle. Proof. We proceed by a sequence of games. Let J 0 be the IND-CPA ASub2.Enc (V) game. Let J 1 be the same as J 0 but with κ computed as an encryption of 0 instead of as an encryption of k. Let J 2 be the same as J 1 but with c computed as an encryption of 0 instead of as an encryption of m. All of these games are shown in Figure 13. Let B 1 , defined in Figure 13, be an adversary to the IND-CPA game on PKE. Acting as a challenger, B 1 simulates the IND-CPA game on ASub2 for V, in particular using the PKE.Enc oracle and public key given to it to simulate ASub2.Enc.
Let b pke denote the bit from the IND-CPA PKE (B 1 ) game. Note that if b pke = 1, then the Enc oracle simulated by B 1 proceeds exactly as in game J 1 , and if b pke = 0, then it proceeds exactly as in game J 0 . Thus we have Pr Figure 13, be an adversary to the IND-CPA game on SE. Acting as a challenger, B 2 simulates the game J 1 for V, in particular using the SE.Enc oracle given to it to simulate ASub2.Enc 1 .
Game J 2 is given in Figure 13. The only change from J 1 is that the oracle will now always use 0 in the place of m. Putting all these results together, we have as desired.
Assuming that PKE and SE are IND-CPA-secure, this result shows that ASub2 is IND-CPA secure against an adversary V in possession of the embedded key ek.

Key recovery of our type 2 asymmetric ASA
As in Subsection 4.2, we will treat key recovery somewhat less formally than detectability, and focus on the recovery probability in the case where there is sufficient randomness in the encryption scheme SE.Enc and sufficient unpredictability in the function F to assume that all the σ and w values generated are random.
The following method for key recovery is identical to that of [BJK15], with the extra step of public-key decryption at the end: 1. Collect ciphertexts c 1 , ..., c n . Initialize κ to a string of length PKE.clen of null values.

For each ciphertext
The probability of success here can be calculated by making use of a coupon-collector problem analysis. 4 Suppose PKE is δ-correct. The probability that every ciphertext was chosen to successfully leak a bit (F(ek, c) = κ[σ]) is (1 − 2 −s ) n . Let be the length of κ. Then the probability that a given index of κ was never selected is (1 − 1/ ) n (assuming F is random). Hence the probability that at least one of the indices was never selected is at most (1 − 1/ ) n , and the probability that the full κ can be recovered is at least (1 − 2 −s ) n · (1 − (1 − 1/ ) n ). Considering any decryption failures in PKE, we have that the probability of recovery of the key k is P kr = δ · (1 − 2 −s ) n · (1 − (1 − 1/ ) n ). This is sufficient for establishing key recovery in a theoretical setting. [BJK15] give example values of s = 13, = 128, and n = 896, with key recovery probability close to 1/2. In our setting, we have PKE.clen ≈ 400, and hence we require more ciphertexts. With n = 2900, s = 13, δ = 1, = 400, we get a key recovery probability above 1/2. But this analysis does not account for other ways that key recovery could be performed. In fact, it should be clear that even in the presence of erroneous encodings (i.e. some ciphertext c is returned such that F(ek, c) = κ[σ]), the subverter may still be able to recover the correct key if there are enough ciphertexts to encode each index several times. To illustrate this better strategy, consider modifying the above strategy so that in step 2, the subverter takes the most probable value of w for each ciphertext, based on the number of times 0 or 1 was observed. This strategy will tolerate far more errors than our above analysis, while still recovering the key. It may require many ciphertexts to ensure there are large samples to draw from, but simultaneously it enables a smaller s value, since as n grows, the error rate is primarily determined by s.
We evaluated this strategy with a simulation, assuming that the probability of correctly encoding a key bit in a ciphertext is exactly 1 − 2 −s . In our case, the length of the value to leak, κ, is around 400, and with s = 2 and n = 14000, this majority-voting strategy enables key recovery in over 50% of cases.
This method of key recovery could be even further improved with the observation that the subverter could brute-force a small number of key bits. Given that the incorrectly decoded key bits are more likely to have fewer samples or closer tallies between correct and incorrect encodings, errors may be easy to identify. We will not include this possibility in our analysis.
To further illustrate the tradeoff between n and s, we plotted our simulated results on the graph in Figure 14. The graph shows the smallest n value (rounded up to the nearest 100) that results in 50% and 5% key recovery probability (with |κ| = 400) for each value of s. We could use a smaller value of |κ| here, since we do not require PKE to be IND$ for our type 2 asymmetric ASA, but using |κ| = 400 certainly provides an upper bound. The values given by the theoretical key recovery probability above are included in red for comparison; values of s lower than 13 and 11 were not able to provide key recovery probability above 50% and 5% respectively for any value of n. Of particular interest are lower values of s: experimental results show it is possible to use values s = 6 or smaller, while the theoretical probability would imply that these values of s are unusable.
The main difference between the simulation values and the theoretical approximation comes from the requirement, in the theoretical case, that all attempts to encode key bits in ciphertexts must succeed. With small s, (1 − 2 −s ) n actually gets smaller as n gets larger and dominates the key recovery estimation, whereas the key recovery probability should increase when more samples are collected. Directly calculating the complicated probability expression of key recovery without this assumption is precisely the difficulty that we are avoiding with the simulation.
Earlier, we noted that one of the advantages of this ASA over the ASA in Section 4 was better resilience to timing detection. Recall that the parameter s determines the maximum number of regular encryptions that the subverted encryption algorithm will do to return one ciphertext. Effectively, the runtime of the subverted scheme is up to s times the runtime of the unsubverted scheme. Knowing this, a large s would allow a user to detect the ASA by timing the execution of the algorithm. We have shown that the ASA ASub2 allows key recovery with s = 2, which is the smallest value we can achieve with this acceptance-rejection framework.
While we haven't included timing attacks in our formalism, it is an important area of future work. Even with s = 2, a timing attack would easily detect ASub2. It is not clear if there is any way to modify these techniques to achieve a general ASA which is resistant to timing attacks. Indeed, a value of s = 1 would be identical to unsubverted encryption, and there is no obvious way to implement a non-integer value of s. Perhaps an ASA based on acceptance-rejection techniques could have an expected value of s lower than 2, and avoid detection by timing in this manner. Of the published ASAs we evaluated in Section 3, [BSKC19] and [CHY20] avoided timing detection by using an efficient ASA, where the execution time of the subverted algorithm is approximately the same as that of the unsubverted algorithm, but at the cost of making detectable use of state under state reset attacks. This therefore leaves a gap in the literature: are there ASAs which are undetectable under state resets and timing attacks, using acceptance-rejection techniques or otherwise?

Key recovery in the presence of state resets
As for our type 1 ASA from section Section 4, regular state resets would reduce key recovery probability of the ASA in this section as it is currently written. However, in this case, it is possible to modify the scheme to maintain key recovery in the presence of state resets. Making PKE deterministic effectively removes dependence of the ASA on any state at all, since the value of κ can be recomputed without state (keeping state anyway would allow the ASA to do the work of recomputing κ only when the state is reset, mitigating some of the inefficiency of this process). If the ASA does not require state, then key recovery works just as well during state resets as without them.
If PKE was deterministic, this would also allow for the possibility of shorter PKE ciphertexts. For example, Bellare, Boldyreva, and O'Neill provide a deterministic PKE scheme which conserves plaintext length. If |κ| = |k| = 128, then key recovery would require fewer ciphertexts. For example, the simulated 50% recovery values in Figure 14 would converge to 700 instead of 2600.
Unfortunately, deterministic PKE causes difficulties for our security analysis in Subsection 5.2. Theorem 4 bounds the IND-CPA advantage against ASub2 using the IND-CPA security of PKE, which would no longer be appropriate for a deterministic PKE. To address this, we would need to instead use security notions for deterministic PKE. Bellare et al. provide security notions for deterministic PKE under the condition of high-entropy plaintexts [BBO07], which applies to our case (k is the only plaintext encrypted, and is high-entropy). An analogue to Theorem 4 would need to be proven with this new security notion in order to prove that an ASA using deterministic PKE is a type 2 asymmetric ASA.

Generalized Modifications to Obtain Asymmetric ASAs
In this section, we will explore how the techniques of Sections 4 and 5 generalize. So far, we have only considered asymmetric ASAs on symmetric encryption. Our asymmetric ASAs could be seen as modifications of existing symmetric ASAs. In this section, we will show that these modifications could be done in a much more general manner, without specifying either the cryptographic primitive or the underlying symmetric ASA.
Flexible ASAs. This generalization will apply only to a subclass of symmetric ASAs. A reader might have noticed that the techniques of [BPR14] and [BJK15] could be used to leak any value, and not just the key k. Indeed, it is this property of a symmetric ASA that will allow for a transformation into an asymmetric one.
A flexible ASA fSub of a cryptographic scheme Λ is an ASA that satisfies these additional constraints: • fSub.Alg λ takes an additional parameter µ ∈ M . We call M the space of leakable values. We will assume that M consists of all bit strings.

Figure 15:
The regular and augmented state reset detection games for flexible ASAs is on the left, and the game ASRDET$ is on the right. The augmented game includes the code in the box, while the regular one does not. The ASRDET$ game is a modification that generates a random µ on each invocation of O Alg λ instead of using the supplied value.
• The subverter A must be able to recover µ from observation of outputs of fSub.Alg λ (·, ek, τ, µ) (analogous to the requirement of key recovery). This must be possible efficiently, as a function of the length of µ We define the regular and augmented state reset detectability games SRDET fSub (U) and ASRDET fSub (U) for a flexible ASA fSub in Figure 15. These are modifications to the games in Figure 2 to include µ. The adversary U supplies the value for µ when invoking its oracle, allowing the leaked value to be related or unrelated to any secret information intended to be used in the cryptographic scheme.
We also define a game ASRDET$, shown in Figure 15, which we will use in Theorem 5. This game generates a random bit µ instead of using the value given to the oracle.
For our general treatment in this section, we will work with abstract security games. Let Λ be a cryptographic scheme. Let SEC be a cryptographic game with adversary A, which interacts with A by providing some oracles to A based on the algorithms of Λ, and specifies a value φ ∈ [0, 1]. The advantage of A at the game SEC is defined as Adv SEC Λ (A) = | Pr[SEC(A)] − φ|. This generalization encompasses the security notion of IND-CPA for symmetric encryption used in Section 5, as well as security notions such as unforgeability on signature schemes and MAC tags, and others.
As in Section 5 with the IND-CPA game, we require a modification to the SEC game when talking about subversions. Let SEC be a security game on a cryptographic primitive Λ. Let fSub be an ASA on Λ. We will assume without loss of generality that all invocations of the algorithm Λ.Alg λ occur within oracles provided to the adversary A. Define SEC on fSub to be the same as SEC but with the following modifications: • A state τ (initialized to ⊥) and embedded key ek (generated with fSub.KeyGen) are assigned at the beginning of the game, and ek is provided to the adversary A (i.e. A is invoked with ek as a parameter and its output is ignored).
• For any oracle O provided to the adversary A which invokes Λ.Alg λ , O is modified to take µ as an additional parameter. Call these oracles µ-oracles.

D O PKE.Enc
From here, we note that, as in the proof of Theorem 2, the first lines (lines 1-10 in adversary D 1 's Helper) of the implementation of Γ 1 (fSub).Alg λ in game L 1 act as bookkeeping in order to use exactly one new random bit µ at a time in fSub.Alg λ . Substituting these lines for µ ←$ {0, 1} and moving this line to the first line of the oracle call gives us precisely the game L 2 = ASRDET$ fSub (U 1 ), and Pr[L 1 ] = Pr[L 2 ].
Taken together we get as desired.
Proving Γ 2 (fSub) is a type 2 asymmetric ASA. Next we deal with both the regular undetectability and the security of Γ 2 (fSub), proving that Γ 2 (fSub) is a type 2 asymmetric ASA. The security of Γ 2 (fSub) is evaluated using the game SEC g Γ2(fSub) , and an adversary's advantage at this game is bounded by using the game SEC fSub . In this sense, we are relating the security of Γ 2 (fSub) to the security of fSub in the situation where the adversary must provide the value of µ, the "value to be leaked" by fSub. If an adversary must provide the value to be leaked, then we would expect that there is nothing more to be learned for the adversary, unless the scheme is leaking information in other ways. Thus, intuitively, what we require is that fSub is not leaking any additional information; this is codified in the game SEC fSub . This provides the intuition for our security result, and the formalization of what is required from fSub to ensure that Γ 2 (fSub) is secure.
Theorem 6. Let Λ be a cryptographic scheme. Let fSub be a flexible symmetric ASA on Λ. Let SEC be a security game on Λ. Let g be a selection function for the game SEC . Let U 1 be an adversary for the SRDET game on Γ 2 (fSub) and V 1 be an adversary for the SEC g game on Γ 2 (fSub). Then there is an adversary U 2 such that Adv SRDET Γ2(fSub) (U 1 ) = Adv SRDET fSub (U 2 ), and adversaries D 2 and V 2 such that Adv SEC g Γ2(fSub) (V 1 ) ≤ Adv SEC fSub (V 2 ) + 2Adv IND-CPA PKE (D 2 ). The running time of U 2 is about that of U 1 and U 2 makes the same number of queries to its own oracle as U 1 . The running time of D 2 is about that of V 1 , and D 2 makes the same number of queries to its own oracle as V 1 . If the number of oracle queries that V 1 makes is n, then the running time of V 2 is about that of V 1 , plus the running time of PKE.KeyGen, plus the running time of PKE.Enc times n. For each oracle in the game SEC, V 2 makes the same number of queries to its corresponding oracle as V 1 does.
Proof. For the undetectability result, we will construct the adversary U 2 directly; the construction is given in Figure 18. We claim that U 2 exactly simulates the game SRDET Γ2(fSub) for U 1 .
To see this, observe that for any query to O Γ2(fSub).Alg λ that U 1 makes, the value of µ passed to O fSub.Alg λ is an encryption of µ under PKE. Furthermore, the same encrypted µ is reused in all invocations of fSub.Alg λ unless τ i−1 = ⊥, in which case it is recomputed. This is exactly the behaviour of the SRDET Γ2(fSub) game. Hence Pr SRDET Γ2(fSub) (U 1 ) = Pr[SRDET fSub (U 2 )], giving our result.
For the security inequality, we will proceed by a sequence of games. Let K 0 be the game SEC g Γ2(fSub) (V 1 ). Let K 1 be the game SEC 0 Γ2(fSub) (V 1 ), where the 0 in the superscript represents the function that outputs 0 on all inputs. Let K 2 be the game SEC fSub (V 2 ).
Let D 2 be an adversary to the IND-CPA game for PKE that simulates games K 0 and K 1 for V 1 by using its own O PKE.Enc oracle in place of PKE.Enc. This is shown in Figure 18.
Let b PKE denote the bit from the IND-CPA PKE (D 2 ) game. Note that if b PKE = 1, then the oracle simulated by D 2 proceeds exactly as in game K 1 , since in K 1 the only value of µ passed to the Helper function is 0. If b PKE = 0, then D 2 proceeds exactly as in game  : Adversaries U 2 , D 2 , and V 2 for the proof of Theorem 6. For U 2 and V 2 , queries made by U 1 and V 1 to their oracles are answered by using the oracles provided to them as indicated. D 2 runs the indicated code to simulate the SEC g game, and any oracle query that would use Γ 2 (fSub).Alg λ (x, ek, τ, µ) is answered using the code in Helper.
Next, we will construct the adversary V 2 in the game SEC fSub directly. Suppose that the game SEC provides oracles O j for 1 ≤ j ≤ t, each with inputs labeled x and outputs labeled y as tuples. After being modified for game SEC , assume that oracles O 1 , ...O t1 for some 1 ≤ t 1 ≤ t are µ-oracles, and the rest are not. The adversary V 2 is given in Figure 18.
We claim that V 2 exactly simulates the game SEC 0 Γ2(fSub) for V 1 . The argument and construction are very similar to the symmetric detectability result. Observe that for any query to any oracle accepting a parameter µ that V 1 makes, the value of µ passed to V 2 's oracle O j is an encryption of 0 under PKE. Furthermore, the same µ is reused in all future oracle invocations. All oracles not accepting a parameter µ are provided directly to V 1 . This exactly simulates the SEC 0 Γ2(fSub) game. Hence Pr[K 1 ] = Pr SEC 0 Γ2(fSub) (V 1 ) = Pr SEC fSub (V 2 ) = Pr[K 2 ]. Combining these results, we get as desired.
For the symmetric subversions on symmetric encryption from [BPR14] and [BJK15], we can show that the quantities Adv SEC fSub and Adv ASRDET$ fSub are small for any adversary; the proofs in Section 4 and Section 5 did essentially that. Proving these advantages are small for a given flexible ASA fSub would allow one to draw conclusions about the undetectability and security of Γ 1 (fSub) and Γ 2 (fSub) using the theorems in this section.

Discussion and Future Work
In this work, we formalized the approach of using state resets to detect ASA, and showed how asymmetric ASAs can be constructed from symmetric ASAs. A key observation of our work is that many published ASAs are detectable via realistic state reset attacks (such as virtual machine snapshotting) despite having small state. As such, we encourage future threat models to incorporate this notion of state resets when evaluating the detectability of new ASAs.
We identify several topics that warrant further exploration.
Our type 1 and type 2 asymmetric ASAs have running times that are multiple times longer than the algorithms they subvert. This would make them detectable by a user or other adversary who is able to time execution of the algorithm. Furthermore, all of the published ASAs which are more efficient (in the sense of running times closer to those of the underlying algorithm) are, to our knowledge, detectable in the presence of state resets. An interesting direction for future work is modeling detection of ASAs based on running time and developing ASAs that resist both time-based detection and state reset-based detection, or proving that an ASA satisfying both is impossible. Timing attacks are but one way to model increased detection capabilities on the part of the user; other capabilities and their effects on known ASAs are also of interest.
Further improvements to our ASAs are possible. Our type 1 asymmetric ASA modification is dependent on the ability of the underlying ASA to leak single bits reliably, and this requirement could potentially be removed. Perhaps modifications could also be made on "non-flexible" ASAs. Methods to enable key recovery with fewer ciphertexts likely exist, and would be more effective in certain contexts. For example, suppose a user is changing their symmetric key too often for the ASAs in this paper to effectively leak the key, say every 300 messages (leaking a PKE-encrypted value would require at least 400 ciphertexts). Consider an ASA on symmetric encryption that leaks values in 2 stages: first, it leaks a longer encryption of a locally generated shorter key, resulting in a secret key shared with the external subverter. Next, it uses this new key to undetectably leak the targeted secret key directly, requiring interception of fewer ciphertexts. This ASA could be formulated as a generic modification to an underlying symmetric ASA, as we did in Section 6. Such an ASA could be a type 1 or type 2 asymmetric ASA depending on the exact implementation of the leaks, and, after the initial shared key is established, would recover keys more quickly than the ASAs we presented in this paper.
Further to the above, it is an open question whether a stateless type 1 asymmetric ASA exists. While we have argued that state does not lead immediately to detection, the effectiveness of a stateful ASA can be mitigated by using state resets. In fact, any ASA that requires state for key recovery can be fully countered by a state reset after every invocation of the subverted algorithm (as mentioned before, this may have significant impacts on performance). We see no straightforward way of modifying our type 1 asymmetric ASA to make it stateless. We encourage work on discovery of a stateless type 1 ASA or on an impossibility result.
We have not addressed the topic of countermeasures to ASAs significantly in this work. Several different avenues exist in the literature: deterministic algorithms [BPR14, DFP15,BJK15]; reverse firewalls using re-randomization [AMV15]; immunization methods [AFMV19], including a split-program methodology for preventing ASAs [RTYZ17, RTYZ16, TY17]; and so-called self-guarding cryptographic schemes [FM18]. All of these solutions assume some extra trusted component (for example, a trusted firewall system, a period of time where the scheme is not subverted, or an unsubvertable algorithm composition step). Each solution is able to produce significant guarantees on the scheme's resistance to ASAs. These countermeasures work against our ASAs as well, but we nonetheless encourage more work on methods to prevent ASAs which are simple and easy to implement in practice.