韩国加密标准的安全性分析

SEED是韩国的数据加密标准,设计者称用线性密码分析攻击SEED的复杂度为2^335.4,而用本文构造的15轮线性逼近攻击SEED的复杂度为2³²⁸.为了说明SEED抵抗差分密码分析的能力,设计者首先对SEED的变体SEED^*做差分密码分析,指出9轮SEED*对差分密码分析是安全的;利用SEED^*的扩散置换和盒子的特性,本文构造SEED^*的9轮截断差分,因此10轮SEED^*对截断差分密码分析是不免疫的.本文的结果虽然对SEED的实际应用构成不了威胁,但是显示了SEED的安全性并没有设计者所称的那样安全.     

低轮FOX分组密码的碰撞-积分攻击

FOX是最近推出的系列分组密码,它的设计思想基于可证安全的研究结果,且在各种平台上的性能优良.本文利用碰撞攻击和积分攻击相结合的技术分析FOX的安全性,结果显示碰撞-积分攻击比积分攻击有效,攻击对4轮FOX64的计算复杂度是2^45.4,对5轮FOX64的计算复杂度是2^109.4,对6轮FOX64的计算复杂度是2^173.4,对7轮FOX64的计算复杂度是2^237.4,且攻击所需数据量均为2⁹;也就是说4轮FOX64/64、5轮FOX64/128、6轮FOX64/192和7轮FOX64/256对本文攻击是不免疫的.     

SERPENT和SAFER密码算法的能量攻击

SERPENT和SAFER是AES的两个候选算法,本文使用能量攻击方法对它们进行了深入分析,结果表明:对于256、192和128比特密钥的SERPENT算法,能量攻击平均需分别进行2¹⁵⁹、2¹¹⁹和2⁷⁹次试验.虽然所需的试验次数实际没法达到,但是此攻击方法大大地降低了SERPENT的密钥规模,并且发现对于能量攻击,SERPENT有许多弱密钥.经过深入分析和穷尽搜索可知:能量攻击可以获取SAFER的种子密钥.文中还给出了两种抵抗能量攻击的SERPENT的改进密钥方案以及设计密钥方案时需注意的问题.     

3D密码的7轮子空间迹区分器

子空间迹攻击是一种新型分组密码分析方法,该文对使用了类AES密码新结构的3D密码子空间性质进行研究。首先利用3D密码的3轮明确子空间迹,结合子空间的交集性质,首次构造出3D密码的7轮子空间迹不可能差分区分器,数据复杂度为2^193.1个选择明文,时间复杂度为2^202.3次查表操作,成功率为60.6%;“n倍”性质指子空间的全部明文对经过一轮加密,差分属于同一子空间的密文对个数为n的倍数。利用该性质,构造了3D密码的7轮结构区分器,数据复杂度为2^{1 28}个选择明文,时间复杂度为2^129.6次查表操作,存储复杂度为2^{1 28} Byte,成功率大于99.99%。     

积分攻击改进——随机线性区分与密钥恢复攻击

在4轮AES的积分攻击和碰撞攻击的基础上，提出了一种利用明文和中间状态的某些分组之间线性偏差分布的不均匀性的针对4轮SP结构分组密码的随机线性区分攻击。进一步结合预计算，提出了对4轮AES类分组密码的密钥恢复攻击。对LED-64算法给出了具体区分攻击和密钥恢复攻击的结果。其中，对于1-Step的LED-64算法，在数据复杂度为2⁸，计算复杂度为2¹⁶次基本运算的条件下，区分成功的概率是85%；对于2-Step的LED-64算法，相关密钥条件下的密钥恢复攻击的计算复杂度为2¹⁴次基本运算，数据复杂度为2⁸，预计算存储复杂度为2³⁸个半字节。     

对三维多层快速多极子方法中不变项计算的优化

本文首先研究了三维MLFMA中不变项的内在性质.它们分别是:α_mlm'l具有平移不变性,V_s和V_f在角谱空间中共轭对称,使用Galerkin法时 _sparse为对称矩阵并且V_s和V_f相等.这些性质可用于优化不变项的计算,使α m_lm'_l的计算复杂度从O(M_l(6³-3³))降到O(7³-3³)甚至O((7³-3³)/8),而V_s和V_f的复杂度则从O(K_LN)降至O(K_LN/4),A_ji的从O(N)到O(N/2).数值结果表明了优化的有效性.     

CIKS-128分组算法的相关密钥-差分攻击

分析研究了CIKS-128分组密码算法在相关密钥-差分攻击下的安全性.利用DDP结构和非线性函数的差分信息泄漏规律构造了一条高概率相关密钥-差分特征,并给出攻击算法,恢复出了192bit密钥;在此基础上,对剩余64bit密钥进行穷举攻击,恢复出了算法的全部256bit密钥.攻击所需的计算复杂度为2⁷⁷次CIKS-128算法加密,数据复杂度为2⁷⁷个相关密钥-选择明文,存储复杂度为2^25.4字节存储空间.分析结果表明,CIKS-128算法在相关密钥-差分攻击条件下是不安全的.     

Cobra-H64/128算法的相关密钥-差分攻击

本文研究了Cobra-H64/128分组密码算法在相关密钥-差分攻击下的安全性.针对Cobra-H64算法,利用新构造的相关密钥-差分路径和CP逆变换存在的信息泄露规律给出攻击算法1,恢复出了全部128bit密钥,相应的计算复杂度为2^40.5次Cobra-H64算法加密,数据复杂度为2^40.5个选择明文,存储复杂度为2^22bit,成功率约为1;针对Cobra-H128算法,利用新构造的相关密钥-差分路径给出攻击算法2,恢复出了全部256bit密钥,相应的计算复杂度为2^76次Cobra-H128算法加密,数据复杂度为2^76个选择明文,存储复杂度为2^16.2bit.分析结果表明,Cobra-H64/128算法在相关密钥-差分攻击条件下是不安全的.     

42轮SHACAL-2新的相关密钥矩形攻击

利用SHACAL-2密码算法轮变换的特点,构造了一个新型的34轮区分器.基于该区分器和部分密钥分别猜测的技术,针对40轮、42轮简化SHACAL-2分别给出了新的攻击方法.研究结果表明:利用2个相关密钥.对40轮SHACAL-2进行相关密钥矩形攻击其数据复杂度约为2235选择明文数据量,计算复杂度约为243.6次加密;而对42轮SHACAL-2进行相关密钥矩形攻击其数据复杂度约为2235选择明文数据量,计算复杂度约为2472.6次加密.与已有的结果相比较,这些新分析所需的数据复杂度和计算复杂度均有明显的降低.     

LBlock算法的相关密钥-不可能差分攻击

该文研究了LBlock分组密码算法在相关密钥-不可能差分条件下的安全性.利用子密钥生成算法的差分信息泄漏规律,构造了多条低重量子密钥差分链,给出了15轮相关密钥-不可能差分区分器.通过扩展区分器,给出了23轮和24轮LBlock算法的相关密钥-不可能差分攻击方法.攻击所需的数据复杂度分别为2^65.2和2^65.6个选择明文,计算复杂度分别为2^66.2次23轮LBlock算法加密和2^66.6次24轮LBlock算法加密,存储复杂度分别为2^61.2和2^77.2字节存储空间.与已有结果相比,首次将针对LBlock算法的攻击扩展到了23轮和24轮.     

An improvement of Davies’ attack on DES

In this paper we improve Davies’ attack [2] on DES to become capable of breaking the full 16-round DES faster than the exhaustive search. Our attack requires 2⁵⁰ known plaintexts and 2⁵⁰ complexity of analysis. If independent subkeys are used, a variant of this attack can find 26 bits out of the 768 key bits using 2⁵² known plaintexts. All the 768 bits of the subkeys can be found using 2⁶⁰ known plaintexts. The data analysis requires only several minutes on a SPARC workstation. Therefore, this is the third successful attack on DES, faster than brute force, after differential cryptanalysis [1] and linear cryptanalysis [5]. We also suggest criteria which make the S-boxes immune to this attack.     

Timing and hamming weight attacks on minimal cost encryption scheme

The timing and Hamming weight attacks on the data encryption standard (DES) cryptosystem for minimal cost encryption scheme is presented in this article. In the attack, timing information on encryption processing is used to select and collect effective plaintexts for attack. Then the collected plaintexts are utilized to infer the expanded key differences of the secret key, from which most bits of the expanded secret key are recovered. The remaining bits of the expanded secret key are deduced by the correlations between Hamming weight values of the input of the S-boxes in the first-round. Finally, from the linear relation of the encryption time and the secret key's Hamming weight, the entire 56 bits of the secret key are thoroughly recovered. Using the attack, the minimal cost encryption scheme can be broken with 223 known plaintexts and about 221 calculations at a success rate a＞99%. The attack has lower computing complexity, and the method is more effective than other previous methods.     

减缩轮PRIDE算法的线性分析

PRIDE是Albrecht等人在2014美密会上提出的轻量级分组密码算法.PRIDE采用典型SPN密码结构,共迭代20轮.其设计主要关注于线性层,兼顾了算法的效率和安全.该文探讨了S盒和线性层矩阵的线性性质,构造了16条优势为2^-5的2轮线性逼近和8条优势为2^-3的1轮线性逼近.利用合适的线性逼近,结合密钥扩展算法、S盒的线性性质和部分和技术,我们对18轮和19轮PRIDE算法进行了线性分析.该分析分别需要2⁶⁰个已知明文,2^74.9次18轮加密和2⁶²个已知明文,2^74.9次19轮加密.另外,我们给出了一些关于S盒差分性质和线性性质之间联系的结论,有助于减少攻击过程中的计算量.本文是已知明文攻击.本文是关于PRIDE算法的第一个线性分析.     

轻量级密码算法MIBS的零相关和积分分析

MIBS是适用于RFID和传感资源受限环境的轻量级分组算法。该文构造了一些关于MIBS的8轮零相关线性逼近,结合密钥扩展算法的特点和部分和技术,对13轮MIBS-80进行了多维零相关分析。该分析大体需要262.1个已知明文和274.9次加密。此外,利用零相关线性逼近和积分区分器之间的内在联系,推导出8轮的积分区分器,并且对11轮的MIBS-80进行了积分攻击,大体需要260个选择明文和259.8次加密。     

Linearly weak keys of RC5 [private-key cipher]

The author examines the application of linear cryptanalysis to the RC5 private-key cipher and shows that there are expected to be weak keys for which the attack is applicable to many rounds. It is demonstrated that, for the 12-round nominal RC5 version with a 64 bit block size and a 128 bit key, there are 2²⁸ weak keys for which only ~2¹⁷ known plaintexts are required to break the cipher. There are 268 keys for which the cipher is theoretically breakable, requiring ~2⁵⁷ known plaintexts. The analysis highlights the sensitivity of RC5 security to its key scheduling algorithm     

对简化版LBLock算法的相关密钥不可能差分攻击

LBLOCK是吴文玲等人于2011年设计的一种轻量级密码算法。该文利用一个特殊的相关密钥差分特征,对19轮的LBlock算法进行了相关密钥不可能差分攻击,攻击的计算复杂度为O(270.0),所需要的数据量为264。进一步,提出了一种针对21轮LBlock的相关密钥不可能差分攻击,计算复杂度为O(271.5),数据量为263。     

10轮3D分组密码算法的中间相遇攻击

3D密码算法是一个代换-置换网络(SPN)型结构的新分组密码。与美国高级加密标准(AES)不同的是3D密码算法采用3维状态形式。该文利用3D算法结构,构造出一个5轮中间相遇区分器,并由此给出10轮3D的新攻击。结果表明:新攻击的数据复杂度约为2128选择明文,时间复杂度约为2331.1次10轮3D加密。与已有的攻击结构相比较,新攻击有效地降低了攻击所需的数据复杂度以及时间复杂度。     

Differential cryptanalysis of DES-like cryptosystems

The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It was developed at IBM and adopted by the National Bureau of Standards in the mid 1970s, and has successfully withstood all the attacks published so far in the open literature. In this paper we develop a new type of cryptanalytic attack which can break the reduced variant of DES with eight rounds in a few minutes on a personal computer and can break any reduced variant of DES (with up to 15 rounds) using less than 2⁵⁶ operations and chosen plaintexts. The new attack can be applied to a variety of DES-like substitution/permutation cryptosystems, and demonstrates the crucial role of the (unpublished) design rules.     

A Single-Key Attack on the Full GOST Block Cipher

The GOST block cipher is the Russian encryption standard published in 1989. In spite of considerable cryptanalytic efforts over the past 20 years, a key recovery attack on the full GOST block cipher without any key conditions (e.g., weak keys and related keys) has not been published yet. In this paper, we show the first single-key attack, which works for all key classes, on the full GOST block cipher. To begin, we develop a new attack framework called Reflection-Meet-in-the-Middle Attack. This approach combines techniques of the reflection attack and the meet-in-the-middle (MITM) attack. Then we apply it to the GOST block cipher employing bijective S-boxes. In order to construct the full-round attack, we use additional novel techniques which are the effective MITM techniques using equivalent keys on a small number of rounds. As a result, a key can be recovered with a time complexity of 2²²⁵ encryptions and 2³² known plaintexts. Moreover, we show that our attack is applicable to the full GOST block cipher using any S-boxes, including non-bijective S-boxes.