Abstract
With the advent of Malicious (Peyrin and Wang, Crypto’20), the question of a cipher with an intentional weakness that is known only to its designer has gained momentum. In their work, the authors discuss how an otherwise secure cipher can be broken by its designer with the help of a secret backdoor (which is not known to the user/attacker). The contribution of Malicious is to propose a cipher-level construction with a backdoor, where it is computationally infeasible to retrieve the backdoor entry despite knowing how the mechanism works.
In this work, we revisit the work of Peyrin and Wang in greater depth. We discuss the relevant aspects with more clarity, thereby addressing some of the important issues connected to a backdoor construction. The main contribution, however, is a new proof-of-concept block cipher with an innate backdoor, named ZUGZWANG. Unlike Malicious, which needs new/experimental concepts such as a partially non-linear layer, our cipher relies entirely on concepts that have been well established for decades (such as using a one-way function as a Feistel cipher’s state update), and also offers several advantages over Malicious (it is easy to visualise, succeeds with probability 1, and so on). Knowing the secret backdoor entry, one can recover the secret key with only 1 plaintext query to our cipher; it is secure otherwise.
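The abstract names one of the long-established building blocks ZUGZWANG is built from: a Feistel cipher whose state update is a one-way function. The following is an added example, not the paper's ZUGZWANG specification and not the authors' code; it shows only that generic building block, with no backdoor. A balanced Feistel network uses SHA-256 as its round function, truncating the hash output to the half-block size (the pad/truncate step note 4 refers to). The key schedule, block size and round count are assumptions made for the demo. It also includes, as a defender-side sanity check of the kind note 15 describes, a test of whether the XOR of two consecutive cipher outputs equals the key, which for this plain construction it should not.

```python
import hashlib
from typing import List

# Constructed parameters for the demo (assumptions, not the paper's choices).
BLOCK_BYTES = 16          # 128-bit block, split into two 64-bit halves
HALF = BLOCK_BYTES // 2
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def derive_round_keys(key: bytes, rounds: int = ROUNDS) -> List[bytes]:
    """Hypothetical key schedule: one hash per round, truncated to HALF bytes."""
    return [hashlib.sha256(b"rk" + bytes([i]) + key).digest()[:HALF]
            for i in range(rounds)]


def round_function(round_key: bytes, half: bytes) -> bytes:
    """One-way state update F(k_i, R): SHA-256 of (k_i || R), truncated to the
    half-block size. F is never inverted, which is why a one-way function fits."""
    return hashlib.sha256(round_key + half).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """One Feistel round is (L, R) -> (R, L xor F(k_i, R)); ROUNDS of them."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
    left, right = block[:HALF], block[HALF:]
    for rk in derive_round_keys(key):
        left, right = right, xor(left, round_function(rk, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Invert the rounds in reverse order: R_{i-1} = L_i, L_{i-1} = R_i xor F(k_i, L_i).
    Decryption recomputes F on the same input, so F itself is never inverted."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
    left, right = block[:HALF], block[HALF:]
    for rk in reversed(derive_round_keys(key)):
        left, right = xor(right, round_function(rk, left)), left
    return left + right


def consecutive_outputs_leak_key(key: bytes, outputs: List[bytes]) -> bool:
    """Defender-side check in the spirit of note 15: does the XOR of any two
    consecutive cipher outputs equal the key? Assumes a BLOCK_BYTES-long key."""
    return any(xor(a, b) == key for a, b in zip(outputs, outputs[1:]))


if __name__ == "__main__":
    key = bytes(range(BLOCK_BYTES))            # constructed demo key
    pt = b"sixteen byte msg"                   # constructed 16-byte plaintext
    ct = encrypt_block(key, pt)
    print("ciphertext:", ct.hex())
    print("round trip ok:", decrypt_block(key, ct) == pt)
    outputs = [encrypt_block(key, bytes([i]) * BLOCK_BYTES) for i in range(4)]
    print("consecutive outputs XOR to key:", consecutive_outputs_leak_key(key, outputs))
```

Because the round output is fed back only through XOR, the cipher is invertible even though SHA-256 is not; that separation between "invertible structure" and "one-way round function" is exactly what lets a designer pick an arbitrary one-way function as the state update.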
Notes
- 1.
- 2. It is also worth pointing out that the problem is partly exacerbated by the absence of any cryptanalytic result in the introducing paper [4].
- 3. In this case, the designers are a group of researchers from the American government’s National Security Agency (NSA), possibly hinting at a government-level initiative in the background.
- 4. Depending on the hash output size and the state size of the encryption algorithm, we may need to pad/truncate.
- 5.
- 6. It is a German word (translating to ‘a compulsion to move’), used in the context of chess to describe a situation in which every available move makes a player’s position worse.
- 7. As it has a backdoor, any practical application of ZUGZWANG is not recommended (it is to be used mostly, if not only, as an interesting proof-of-concept).
- 8. For instance, one may look at the “politically correct” backdoor: https://www.kb.cert.org/vuls/id/247371.
- 9. This is noted in [9, Section 1]: “There are two categories of backdoors. The first one is the backdoor implemented in a security product at the protocol or key-management level, which is generally considered in practice.”
- 10. It may be hard to spot the backdoor for someone who does not know about it beforehand, but here it does not matter, as the designers have already made it public.
- 11. As per [9, Section 2.1], the attacker/eavesdropper Eve is considered within the Malicious framework.
- 12. If the released key is encrypted with another key, the cipher designer and the user have to know that other key beforehand. In that case, they can simply use any cipher (with the other key) to communicate the key that would be released through the backdoor, thus removing the need for a backdoor altogether.
- 13. For instance, some of the public-key ciphers (including RSA) are now known to be vulnerable against quantum computers, but those attacks were not known when those ciphers were designed. In a less restricted sense, the quantum attacks can be considered as backdoors to those ciphers.
- 14. There is practically no way to encrypt this key, at least within the realm of symmetric-key cryptography, as this would require the exchange of another secret key between Alice and Derek. This invalidates the need for a backdoor in the first place.
- 15. For instance, Alice can check whether the XOR of two consecutive cipher outputs equals the key. Given that the backdoor mechanism is public, she already knows exactly what to look for.
- 16. Possibly something similar is laid out by Peyrin: https://thomaspeyrin.github.io/web/assets/docs/invited/TII_CRC_21_slides.pdf, Slide 63.
- 17.
- 18.
- 19. One may compare with the government-issued (closed-source) applications for tracing COVID-19 to some extent, though there is no separate recipient (Derek = Bob) and there is no secret key to recover.
- 20.
- 21. We use the same term, ‘ZUGZWANG’, to indicate the overall construction idea as well as the concrete instance.
References
Albrecht, M., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. Cryptology ePrint Archive, Report 2016/687 (2016). https://eprint.iacr.org/2016/687
Baksi, A., Bhasin, S., Breier, J., Khairallah, M., Peyrin, T.: Protecting block ciphers against differential fault attacks without re-keying (extended version). Cryptology ePrint Archive, Report 2018/085 (2018). https://eprint.iacr.org/2018/085
Baksi, A., Bhattacharjee, A., Breier, J., Isobe, T., Nandi, M.: Big brother is watching you: a closer look at backdoor construction. Cryptology ePrint Archive, Paper 2022/953 (2022). https://eprint.iacr.org/2022/953
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The Simon and speck families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). https://eprint.iacr.org/2013/404
Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: A white-box DES implementation for DRM applications. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 1–15. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-44993-5_1
Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_17
Liu, F., Isobe, T., Meier, W.: Cryptanalysis of full LowMC and LowMC-M with algebraic techniques. Cryptology ePrint Archive, Paper 2020/1034 (2020). https://eprint.iacr.org/2020/1034
Nohl, K., Evans, D., Starbug, Plötz, H.: Reverse-engineering a cryptographic RFID tag. In: van Oorschot, P.C. (ed.) Proceedings of the 17th USENIX Security Symposium, July 28–August 1, 2008, San Jose, CA, USA, pp. 185–194. USENIX Association (2008). https://www.usenix.org/events/sec08/tech/full_papers/nohl/nohl.pdf
Peyrin, T., Wang, H.: The malicious framework: Embedding backdoors into tweakable block ciphers. Cryptology ePrint Archive, Report 2020/986 (2020). https://eprint.iacr.org/2020/986
Ravi, P., Deb, S., Baksi, A., Chattopadhyay, A., Bhasin, S., Mendelson, A.: On threat of hardware trojan to post-quantum lattice-based schemes: a key recovery attack on saber and beyond. In: Batina, L., Picek, S., Mondal, M. (eds.) SPACE 2021. LNCS, vol. 13162, pp. 81–103. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-95085-9_5
Shamir, A.: How to share a secret. Commun. ACM. 22, 612–613 (1979). https://dl.acm.org/doi/10.1145/359168.359176
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Baksi, A., Bhattacharjee, A., Breier, J., Isobe, T., Nandi, M. (2022). Big Brother Is Watching You: A Closer Look at Backdoor Construction. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2022. Lecture Notes in Computer Science, vol 13783. Springer, Cham. https://doi.org/10.1007/978-3-031-22829-2_5
DOI: https://doi.org/10.1007/978-3-031-22829-2_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22828-5
Online ISBN: 978-3-031-22829-2
eBook Packages: Computer Science; Computer Science (R0)