Similar literature
19 similar documents found; search took 375 ms
1.
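To study the resistance of the block cipher CLEFIA to impossible differential attacks, two classes of 9-round impossible differential paths are used and the corresponding attack results are given. Based on one 9-round impossible differential path, the key is recovered using the difference distribution table of the S-boxes in the round function, yielding an attack on 11-round CLEFIA. The result of the impossible differential attack on 14-round CLEFIA-256 is improved, reducing the data complexity to 2^104.23 and the time complexity to 2^221.5. In addition, on the basis of two impossible differentials and according to the relations between round keys, impossible differential attacks on 12-round CLEFIA-128 and 13-round CLEFIA-128 are given, using the early-abort technique and the S-box difference distribution table.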

2.
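Exploiting weaknesses in the AES key schedule, this paper examines the resistance of reduced AES-192 and AES-256 to related-key rectangle attacks. Two new attacks are found: an attack on 9-round AES-192 based on 4 related keys and an attack on 10-round AES-256 based on 4 related keys. The results show that, with 4 related keys, the related-key rectangle attack on 9-round AES-192 has a data complexity of about 2^101 chosen plaintexts and a computational complexity of about 2^174.8 encryptions; with 4 related keys, the related-key rectangle attack on 10-round AES-256 has a data complexity of about 2^97.5 chosen plaintexts and a computational complexity of about 2^254 encryptions. Compared with existing results, these new analyses require the fewest related keys for attacking 9-round AES-192 and 10-round AES-256. In addition, the paper improves the related-key rectangle attack on 10-round AES-192 from the FSE2007 paper, reducing both the amount of data and the computational complexity it requires.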

3.
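Zodiac is a block cipher designed by a group of Korean researchers; it is a 16-round balanced Feistel block cipher. The security of Zodiac is evaluated for the first time from the perspective of zero-correlation integral analysis. Two classes of 13-round zero-correlation linear approximations of the algorithm are constructed, a 13-round zero-correlation integral distinguisher is derived from them, and zero-correlation integral analysis is applied to full-round Zodiac, successfully recovering 144 bits of round subkey information. The results show that the zero-correlation integral attack on the complete 16-round Zodiac-128/192/256 has a data complexity of 2^120 chosen plaintexts and a time complexity of about 2^82 16-round Zodiac encryptions; the time complexity is clearly better than that of existing integral attacks.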

4.
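The block cipher Zodiac supports 3 key lengths, denoted Zodiac-128, Zodiac-192 and Zodiac-256. The security of Zodiac is evaluated using zero-correlation linear cryptanalysis. First, based on the structural properties of the algorithm, some 10-round zero-correlation linear approximations of Zodiac are constructed; then multidimensional zero-correlation analysis is applied to 16-round Zodiac-192. The results show that 19 bytes of key are recovered in total during the attack, with a data complexity of about 2^124.40 plaintext-ciphertext pairs and a computational complexity of 2^181.58 16-round encryptions. It follows that 16-round (that is, full-round) Zodiac with a 192-bit key (Zodiac-192) is not secure against zero-correlation linear cryptanalysis.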

5.
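By analysing the properties of the key schedule and the structure of SKINNY, two classes of related-key impossible differential distinguishers for SKINNY-n-n are given, and these are then used to attack 19-round SKINNY. The attacks on SKINNY-64-64 and SKINNY-128-128 require data complexities of 2^55 and 2^104 chosen plaintexts, computational complexities of 2^40.82 19-round SKINNY-64-64 encryptions and 2^77.76 19-round SKINNY-128-128 encryptions, and memory complexities of 2^48 and 2^96, respectively. In addition, for MANTIS, the low-latency variant in the SKINNY family, the FX structure of the cipher and the Tweakey structure of its key schedule are exploited. First, based on the α mapping, a class of trivial related-key differential characteristics is given; then a 1-round iterative structure is found and used to construct related-key matrix distinguishers for MANTIS_r core (1≤r≤6); finally, using existing attack results on MANTIS_5, a new class of related-key differential paths is obtained by improvement, raising the distinguisher probability to 2^28.35 and effectively reducing the complexity required by the attack.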

6.
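Access-driven cache timing attacks on Camellia   Total citations: 4, self-citations: 1, citations by others: 3
Camellia is the final winner among the 128-bit block ciphers in the NESSIE project. Most existing cache timing attacks on Camellia are based on the time-driven model and need millions of samples and tens of minutes to complete. This paper shows that, because of its frequent table lookups, Camellia is also vulnerable to access-driven cache timing attacks, and that these need fewer samples than time-driven attacks. First, a general access-driven analysis model for the S-boxes of symmetric ciphers is given; it is pointed out that the round function in Camellia encryption readily leaks the XOR of the initial key and the round keys, and that the left-shift function in the key schedule greatly reduces the security of Camellia. Then several access-driven cache timing attacks on Camellia-128/192/256 are given. Experimental results show that 500 and 900 random plaintext samples recover the keys of Camellia-128 and Camellia-192/256; the attacks can be extended to the decryption process under the known-ciphertext condition or carried out in a remote environment, and 3000 random plaintexts recover the Camellia-128/192/256 key in LAN and campus network environments. Finally, the reasons why Camellia is susceptible to cache timing attacks are analysed, and some effective measures for defending against the attack are proposed for cipher designers.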

7.
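FBC is a lightweight block cipher which, thanks to its simple structure and flexible software and hardware implementation, was one of the 10 algorithms that advanced to the second round of the national cryptographic algorithm design competition held by the Chinese Association for Cryptologic Research (CACR) in 2018. FBC has 3 versions, supporting plaintext blocks of 128 and 256 bits and keys of 128 and 256 bits; this paper mainly analyses the two versions with a 128-bit block. We search automatically for differential characteristics of FBC based on a SAT (Boolean satisfiability problem) model and obtain a new 14-round differential trail with probability 2^-102.25. Based on this trail we give differential attacks on 18-round FBC128-128 and 20-round FBC128-256, with complexity estimates given in the course of the analysis. For the differential attack on 18-round FBC128-128, the time and memory complexities are 2^101.5 and 2^52, respectively. For the differential attack on 20-round FBC128-256, the time and memory complexities are 2^184 and 2^96, respectively.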

8.
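Liu Ya. Application Research of Computers, 2020, 37(7): 2112-2116, 2122
The block cipher Kalyna was established as Ukraine's encryption standard in June 2015. Its block length is 128, 256 or 512 bits, and its key length equals the block length or is twice the block length, denoted Kalyna-b/2b. To ensure that the algorithm can be used securely in practice, its resistance to the meet-in-the-middle attack, one of the currently popular attack methods, must be evaluated. By studying the linear relations between the round keys of Kalyna-128/256 and combining techniques such as multisets, differential enumeration and related-key sieving, four 6-round meet-in-the-middle distinguisher chains are constructed. Prepending 1 round and appending 3 rounds to this distinguisher, and using a time-memory trade-off, a meet-in-the-middle attack on 10-round Kalyna-128/256 is obtained; the data, time and memory complexities of the attack are 2^111 chosen plaintexts, 2^238.63 10-round encryptions and 2^222 128-bit blocks, respectively. This reduces the data, time and memory complexities of the previous best meet-in-the-middle attack on 10-round Kalyna-128/256 by factors of 2^4, 2^14.67 and 2^26.8, respectively.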

9.
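A biclique analysis of the lightweight block cipher MIBS-80 is proposed. Using two independent related-key differential paths, a 4-round biclique structure of dimension 4 is constructed. On this basis the key space is partitioned and, combined with precomputation, each key subspace is sieved to reduce the computational complexity of the meet-in-the-middle attack, giving a key recovery attack on 12-round MIBS-80. The attack has a data complexity of 2^52 chosen plaintexts, a computational complexity of about 2^77.13 12-round MIBS-80 encryptions and a memory complexity of about 2^8.17, and succeeds with probability 1. Compared with existing attacks, it has advantages in memory complexity and success rate.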

10.
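Based on the structure of the Rijndael cipher, a new 5-round meet-in-the-middle distinguisher is constructed: if the first byte of the input state varies while the remaining bytes are fixed, then after 5 rounds of encryption the difference of every output byte of the algorithm is determined, with probability 2^-96, by the value of the first byte of the input state and 25 constant bytes. Based on this distinguisher, a meet-in-the-middle attack on 9-round Rijndael-256 is given. The analysis shows that the attack has a data complexity of about 2^128 chosen plaintexts and a time complexity of about 2^211.6 9-round Rijndael-256 encryptions.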

11.
Impossible differential cryptanalysis is a method recovering secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis of Advanced Encryption Standard (AES) and presents two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256 combined with time-memory trade-off by exploiting weaknesses in their key schedule. This attack on the reduced to 7-round AES-192 requires about 2^94.5 chosen plaintexts, demands 2^129 words of memory, and performs 2^157 7-round AES-192 encryptions. Furthermore, this attack on the reduced to 8-round AES-256 requires about 2^101 chosen plaintexts, demands 2^201 words of memory, and performs 2^228 8-round AES-256 encryptions.

12.
CLEFIA, a new 128-bit block cipher proposed by Sony Corporation, is increasingly attracting cryptanalysts' attention. In this paper, we present two new impossible differential attacks on 13 rounds of CLEFIA-128. The proposed attacks utilize a variety of previously known techniques, in particular the hash table technique and redundancy in the key schedule of this block cipher. The first attack does not consider the whitening layers of CLEFIA, requires 2^109.5 chosen plaintexts, and has a running time equivalent to about 2^112.9 encryptions. The second attack preserves the whitening layers, requires 2^117.8 chosen plaintexts, and has a total time complexity equivalent to about 2^121.2 encryptions.

13.
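How to give new security analyses of the block cipher standard ARIA is a current research focus. Based on the structure of ARIA, a new 4-round impossible differential distinguisher is designed using the meet-in-the-middle idea. Based on this distinguisher and the characteristics of ARIA, 2 rounds are added before it and 1 round after it, forming a new attack on 7-round ARIA-256. The results show that attacking 7-round ARIA-256 requires a data complexity of about 2^120 chosen plaintexts and a time complexity of about 2^219 7-round ARIA-256 encryptions. Compared with existing impossible differential attacks on 7-round ARIA-256, the new attack further reduces the required data complexity and time complexity.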

14.
In this paper, we examine the security of reduced AES-192 and AES-256 against related-key rectangle attacks by exploiting the weakness in the AES key schedule. We find the following two new attacks: 9-round reduced AES-192 with 4 related keys, and 10-round reduced AES-256 with 4 related keys. Our results show that related-key rectangle attack with 4 related keys on 9-round reduced AES-192 requires a data complexity of about 2^101 chosen plaintexts and a time complexity of about 2^174.8 encryptions, and moreover, related-key rectangle attack with 4 related keys on 10-round reduced AES-256 requires a data complexity of about 2^97.5 chosen plaintexts and a time complexity of about 2^254 encryptions. These attacks are the first known attacks on 9-round reduced AES-192 and 10-round reduced AES-256 with only 4 related keys. Furthermore, we give an improvement of the 10-round reduced AES-192 attack presented at FSE2007, which reduces both the data complexity and the time complexity. Supported by the National Natural Science Foundation of China (Grant No. 60673072), and the National Basic Research Program of China (Grant No. 2007CB311201)

15.
Collision attack on reduced-round Camellia   Total citations: 3, self-citations: 2, citations by others: 1
Camellia is the final winner of 128-bit block cipher in NESSIE. In this paper, we construct some efficient distinguishers between 4-round Camellia and a random permutation of the blocks space. By using collision-searching techniques, the distinguishers are used to attack on 6, 7, 8 and 9 rounds of Camellia with 128-bit key and 8, 9 and 10 rounds of Camellia with 192/256-bit key. The 128-bit key of 6 rounds Camellia can be recovered with 2^10 chosen plaintexts and 2^15 encryptions. The 128-bit key of 7 rounds Camellia can be recovered with 2^12 chosen plaintexts and 2^54.5 encryptions. The 128-bit key of 8 rounds Camellia can be recovered with 2^13 chosen plaintexts and 2^112.1 encryptions. The 128-bit key of 9 rounds Camellia can be recovered with 2^113.6 chosen plaintexts and 2^121 encryptions. The 192/256-bit key of 8 rounds Camellia can be recovered with 2^13 chosen plaintexts and 2^111.1 encryptions. The 192/256-bit key of 9 rounds Camellia can be recovered with 2^13 chosen plaintexts and 2^175.6 encryptions. Th

16.
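This paper studies 13-round CLEFIA-128 and, building on a 9-round impossible differential attack, proposes an impossible differential cryptanalysis method that does not use the whitening keys. Each key is guessed, and data pairs satisfying the input and output differences of the S-boxes in the round function are filtered. The relations between round keys are used to reduce the amount of key guessing, and the Early Abort technique is used to lower the computational complexity. The results show that the data complexity and time complexity of the method are 2^120 and 2^125.5, respectively.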

17.

Rijndael is a substitution-permutation network (SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256, that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2^244.4 chosen plaintexts, 2^240.1 encryptions, and 2^181.4 blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2^214.4 chosen plaintexts, 2^241.3 encryptions, and 2^183.4 blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2^214.4 chosen plaintexts, 2^113.4 encryptions, and 2^87.4 blocks, respectively, or 2^206.6 chosen plaintexts, 2^153.6 encryptions, and 2^111.6 blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.


18.
Crypton is a 128-bit block cipher which was submitted to the Advanced Encryption Standard competition. In this paper, we present two new impossible differential attacks to reduced-round Crypton. Using two new observations on the diffusion layer of Crypton, exploiting a 4-round impossible differential, and appropriately choosing three additional rounds, we mount the first impossible differential attack on 7-round Crypton. The proposed attacks require 2^121 chosen plaintexts each. The first attack requires 2^125.2 encryptions. We then utilize more pre-computation and memory to reduce the time complexity to 2^116.2 encryptions in the second attack.

19.
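Shang Fangzhou, Sun Bing, Liu Guoqiang, Li Chao. Journal of Software, 2021, 32(9): 2837-2848
Integral analysis is a very effective method of analysing block ciphers; it usually constructs integral distinguishers from the zero-sum property of certain positions of the ciphertext. Based on higher-order differential theory, whether certain ciphertext positions are balanced can be determined by studying the algebraic degree of the polynomial relating ciphertext to plaintext. Starting from traditional integral analysis, this paper considers for the first time the influence of constants on the leading coefficient of the polynomial, proposes a probabilistic integral analysis method, and applies it to the security analysis of PUFFIN. For PUFFIN, a 7-round probabilistic integral distinguisher is constructed, 1 round longer than the best existing integral distinguisher. Furthermore, the constructed probabilistic integral distinguisher is used to mount a key recovery attack on 9-round PUFFIN. The attack recovers 92 bits of round key, with a data complexity of 2^24.8 chosen plaintexts, a time complexity of 2^35.48 9-round encryptions and a memory complexity of 2^20 memory units.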
