International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers

Christof Beierle , Ruhr University Bochum, Bochum, Germany
Tim Beyne , imec-COSIC, KU Leuven, Leuven, Belgium
Patrick Felke , University of Applied Sciences, Emden/Leer, Germany
Gregor Leander , Ruhr University Bochum, Bochum, Germany
Search ePrint
Search Google
Presentation: Slides
Conference: CRYPTO 2022
Abstract: Deliberately weakened ciphers are of great interest in political discussion on law enforcement, as in the constantly recurring crypto wars, and have been put in the spotlight of academics by recent progress. A paper at Eurocrypt 2021 showed a strong indication that the security of the widely-deployed stream cipher GEA-1 was deliberately and secretly weakened to 40 bits in order to fulfill European export restrictions that have been in place in the late 1990s. However, no explanation of how this could have been constructed was given. On the other hand, we have seen the MALICIOUS design framework, published at CRYPTO 2020, that allows to construct tweakable block ciphers with a backdoor, where the difficulty of recovering the backdoor relies on well-understood cryptographic assumptions. The constructed tweakable block cipher however is rather unusual and very different from, say, general-purpose ciphers like the AES. In this paper, we pick up both topics. For GEA-1 we thoroughly explain how the weakness was constructed, solving the main open question of the work mentioned above. By generalizing MALICIOUS we - for the first time - construct backdoored tweakable block ciphers that follow modern design principles for general-purpose block ciphers, i.e., more natural-looking deliberately weakened tweakable block ciphers.
Video from CRYPTO 2022
  title={Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers},
  author={Christof Beierle and Tim Beyne and Patrick Felke and Gregor Leander},