Abstract
Deliberately weakened ciphers are of great interest in political discussion on law enforcement, as in the constantly recurring crypto wars, and have been put in the spotlight of academics by recent progress. A paper at Eurocrypt 2021 showed a strong indication that the security of the widely-deployed stream cipher GEA-1 was deliberately and secretly weakened to 40 bits in order to fulfill European export restrictions that were in place in the late 1990s. However, no explanation of how this could have been constructed was given. On the other hand, we have seen the MALICIOUS design framework, published at CRYPTO 2020, that allows one to construct tweakable block ciphers with a backdoor, where the difficulty of recovering the backdoor relies on well-understood cryptographic assumptions. The constructed tweakable block cipher, however, is rather unusual and very different from, say, general-purpose ciphers like the AES.
In this paper, we pick up both topics. For GEA-1 we thoroughly explain how the weakness was constructed, solving the main open question of the work mentioned above. By generalizing MALICIOUS we – for the first time – construct backdoored tweakable block ciphers that follow modern design principles for general-purpose block ciphers, i.e., more natural-looking deliberately weakened tweakable block ciphers.
Notes
1. When considering all possible combinations of two of the three registers in GEA-1, the maximal observed loss was 11 bits.
2. We estimate the number of expected solutions to be \(s \cdot 2^{-2d+1}\), where s denotes the size of the sample space and d the desired entropy loss. For each sample, one has to solve a linear system of dimension 64 to compute the entropy loss.
3. Note that we use \(\sum _{i=0}^{m}t_iX^i\) as a shorthand for the corresponding coset of \(\mathbb {F}_2[X]\).
4. The complexity is measured by the number of operations that are roughly as complex as GEA-1 evaluations (for generating a keystream of size \(\le 128\) bit).
5. The length of each entry in the table must be large enough to avoid false key candidates. Similarly as described in [8, Section 3.1], we assume that each bitstring in the table is of size \(\ell + \dim (T_{A,C})\), where \(\ell \) is the minimum integer such that \((1-2^{-\ell })^{2^{\kappa }} \ge 0.5\).
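Note 2 describes the core computation behind the GEA-1 analysis: for each sampled pair of register initialisations, solve a linear system over \(\mathbb {F}_2\) to find how much entropy the pair of registers loses. The following is an added illustration, not code from the paper, of that computation on a constructed toy state. It represents each register bit as an \(\mathbb {F}_2\)-linear function of the state (a bitmask), computes the GF(2) rank of the stacked matrix, and reports the entropy loss; it also includes the footnote's estimate \(s \cdot 2^{-2d+1}\) and a seeded random sampling loop that mirrors the search. The 8-bit state size, the register sizes and the toy maps are assumptions chosen for illustration and are not GEA-1's actual initialisation (which lives in dimension 64).

```python
# Added illustration (not code from the paper): entropy loss of a pair of
# F_2-linear register initialisations, the quantity footnote 2 obtains by
# solving a linear system of dimension 64 for GEA-1.  All sizes and maps
# below are constructed toy values, not GEA-1's real initialisation.
import random
from typing import List


def gf2_rank(rows: List[int]) -> int:
    """Rank over GF(2) of a matrix whose rows are given as integer bitmasks."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = max(rows)                      # row with the highest leading bit
        rows.remove(pivot)
        hi = pivot.bit_length() - 1
        # every remaining row with bit `hi` set has that same leading bit: clear it
        rows = [r ^ pivot if (r >> hi) & 1 else r for r in rows]
        rows = [r for r in rows if r]
        rank += 1
    return rank


def joint_entropy_loss(n: int, rows_a: List[int], rows_c: List[int]) -> int:
    """Entropy lost when an n-bit state is loaded into two registers A and C.

    Each register bit is an F_2-linear function of the state, encoded as a
    bitmask over the n state bits.  The pair (A, C) could take up to
    2^min(n, |A|+|C|) values; it actually takes 2^rank values, where rank is
    the GF(2) rank of the stacked matrix.  The difference is the entropy loss.
    """
    full = min(n, len(rows_a) + len(rows_c))
    return full - gf2_rank(rows_a + rows_c)


def expected_solutions(s: int, d: int) -> float:
    """Footnote 2's estimate s * 2^(-2d+1): expected number of initialisations
    with entropy loss d among a sample space of size s (stated for the
    64-dimensional GEA-1 setting, not for the toy sizes used here)."""
    return s * 2.0 ** (-2 * d + 1)


def sample_for_loss(n: int, m_a: int, m_c: int, s: int, d: int, seed: int = 1) -> int:
    """Count how many of s random (A, C) pairs lose at least d bits; this is
    the per-sample linear-algebra step of the search footnote 2 describes."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(s):
        rows_a = [rng.getrandbits(n) for _ in range(m_a)]
        rows_c = [rng.getrandbits(n) for _ in range(m_c)]
        if joint_entropy_loss(n, rows_a, rows_c) >= d:
            hits += 1
    return hits


# Constructed 8-bit toy state: register A reads 4 state bits directly, register
# C reads 5 linear combinations, but state bits x6 and x7 feed neither register,
# so the pair only ever takes 2^6 of the 2^8 possible joint values.
TOY_N = 8
TOY_A = [0b00000001, 0b00000010, 0b00000100, 0b00001000]
TOY_C = [0b00000011, 0b00001100, 0b00010000, 0b00100000, 0b00010001]

if __name__ == "__main__":
    loss = joint_entropy_loss(TOY_N, TOY_A, TOY_C)
    print(f"joint (A, C) state takes 2^{TOY_N - loss} values: entropy loss {loss} bits")
    print("footnote-2 estimate for s = 2^20, d = 8:", expected_solutions(2**20, 8))
    print("toy sampling, pairs losing >= 2 bits out of 200:", sample_for_loss(8, 4, 5, 200, 2))
```

The rank routine is plain Gaussian elimination over GF(2) on integer bitmasks, which is what "solving a linear system of dimension 64" amounts to at GEA-1's size; a joint kernel of dimension 24 in that setting is exactly what reduces 64 bits of state to the 40 bits named in the abstract.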
References
Albertini, A., Aumasson, J.-P., Eichlseder, M., Mendel, F., Schläffer, M.: Malicious hashing: Eve’s variant of SHA-1. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 1–19. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_1
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Amzaleg, D., Dinur, I.: Refined cryptanalysis of the GPRS ciphers GEA-1 and GEA-2. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 57–85. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_3
Avanzi, R.: The QARMA block cipher family. Almost MDS matrices over rings with zero divisors, nearly symmetric Even-Mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-boxes. IACR Trans. Symmetric Cryptol. 2017(1), 4–44 (2017)
Bannier, A., Filiol, E.: Partition-based trapdoor ciphers. IntechOpen (2017)
Beierle, C., Beyne, T., Felke, P., Leander, G.: Constructing and deconstructing intentional weaknesses in symmetric ciphers. Cryptology ePrint Archive, Report 2021/829 (2021). https://ia.cr/2021/829
Beierle, C., Canteaut, A., Leander, G., Rotella, Y.: Proving resistance against invariant attacks: how to choose the round constants. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 647–678. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_22
Beierle, C., et al.: Cryptanalysis of the GPRS encryption algorithms GEA-1 and GEA-2. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 155–183. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_6
Bernstein, D.J., Lange, T., Niederhagen, R.: Dual EC: a standardized back door. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 256–281. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49301-4_17
Beyne, T.: Block cipher invariants as eigenvectors of correlation matrices. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 3–31. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_1
Beyne, T.: A geometric approach to linear cryptanalysis. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 36–66. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_2
Bonnetain, X., Perrin, L., Tian, S.: Anomalies and vector space search: tools for S-Box analysis. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 196–223. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_8
Borghoff, J., et al.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_14
Daemen, J., Rijmen, V.: The Design of Rijndael - The Advanced Encryption Standard (AES). Information Security and Cryptography, 2nd edn. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-662-04722-4
Derbez, P., Fouque, P., Jean, J., Lambin, B.: Variants of the AES key schedule for better truncated differential bounds. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 27–49. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_2
Dunkelman, O., Perrin, L.: Adapting rigidity to symmetric cryptography: towards “unswerving” designs. In: Mehrnezhad, M., van der Merwe, T., Hao, F. (eds.) Proceedings of the 5th ACM Workshop on Security Standardisation Research Workshop, pp. 69–80. ACM (2019)
Dworkin, M.: SHA-3 standard: permutation-based hash and extendable-output functions (2015)
Filiol, E.: BSEA-1 - a stream cipher backdooring technique. arXiv preprint arXiv:1903.11063 (2019)
Harpes, C., Massey, J.L.: Partitioning cryptanalysis. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 13–27. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052331
Hoffman, K., Kunze, R.A.: Linear Algebra. PHI Learning (2004)
Khoo, K., Lee, E., Peyrin, T., Sim, S.M.: Human-readable proof of the related-key security of AES-128. IACR Trans. Symmetric Cryptol. 2017(2), 59–83 (2017)
Koblitz, N.: Algebraic Aspects of Cryptography, Algorithms and Computation in Mathematics, vol. 3. Springer, New York (1998). https://doi.org/10.1007/978-3-662-03642-6
Van Le, T., Sparr, R., Wernsdorf, R., Desmedt, Y.: Complementation-like and cyclic properties of AES round functions. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 128–141. Springer, Heidelberg (2005). https://doi.org/10.1007/11506447_11
Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_12
Lidl, R., Niederreiter, H.: Finite Fields, 2nd edn. Encyclopedia of Mathematics and its Applications, Cambridge University Press (1996)
Park, S., Sung, S.H., Lee, S., Lim, J.: Improving the upper bound on the maximum differential and the maximum linear hull probability for SPN structures and AES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 247–260. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_19
Paterson, K.G.: Imprimitive permutation groups and trapdoors in iterated block ciphers. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 201–214. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_15
Perlroth, N., Larson, J., Shane, S.: N.S.A. able to foil basic safeguards of privacy on web. International New York Times (2013). https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html. Accessed 30 Sept 2021
Perrin, L.: Partitions in the S-box of Streebog and Kuznyechik. IACR Trans. Symmetric Cryptol. 2019(1), 302–329 (2019)
Peyrin, T., Wang, H.: The MALICIOUS framework: embedding backdoors into tweakable block ciphers. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 249–278. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_9
Posteuca, R., Ashur, T.: How to backdoor a cipher. Cryptology ePrint Archive, Report 2021/442 (2021)
FIPS PUB 46: Data Encryption Standard (DES). National Bureau of Standards, US Department of Commerce (1977)
Rijmen, V., Preneel, B.: A family of trapdoor ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 139–148. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052342
Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.3) (2021). https://www.sagemath.org
Schneier, B.: Applied Cryptography - Protocols, Algorithms, and Source Code in C, 2nd edn. Wiley (1996)
Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM, and Midori64. J. Cryptol. 32(4), 1383–1422 (2019)
Wardlaw, W.P.: Matrix representation of finite fields. Math. Mag. 67(4), 289–293 (1994)
Wei, Y., Ye, T., Wu, W., Pasalic, E.: Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Trans. Symmetric Cryptol. 2018(4), 62–79 (2018)
Wu, H., Bao, F., Deng, R.H., Ye, Q.-Z.: Cryptanalysis of Rijmen-Preneel trapdoor ciphers. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 126–132. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_11
Acknowledgments
This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CaSa – 39078197. Tim Beyne is supported by a PhD Fellowship from the Research Foundation – Flanders (FWO).
© 2022 International Association for Cryptologic Research
Cite this paper
Beierle, C., Beyne, T., Felke, P., Leander, G. (2022). Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13509. Springer, Cham. https://doi.org/10.1007/978-3-031-15982-4_25
DOI: https://doi.org/10.1007/978-3-031-15982-4_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15981-7
Online ISBN: 978-3-031-15982-4