Skip to main content
SpringerLink
Log in

Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2022 (CRYPTO 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13509))

Included in the following conference series:

Abstract

Deliberately weakened ciphers are of great interest in political discussion on law enforcement, as in the constantly recurring crypto wars, and have been put in the spotlight of academics by recent progress. A paper at Eurocrypt 2021 showed a strong indication that the security of the widely-deployed stream cipher GEA-1 was deliberately and secretly weakened to 40 bits in order to fulfill European export restrictions that have been in place in the late 1990s. However, no explanation of how this could have been constructed was given. On the other hand, we have seen the MALICIOUS design framework, published at CRYPTO 2020, that allows to construct tweakable block ciphers with a backdoor, where the difficulty of recovering the backdoor relies on well-understood cryptographic assumptions. The constructed tweakable block cipher however is rather unusual and very different from, say, general-purpose ciphers like the AES.

In this paper, we pick up both topics. For GEA-1 we thoroughly explain how the weakness was constructed, solving the main open question of the work mentioned above. By generalizing MALICIOUS we – for the first time – construct backdoored tweakable block ciphers that follow modern design principles for general-purpose block ciphers, i.e., more natural-looking deliberately weakened tweakable block ciphers.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    When considering all possible combinations of two of the three registers in GEA-1, the maximal observed loss was 11 bits.

  2. 2.

    We estimate the number of expected solutions to be \(s \cdot 2^{-2d+1}\), where s denotes the sample space and d the desired entropy loss. For each sample, one has to solve a linear system of dimension 64 to compute the entropy loss.

  3. 3.

    Note that we use \(\sum _{i=0}^{m}t_iX^i\) as a shorthand for the corresponding coset of \(\mathbb {F}_2[X]\).

  4. 4.

    The complexity is measured by the amount of operations that are roughly as complex as GEA-1 evaluations (for generating a keystream of size \(\le 128\) bit).

  5. 5.

    The length of each entry in the table must be large enough to avoid false key candidates. Similarly as described in [8, Section 3.1], we assume that each bitstring in the table is of size \(\ell + \dim (T_{A,C})\), where \(\ell \) is the minimum integer such that \((1-2^{-\ell })^{2^{\kappa }} \ge 0.5\).

References

  1. Albertini, A., Aumasson, J.-P., Eichlseder, M., Mendel, F., Schläffer, M.: Malicious hashing: Eve’s variant of SHA-1. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 1–19. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_1

    Chapter  Google Scholar 

  2. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17

    Chapter  Google Scholar 

  3. Amzaleg, D., Dinur, I.: Refined cryptanalysis of the GPRS ciphers GEA-1 and GEA-2. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 57–85. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_3

    Chapter  Google Scholar 

  4. Avanzi, R.: The QARMA block cipher family. Almost MDS matrices over rings with zero divisors, nearly symmetric even-mansour constructions with non-involutory central rounds, and search heuristics for low-latency s-boxes. IACR Trans. Symmetric Cryptol. 2017(1), 4–44 (2017)

    Google Scholar 

  5. Bannier, A., Filiol, E.: Partition-based trapdoor ciphers. IntechOpen (2017)

    Google Scholar 

  6. Beierle, C., Beyne, T., Felke, P., Leander, G.: Constructing and deconstructing intentional weaknesses in symmetric ciphers. Cryptology ePrint Archive, Report 2021/829 (2021). https://ia.cr/2021/829

  7. Beierle, C., Canteaut, A., Leander, G., Rotella, Y.: Proving resistance against invariant attacks: how to choose the round constants. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 647–678. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_22

    Chapter  Google Scholar 

  8. Beierle, C., et al.: Cryptanalysis of the GPRS encryption algorithms GEA-1 and GEA-2. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 155–183. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_6

    Chapter  Google Scholar 

  9. Bernstein, D.J., Lange, T., Niederhagen, R.: Dual EC: a standardized back door. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 256–281. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49301-4_17

    Chapter  Google Scholar 

  10. Beyne, T.: Block cipher invariants as eigenvectors of correlation matrices. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 3–31. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_1

    Chapter  Google Scholar 

  11. Beyne, T.: A geometric approach to linear cryptanalysis. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 36–66. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_2

    Chapter  Google Scholar 

  12. Bonnetain, X., Perrin, L., Tian, S.: Anomalies and vector space search: tools for S-Box analysis. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 196–223. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_8

    Chapter  Google Scholar 

  13. Borghoff, J., et al.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_14

    Chapter  Google Scholar 

  14. Daemen, J., Rijmen, V.: The Design of Rijndael - The Advanced Encryption Standard (AES). Information Security and Cryptography, 2nd edn. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-662-04722-4

  15. Derbez, P., Fouque, P., Jean, J., Lambin, B.: Variants of the AES key schedule for better truncated differential bounds. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 27–49. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_2

    Chapter  Google Scholar 

  16. Dunkelman, O., Perrin, L.: Adapting rigidity to symmetric cryptography: towards “unswerving” designs. In: Mehrnezhad, M., van der Merwe, T., Hao, F. (eds.) Proceedings of the 5th ACM Workshop on Security Standardisation Research Workshop, pp. 69–80. ACM (2019)

    Google Scholar 

  17. Dworkin, M.: SHA-3 standard: permutation-based hash and extendable-output functions (2015)

    Google Scholar 

  18. Filiol, E.: BSEA-1 - a stream cipher backdooring technique. arXiv preprint arXiv:1903.11063 (2019)

  19. Harpes, C., Massey, J.L.: Partitioning cryptanalysis. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 13–27. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052331

    Chapter  Google Scholar 

  20. Hoffman, K., Kunze, R.A.: Linear Algebra. PHI Learning (2004)

    Google Scholar 

  21. Khoo, K., Lee, E., Peyrin, T., Sim, S.M.: Human-readable proof of the related-key security of AES-128. IACR Trans. Symmetric Cryptol. 2017(2), 59–83 (2017)

    Article  Google Scholar 

  22. Koblitz, N.: Algebraic Aspects of Cryptography, Algorithms and Computation in Mathematics, vol. 3. Springer, New York (1998). https://doi.org/10.1007/978-3-662-03642-6

  23. Van Le, T., Sparr, R., Wernsdorf, R., Desmedt, Y.: Complementation-like and cyclic properties of AES round functions. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 128–141. Springer, Heidelberg (2005). https://doi.org/10.1007/11506447_11

    Chapter  MATH  Google Scholar 

  24. Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_12

    Chapter  Google Scholar 

  25. Lidl, R., Niederreiter, H.: Finite Fields, 2nd edn. Encyclopedia of Mathematics and its Applications, Cambridge University Press (1996)

    Book  Google Scholar 

  26. Park, S., Sung, S.H., Lee, S., Lim, J.: Improving the upper bound on the maximum differential and the maximum linear hull probability for SPN structures and AES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 247–260. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_19

    Chapter  Google Scholar 

  27. Paterson, K.G.: Imprimitive permutation groups and trapdoors in iterated block ciphers. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 201–214. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_15

    Chapter  Google Scholar 

  28. Perlroth, N., Larson, J., Shane, S.: N.S.A. able to foil basic safeguards of privacy on web. International New York Times (2013). https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html. Accessed 30 Sept 2021

  29. Perrin, L.: Partitions in the s-box of Streebog and Kuznyechik. IACR Trans. Symmetric Cryptol. 2019(1), 302–329 (2019)

    Article  Google Scholar 

  30. Peyrin, T., Wang, H.: The MALICIOUS framework: embedding backdoors into tweakable block ciphers. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 249–278. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_9

    Chapter  Google Scholar 

  31. Posteuca, R., Ashur, T.: How to backdoor a cipher. IACR Cryptol. ePrint Arch, p. 442 (2021)

    Google Scholar 

  32. Fips, P.U.B.: 46: Data Encryption Standard (DES). National Bureau of Standards, US Department of Commerce (1977)

    Google Scholar 

  33. Rijmen, V., Preneel, B.: A family of trapdoor ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 139–148. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052342

    Chapter  Google Scholar 

  34. Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.3) (2021). https://www.sagemath.org

  35. Schneier, B.: Applied Cryptography - Protocols, Algorithms, and Source Code in C, 2nd edn. Wiley (1996)

    Google Scholar 

  36. Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM, and Midori64. J. Cryptol. 32(4), 1383–1422 (2019)

    Article  MathSciNet  Google Scholar 

  37. Wardlaw, W.P.: Matrix representation of finite fields. Math. Mag. 67(4), 289–293 (1994)

    Article  MathSciNet  Google Scholar 

  38. Wei, Y., Ye, T., Wu, W., Pasalic, E.: Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Trans. Symmetric Cryptol. 2018(4), 62–79 (2018)

    Article  Google Scholar 

  39. Wu, H., Bao, F., Deng, R.H., Ye, Q.-Z.: Cryptanalysis of Rijmen-Preneel trapdoor ciphers. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 126–132. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_11

    Chapter  Google Scholar 

Download references

Acknowledgments

This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CaSa – 39078197. Tim Beyne is supported by a PhD Fellowship from the Research Foundation – Flanders (FWO).

Author information

Authors and Affiliations

  1. Ruhr University Bochum, Bochum, Germany

    Christof Beierle & Gregor Leander

  2. imec-COSIC, KU Leuven, Leuven, Belgium

    Tim Beyne

  3. University of Applied Sciences Emden/Leer, Emden, Germany

    Patrick Felke

Authors
  1. Christof Beierle
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tim Beyne
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Patrick Felke
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Gregor Leander
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Christof Beierle or Patrick Felke .

Editor information

Editors and Affiliations

  1. New York University, New York, NY, USA

    Yevgeniy Dodis

  2. University of Florida, Gainesville, FL, USA

    Thomas Shrimpton

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Beierle, C., Beyne, T., Felke, P., Leander, G. (2022). Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13509. Springer, Cham. https://doi.org/10.1007/978-3-031-15982-4_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-15982-4_25

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15981-7

  • Online ISBN: 978-3-031-15982-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation