Paper 2021/442

How to Backdoor a Cipher

Raluca Posteuca and Tomer Ashur

Abstract

Newly designed block ciphers are required to show resistance against known attacks, e.g., linear and differential cryptanalysis. Two widely used methods to do this are to employ an automated search tool (e.g., MILP, SAT/SMT, etc.) and/or provide a wide-trail argument. In both cases, the core of the argument consists of bounding the transition probability of the statistical property over an isolated non-linear operation, then multiply it by the number of such operations (e.g., number of active S-boxes). In this paper we show that in the case of linear cryptanalysis such strategies can sometimes lead to a gap between the claimed security and the actual one, and that this gap can be exploited by a malicious designer. We introduce RooD, a block cipher with a carefully crafted backdoor. By using the means of the wide-trail strategy, we argue the resistance of the cipher against linear and differential cryptanalysis. However, the cipher has a key-dependent iterative linear approximation over 12 rounds, holding with probability 1. This property is based on the linear hull effect although any linear trail underlying the linear hull has probability smaller than 1.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Block cipher Design0-correlation linear hullslinear hull effectKleptographybackdoorgraphy
Contact author(s)
raluca posteuca @ esat kuleuven be
tomer ashur @ esat kuleuven be
History
2021-04-06: received
Short URL
https://ia.cr/2021/442
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/442,
      author = {Raluca Posteuca and Tomer Ashur},
      title = {How to Backdoor a Cipher},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/442},
      year = {2021},
      url = {https://eprint.iacr.org/2021/442}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.