Mathematical Backdoors in Symmetric Encryption Systems - Proposal for a Backdoored AES-like Block Cipher

TL;DR

This paper introduces BEA-1, an AES-like block cipher with a mathematical backdoor, demonstrating that such covert vulnerabilities can be embedded in cryptographic algorithms despite resistance to common cryptanalysis methods.

Contribution

It presents the design of BEA-1, a novel block cipher with an embedded mathematical backdoor, highlighting the feasibility of covert vulnerabilities in cryptographic algorithms.

Findings

BEA-1 resists linear and differential cryptanalysis.

The backdoor enables effective cryptanalysis despite strong cryptographic properties.

A challenge will be issued to test detectability of the backdoor.

Abstract

Recent years have shown that more than ever governments and intelligence agencies try to control and bypass the cryptographic means used for the protection of data. Backdooring encryption algorithms is considered as the best way to enforce cryptographic control. Until now, only implementation backdoors (at the protocol/implementation/management level) are generally considered. In this paper we propose to address the most critical issue of backdoors: mathematical backdoors or by-design backdoors, which are put directly at the mathematical design of the encryption algorithm. While the algorithm may be totally public, proving that there is a backdoor, identifying it and exploiting it, may be an intractable problem. We intend to explain that it is probably possible to design and put such backdoors. Considering a particular family (among all the possible ones), we present BEA-1, a block cipher algorithm which is similar to the AES and which contains a mathematical backdoor enabling an operational and effective cryptanalysis. The BEA-1 algorithm (80-bit block size, 120-bit key, 11 rounds) is designed to resist to linear and differential cryptanalyses. A challenge will be proposed to the cryptography community soon. Its aim is to assess whether our backdoor is easily detectable and exploitable or not.