分组密码安全性研究的新进展

本文介绍了近期在分组密码(DES一类)安全性研究的进展情况,重点对差分密码分析和线性密码分析的方法和结果进行论述,对分组密码的安全性提出了展望。     

On the Construction of Pseudorandom Permutations: Luby—Rackoff Revisited

Luby and Rackoff [26] showed a method for constructing a pseudorandom permutation from a pseudorandom function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudorandom function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pairwise independent permutations. The revised construction and proof provide a framework in which similar constructions may be brought up and their security can be easily proved. We demonstrate this by presenting some additional adjustments of the construction that achieve the following: • Reduce the success probability of the adversary. • Provide a construction of pseudorandom permutations with large input-length using pseudorandom functions with small input-length. Received 2 August 1996 and revised 26 July 1997     

Attacks on Fast Double Block Length Hash Functions

The security of hash functions based on a block cipher with a block length of m bits and a key length of k bits, where , is considered. New attacks are presented on a large class of iterated hash functions with a 2m -bit hash result which processes in each iteration two message blocks using two encryptions. In particular, the attacks break three proposed schemes: Parallel-DM, the PBGV hash function, and the LOKI DBH mode. Received 1 March 1996 and revised 16 December 1996     

The research and design of reconfigurable computing for Block cipher

This paper describes a new specialized Reconfigurable Cryptographic for Block ciphers Architecture（RCBA）.Application-specific computation pipelines can be configured according to the characteristics of the block cipher processing in RCBA,which delivers high performance for cryptographic applications.RCBA adopts a coarse-grained reconfigurable architecture that mixes the appropriate amount of static configurations with dynamic configurations.RCBA has been implemented based on Altera’s FPGA,and representative algorithms of block cipher such as DES,Rijndael and RC6 have been mapped on RCBA architecture successfully.System performance has been analyzed,and from the analysis it is demonstrated that the RCBA architecture can achieve more flexibility and efficiency when compared with other implementations.     

基于混沌的双模块Feistel结构高安全性高速分组密码算法安全性分析

该文对基于混沌的双模块Feistel结构(CFE)高安全性高速分组算法的安全性进行了分析。分析结果表明,算法不适合用积分攻击、中间相遇攻击、不变量攻击、插值攻击和循环移位攻击分析其安全性;可以抵抗相关密钥攻击;更进一步地构造出了5轮不可能差分特征链,并利用其进行区分攻击;求得算法的活性S盒下界为6,概率约为2–21;算法存在5轮零相关线性特征。     

分组密码处理器的可重构分簇式架构

该文在研究分组密码算法处理特征的基础上,提出了可重构分簇式分组密码处理器架构。在指令的控制下,数据通路可动态地重构为4个32bit簇,2个64bit簇和一个128bit簇,满足了分组密码算法数据处理所需的灵活性。基于分簇结构,提出了由指令显性地分隔电路结构的低功耗优化技术,采用此技术使得整体功耗降低了36.1%。设计并实现了5级流水线以及运算单元内流水结构,处理AES/DES/IDEA算法的速度分别达到了689.6Mbit/s, 400Mbit/s和416.7Mbit/s。     

A construction of a cipher from a single pseudorandom permutation

We suggest a scheme for a block cipher which uses only one randomly chosen permutation,F. The key, consisting of two blocks,K ₁ andK ₂, is used in the following way. The message block is XORed withK ₁ before applyingF, and the outcome is XORed withK ₂, to produce the cryptogram block. We show that the resulting cipher is secure (when the permutation is random or pseudorandom). This removes the need to store, or generate a multitude of permutations. Shimon Even was supported by the Fund for the Promotion of Research at the Technion, and by Bellcore, Morristown, NJ 07940, U.S.A. Part of the work was done while Yishay Mansour was in the IBM T.J. Watson Research Center.     

Attacks on Block Ciphers of Low Algebraic Degree

In this paper an attack on block ciphers is introduced, the interpolation attack. This method is useful for attacking ciphers that use simple algebraic functions (in particular quadratic functions) as S-boxes. Also, attacks based on higher-order differentials are introduced. They are special and important cases of the interpolation attacks. The attacks are applied to several block ciphers, the six-round prototype cipher by Nyberg and Knudsen, which is provably secure against ordinary differential cryptanalysis, a modified version of the block cipher SHARK, and a block cipher suggested by Kiefer. Received April 1999 and revised October 2000 Online publication 9 April 2001     

Diffusion and Security Evaluation of Feistel-PG

Feistel-PG structure is a new specific Gen-eralized Feistel structure (GFS) adopted in DBlock and LHash. Its main feature is adding a sbox-size permutation before the round function. Different choices of the per-mutation may aff ect the security property of ciphers with Feistel-PG structure but how it eff ects is not clear. We evaluate the values of diffusion round for all possible pa-rameters and summarize the characteristics of optimum shuffles. The results show that one special kind of Feistel-PG achieves full diffusion in less cost than the improved GFS. This advantage may attract the designers' interests and this kind of Feistel-PG ciphers are suggested to de-signers. We also evaluate the security of suggested ciphers against various byte-oriented attacks, including differential cryptanalysis, linear cryptanalysis, impossible differential attack and integral attack. Some permutations with opti-mum diffusion but relatively weaker security are filtered out and these permutations should be avoided by design-ers.     

基于可变S盒的分组密码算法及其在媒体网关中的应用

分组密码算法是信息安全领域中最为重要的加解密技术之一。与传统的分组密码不同，该算法具有可变的S盒和变化的循环加密结构，从而大大提高了抗差分攻击和线性攻击的能力。结合某媒体网关的设计项目，研究了该算法并详细探导了其设计方法。员后，测试了算法的实际性能。     

10轮3D分组密码算法的中间相遇攻击

3D密码算法是一个代换-置换网络(SPN)型结构的新分组密码。与美国高级加密标准(AES)不同的是3D密码算法采用3维状态形式。该文利用3D算法结构,构造出一个5轮中间相遇区分器,并由此给出10轮3D的新攻击。结果表明:新攻击的数据复杂度约为2128选择明文,时间复杂度约为2331.1次10轮3D加密。与已有的攻击结构相比较,新攻击有效地降低了攻击所需的数据复杂度以及时间复杂度。     

The Security of Feistel Ciphers with Six Rounds or Less

This paper considers the security of Feistel networks where the round functions are chosen at random from a family of 2 ^k randomly chosen functions for any k . Also considered are the networks where the round functions are themselves permutations, since these have applications in practice. The constructions are attacked under the assumption that a key-recovery attack on one round function itself requires an exhaustive search over all 2 ^k possible functions. Attacks are given on all three-, four-, five-, and six-round Feistel constructions and interesting bounds on their security level are obtained. In a chosen text scenario the key recovery attacks on the four-round constructions, the analogue to the super pseudorandom permutations in the Luby and Rackoff model, take roughly only the time of an exhaustive search for the key of one round. A side result of the presented attacks is that some constructions, which have been proved super pseudorandom in the model of Luby and Rackoff, do not seem to offer more security in our model than constructions which are not super pseudorandom.     

分组密码算法两种S盒设计的可证安全性注记

对分组密码算法进行可证明安全性的工作存在一些争论。我们针对分组密码算法S盒设计的可证明安全性进行研究并提出:可证明安全性是设计者对算法应该采取的说明与论证过程;对分析者而言,只有当算法被破译之后才能否定安全性的证明。而在遵循S盒设计规则的同时,从多项式代数表出次数、相对于完全随机的优势度、线性偏差概率、非线性偏差概率等方面加以描述是必要的过程。     

Whitenoise密码Wu破译方法的分析与改进

Whitenoise是由BSB Utilities公司提出的一个序列密码算法。Wu在2003年8月巧妙地给出了破译Whitenoise算法的一个解方程组方法。该文对Wu的破译算法进行了深入分析, 证明了Wu方法的两个基本假设是错误的, 因而Wu的方法不可能求出正确密钥。此外, 该文还对Wu的破译方法进行了改进, 给出了求解Whitenoise密码的秘密整数和秘密素数的方法, 并给出了对Whitenoise密码的一个预测攻击方法, 利用该方法可由其前80445个乱数求出其任一时刻的乱数。此外, 该文还给出了求出其全部秘密要素的一个思路。     

Linear ciphers and spreads

The purpose of this paper is to point out a correspondence between certain types of linear ciphers and projective planes. With the aid of this correspondence we are then able to answer a number of questions posed in [3].     

KeeLoq密码Courtois攻击方法的分析和修正

KeeLoq密码是由Willem Smit设计的分组密码算法,广泛应用于汽车的无线门锁装置。Courtois等人在2007年提出了破译KeeLoq的4种滑动-代数攻击方法,其中第4种滑动-代数攻击方法的计算复杂性最小。本文证明了Courtois的第4种滑动-代数攻击方法的攻击原理是错误的,因而无法实现对KeeLoq的破译。此外,本文还对该方法进行了修正,提出了改进的攻击方法,利用232个已知明文能够以O(248) 次加密的计算复杂性求出KeeLoq密码的密钥,成功率为1。对于KeeLoq密码26％的密钥,其连续64圈圈函数形成的复合函数至少具有两个不动点,此时改进的攻击方法的计算复杂性还可降至O(248) 次加密。     

Differential Fault Attack on the Stream Cipher LIZARD

In this paper, we try to give a security evaluation of LIZARD stream cipher in regard to fault attacks, which, to the best of our knowledge, is the first fault analysis on LIZARD. We design a differential engine of LIZARD to track the differential trail of the keystreams. It is shown that the distributions of the keystream differences are heavily biased. Utilizing this characteristic, we propose an improved method to identify the fault location for LIZARD whose success probability approaches 1. Then we use the fault-free keystream and faulty keystreams to generate system of equations in internal state variables and solve it by SAT solver. The result shows that with 100 keystream bits, only 6 different faults are needed to recover the internal state. Finally, the comparison between LIZARD and Grain v1 shows that LIZARD is more resistable than Grain v1 in regard to fault attacks.     

Magpie:一种高安全的轻量级分组密码算法

论文提出了一种新的高安全轻量级密码算法,命名为Magpie.Magpie是基于SPN结构,分组长度为64位,密钥长度为96位,包含32轮运算.Magpie密码算法包括两个部分:运算部分和控制部分.运算部分,每轮运算包括五个基本运算模块:常数加,S盒变换,行移位,列混合,轮密钥加.控制部分,将密钥的第65位到96位作为Magpie加密算法的控制信号,其中密钥第65位到第80位作为S盒变换控制信号,第81位到第96位值作为列混合,行移位变换和每轮运算的控制信号.在Xilinx Virtex-5 FPGA上实现面积仅为10679 Slices,加密速率为6.4869Gb/s.     

2轮Trivium的多线性密码分析

作为欧洲流密码发展计划eSTREAM的7个最终获选算法之一,Trivium的安全性考察表明至今为止还没有出现有效的攻击算法。该文针对2轮Trivium,通过找出更多线性逼近方程,对其进行了多线性密码分析,提出了一种更有效的区分攻击算法。与现有的单线性密码分析算法相比,该算法攻击成功所需的数据量明显减少,即：若能找到n个线性近似方程,在达到相同攻击成功概率的前提下,多线性密码分析所需的数据量只有单线性密码分析的1/n。该研究结果表明,Trivium的设计还存在一定的缺陷,投入实用之前还需要实施进一步的安全性分析。     

非平衡分组密码的实现

分析了非平衡分组密码的性质,给出了它们的一些构造方法。