KLEPTORISK AS A DISTINCT CLASS OF DIGITAL TRUST RISK

DOI: https://doi.org/10.28925/2663-4023.2026.32.1197

Keywords: kleptorisk; kleptography; digital trust; cryptographic backdoors; trust architecture; cybersecurity risk.

Abstract

This paper introduces kleptorisk as a distinct class of digital trust risk arising from intentionally embedded, controllable weaknesses within the architecture of cryptographic and information systems. Unlike conventional cybersecurity risks, which emerge from implementation flaws or operational vulnerabilities, kleptorisk originates at the design stage and persists independently of its activation. The paper formalizes the concept of kleptorisk, defines its key properties, and distinguishes it from traditional risk categories. A compact lifecycle model is proposed, describing kleptorisk formation, legitimization, latent existence, and potential activation. Historical case studies, including Crypto AG cryptographic devices and the Dual_EC_DRBG random number generator, demonstrate that such risks can exist within formally compliant and widely deployed systems. The findings indicate that kleptorisk represents an architectural characteristic rather than an operational event. This work argues for a shift from incident-centric cybersecurity toward an architecture-centric trust analysis paradigm and outlines implications for trust management, cryptographic assurance, and the development of kleptorisk-aware security frameworks.

Published

2026-03-26

How to Cite

Shelest, M., & Tkach, Y. (2026). KLEPTORISK AS A DISTINCT CLASS OF DIGITAL TRUST RISK. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 4(32), 686–699. https://doi.org/10.28925/2663-4023.2026.32.1197