We seek constructions of general-purpose immunizers that take arbitrary cryptographic primitives, and transform them into ones that withstand a powerful “malicious but proud” adversary, who attempts to break security by possibly subverting the implementation of all algorithms (including the immunizer itself!), while trying not to be detected. This question is motivated by the recent evidence of cryptographic schemes being intentionally weakened, or designed together with hidden backdoors, e.g., with the scope of mass surveillance.

Our main result is a subversion-secure immunizer in the plain model, that works for a fairly large class of deterministic primitives, i.e. cryptoschemes where a secret (but tamperable) random source is used to generate the keys and the public parameters, whereas all other algorithms are deterministic. The immunizer relies on an additional independent source of public randomness, which is used to sample a public seed.

Assuming the public source is untamperable, and that the subversion of the algorithms is chosen independently of the seed, we can instantiate our immunizer from any one-way function. In case the subversion is allowed to depend on the seed, and the public source is still untamperable, we obtain an instantiation from collision-resistant hash functions. In the more challenging scenario where the public source is also tamperable, we additionally need to assume that the initial cryptographic primitive has sub-exponential security.

Previous work in the area only obtained subversion-secure immunization for very restricted classes of primitives, often in weaker models of subversion and using random oracles.

我们寻求采用任意密码原语的通用免疫程序的构造，并将其转换为可以承受强大的“恶意但引以为傲”的对手的对手，该对手试图通过破坏所有算法（包括免疫程序本身）的实现来破坏安全性。 ，同时尝试不被发现。这个问题是由于最近有证据表明加密方案被有意削弱或与隐藏的后门（例如，大规模监视的范围）一起设计而引起的。

我们的主要结果是普通模式颠覆安全immunizer，是一个相当作品大类的确定性元，即cryptoschemes其中一个秘密（但tamperable）随机源用于生成密钥以及公开参数，而所有其他算法是确定性的。免疫器依赖于公共随机性的其他独立来源，该来源用于采样公共种子。

假设公共资源不可篡改，并且算法的颠覆是独立于种子进行选择的，则我们可以从任何一种单向函数实例化免疫程序。如果允许颠覆依赖种子，并且公共资源仍然不可篡改，则可以从抗冲突哈希函数获得实例化。在更具挑战性的情况下，公共资源也是可篡改的，我们还需要假设初始密码原语具有次指数安全性。

该领域的先前工作仅针对非常有限的原始类获得了颠覆安全免疫，通常是在较弱的颠覆模型中使用随机预言机。