15

How can you put a backdoor into an encryption algorithm? Are there any techniques that can be used to reduce the time it takes to break a key?

I am looking for practical examples encryption schemes that have backdoors, because they were designed to or new techniques exposed them. It is my understanding that you can use a lack of entropy and diffusion in block ciphers which will reduce the necessary time that it takes to break a key. This is especially true with s-boxes, which can be designed to not increase the strength of the key. As for one-way algorithms, using none-primes can make it easier to reverse keys. What are other decisions that can be made to make a broken encryption algorithm?

The goal is find examples that can be used for encryption pedagogy, by collecting a sample of weak ciphers to practice on.

Goose3gg
  • 151
  • 5

3 Answers3

9

Schneier's "A Self-study Course in Block-Cipher Cryptanalysis" is an excellent resource for what you are looking for. In particular, FEAL-4 would be a promising cipher to look at as it is breakable by almost every cryptanalysis technique.

One thing you will notice when going through Schneier's course (or when looking at cryptanalysis research in general) is that a lot of times it is helpful to restrict the block cipher by decreasing the number of rounds. Decrease the number of rounds enough, and every block cipher is probably breakable. This will teach you a lot.

Once you are familiar with standard cryptanalysis techniques, it shouldn't be too hard to come up with a cipher that is breakable (where you'll know how to break it).

mikeazo
  • 39,117
  • 9
  • 118
  • 183
5

You've asked two different questions here: Q1: how to put a trapdoor in a block cipher, and Q2: examples of block ciphers that are good for learning block cipher cryptanalysis. @mikeazo has answered question Q2 well. I'm going to answer question Q1.

For an example of how to put a hidden backdoor (trapdoor) in a block cipher, see the following research paper:

Note: I'm not saying this is a good way to learn block cipher cryptanalysis.

D.W.
  • 36,982
  • 13
  • 107
  • 196
5

This manuscript by Warren Smith claims to outline an approach to having a (otherwise very good) block cipher with a trapdoor.

The idea is something like the following: Linear cryptanalysis has you make linear approximations of the S-boxes and then solve a noisy system of equations by getting lots of samples (known plaintext pairs). But this linear system of equations can apparently be solved even more easily if you know some additional (hard-to-compute) properties, like the minimum distance of its associated linear code. Furthermore, since the linear system is just an approximation of the cipher anyway, it's not unique to the cipher. That means you just need to find one linear approximation that has low enough minimum distance.

So to build a block cipher with a trapdoor (apparently), you need to work in reverse. Find a (known) linear system with low minimum distance. Find "random-looking" S-boxes for which the linear system gives a decent approximation, and use these for the actual cipher. If the S-boxes are random-looking, you would conceivably get a block cipher that is resistant to known cryptanalysis methods (e.g., linear, differential).

Anyway, this is what the paper purports to claim. I have not read it in painstaking detail, so don't take this as a full endorsement of the claims. It seems to me like the claimed results would be quite important, and yet this paper is unpublished and is barely cited. That may be an indication that there are some serious flaws, I honestly don't know.

Ella Rose
  • 19,971
  • 6
  • 56
  • 103
Mikero
  • 14,908
  • 2
  • 35
  • 58