Paper 2021/829

Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers

Christof Beierle, Ruhr University Bochum, Bochum, Germany
Tim Beyne, imec-COSIC, KU Leuven, Leuven, Belgium
Patrick Felke, University of Applied Sciences, Emden/Leer, Germany
Gregor Leander, Ruhr University Bochum, Bochum, Germany

Deliberately weakened ciphers are of great interest in political discussion on law enforcement, as in the constantly recurring crypto wars, and have been put in the spotlight of academics by recent progress. A paper at Eurocrypt 2021 showed a strong indication that the security of the widely-deployed stream cipher GEA-1 was deliberately and secretly weakened to 40 bits in order to fulfill European export restrictions that have been in place in the late 1990s. However, no explanation of how this could have been constructed was given. On the other hand, we have seen the MALICIOUS design framework, published at CRYPTO 2020, that allows to construct tweakable block ciphers with a backdoor, where the difficulty of recovering the backdoor relies on well-understood cryptographic assumptions. The constructed tweakable block cipher however is rather unusual and very different from, say, general-purpose ciphers like the AES. In this paper, we pick up both topics. For GEA-1 we thoroughly explain how the weakness was constructed, solving the main open question of the work mentioned above. By generalizing MALICIOUS we -- for the first time -- construct backdoored tweakable block ciphers that follow modern design principles for general-purpose block ciphers, i.e., more natural-looking deliberately weakened tweakable block ciphers.

Available format(s)
Secret-key cryptography
Publication info
A minor revision of an IACR publication in CRYPTO 2022
cryptanalysis GPRS GEA-1 stream cipher tweakable block cipher LFSR malicious invariant attacks
Contact author(s)
christof beierle @ rub de
tim beyne @ esat kuleuven be
patrick felke @ hs-emden-leer de
gregor leander @ rub de
2022-08-10: revised
2021-06-21: received
See all versions
Short URL
Creative Commons Attribution


      author = {Christof Beierle and Tim Beyne and Patrick Felke and Gregor Leander},
      title = {Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2021/829},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.