There’s quite a few places a backdoor can hide in a block cipher; there are constants littered around some algorithms to help with diffusion (e.g. key-schedule constants). I suppose an algorithm’s S-box construction is another place a backdoor could be snuck into.

A lot of algorithms try and prove they have nothing up their sleeve by selecting constants so that they’re above suspicion. For example Pyjamask uses the decimals of Pi for it’s key-schedule constants.

Wow. I knew we could fairly easily bakdoor new elliptic curves, but a

block cipher? I had no idea.There’s quite a few places a backdoor can hide in a block cipher; there are constants littered around some algorithms to help with diffusion (e.g. key-schedule constants). I suppose an algorithm’s S-box construction is another place a backdoor could be snuck into.

A lot of algorithms try and prove they have nothing up their sleeve by selecting constants so that they’re above suspicion. For example Pyjamask uses the decimals of Pi for it’s key-schedule constants.