Professional Documents
Culture Documents
ESIEA
Operational Cryptology and Virology Lab (C + V )O
1 Introduction
2 Description of BEA-1
Theoretical Background
BEA-1 Presentation and Details
3 BEA-1 Cryptanalysis
1 Introduction
2 Description of BEA-1
3 BEA-1 Cryptanalysis
1 Introduction
2 Description of BEA-1
Theoretical Background
BEA-1 Presentation and Details
3 BEA-1 Cryptanalysis
Based on our theoretical work (Bannier, Bodin & Filiol, 2016; Bannier
& Filiol, 2017)
Generalization of Patersons work (1999)
Based on our theoretical work (Bannier, Bodin & Filiol, 2016; Bannier
& Filiol, 2017)
Generalization of Patersons work (1999)
4 7
5 6
4 7
5 6
4 7
5 6
2 1 2 1 2 1 2 1 2 1
3 0 3 0 3 0 3 0 3 0
4 7 4 7 4 7 4 7 4 7
5 6 5 6 5 6 5 6 5 6
2 1 2 1 2 1 2 1 2 1 2 1
3 0 3 0 3 0 3 0 3 0 3 0
4 7 4 7 4 7 4 7 4 7 4 7
5 6 5 6 5 6 5 6 5 6 5 6
2 1 2 1 2 1 2 1 2 1
3 0 3 0 3 0 3 0 3 0
4 7 4 7 4 7 4 7 4 7
5 6 5 6 5 6 5 6 5 6
2 1 2 1 2 1 2 1 2 1
3 0 3 0 3 0 3 0 3 0
4 7 4 7 4 7 4 7 4 7
5 6 5 6 5 6 5 6 5 6
2 1 2 1 2 1 2 1 2 1 2 1
3 0 3 0 3 0 3 0 3 0 3 0
4 7 4 7 4 7 4 7 4 7 4 7
5 6 5 6 5 6 5 6 5 6 5 6
2 1 2 1 2 1 2 1 2 1
3 0 3 0 3 0 3 0 3 0
4 7 4 7 4 7 4 7 4 7
5 6 5 6 5 6 5 6 5 6
Assumption
The SPN maps A to B, no matter
what the round keys are.
EK
B
O
(ESIEA - (C + V ) lab) RusKrypto 2017 10 / 21
Partition-Based Backdoor SPN
A L(V [0] )
Assumption
The SPN maps A to B, no matter
what the round keys are.
Theoretical results :
A and B are linear, EK
B L(V [r ] )
(ESIEA - (C + V )O lab) RusKrypto 2017 10 / 21
Partition-Based Backdoor SPN
A L(V [0] )
Diffusion
L(V [1] )
Theoretical results : ..
.
A and B are linear, EK L(V [r 1] )
Diffusion
L(V [r ] )
Add k [r ]
B L(V [r ] )
(ESIEA - (C + V )O lab) RusKrypto 2017 10 / 21
Partition-Based Backdoor SPN
A L(V [0] )
Diffusion
L(V [1] )
Theoretical results : ..
.
A and B are linear, EK L(V [r 1] )
B L(V [r ] )
(ESIEA - (C + V )O lab) RusKrypto 2017 10 / 21
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks
120-bit master key and twelve 80-bit round keys
11 rounds (the last round involves two round keys)
Parameters
BEA-1 operates on 80-bit data blocks
120-bit master key and twelve 80-bit round keys
11 rounds (the last round involves two round keys)
Parameters
BEA-1 operates on 80-bit data blocks
120-bit master key and twelve 80-bit round keys
11 rounds (the last round involves two round keys)
Parameters
BEA-1 operates on 80-bit data blocks
120-bit master key and twelve 80-bit round keys
11 rounds (the last round involves two round keys)
1 Introduction
2 Description of BEA-1
3 BEA-1 Cryptanalysis
Bundle 0 1 2 3 4 5 6 7
Bit 0009 1019 2029 3039 4049 5059 6069 7079
S0 S1 S2 S3 S0 S1 S2 S3
M M
Bundle 0 1 2 3 4 5 6 7
Bit 0009 1019 2029 3039 4049 5059 6069 7079
A1 B1 C1 D1 A1 B1 C1 D1
S0 S1 S2 S3 S0 S1 S2 S3
M M
Bundle 0 1 2 3 4 5 6 7
Bit 0009 1019 2029 3039 4049 5059 6069 7079
A1 B1 C1 D1 A1 B1 C1 D1
A1 B1 C1 D1 A1 B1 C1 D1
S0 S1 S2 S3 S0 S1 S2 S3
M M
Bundle 0 1 2 3 4 5 6 7
Bit 0009 1019 2029 3039 4049 5059 6069 7079
A1 B1 C1 D1 A1 B1 C1 D1
A1 B1 C1 D1 A1 B1 C1 D1
S0 S1 S2 S3 S0 S1 S2 S3
A2 B2 C2 D2 A2 B2 C2 D2
M M
Bundle 0 1 2 3 4 5 6 7
Bit 0009 1019 2029 3039 4049 5059 6069 7079
A1 B1 C1 D1 A1 B1 C1 D1
A1 B1 C1 D1 A1 B1 C1 D1
S0 S1 S2 S3 S0 S1 S2 S3
A2 B2 C2 D2 A2 B2 C2 D2
A2 B2 C2 D2 A2 B2 C2 D2
M M
Bundle 0 1 2 3 4 5 6 7
Bit 0009 1019 2029 3039 4049 5059 6069 7079
A1 B1 C1 D1 A1 B1 C1 D1
A1 B1 C1 D1 A1 B1 C1 D1
S0 S1 S2 S3 S0 S1 S2 S3
A2 B2 C2 D2 A2 B2 C2 D2
A2 B2 C2 D2 A2 B2 C2 D2
M M
A1 B1 C1 D1 A1 B1 C1 D1
15 2
1 2
15 2
1 2
1 4
12 3
15 2
1 2
1 4
12 3
1 3
4 12
1 2
1 4
12 3
1 3 1 3 1 3
4 12 4 12 4 12
1 2
1 4 1 4
12 3 12 3
k k
1 3 1 3 1 3
4 12 4 12 4 12
1 2 1 2
F F 1
1 4 1 4
12 3 12 3
k k
1 3 1 3 1 3
4 12 4 12 4 12
1 2 1 2
F F 1
1 4 1 4 4 12
12 3 12 3 3 1
k k k 0
1 3 1 3 1 3
4 12 4 12 4 12
1 2 1 2 10 2
F F 1 F 1
1 4 1 4 4 12
12 3 12 3 3 1
k k k 0
1 3 1 3 1 3
4 12 4 12 4 12
M M
k010 k110 k210 k310 k410 k510 k610 k710
S0 S1 S2 S3 S0 S1 S2 S3
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k011 , k111 , k211 , k311 , k411 , k511 , k611 , k711 )
M M
k010 k110 k210 k310 k410 k510 k610 k710
S0 S1 S2 S3 S0 S1 S2 S3
S0 S1 S2 S3 S0 S1 S2 S3
M M
k010 k110 k210 k310 k410 k510 k610 k710
S0 S1 S2 S3 S0 S1 S2 S3
S0 S1 S2 S3 S0 S1 S2 S3
M M
k010 k110 k210 k310 k410 k510 k610 k710
S0 S1 S2 S3 S0 S1 S2 S3
Observe that:
k09 k19 k29 k39 k49 k59 k69 k79 (k410 , k510 , k610 , k710 )
= M(k4010 , k5010 , k6010 , k7010 )
S0 S1 S2 S3 S0 S1 S2 S3
S0 S1 S2 S3 S0 S1 S2 S3
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k4010 , k5010 , k6010 , k7010 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k4010 , k5010 , k6010 , k7010 )
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k4010 , k5010 , k6010 , k7010 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k4010 , k5010 , k6010 , k7010 )
Brute force:
k09 k19 k29 k39 k49 k59 k69 k79 (k4010 , k5010 , k6010 , k7010 )
Test the 215 saved keys:
S0 S1 S2 S3 S0 S1 S2 S3
(k4010 , k5010 , k6010 , k7010 )
S0 S1 S2 S3 S0 S1 S2 S3
1 Introduction
2 Description of BEA-1
3 BEA-1 Cryptanalysis
Future work
First step in a larger research work
Use of more sophisticated combinatorial structures
Considering key space partionning
Other backdoored algorithms to be published. Use of zero-knowledge
cryptanalysis proof