Difference between revisions of "An informal discussion on Malicious Cryptographic Design"

From ESC2013
Revision as of 15:19, 22 January 2013

A short discussion after Ralf-Philipp Weinmann's talk on Malicious Cryptographic Design.

AB: Alex Biryukov

DB: Dan Bernstein

CR: Christian Rechberger

JPA: Jean-Philippe Aumasson

GL: Gaetan Leurent

SL: Stefan Lucks

RPW: Ralf-Philipp Weinmann

Main questions:

Is this direction of research interesting?

What could be potential areas to search for new constructions?

Transcript

AB: We wanted to explore how big an advantage the designer of a primitive could have over the users of that primitive, both in terms of positive public-key-like features and in terms of malicious backdoor properties.

JPA: RC4 could be an example of a brittle construction in terms of implementation (i.e. one which allows plausible deniability of malicious intent). See for example an implementation by Wagner-Biondi.

Speaking of bugdoors:

JPA: Another example is a cipher with large tables, in which a malicious implementation changes a few rarely accessed elements.

DB/TL: There is a relevant article by Matt Blaze and Susan Landau on government using bugdoors instead of wiretaps.

JPA: SipHash-like design (?)

CR: The more rotation constants you use in ARX, the more chance to hide something?

SL: We've seen for Skein that rotation constants that cause a peak in probability are obvious (rotations by powers of 2, for example).

RPW: Is it possible to hide cube testers in large numbers of queries?

JPA: I thought about it, but couldn't find an efficient way to embed cubes... (?)

CR/GL: iterative characteristics / constant cancellations... (?) rotation constants in ChaCha (?)

AB: RK attacks (especially vulnerability to related subkeys) could be an example of brittleness or malicious design. Such a weakness can be exploited with a "proper" key-derivation function.

AB: We know well how to construct ciphers with very low probabilities of characteristics, but it does not prevent those characteristics from bundling into good differentials or truncated differentials.

CR: For ciphers like AES, truncated differentials are well understood. With weak Keccak alignment, could it be easier to hide good truncated differentials?

DB: In general, such backdoor constructions would require a large description; it seems hard to hide something in a small description.

AB: What about stream ciphers? The description can be fairly small, but the design space can be very large.