
One Construction of a Backdoored AES-like Block Cipher and How to Break it

Arnaud Bannier & Eric Filiol
filiol@esiea.fr

ESIEA
Operational Cryptology and Virology Lab (C + V)^O

(ESIEA - (C + V)^O lab) RusKrypto 2017 1 / 21


Agenda

1 Introduction
2 Description of BEA-1
    Theoretical Background
    BEA-1 Presentation and Details
3 BEA-1 Cryptanalysis
4 Conclusion and Future Work



Introduction

Encryption systems have always been under export controls (ITAR, Wassenaar...). They are considered as weapons and dual-use goods.

Implementation backdoors
- Key escrowing, key management and key distribution protocol weaknesses (refer to the recent CIA leak)
- Hackers are likely to find and use them as well

Mathematical backdoors
- Put a secret flaw at the design level while the algorithm remains public
- Finding the backdoor must be an intractable problem while exploiting it must be easy
- Historic cases: Crypto AG and the Buehler case (1995)
- Extremely little open and public research in this area
- Known existence of NSA and GCHQ research programs

Sovereignty issue: can we trust foreign encryption algorithms?


Aim of our Research

Try to answer the key question: how easy and feasible is it to design and insert backdoors (at the mathematical level) in encryption algorithms?

- Explore the different possible approaches
- The present work is a first step
- We consider a particular case of backdoors here (linear partition of the data spaces)
- For more details on backdoors and the few existing works, please refer to our ForSE 2017 paper, available at https://arxiv.org/abs/1702.06475



Partition-based Trapdoors

- Based on our theoretical work (Bannier, Bodin & Filiol, 2016; Bannier & Filiol, 2017)
- Generalization of Paterson's work (1999)

- BEA-1 is inspired by the Advanced Encryption Standard (AES)
- BEA-1 is a Substitution-Permutation Network (SPN)
- BEA-1 stands for Backdoored Encryption Algorithm version 1


Linear Partitions

Definition (Linear Partition)
A partition of F_2^n made up of all the cosets of a linear subspace is said to be linear.

Example of a linear partition over F_2^3 (figure: the eight elements 0..7 of F_2^3 drawn as a cube, with the elements of each coset joined):
    V = {000, 101} = {0, 5},
    001 + V = {001, 100} = {1, 4},
    010 + V = {010, 111} = {2, 7},
    011 + V = {011, 110} = {3, 6},
    L(V) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.


Linear Partitions

The 16 linear partitions over F_2^3 (figure: each of the 16 partitions drawn on the cube of F_2^3).

There are 229 755 605 linear partitions over F_2^10.


Partition-Based Backdoor SPN

Assumption
The SPN E_K maps the partition A to the partition B, no matter what the round keys are.

Theoretical results:
- A and B are linear: A = L(V^[0]) and B = L(V^[r]),
- A is transformed through each step of the SPN in a deterministic way,
- At least one S-box maps a linear partition to another one.

(figure: the partition followed through the r rounds of the SPN)
    A = L(V^[0])
    Add k^[0]       ->  L(V^[0])
    Substitution    ->  L(W^[0])
    Diffusion       ->  L(V^[1])
    ...
                        L(V^[r-1])
    Add k^[r-1]     ->  L(V^[r-1])
    Substitution    ->  L(W^[r-1])
    Diffusion       ->  L(V^[r])
    Add k^[r]       ->  L(V^[r])
    B = L(V^[r])
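The two slides above (the linear partitions of F_2^n, and the S-box property the backdoor relies on) as one added, runnable example; this is illustration code, not code from the slides or from the BEA-1 paper. The two 3-bit S-boxes are constructed for the example and are not BEA-1's 10-bit S-boxes.

```python
# Added example (not from the slides or the BEA-1 paper): enumerate the linear
# partitions L(V) of F_2^n, count them with Gaussian binomials, and audit an S-box
# for the property the backdoor relies on: mapping one linear partition to another.
from itertools import combinations


def span(generators):
    """Linear subspace of F_2^n spanned by the given vectors (ints as bit vectors)."""
    space = {0}
    for g in generators:
        space |= {v ^ g for v in space}
    return frozenset(space)


def linear_subspaces(n):
    """All linear subspaces of F_2^n (brute force, fine for small n)."""
    found = {frozenset({0})}
    for k in range(1, n + 1):
        for gens in combinations(range(1, 1 << n), k):
            found.add(span(gens))
    return found


def linear_partition(V, n):
    """L(V): the set of all cosets x + V of V inside F_2^n."""
    return frozenset(frozenset(x ^ v for v in V) for x in range(1 << n))


def gaussian_binomial(n, k, q=2):
    """Number of k-dimensional subspaces of F_q^n."""
    num = den = 1
    for i in range(k):
        num *= q ** (n - i) - 1
        den *= q ** (i + 1) - 1
    return num // den


def count_linear_partitions(n):
    """Linear partitions of F_2^n are in bijection with its subspaces."""
    return sum(gaussian_binomial(n, k) for k in range(n + 1))


def maps_partition(sbox, V, W):
    """True iff S sends every coset of V into a single coset of W, i.e.
    S(x ^ v) ^ S(x) lies in W for every x and every v in V."""
    return all((sbox[x ^ v] ^ sbox[x]) in W for x in range(len(sbox)) for v in V)


def partition_pairs(sbox, n):
    """All (V, W) with S(L(V)) = L(W), ignoring the trivial subspaces {0} and F_2^n."""
    nontrivial = [V for V in linear_subspaces(n) if 1 < len(V) < (1 << n)]
    return [(V, W) for V in nontrivial for W in nontrivial if maps_partition(sbox, V, W)]


# Constructed 3-bit S-boxes (not BEA-1's): the first is nonlinear but built so that
# the cosets of V = {0, 5} land in the cosets of W = {0, 3}; the second is the
# APN cube map x -> x^3 over GF(2^3), which preserves no nontrivial linear partition.
BACKDOORED_SBOX = [3, 1, 4, 5, 2, 0, 6, 7]
CLEAN_SBOX = [0, 1, 3, 4, 5, 6, 7, 2]

if __name__ == "__main__":
    V = span([0b101])  # V = {000, 101} = {0, 5}, the slide's example
    print(sorted(sorted(c) for c in linear_partition(V, 3)))  # [[0, 5], [1, 4], [2, 7], [3, 6]]
    print(len({linear_partition(V, 3) for V in linear_subspaces(3)}))  # 16
    print(count_linear_partitions(10))  # 229755605
    for V, W in partition_pairs(BACKDOORED_SBOX, 3):
        print("backdoored S-box maps L(%s) to L(%s)" % (sorted(V), sorted(W)))
    print("clean S-box pairs:", partition_pairs(CLEAN_SBOX, 3))  # []
```

For 10-bit S-boxes the 229 755 605 subspaces make the exhaustive pair search of `partition_pairs` impractical, so an audit of a real S-box has to prune the candidate subspaces; `maps_partition` itself stays cheap for any given (V, W).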
BEA-1 Key Features

Parameters
- BEA-1 operates on 80-bit data blocks
- 120-bit master key and twelve 80-bit round keys
- 11 rounds (the last round involves two round keys)

Primitives & base functions
- Key schedule & key addition (bitwise XOR)
- Substitution layer (involves four S-boxes over F_2^10)
- Diffusion layer (ShiftRows and MixColumns operations)
- Linear map M : (F_2^10)^4 -> (F_2^10)^4

S-boxes, the linear map M and pseudo-codes for the different functions are given in the ForSE 2017 paper.

BEA-1 is statistically compliant with FIPS 140 (US NIST standard) and resists linear/differential attacks.


BEA-1 Round Function

(figure only)


BEA-1 Key Schedule

(figure only)



Linear Partitions and the Round Function

(figure, reconstructed as a table: how the linear partitions of the eight 10-bit bundles travel through one round)

Bundle            0      1      2      3      4      5      6      7
Bits              0-9    10-19  20-29  30-39  40-49  50-59  60-69  70-79
Round input       A1     B1     C1     D1     A1     B1     C1     D1
After key add     A1     B1     C1     D1     A1     B1     C1     D1
S-box             S0     S1     S2     S3     S0     S1     S2     S3
After S-boxes     A2     B2     C2     D2     A2     B2     C2     D2
Input to M        A2     B2     C2     D2     A2     B2     C2     D2
Linear map        M (bundles 0-3)             M (bundles 4-7)
After M           A1     B1     C1     D1     A1     B1     C1     D1

Each row lists one linear partition of F_2^10 per bundle: the key addition only translates cosets, each S-box S_i maps its input partition to the corresponding output partition, and M, applied to each 40-bit half, brings the pattern back to A1 B1 C1 D1, so the same pattern is reproduced round after round.


Principle of the Cryptanalysis

(figure only: counts of values per coset under the "Right Key" versus a "Wrong Key", before and after the last round F is inverted with F^-1 under a key guess k or k'; the individual counts in the figure are not recoverable from the text)


Overview of the Cryptanalysis

(figure: the last two rounds of BEA-1, drawn as the round key k^9 = (k_0^9, ..., k_7^9), the S-box layer S0 S1 S2 S3 S0 S1 S2 S3, the linear map M on each 40-bit half, the round key k^10 = (k_0^10, ..., k_7^10), a second S-box layer and the final round key k^11 = (k_0^11, ..., k_7^11))

1. Find the output coset of (A2 B2 C2 D2)^2. There are 2^40 possibilities.

2. Recover the last round key:
   - Brute force (k_0^11, k_1^11, k_2^11, k_3^11, k_4^11, k_5^11, k_6^11, k_7^11)
   - Save the 2^15 best keys
   - Test the 2^15 saved keys
   - At the end of this step, we keep 2^15 80-bit candidates from the 2^80 possible.

3. According to the key schedule:
       k_0^10 = k_0^11 ⊕ k_4^11
       k_1^10 = k_1^11 ⊕ k_5^11
       k_2^10 = k_2^11 ⊕ k_6^11
       k_3^10 = k_3^11 ⊕ k_7^11
   Test the 2^15 saved keys (k_0^11, ..., k_7^11) and save the best key.

4. Observe that (k_4^10, k_5^10, k_6^10, k_7^10) = M(k'_4^10, k'_5^10, k'_6^10, k'_7^10), i.e. the second half of k^10 can be replaced by a key k'^10 added before the linear map M.
   - Brute force (k'_4^10, k'_5^10, k'_6^10, k'_7^10)
   - Save the 2^15 best keys
   - Test the 2^15 saved keys

5. For each saved key, deduce the cipher key and test it.


Cryptanalysis Summary

Probabilities for the modified cipher
- S0, S1, S2: 944/1024, S3: 925/1024
- Round function: (944/1024)^6 (925/1024)^2 ≈ 2^-1
- Full cipher: (2^-1)^11 = 2^-11
- If 30 000 plaintexts lie in the same coset, 30 000 × 2^-11 ≈ 15 ciphertexts lie in the same coset on average

Complexity of the cryptanalysis
- Data: 30 000 plaintext/ciphertext pairs (2 300 Kb)
- Time: 10 s on a laptop (Core i7, 4 cores, 2.50 GHz)
- Probability of success > 95%
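Carrying the slide's figures through, as an added worked check that is not on the original slides (the eight bundles of one round go through S0, S1, S2, S3, S0, S1, S2, S3, hence six factors of 944/1024 and two of 925/1024, treated as independent):

$$
p_{\text{round}} = \left(\frac{944}{1024}\right)^{6}\left(\frac{925}{1024}\right)^{2} \approx 0.6138 \times 0.8160 \approx 0.5009 \approx 2^{-1}
$$

$$
p_{\text{cipher}} = p_{\text{round}}^{\,11} \approx 2^{-11} \approx 4.9 \times 10^{-4}, \qquad 30\,000 \times 2^{-11} \approx 14.6 \approx 15
$$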



Conclusion

- Proposition of an AES-like backdoored algorithm (80-bit block, 120-bit key, 11 rounds)
- The backdoor is at the design level
- Resistant to most known cryptanalyses
- But absolutely unsuitable for actual security
- Illustrates the issue of using foreign encryption algorithms which might be backdoored

Future work
- First step in a larger research work
- Use of more sophisticated combinatorial structures
- Considering key space partitioning
- Other backdoored algorithms to be published. Use of zero-knowledge cryptanalysis proof

Thank you for your attention

Questions & Answers
