one construction of a backdoored aes-like block cipher and ... · (esiea - (c + v)o lab) ruskrypto...
TRANSCRIPT
One Construction of a Backdoored AES-like BlockCipher and How to Break it
Arnaud Bannier & Eric [email protected]
ESIEAOperational Cryptology and Virology Lab (C + V )O
(ESIEA - (C + V )O lab) RusKrypto 2017 1 / 21
Agenda
1 Introduction
2 Description of BEA-1Theoretical BackgroundBEA-1 Presentation and Details
3 BEA-1 Cryptanalysis
4 Conclusion and Future Work
(ESIEA - (C + V )O lab) RusKrypto 2017 2 / 21
Summary of the talk
1 Introduction
2 Description of BEA-1
3 BEA-1 Cryptanalysis
4 Conclusion and Future Work
(ESIEA - (C + V )O lab) RusKrypto 2017 3 / 21
Introduction
Encryption systems have always been under export controls (ITAR,Wassenaar...). Considered as weapons and dual-use means.
Implementation backdoors
Key escrowing, key management and key distribution protocolsweaknesses (refer to recent CIA leak)Hackers are likely to find and use them as well
Mathematical backdoors
Put a secret flaw at the design level while the algorithm remains publicFinding the backdoor must be an untractable problem while exploitingit must be “easy”Historic cases: Crypto AG and Buehler’s case (1995)Extremely few open and public research in this areaKnown existence of NSA and GCHQ research programs
Sovereignty issue: can we trust foreign encryption algorithms?
(ESIEA - (C + V )O lab) RusKrypto 2017 4 / 21
Introduction
Encryption systems have always been under export controls (ITAR,Wassenaar...). Considered as weapons and dual-use means.
Implementation backdoors
Key escrowing, key management and key distribution protocolsweaknesses (refer to recent CIA leak)Hackers are likely to find and use them as well
Mathematical backdoors
Put a secret flaw at the design level while the algorithm remains publicFinding the backdoor must be an untractable problem while exploitingit must be “easy”Historic cases: Crypto AG and Buehler’s case (1995)Extremely few open and public research in this areaKnown existence of NSA and GCHQ research programs
Sovereignty issue: can we trust foreign encryption algorithms?
(ESIEA - (C + V )O lab) RusKrypto 2017 4 / 21
Introduction
Encryption systems have always been under export controls (ITAR,Wassenaar...). Considered as weapons and dual-use means.
Implementation backdoors
Key escrowing, key management and key distribution protocolsweaknesses (refer to recent CIA leak)Hackers are likely to find and use them as well
Mathematical backdoors
Put a secret flaw at the design level while the algorithm remains publicFinding the backdoor must be an untractable problem while exploitingit must be “easy”Historic cases: Crypto AG and Buehler’s case (1995)Extremely few open and public research in this areaKnown existence of NSA and GCHQ research programs
Sovereignty issue: can we trust foreign encryption algorithms?
(ESIEA - (C + V )O lab) RusKrypto 2017 4 / 21
Introduction
Encryption systems have always been under export controls (ITAR,Wassenaar...). Considered as weapons and dual-use means.
Implementation backdoors
Key escrowing, key management and key distribution protocolsweaknesses (refer to recent CIA leak)Hackers are likely to find and use them as well
Mathematical backdoors
Put a secret flaw at the design level while the algorithm remains publicFinding the backdoor must be an untractable problem while exploitingit must be “easy”Historic cases: Crypto AG and Buehler’s case (1995)Extremely few open and public research in this areaKnown existence of NSA and GCHQ research programs
Sovereignty issue: can we trust foreign encryption algorithms?
(ESIEA - (C + V )O lab) RusKrypto 2017 4 / 21
Aim of our Research
Try to answer to the key question
“How easy and feasible is it to design and to insert backdoors (at themathematical level) in encryption algorithms?”
Explore the different possible approaches
The present work is a first stepWe consider a particular case of backdoors here (linear partition of thedata spaces)
For more details on backdoors and the few existing works, please referto our ForSE 2017 paper
Available on https://arxiv.org/abs/1702.06475
(ESIEA - (C + V )O lab) RusKrypto 2017 5 / 21
Aim of our Research
Try to answer to the key question
“How easy and feasible is it to design and to insert backdoors (at themathematical level) in encryption algorithms?”
Explore the different possible approaches
The present work is a first stepWe consider a particular case of backdoors here (linear partition of thedata spaces)
For more details on backdoors and the few existing works, please referto our ForSE 2017 paper
Available on https://arxiv.org/abs/1702.06475
(ESIEA - (C + V )O lab) RusKrypto 2017 5 / 21
Aim of our Research
Try to answer to the key question
“How easy and feasible is it to design and to insert backdoors (at themathematical level) in encryption algorithms?”
Explore the different possible approaches
The present work is a first stepWe consider a particular case of backdoors here (linear partition of thedata spaces)
For more details on backdoors and the few existing works, please referto our ForSE 2017 paper
Available on https://arxiv.org/abs/1702.06475
(ESIEA - (C + V )O lab) RusKrypto 2017 5 / 21
Summary of the talk
1 Introduction
2 Description of BEA-1Theoretical BackgroundBEA-1 Presentation and Details
3 BEA-1 Cryptanalysis
4 Conclusion and Future Work
(ESIEA - (C + V )O lab) RusKrypto 2017 6 / 21
Partition-based Trapdoors
Based on our theoretical work (Bannier, Bodin & Filiol, 2016; Bannier& Filiol, 2017)
Generalization of Paterson’s work (1999)
BEA-1 is inspired from the Advanced Encryption Standard (AES)
BEA-1 is a Substitution-Permutation Network (SPN)BEA-1 stands for Backdoored Encryption Algorithm version 1
(ESIEA - (C + V )O lab) RusKrypto 2017 7 / 21
Partition-based Trapdoors
Based on our theoretical work (Bannier, Bodin & Filiol, 2016; Bannier& Filiol, 2017)
Generalization of Paterson’s work (1999)
BEA-1 is inspired from the Advanced Encryption Standard (AES)
BEA-1 is a Substitution-Permutation Network (SPN)BEA-1 stands for Backdoored Encryption Algorithm version 1
(ESIEA - (C + V )O lab) RusKrypto 2017 7 / 21
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) RusKrypto 2017 8 / 21
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) RusKrypto 2017 8 / 21
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},
001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) RusKrypto 2017 8 / 21
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},
010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) RusKrypto 2017 8 / 21
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},
011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) RusKrypto 2017 8 / 21
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) RusKrypto 2017 8 / 21
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) RusKrypto 2017 8 / 21
Linear Partitions
The 16 linear partition over F32:
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
There are 229 755 605 linear partitions over F102 .
(ESIEA - (C + V )O lab) RusKrypto 2017 9 / 21
Linear Partitions
The 16 linear partition over F32:
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
There are 229 755 605 linear partitions over F102 .
(ESIEA - (C + V )O lab) RusKrypto 2017 9 / 21
Partition-Based Backdoor SPN
Assumption
The SPN maps A to B, no matterwhat the round keys are.
Theoretical results :
A and B are linear,
A is transformed througheach step of the SPN in adeterministic way,
At least one S-box maps alinear partition to anotherone.
A
B
EK
(ESIEA - (C + V )O lab) RusKrypto 2017 10 / 21
Partition-Based Backdoor SPN
Assumption
The SPN maps A to B, no matterwhat the round keys are.
Theoretical results :
A and B are linear,
A is transformed througheach step of the SPN in adeterministic way,
At least one S-box maps alinear partition to anotherone.
A
B
EK
L(V [0])
L(V [r ])
(ESIEA - (C + V )O lab) RusKrypto 2017 10 / 21
Partition-Based Backdoor SPN
Assumption
The SPN maps A to B, no matterwhat the round keys are.
Theoretical results :
A and B are linear,
A is transformed througheach step of the SPN in adeterministic way,
At least one S-box maps alinear partition to anotherone.
A
B
EK
L(V [0])
L(V [r ])
Add k [0]
Substitution
Diffusion
L(V [0])
L(W [0])
L(V [1])
...
Add k [r−1]
Add k [r ]
Substitution
Diffusion
L(V [r−1])
L(V [r−1])
L(W [r−1])
L(V [r ])
(ESIEA - (C + V )O lab) RusKrypto 2017 10 / 21
Partition-Based Backdoor SPN
Assumption
The SPN maps A to B, no matterwhat the round keys are.
Theoretical results :
A and B are linear,
A is transformed througheach step of the SPN in adeterministic way,
At least one S-box maps alinear partition to anotherone.
A
B
EK
L(V [0])
L(V [r ])
Add k [0]
Substitution
Diffusion
L(V [0])
L(W [0])
L(V [1])
...
Add k [r−1]
Add k [r ]
Substitution
Diffusion
L(V [r−1])
L(V [r−1])
L(W [r−1])
L(V [r ])
(ESIEA - (C + V )O lab) RusKrypto 2017 10 / 21
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks120-bit master key and twelve 80-bit round keys11 rounds (the last round involves two round keys)
Primitives & base functions
Key schedule & key addition (bitwise XOR)Substitution layer (involves four S-Boxes over F10
2 )Diffusion layer (ShiftRows and MixColumns operations)Linear map M : (F10
2 )4 → (F102 )4
S-Boxes, linear map M and pseudo-codes for the different functionsare given in the ForSE 2017 paper
BEA-1 is statically compliant with FIPS 140 (US NIST standard) andresists to linear/differential attacks.
(ESIEA - (C + V )O lab) RusKrypto 2017 11 / 21
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks120-bit master key and twelve 80-bit round keys11 rounds (the last round involves two round keys)
Primitives & base functions
Key schedule & key addition (bitwise XOR)Substitution layer (involves four S-Boxes over F10
2 )Diffusion layer (ShiftRows and MixColumns operations)Linear map M : (F10
2 )4 → (F102 )4
S-Boxes, linear map M and pseudo-codes for the different functionsare given in the ForSE 2017 paper
BEA-1 is statically compliant with FIPS 140 (US NIST standard) andresists to linear/differential attacks.
(ESIEA - (C + V )O lab) RusKrypto 2017 11 / 21
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks120-bit master key and twelve 80-bit round keys11 rounds (the last round involves two round keys)
Primitives & base functions
Key schedule & key addition (bitwise XOR)Substitution layer (involves four S-Boxes over F10
2 )Diffusion layer (ShiftRows and MixColumns operations)Linear map M : (F10
2 )4 → (F102 )4
S-Boxes, linear map M and pseudo-codes for the different functionsare given in the ForSE 2017 paper
BEA-1 is statically compliant with FIPS 140 (US NIST standard) andresists to linear/differential attacks.
(ESIEA - (C + V )O lab) RusKrypto 2017 11 / 21
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks120-bit master key and twelve 80-bit round keys11 rounds (the last round involves two round keys)
Primitives & base functions
Key schedule & key addition (bitwise XOR)Substitution layer (involves four S-Boxes over F10
2 )Diffusion layer (ShiftRows and MixColumns operations)Linear map M : (F10
2 )4 → (F102 )4
S-Boxes, linear map M and pseudo-codes for the different functionsare given in the ForSE 2017 paper
BEA-1 is statically compliant with FIPS 140 (US NIST standard) andresists to linear/differential attacks.
(ESIEA - (C + V )O lab) RusKrypto 2017 11 / 21
BEA-1 Round Function
(ESIEA - (C + V )O lab) RusKrypto 2017 12 / 21
BEA-1 Key Schedule
(ESIEA - (C + V )O lab) RusKrypto 2017 13 / 21
Summary of the talk
1 Introduction
2 Description of BEA-1
3 BEA-1 Cryptanalysis
4 Conclusion and Future Work
(ESIEA - (C + V )O lab) RusKrypto 2017 14 / 21
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) RusKrypto 2017 15 / 21
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1 B1 C1 D1 A1 B1 C1 D1
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) RusKrypto 2017 15 / 21
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1
A1
B1
B1
C1
C1
D1
D1
A1
A1
B1
B1
C1
C1
D1
D1
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) RusKrypto 2017 15 / 21
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1
A1
A2
B1
B1
B2
C1
C1
C2
D1
D1
D2
A1
A1
A2
B1
B1
B2
C1
C1
C2
D1
D1
D2
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) RusKrypto 2017 15 / 21
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1
A1
A2
A2
B1
B1
B2
B2
C1
C1
C2
C2
D1
D1
D2
D2
A1
A1
A2
A2
B1
B1
B2
B2
C1
C1
C2
C2
D1
D1
D2
D2
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) RusKrypto 2017 15 / 21
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1
A1
A2
A2
A1
B1
B1
B2
B2
B1
C1
C1
C2
C2
C1
D1
D1
D2
D2
D1
A1
A1
A2
A2
A1
B1
B1
B2
B2
B1
C1
C1
C2
C2
C1
D1
D1
D2
D2
D1
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) RusKrypto 2017 15 / 21
Principle of the Cryptanalysis
15 2
1 2
(ESIEA - (C + V )O lab) RusKrypto 2017 16 / 21
Principle of the Cryptanalysis
F
15 2
1 2
1 4
12 3
(ESIEA - (C + V )O lab) RusKrypto 2017 16 / 21
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
(ESIEA - (C + V )O lab) RusKrypto 2017 16 / 21
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
1 3
4 12
Wrong Key
1 3
4 12
(ESIEA - (C + V )O lab) RusKrypto 2017 16 / 21
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
⊕k
1 4
12 3
1 3
4 12
Wrong Key
1 3
4 12
(ESIEA - (C + V )O lab) RusKrypto 2017 16 / 21
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
F−1
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Wrong Key
1 3
4 12
(ESIEA - (C + V )O lab) RusKrypto 2017 16 / 21
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
F−1
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Wrong Key
⊕k ′
4 12
3 1
1 3
4 12
(ESIEA - (C + V )O lab) RusKrypto 2017 16 / 21
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
F−1
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Wrong Key
F−1
⊕k ′
4 4
10 2
4 12
3 1
1 3
4 12
(ESIEA - (C + V )O lab) RusKrypto 2017 16 / 21
Overview of the Cryptanalysis
Find the output coset of
(A2×B2×C2×D2)2. There are 240
possibilities.S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
At the end of this step, we keep
215 80-bit candidates from the 280
possible.
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7
S3 S3
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
At the end of this step, we keep
215 80-bit candidates from the 280
possible.
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110
S3 S3S0
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
At the end of this step, we keep
215 80-bit candidates from the 280
possible.
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4
S3 S3S0 S0
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
At the end of this step, we keep
215 80-bit candidates from the 280
possible.
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111
S3 S3S0 S0 S1
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
At the end of this step, we keep
215 80-bit candidates from the 280
possible.
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5
S3 S3S0 S0 S1S1
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
At the end of this step, we keep
215 80-bit candidates from the 280
possible.
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5k112
S3 S3S0 S0 S1S1 S2
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
At the end of this step, we keep
215 80-bit candidates from the 280
possible.
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5k112 k11
6
S3 S3S0 S0 S1S1 S2 S2
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
According to the key schedule:
k100 = k11
0 ⊕ k114
k101 = k11
1 ⊕ k115
k102 = k11
2 ⊕ k116
k103 = k11
3 ⊕ k117
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5k112 k11
6
S3 S3S0 S0 S1S1 S2 S2
k100 k10
1 k102 k10
3
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5k112 k11
6
S3 S3S0 S0 S1S1 S2 S2
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Save the best key:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Observe that:
(k104 , k10
5 , k106 , k10
7 )
= M(k ′104 , k ′10
5 , k ′106 , k ′10
7 )S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Test the 215 saved keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Save the 215 best keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
S3
k ′107
S0
k ′104
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Test the 215 saved keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Save the 215 best keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
S3
k ′107
S0
k ′104
S1
k ′105
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
Brute force:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Test the 215 saved keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Save the 215 best keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
S3
k ′107
S0
k ′104
S1
k ′105
S2
k ′106
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Overview of the Cryptanalysis
For each saved key,
deduce the cipher key and test it
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
S3
k ′107
S0
k ′104
S1
k ′105
S2
k ′106
(ESIEA - (C + V )O lab) RusKrypto 2017 17 / 21
Cryptanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024
Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) RusKrypto 2017 18 / 21
Cryptanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) RusKrypto 2017 18 / 21
Cryptanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) RusKrypto 2017 18 / 21
Cryptanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) RusKrypto 2017 18 / 21
Cryptanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)
Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) RusKrypto 2017 18 / 21
Cryptanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)
Probability of success > 95%
(ESIEA - (C + V )O lab) RusKrypto 2017 18 / 21
Cryptanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) RusKrypto 2017 18 / 21
Summary of the talk
1 Introduction
2 Description of BEA-1
3 BEA-1 Cryptanalysis
4 Conclusion and Future Work
(ESIEA - (C + V )O lab) RusKrypto 2017 19 / 21
Conclusion
Proposition of an AES-like backdoored algorithm (80-bit block,120-bit key, 11 rounds)
The backdoor is at the design levelResistant to most known cryptanalysesBut absolutely unsuitable for actual securityIllustrates the issue of using foreign encryption algorithms which mightbe backdoored
Future work
First step in a larger research workUse of more sophisticated combinatorial structuresConsidering key space partionningOther backdoored algorithms to be published. Use of zero-knowledgecryptanalysis proof
(ESIEA - (C + V )O lab) RusKrypto 2017 20 / 21
Conclusion
Proposition of an AES-like backdoored algorithm (80-bit block,120-bit key, 11 rounds)
The backdoor is at the design levelResistant to most known cryptanalysesBut absolutely unsuitable for actual securityIllustrates the issue of using foreign encryption algorithms which mightbe backdoored
Future work
First step in a larger research workUse of more sophisticated combinatorial structuresConsidering key space partionningOther backdoored algorithms to be published. Use of zero-knowledgecryptanalysis proof
(ESIEA - (C + V )O lab) RusKrypto 2017 20 / 21
Conclusion
Thank you for your attention
Questions & Answers
(ESIEA - (C + V )O lab) RusKrypto 2017 21 / 21