### Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers

##### Abstract

Deliberately weakened ciphers are of great interest in political discussions on law enforcement, as in the constantly recurring crypto wars, and recent progress has put them in the spotlight of academic research. A paper at Eurocrypt 2021 gave a strong indication that the security of the widely deployed stream cipher GEA-1 was deliberately and secretly weakened to 40 bits in order to fulfill European export restrictions that were in place in the late 1990s. However, no explanation of how this could have been constructed was given. On the other hand, we have seen the MALICIOUS design framework, published at CRYPTO 2020, which allows the construction of tweakable block ciphers with a backdoor, where the difficulty of recovering the backdoor relies on well-understood cryptographic assumptions. The constructed tweakable block cipher, however, is rather unusual and very different from, say, general-purpose ciphers like the AES. In this paper, we pick up both topics. For GEA-1, we thoroughly explain how the weakness was constructed, solving the main open question of the work mentioned above. By generalizing MALICIOUS, we construct, for the first time, backdoored tweakable block ciphers that follow modern design principles for general-purpose block ciphers, i.e., more natural-looking deliberately weakened tweakable block ciphers.

Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in CRYPTO 2022
Keywords
cryptanalysis GPRS GEA-1 stream cipher tweakable block cipher LFSR malicious invariant attacks
Contact author(s)
christof beierle @ rub de
tim beyne @ esat kuleuven be
patrick felke @ hs-emden-leer de
gregor leander @ rub de
History
2022-08-10: revised
Short URL
https://ia.cr/2021/829

CC BY

BibTeX

@misc{cryptoeprint:2021/829,
author = {Christof Beierle and Tim Beyne and Patrick Felke and Gregor Leander},
title = {Constructing and Deconstructing Intentional Weaknesses in Symmetric Ciphers},
howpublished = {Cryptology ePrint Archive, Paper 2021/829},
year = {2021},
note = {\url{https://eprint.iacr.org/2021/829}},
url = {https://eprint.iacr.org/2021/829}
}
