by-design backdooring of encryption system can we … · by-design backdooring of encryption system...
TRANSCRIPT
By-design Backdooring of Encryption SystemCan We Trust Foreign Encryption Algorithms?
Arnaud Bannier & Eric Filiol (speaker)[email protected]
ESIEAOperational Cryptology and Virology Lab (C + V )O
(ESIEA - (C + V )O lab) Black Hat Europe 2017 1 / 44
Agenda
1 Introduction: what is the issue?
2 History of known (and less known) backdoored algorithms
3 Description of BEA-1Theoretical BackgroundBEA-1 Presentation and Details
4 BEA-1 Cryptanalysis
5 Conclusion and Future Work
(ESIEA - (C + V )O lab) Black Hat Europe 2017 2 / 44
Summary of the talk
1 Introduction: what is the issue?
2 History of known (and less known) backdoored algorithms
3 Description of BEA-1
4 BEA-1 Cryptanalysis
5 Conclusion and Future Work
(ESIEA - (C + V )O lab) Black Hat Europe 2017 3 / 44
Key Question
Just imagine that if unconditionally secure systems (computer, informationsecurity) would be possible (theoretically AND practically), would it be
desirable to export them?
The answer is NO due to
National Security Issues (Intelligence, Defense, Police, Justice. . . )Strategic dominance, information assurance. . .Economic warfare & dominance (since 1989)
(ESIEA - (C + V )O lab) Black Hat Europe 2017 4 / 44
70 Years of Control
Since the end of WWII, cryptology is under control. This control hasnever weakened
UKUSA (5 eyes)/9 eyes/14 eyes SIGINT Seniors Europe. . .
International Traffic in Arms regulations (ITAR, part 121) andsubsequent regulations (Wassenaar. . . )
If cryptology is allowed/free of use, then it is under control1997 is a key year (withdrawn from ITAR) and early 2000s in Europe:the rise of connected world. The control will be far easier (computer,OS, network. . . )
Cryptology is the most critical part in security: who is controllingcryptology, is controlling everything
(ESIEA - (C + V )O lab) Black Hat Europe 2017 6 / 44
The Wassenaar Agreement
Almost all G-20 countries have a national regulation regardingcryptology (use/import/export) or at least have signed aninternational regulation
http://rechten.uvt.nl/koops/cryptolaw/
http://www.wassenaar.org/ - 42 members
Cryptology is listed in part 5b ⇒ exporting encryption algorithmswith key size greater than 56 bits (symmetric cryptology) is subject toexport control!
As a consequence, the world diffusion of encryption algorithms whosekey size ≥ 128 bits is a clear violation of the Wassenaar agreement. . . unless some sort of control has been organized/enforced.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 7 / 44
What does “Operational cryptanalysis” Means?
Intelligence/operational point of view: really breaking an encryptionsystem means
Accessing the plaintext in a time shorter than the life of theinformation (regarding its operational value)Practically speaking: a matter of hours (supercomputing time ishorribly expensive)With a reduced amount of encrypted data (a few Kb to a few Mb)Must be played a large number of times (a clever enemy changes thekey very often, encrypted traffic explodes)
Academic attacks have just. . . an academic interest!
(ESIEA - (C + V )O lab) Black Hat Europe 2017 8 / 44
Control Techniques
The control techniques depend on the target context/environment
(ESIEA - (C + V )O lab) Black Hat Europe 2017 9 / 44
Trapdoor vs Backdoors
Trapdoors are an intended and necessary feature in asymmetriccryptology
Backdoors are an undesirable feature
Implementation backdoors
Key escrowing, key management and key distribution protocolsweaknesses (refer to recent CIA leak)So called OS/software (recurrent) vulnerabilities (invoking developersincompetence is much clever)Hackers are likely to find and use them as well
(ESIEA - (C + V )O lab) Black Hat Europe 2017 10 / 44
Mathematical Backdoors
Key Principle
Put a secret flaw at the design level while the algorithm remains publicFinding the backdoor must be an intractable problem while exploitingit must be “easy”
Two kind of backdoors
“Natural weakness” known by the tester/certifier (e.g NSA case withdifferential cryptanalysis)Intended weakness put by the encryption algorithm designer
Extremely few open and public research in this area
Known existence of NSA and GCHQ research programs
Sovereignty issue: can we trust foreign encryption algorithms?
(ESIEA - (C + V )O lab) Black Hat Europe 2017 11 / 44
Aim of our Research
Try to answer to the key question
“How easy and feasible is it to design and to insert backdoors (at themathematical level) in encryption algorithms?”
Explore the different possible approaches
The present work is a first stepWe consider a particular case of backdoors here (linear partition of thedata spaces)
For more details on technical aspects, please refer to our free book
Available on https://www.intechopen.com/books/
partition-based-trapdoor-ciphers
(ESIEA - (C + V )O lab) Black Hat Europe 2017 12 / 44
Aim of our Research
Try to answer to the key question
“How easy and feasible is it to design and to insert backdoors (at themathematical level) in encryption algorithms?”
Explore the different possible approaches
The present work is a first stepWe consider a particular case of backdoors here (linear partition of thedata spaces)
For more details on technical aspects, please refer to our free book
Available on https://www.intechopen.com/books/
partition-based-trapdoor-ciphers
(ESIEA - (C + V )O lab) Black Hat Europe 2017 12 / 44
Aim of our Research
Try to answer to the key question
“How easy and feasible is it to design and to insert backdoors (at themathematical level) in encryption algorithms?”
Explore the different possible approaches
The present work is a first stepWe consider a particular case of backdoors here (linear partition of thedata spaces)
For more details on technical aspects, please refer to our free book
Available on https://www.intechopen.com/books/
partition-based-trapdoor-ciphers
(ESIEA - (C + V )O lab) Black Hat Europe 2017 12 / 44
Summary of the talk
1 Introduction: what is the issue?
2 History of known (and less known) backdoored algorithms
3 Description of BEA-1
4 BEA-1 Cryptanalysis
5 Conclusion and Future Work
(ESIEA - (C + V )O lab) Black Hat Europe 2017 13 / 44
Cryptography Industry After WWII til the 90s
In Switzerland, Crypto AG/Gretag hold more than 90 % of the worldmarket (since 1945)
Almost all countries/organizations (120 in 1995) were buyingcryptomachines for gvt, mil, diplomatic, economic needs except a veryfew (USA, France, UK...).
1995 The Hans Buehler case changed the cryptologic face of the(cryptographic) world.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 14 / 44
The Hans Buelher Case
Crypto AG’s top marketing representative arrested in Teheran in 1992.
Leaks in the Press (Berlin Club bombing, Chapur Bakhtiarassassination in Paris) by Gov. officials gave hints to Iranian govt thatcryptography was probably backdoored.
9 months in Iranian jails
Reveals the scandal: NSA, BND and others have infiltrated CryptoAG, Gretag and other companies to put trapdoors in export versionsof crypto machines systematically
The UKUSA/ANZUS countries were able to read openly most of theworld encrypted traffic during nearly 50 years
Exploited the fact that encryption algorithms were not public!
(ESIEA - (C + V )O lab) Black Hat Europe 2017 16 / 44
Backdoor Example...Among Many Others
Example drawn from a serie of a cryptomachines sold in early 90s andrigged by the NSA
Base key K (changed every day, week. . . ) and a message key Km
A Boolean function defined over Fn2 which is not correlation-immune
is used as a critical primitive
How to trap the Boolean function:
Use a message key Km = (k0m, k
1m, . . . , k
im, . . . , k
2n−1−1m ) of size 2n−1
Xor it by half to the Boolean function truth table
∀xi ∈ [0, 2n−1 − 1], f (xi )← f (xi )⊕ k im
and f (xi + 2n−1)← f (xi + 2n−1)⊕ k im
The Boolean function remains highly correlated to a few of its input
Many other tricky variants possible
(ESIEA - (C + V )O lab) Black Hat Europe 2017 18 / 44
The Bullrun Program
Goal: bypass operationally any cryptology protection
Tampering with national standards (NIST is specifically mentioned) topromote weak, or otherwise vulnerable cryptography (e.gDual EC DRBG, see further)Influencing standards committees to weaken protocols (or influencingto bar strong algorithms [Gost])Working with hardware and software vendors to weaken encryption andrandom number generatorsIdentifying and cracking vulnerable keysEstablishing a Human Intelligence division to infiltrate the globaltelecommunications industry. . .
Annual budget: 250 millions $ per year.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 19 / 44
Dual EC RDBG RSA B-Safe
Dual Elliptic Curve Deterministic Random Bit Generator(Dual EC DRBG). Used to generate random keys. ISO and ANSIstandards
Used in many environments (Blackberry, SSL/TLS)
Fixed choice of constants P and Q makes most of the backdoor (seehttp://blog.cryptographyengineering.com/2013/09/
the-many-flaws-of-dualecdrbg.html)
Shumow-Ferguson Crypto 2007
Nobody knows where Dual EC RDBG parameters came from
In SSL/TLS, NSA can recover the pre-master secret (RSAhandshake) easily
(ESIEA - (C + V )O lab) Black Hat Europe 2017 21 / 44
Dual EC RDBG RSA B-Safe: Timeline
2004 - RSA makes Dual EC DRBG the default CSPRNG in BSAFE
2005 - ISO/IEC 18031:2005 and NIST SP 800-90A include Dual EC DRBG.
2006 2007 Works suggesting the existence of a NSA backdoor (K.Gjosteen, Berry Schoenmakers and Andrey Sidorenko, Shumow/Fergusson)
June 2006 - NIST SP 800-90A (final) is published, includes Dual EC DRBG(defects pointed out by Kristian Gjsteen and al. not fixed).
June/Sep. 2013 Snowden leak about Bullrun and Dual EC DRBG
19 Sep. 2013 - RSA Security advises its customers to stop usingDual EC DRBG
Dec. 2013 - Reuters reports this is a result of a secret $10 million deal withNSA
April 2014 - NIST removes Dual EC DRBG as a cryptographic algorithm,recommending “that current users of Dual EC DRBG transition to one ofthe three remaining approved algorithms as quickly as possible”
(ESIEA - (C + V )O lab) Black Hat Europe 2017 23 / 44
Hot Issue
NIST standard meant that you could only get the FIPS 140-2validation (Cryptographic Module Validation Program) only if youused the original compromised P and Q values
FIPS 140-2 statistical test suite (now NIST STS) are THE de factoworld standard for cryptography statistical evaluation/validation
Passing successfully the tests does not mean your generator is secure
Can we still trust FIPS 140-2 tests?
Issue of statistical test simulability (Filiol, 2006): “if your statisticaltests are known, they can be simulated to bypass them”
Cryptography statistical validation should use a secret nationalprocess/set of tests
(ESIEA - (C + V )O lab) Black Hat Europe 2017 24 / 44
NSA’s Simon & Speck
June 2013: public release by the NSA of Speck and Simon, twoNSA’s families of encryption algorithms (block ciphers)
Since 2014, efforts by the NSA to standardise the Simon and Speckciphers at ISO
Sept. 2017, ISO rejects Simon and Speck standardisation under thepressure of experts from the academic community and from ISO
(ESIEA - (C + V )O lab) Black Hat Europe 2017 25 / 44
Summary of the talk
1 Introduction: what is the issue?
2 History of known (and less known) backdoored algorithms
3 Description of BEA-1Theoretical BackgroundBEA-1 Presentation and Details
4 BEA-1 Cryptanalysis
5 Conclusion and Future Work
(ESIEA - (C + V )O lab) Black Hat Europe 2017 27 / 44
Design Transformation
Start from an algorithm with backdoor EbackdoorIn BEA-1, the backdoor is essentially made of “secret” S-boxes
Use a one-way transformation S
Computing E = S(Ebackdoor ) is computationally easy (here E isBEA-1)Computing Ebackdoor from E is computationally intractable unlessyou know some secret information S ′ such that S ′ ◦ S = Identity.E exhibits all desirable cryptographic properties
BEA-1 secret S-Boxes ↔ BEA-1 public S-Boxes.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 28 / 44
Design Transformation
Start from an algorithm with backdoor EbackdoorIn BEA-1, the backdoor is essentially made of “secret” S-boxes
Use a one-way transformation S
Computing E = S(Ebackdoor ) is computationally easy (here E isBEA-1)Computing Ebackdoor from E is computationally intractable unlessyou know some secret information S ′ such that S ′ ◦ S = Identity.E exhibits all desirable cryptographic properties
BEA-1 secret S-Boxes ↔ BEA-1 public S-Boxes.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 28 / 44
Design Transformation
Start from an algorithm with backdoor EbackdoorIn BEA-1, the backdoor is essentially made of “secret” S-boxes
Use a one-way transformation S
Computing E = S(Ebackdoor ) is computationally easy (here E isBEA-1)Computing Ebackdoor from E is computationally intractable unlessyou know some secret information S ′ such that S ′ ◦ S = Identity.E exhibits all desirable cryptographic properties
BEA-1 secret S-Boxes ↔ BEA-1 public S-Boxes.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 28 / 44
Partition-based Trapdoors
Based on our theoretical work (Bannier, Bodin & Filiol, 2016; Bannier& Filiol, 2017)
Generalization of Paterson’s work (1999)
BEA-1 is inspired from the Advanced Encryption Standard (AES)
BEA-1 is a Substitution-Permutation Network (SPN)BEA-1 stands for Backdoored Encryption Algorithm version 1
(ESIEA - (C + V )O lab) Black Hat Europe 2017 29 / 44
Partition-based Trapdoors
Based on our theoretical work (Bannier, Bodin & Filiol, 2016; Bannier& Filiol, 2017)
Generalization of Paterson’s work (1999)
BEA-1 is inspired from the Advanced Encryption Standard (AES)
BEA-1 is a Substitution-Permutation Network (SPN)BEA-1 stands for Backdoored Encryption Algorithm version 1
(ESIEA - (C + V )O lab) Black Hat Europe 2017 29 / 44
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 30 / 44
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 30 / 44
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},
001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 30 / 44
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},
010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 30 / 44
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},
011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 30 / 44
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 30 / 44
Linear Partitions
Definition (Linear Partition)
A partition of Fn2 made up of all the cosets of a linear subspace is said to
be linear.
Example of a linear partition over F32:
V = {000, 101} = {0, 5},001 + V = {001, 100} = {1, 4},010 + V = {010, 111} = {2, 7},011 + V = {011, 110} = {3, 6},
L(V ) = {{0, 5}, {1, 4}, {2, 7}, {3, 6}}.
F32
0
12
3
4
5 6
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 30 / 44
Linear Partitions
The 16 linear partitions over F32:
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
There are 229 755 605 linear partitions over F102 .
(ESIEA - (C + V )O lab) Black Hat Europe 2017 31 / 44
Linear Partitions
The 16 linear partitions over F32:
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
0
12
3
4
5 6
7
There are 229 755 605 linear partitions over F102 .
(ESIEA - (C + V )O lab) Black Hat Europe 2017 31 / 44
Partition-Based Backdoor SPN
Assumption
The SPN maps A to B, no matterwhat the round keys are.
Theoretical results :
A and B are linear,
A is transformed througheach step of the SPN in adeterministic way,
At least one S-box maps alinear partition to anotherone.
A
B
EK
(ESIEA - (C + V )O lab) Black Hat Europe 2017 32 / 44
Partition-Based Backdoor SPN
Assumption
The SPN maps A to B, no matterwhat the round keys are.
Theoretical results :
A and B are linear,
A is transformed througheach step of the SPN in adeterministic way,
At least one S-box maps alinear partition to anotherone.
A
B
EK
L(V [0])
L(V [r ])
(ESIEA - (C + V )O lab) Black Hat Europe 2017 32 / 44
Partition-Based Backdoor SPN
Assumption
The SPN maps A to B, no matterwhat the round keys are.
Theoretical results :
A and B are linear,
A is transformed througheach step of the SPN in adeterministic way,
At least one S-box maps alinear partition to anotherone.
A
B
EK
L(V [0])
L(V [r ])
Add k [0]
Substitution
Diffusion
L(V [0])
L(W [0])
L(V [1])
...
Add k [r−1]
Add k [r ]
Substitution
Diffusion
L(V [r−1])
L(V [r−1])
L(W [r−1])
L(V [r ])
(ESIEA - (C + V )O lab) Black Hat Europe 2017 32 / 44
Partition-Based Backdoor SPN
Assumption
The SPN maps A to B, no matterwhat the round keys are.
Theoretical results :
A and B are linear,
A is transformed througheach step of the SPN in adeterministic way,
At least one S-box maps alinear partition to anotherone.
A
B
EK
L(V [0])
L(V [r ])
Add k [0]
Substitution
Diffusion
L(V [0])
L(W [0])
L(V [1])
...
Add k [r−1]
Add k [r ]
Substitution
Diffusion
L(V [r−1])
L(V [r−1])
L(W [r−1])
L(V [r ])
(ESIEA - (C + V )O lab) Black Hat Europe 2017 32 / 44
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks120-bit master key and twelve 80-bit round keys11 rounds (the last round involves two round keys)
Primitives & base functions
Key schedule & key addition (bitwise XOR)Substitution layer (involves four S-Boxes over F10
2 )Diffusion layer (ShiftRows and MixColumns operations)Linear map M : (F10
2 )4 → (F102 )4
S-Boxes, linear map M and pseudo-codes for the different functionsare given in our free book
BEA-1 is statistically compliant with FIPS 140 (US NIST standard)and resists to linear/differential attacks.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 33 / 44
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks120-bit master key and twelve 80-bit round keys11 rounds (the last round involves two round keys)
Primitives & base functions
Key schedule & key addition (bitwise XOR)Substitution layer (involves four S-Boxes over F10
2 )Diffusion layer (ShiftRows and MixColumns operations)Linear map M : (F10
2 )4 → (F102 )4
S-Boxes, linear map M and pseudo-codes for the different functionsare given in our free book
BEA-1 is statistically compliant with FIPS 140 (US NIST standard)and resists to linear/differential attacks.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 33 / 44
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks120-bit master key and twelve 80-bit round keys11 rounds (the last round involves two round keys)
Primitives & base functions
Key schedule & key addition (bitwise XOR)Substitution layer (involves four S-Boxes over F10
2 )Diffusion layer (ShiftRows and MixColumns operations)Linear map M : (F10
2 )4 → (F102 )4
S-Boxes, linear map M and pseudo-codes for the different functionsare given in our free book
BEA-1 is statistically compliant with FIPS 140 (US NIST standard)and resists to linear/differential attacks.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 33 / 44
BEA-1 Key Features
Parameters
BEA-1 operates on 80-bit data blocks120-bit master key and twelve 80-bit round keys11 rounds (the last round involves two round keys)
Primitives & base functions
Key schedule & key addition (bitwise XOR)Substitution layer (involves four S-Boxes over F10
2 )Diffusion layer (ShiftRows and MixColumns operations)Linear map M : (F10
2 )4 → (F102 )4
S-Boxes, linear map M and pseudo-codes for the different functionsare given in our free book
BEA-1 is statistically compliant with FIPS 140 (US NIST standard)and resists to linear/differential attacks.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 33 / 44
Summary of the talk
1 Introduction: what is the issue?
2 History of known (and less known) backdoored algorithms
3 Description of BEA-1
4 BEA-1 Cryptanalysis
5 Conclusion and Future Work
(ESIEA - (C + V )O lab) Black Hat Europe 2017 36 / 44
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 37 / 44
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1 B1 C1 D1 A1 B1 C1 D1
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 37 / 44
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1
A1
B1
B1
C1
C1
D1
D1
A1
A1
B1
B1
C1
C1
D1
D1
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 37 / 44
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1
A1
A2
B1
B1
B2
C1
C1
C2
D1
D1
D2
A1
A1
A2
B1
B1
B2
C1
C1
C2
D1
D1
D2
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 37 / 44
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1
A1
A2
A2
B1
B1
B2
B2
C1
C1
C2
C2
D1
D1
D2
D2
A1
A1
A2
A2
B1
B1
B2
B2
C1
C1
C2
C2
D1
D1
D2
D2
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 37 / 44
Linear Partitions and the Round Function
S0 S1 S2 S3 S0 S1 S2 S3
M M
⊕A1
A1
A2
A2
A1
B1
B1
B2
B2
B1
C1
C1
C2
C2
C1
D1
D1
D2
D2
D1
A1
A1
A2
A2
A1
B1
B1
B2
B2
B1
C1
C1
C2
C2
C1
D1
D1
D2
D2
D1
Bit
Bundle
00–09
0
10–19
1
20–29
2
30–39
3
40–49
4
50–59
5
60–69
6
70–79
7
(ESIEA - (C + V )O lab) Black Hat Europe 2017 37 / 44
Principle of the Cryptanalysis
F
15 2
1 2
1 4
12 3
(ESIEA - (C + V )O lab) Black Hat Europe 2017 38 / 44
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
(ESIEA - (C + V )O lab) Black Hat Europe 2017 38 / 44
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
1 3
4 12
Wrong Key
1 3
4 12
(ESIEA - (C + V )O lab) Black Hat Europe 2017 38 / 44
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
⊕k
1 4
12 3
1 3
4 12
Wrong Key
1 3
4 12
(ESIEA - (C + V )O lab) Black Hat Europe 2017 38 / 44
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
F−1
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Wrong Key
1 3
4 12
(ESIEA - (C + V )O lab) Black Hat Europe 2017 38 / 44
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
F−1
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Wrong Key
⊕k ′
4 12
3 1
1 3
4 12
(ESIEA - (C + V )O lab) Black Hat Europe 2017 38 / 44
Principle of the Cryptanalysis
F
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Right Key
F−1
⊕k
15 2
1 2
1 4
12 3
1 3
4 12
Wrong Key
F−1
⊕k ′
4 4
10 2
4 12
3 1
1 3
4 12
(ESIEA - (C + V )O lab) Black Hat Europe 2017 38 / 44
Overview of the Cryptanalysis
Find the output coset of
(A2 × B2 × C2 × D2)2.
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7
S3 S3
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110
S3 S3S0
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4
S3 S3S0 S0
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111
S3 S3S0 S0 S1
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5
S3 S3S0 S0 S1S1
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5k112
S3 S3S0 S0 S1S1 S2
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
Save the 215 best keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5k112 k11
6
S3 S3S0 S0 S1S1 S2 S2
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
According to the key schedule:
k100 = k11
0 ⊕ k114
k101 = k11
1 ⊕ k115
k102 = k11
2 ⊕ k116
k103 = k11
3 ⊕ k117
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5k112 k11
6
S3 S3S0 S0 S1S1 S2 S2
k100 k10
1 k102 k10
3
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Test the 215 saved keys:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
k113 k11
7k110 k11
4k111 k11
5k112 k11
6
S3 S3S0 S0 S1S1 S2 S2
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Save the best key:
(k110 , k11
1 , k112 , k11
3 , k114 , k11
5 , k116 , k11
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k100
k110
k91
k101
k111
k92
k102
k112
k93
k103
k113
k94
k104
k114
k95
k105
k115
k96
k106
k116
k97
k107
k117
M M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Observe that:
(k104 , k10
5 , k106 , k10
7 )
= M(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Test the 215 saved keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Save the 215 best keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
S3
k ′107
S0
k ′104
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Test the 215 saved keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Save the 215 best keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
S3
k ′107
S0
k ′104
S1
k ′105
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
Brute force:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Test the 215 saved keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
Save the 215 best keys:
(k ′104 , k ′10
5 , k ′106 , k ′10
7 )
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
S3
k ′107
S0
k ′104
S1
k ′105
S2
k ′106
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Overview of the Cryptanalysis
For each saved key,
deduce the cipher key and test it
S0
S0
S1
S1
S2
S2
S3
S3
S0
S0
S1
S1
S2
S2
S3
S3
k90
k110
k91
k111
k92
k112
k93
k113
k94
k114
k95
k115
k96
k116
k97
k117
k ′104 k ′10
5 k ′106 k ′10
7M
M
S3
k113
S3
k117
S0
k110
S0
k114
S1
k111
S1
k115
S2
k112
S2
k116
k100 k10
1 k102 k10
3
M
S0 S2 S1 S3
M
S3
k ′107
S0
k ′104
S1
k ′105
S2
k ′106
(ESIEA - (C + V )O lab) Black Hat Europe 2017 39 / 44
Crytanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024
Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) Black Hat Europe 2017 40 / 44
Crytanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) Black Hat Europe 2017 40 / 44
Crytanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) Black Hat Europe 2017 40 / 44
Crytanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) Black Hat Europe 2017 40 / 44
Crytanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)
Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) Black Hat Europe 2017 40 / 44
Crytanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)
Probability of success > 95%
(ESIEA - (C + V )O lab) Black Hat Europe 2017 40 / 44
Crytanalysis Summary
Probabilities for the modified cipher
S0, S1, S2: 944/1024, S3: 925/1024Round function: (944/1024)6 × (925/1024)2 ≈ 2−1
Full cipher: (2−1)11 = 2−11
If 30 000 plaintexts lie in the same coset, 30 000× 2−11 ≈ 15ciphertexts lie in the same coset on average
Complexity of the cryptanalysis
Data: 30 000 plaintext/ciphertext pairs (2× 300 Kb)Time: ≈ 10s on a laptop (Core i7, 4 cores, 2.50GHz)Probability of success > 95%
(ESIEA - (C + V )O lab) Black Hat Europe 2017 40 / 44
Summary of the talk
1 Introduction: what is the issue?
2 History of known (and less known) backdoored algorithms
3 Description of BEA-1
4 BEA-1 Cryptanalysis
5 Conclusion and Future Work
(ESIEA - (C + V )O lab) Black Hat Europe 2017 42 / 44
Conclusion
Proposition of an AES-like backdoored algorithm (80-bit block,120-bit key, 11 rounds)
The backdoor is at the design levelResistant to most known cryptanalysesBut absolutely unsuitable for actual securityIllustrates the issue of using foreign encryption algorithms which mightbe backdoored
Future work
First step in a larger research workUse of more sophisticated combinatorial structuresConsidering key space partionningOther backdoored algorithms to be published.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 43 / 44
Conclusion
Proposition of an AES-like backdoored algorithm (80-bit block,120-bit key, 11 rounds)
The backdoor is at the design levelResistant to most known cryptanalysesBut absolutely unsuitable for actual securityIllustrates the issue of using foreign encryption algorithms which mightbe backdoored
Future work
First step in a larger research workUse of more sophisticated combinatorial structuresConsidering key space partionningOther backdoored algorithms to be published.
(ESIEA - (C + V )O lab) Black Hat Europe 2017 43 / 44