Leading cryptographic experts believe a Russia-designed algorithm pitched to an international standards body contains a flaw that could potentially undermine the security of encrypted data. The Russian delegation who designed the algorithm say the flaw is a coincidence, but multiple people deciding whether the algorithm should become a standard aren't convinced.
The algorithm was discussed at a meeting in Tel Aviv in April, a working group of the International Organization for Standardization (ISO), an organization which approves or denies countries hoping to cement their cryptographic algorithms as standards. At the meeting, Russian officials weren’t very happy, according to Dr. Tomer Ashur, a researcher with KU Leuven University who represented the Belgian delegation.
Before approving the algorithm, ISO experts said they wanted to wait six more months to better understand the security implications of a newly discovered issue in the algorithm. The delay is occurring because, in January, researcher Léo Perrin published a paper about two Russian algorithms, including the one under consideration, that shared a component called an “S-Box” in cryptography. Perrin is affiliated with Inria, the French national institute for the digital sciences.
It is the S-Box part of the algorithm ISO experts wanted extra time to investigate, Ashur said.
"This is not something you can immediately use for an attack, but it may lead to an attack,” he added.
Do you know anything else about this case? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
The research has started a debate on whether the flaw of this component was intentional or not. During the meeting, the Russian cryptographers maintained that the structure was a coincidence, Ashur and Pascal Paillier, another expert who was present at the meeting, told Motherboard.
“But most of the ISO experts are not convinced by the argument,” Paillier wrote in an email to Motherboard.
When a cryptographic algorithm becomes an international standard, like the ISO’s other stamps of approval, consumers “can have confidence that [...] products are safe, reliable and of good quality,” the ISO’s website reads.
Although the security implications are only potential and not immediate or even fully understood, the dialogue around the algorithm’s implementation still highlights the concerns, worries, and paranoia around cryptography, and comes shortly after a much more serious episode in which the US National Security Agency tried to bully the ISO into approving its own encryption.
The debate is related to the S-Box shared by Streebog and Kuznyechik, two Russian-made algorithms, the latter of which Russian delegates are hoping to have approved by the ISO. Streebog is already an ISO standard, and was developed by the Center for Information Protection and Special Communications of the Federal Security Service, Russia’s main security agency. It is used to hash information; that is, create a hopefully irreversible and secure cryptographic representation of it. Kuznyechik is used for encrypting text, which could include communications.
“S-Boxes provide a lot of properties that are crucial for the security of a cipher and we therefore expect designers to carefully explain their choice,” Perrin, the researcher behind January’s paper, told Motherboard in an email, “It is all the more worrying because these properties are reminiscent of ones known to allow backdoors to be inserted in block ciphers. They are different, but look similar.”
Ashur and Paillier both said that, if exploitable, the issue could potentially allow third-party access to encrypted material. The research “has shown that the Russian standards may contain what looks like a backdoor, which, if confirmed, would allow Russia to be able to break the confidentiality of communications,” Paillier said.
Dr. Stephan Krenn, a scientist from the Austrian Institute of Technology, told Motherboard in an email that many of the ISO experts weren’t convinced of the Russian explanation because “it is highly unlikely” to end up with the problematic structure.
“We cryptographers are a paranoid bunch.”
Ashur doesn’t believe the issue is a backdoor, but added, “some people, myself included, think that it doesn't matter if it's a backdoor; it is still a concern.”
"If I had to guess, in six months no one will find a vulnerability, and we'll simply move on,” he said.
To be clear, the actual risks of this structure are unknown. Vasily Shishkin, a head of the Russian delegation, told Motherboard in an email that the research “didn’t lead to new methods of cryptanalysis and didn’t provide any vulnerabilities.”
“This is [a] quite common situation for any cryptographic algorithm—the most notable example is AES,” Shishkin, who is affiliated with Russian IT company JSC “NPK “Kryptonite”, said, referring to the widely deployed Advanced Encryption Standard algorithm.
Ashur added, “One of the points the Russians made in the meeting, [was that] other algorithms, that are even more widely used—we also have concerns of [a] similar type, and yet we don't think we should stop using them. And they're right about this point.”
Shishkin listed several reasons why his delegation wanted ISO approval. One, he said, was that “if any abroad citizen, company or governmental structure have a wish to cooperate with Russian information services they have to implement these algorithms. We hope that international standardization will make this implementation easier.”
“Russia has a brilliant crypto academia and we have some crypto solutions which we are proud of. We really hope that these solutions will enrich worldwide community,” Shishkin added.
Hirotaka Yoshida, the vice-chair of the Tel Aviv meeting, declined to comment as the standardization process is ongoing.
As for what happens between now and the six month extension, Ashur said his team will be working on trying to exploit the issue; it is interesting from a research perspective, he added. The Russian delegation will likely provide more information, and expects them to be forthcoming, he said.
“We cryptographers are a paranoid bunch,” Ashur said.
Correction: This piece previously said Perrin was a researcher at Luxembourg University. He has since moved on to Inria. The piece has been updated to reflect this.
Updated: This piece has also updated to add Ashur's KU Leuven University affiliation, and add additional comment and context from Shishkin.
Subscribe to our new cybersecurity podcast, CYBER.