Backdoor attacks on black-box ciphers exploiting low-entropy plaintexts

Abstract

There has been much recent research in designing symmetric ciphers with backdoors that have either public designs or black-box designs. Current Digital Rights Management needs have resurrected the use of hidden ciphers (which were traditionally suggested by the government as black-box designs) in the form of obfuscated "white-box" algorithms. A recent backdoor proposal is the Monkey cipher which is intended to have a secret design and that can be implemented using any deterministic trapdoor one-way function. Monkey leaks information about its user's key to the designer. The primary drawback of Monkey is that it requires the designer (attacker) to obtain a sufficient number of ciphertexts all under the same symmetric key, such that each contains one known plaintext bit. In this paper a new design is proposed that eliminates the need for known plaintext entirely. Also, whereas Monkey reveals one plaintext bit of each ciphertext to the reverse-engineer (i.e., an entity that tries to learn the black-box device), our solution only leaks a bound on the message entropy to the reverse-engineer, while requiring that the designer obtain a sufficient number of ciphertexts that encrypt messages with a requisite level of redundancy. The information leakage method we use employs "data compression" as a basic tool for generating a hidden information channel. This highlights the need to only encrypt compressed strings when a block cipher with a secret design must be used. © 2003 Springer-Verlag Berlin Heidelberg.