Midori-64算法的截断不可能差分分析

分析了Midori-64算法在截断不可能差分攻击下的安全性.首先,通过分析Midori算法加、解密过程差分路径规律,证明了Midori算法在单密钥条件下的截断不可能差分区分器至多6轮,并对6轮截断不可能差分区分器进行了分类;其次,根据分类结果,构造了一个6轮区分器,并给出11轮Midori-64算法的不可能差分分析,恢复了128比特主密钥,其时间复杂度为2^121.4,数据复杂度为2^60.8,存储复杂度为2^96.5.     

一类基于混沌函数的分组密码的安全性评估

评估了一类基于混沌函数的分组密码(generalized Feistel structure,简称GFS)抵抗差分密码分析和线性密码分析的能力.如果轮函数是双射且它的最大差分特征概率和线性逼近概率分别是p和q,则r轮GFS的最大差分特征和线性逼近的概率分别以p^r-1和q^r-1为其上界.     

Piccolo算法的相关密钥-不可能差分攻击

现有的对于Piccolo算法的安全性分析结果中,除Biclique分析外,以低于穷举搜索的复杂度最长仅攻击至14轮Piccolo-80和18轮Piccolo-128算法.通过分析Piccolo算法密钥扩展的信息泄漏规律,结合算法等效结构,利用相关密钥-不可能差分分析方法,基于分割攻击思想,分别给出了15轮Piccolo-80和21轮Piccolo-128含前向白化密钥的攻击结果.当选择相关密钥量为2⁸时,攻击所需的数据复杂度分别为2^58.6和2^62.3,存储复杂度分别为2^60.6和2^64.3,计算复杂度分别为2⁷⁸和2^82.5;在选择相关密钥量为2⁴时,攻击所需的数据复杂度均为2^62.6和2^62.3,存储复杂度分别为2^64.6和2^64.3,计算复杂度分别为2^77.93和2^124.45.分析结果表明,仅含前向白化密钥的15轮Piccolo-80算法和21轮Piccolo-128算法在相关密钥-不可能差分攻击下是不安全的.     

用不可能差分法分析12轮ESF算法

轻量级分组密码算法ESF是一种具有广义Feistel结构的32轮迭代型分组密码,轮函数具有SPN结构,分组长度为64比特,密钥长度为80比特。为了研究ESF算法抵抗不可能差分攻击的能力,基于一条8轮不可能差分路径,根据轮密钥之间的关系,通过向前增加2轮、向后增加2轮的方式,对12轮ESF算法进行了攻击。计算结果表明,攻击12轮ESF算法所需的数据复杂度为O(2⁵³),时间复杂度为O(260.43),由此说明12轮的ESF算法对不可能差分密码分析是不免疫的。     

Camellia-128的截断差分攻击改进

基于2001年ASIACRYPT（亚密会）会议上Sugita等人提出的9轮截断差分区分器, 提出了Camellia算法的10轮截断差分区分器。进一步地利用这个区分器和密钥恢复中的提前抛弃技术, 给出了12轮Camellia-128的攻击, 恢复出所有密钥的数据复杂度和时间复杂度分别为2⁹⁷和2¹²⁴。这个结果是目前针对Camellia算法的截断差分攻击中最好的。     

缩减轮数Crypton算法中间相遇攻击的改进

Crypton密码算法是韩国学者提出的一种AES候选算法。通过研究Crypton算法的结构特征和一类截断差分路径的性质,利用差分枚举技术权衡存储复杂度和数据复杂度,提出了4轮和4.5轮中间相遇区分器。新的区分器减少了预计算表中的多重集数量,降低了存储复杂度。基于4轮区分器首次给出对7轮Crypton-128的中间相遇攻击,时间复杂度为2¹¹³,数据复杂度为2¹¹³,存储复杂度为290.72。基于4.5轮区分器首次给出对8轮Crypton-192的中间相遇攻击,时间复杂度为2¹⁷²,数据复杂度为2¹¹³,存储复杂度为2¹³⁸。     

故障模型下MORUS算法的差分扩散性质研究

MORUS算法是由H.Wu等人设计的一类认证加密算法,目前已顺利进入CAESAR竞赛第3轮竞选.研究MORUS算法故障模型下的差分扩散性质.采用面向比特的随机故障模型,结合差分分析技术与中间相遇思想,改进了针对MORUS算法的差分链搜索算法.运用该算法找到了5步概率为2^-85的差分链,从而实现了对初始化过程5步的简化版MORUS-640-128算法的差分-区分攻击,攻击所需的数据量和区分优势分别为2⁸⁹和0.99965.最后,利用差分故障分析方法对认证过程3步的简化版MORUS-640-128算法进行了伪造攻击.     

概率积分及其在PUFFIN算法中的应用

积分分析是一种针对分组密码十分有效的分析方法,其通常利用密文某些位置的零和性质构造积分区分器.基于高阶差分理论,可通过研究密文与明文之间多项式的代数次数来确定密文某些位置是否平衡.从传统的积分分析出发,首次考虑常数对多项式首项系数的影响,提出了概率积分分析方法,并将其应用于PUFFIN算法的安全性分析.针对PUFFIN算法,构造了7轮概率积分区分器,比已有最好的积分区分器轮数长1轮.进一步,利用构造的概率积分区分器,对9轮PUFFIN算法进行密钥恢复攻击.该攻击可恢复92比特轮密钥,攻击的数据复杂度为2^24.8个选择明文,时间复杂度为2^35.48次9轮算法加密,存储复杂度为2²⁰个存储单元.     

ESF算法的不可能差分密码分析

分析研究了分组密码算法ESF抵抗不可能差分的能力,使用8轮不可能差分路径,给出了相关攻击结果。基于一条8轮的不可能差分路径,根据轮密钥之间的关系,通过改变原有轮数扩展和密钥猜测的顺序,攻击了11轮的ESF,改善了关于11轮的ESF的不可能差分攻击的结果。计算结果表明:攻击11轮的ESF所需要的数据复杂度为O(2⁵³),时间复杂度为O(2³²),同时也说明了11轮的ESF对不可能差分是不免疫的。     

MARS和Rijndael的能量攻击

使用能量攻击对MARS 和Rijndael进行了深入分析.结果表明:对于256,192和128比特密钥的MARS算法,能量攻击的复杂度平均分别为2²⁸⁸,2¹⁶⁸ 和 2116.对于256,192和128比特密钥的Rijndael算法,能量攻击的复杂度平均分别为2¹³¹,2⁹⁹和267.虽然攻击的复杂度实际上无法达到,但是此攻击方法大大降低了MARS 和Rijndae的密钥规模.     

Differential Attack on Five Rounds of the SC2000 Block Cipher<Superscript>*</Superscript>

The SC2000 block cipher has a 128-bit block size and a user key of 128,192 or 256 bits,which employs a total of 6.5 rounds if a 128-bit user key is used.It is a CRYPTREC recommended e-government cipher in Japan.In this paper we address how to recover the user key from a few subkey bits of SC2000,and describe two 4.75-round differential characteristics with probability 2-126 of SC2000 and seventy-six 4.75-round differential characteristics with probability 2-127.Finally,we present a differential cryptanalysis attack on a 5-round reduced version of SC2000 when used with a 128-bit key;the attack requires 2-125.68 chosen plaintexts and has a time complexity of 2 125.75 5-round SC2000 encryptions.The attack does not threat the security of the full SC2000 cipher,but it suggests for the first time that the safety margin of SC2000 with a 128-bit key decreases below one and a half rounds.     

Related-Key Impossible Diferential Attack on Reduced-Round LBlock简

LBlock is a 32-round lightweight block cipher with 64-bit block size and 80-bit key. This paper identifies 16- round related-key impossible differentials of LBlock, which are better than the 15-round related-key impossible differentials used in the previous attack. Based on these 16-round related-key impossible differentials, we can attack 23 rounds of LBlock while the previous related-key impossible differential attacks could only work on 22-round LBlock. This makes our attack on LBlock the best attack in terms of the number of attacked rounds.     

Differential cryptanalysis of eight-round SEED

Block Cipher SEED is one of the standard 128-bit block ciphers of ISO/IEC together with AES and Camellia (Aoki et al., 2000, ISO/IEC 18033-3, 2005; Korea Information Security Agency, 1999; National Institute of Standards and Technology, 2001) [1], [4], [5] and [6]. Since SEED had been developed, there is no distinguishing cryptanalysis except a 7-round differential attack in 2002 [7]. For this, they used the six-round differential characteristics with probability ²−124 and analyzed seven-round SEED with 2¹²⁶ chosen plaintexts. In this paper, we propose a new seven-round differential characteristic with probability ²−122 and analyze eight-round SEED with 2¹²⁵ chosen plaintexts. The attack requires about 2¹²² eight-round encryptions. This is the best-known attack on a reduced version of SEED so far.     

Differential attack on nine rounds of the SEED block cipher

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2^69.71 bytes, and has a time complexity of 2^126.36 encryptions with a success probability of 99.9% when using 2¹²⁵ chosen plaintexts, or a time complexity of 2^125.36 encryptions with a success probability of 97.8% when using 2¹²⁴ chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.     

AC分组密码的差分和线性密码分析

讨论AC分组密码对差分和线性密码分析的安全性,通过估计3轮AC的差分活动盒子的个数下界和12轮AC的线性活动盒子的个数下界,本文得到AC的12轮差分特征概率不大于2-128和线性逼近优势不大于2-67.因此,AC分组密码对差分和线性密码分析是安全的.     

Cryptanalysis of full PRIDE block cipher

PRIDE is a lightweight block cipher proposed at CRYPTO 2014 by Albrecht et al., who claimed that the construction of linear layers is efficient and secure. In this paper, we investigate the key schedule and find eight 2-round iterative related-key differential characteristics, which can be used to construct 18-round related-key differentials. A study of the first subkey derivation function reveals that there exist three weak-key classes, as a result of which all the differences of subkeys for each round are identical. For the weak-key classes, we also find eight 2-round iterative related-key differential characteristics. Based on one of the related-key differentials, we launch an attack on the full PRIDE block cipher. The data and time complexity are 2³⁹ chosen plaintexts and 2⁹² encryptions, respectively. Moreover, by using multiple related-key differentials, we improve the cryptanalysis, which then requires 2^41.6 chosen plaintexts and 2^42.7 encryptions, respectively. Finally, we use two 17-round related-key differentials to analyze full PRIDE, which requires 2³⁵ plaintexts and 2^54.7 encryptions. These are the first results on full PRIDE, and show that the PRIDE block cipher is not secure against related-key differential attack.     

对SMS4密码算法改进的差分攻击

差分分析和线性分析是重要的密码算法分析工具.多年来,很多研究者致力于改善这两种攻击方法.Achiya Bar-On等人提出了一种方法,能够使攻击者对部分状态参与非线性变换的SPN结构的密码算法进行更多轮数的差分分析和线性分析.这种方法使用了两个辅助矩阵,其目的就是更多地利用密码算法中线性层的约束,从而能攻击更多轮数.将这种方法应用到中国密码算法SMS4的多差分攻击中,获得了一个比现有攻击存储复杂度更低和数据复杂度更少的攻击结果.在成功概率为0.9时,实施23轮的SMS4密钥恢复攻击需要2^113.5个明文,时间复杂度为2^126.7轮等价的23轮加密.这是目前为止存储复杂度最低的攻击,存储复杂度为2¹⁷个字节.     

轻量级分组密码MIBS-80算法的Biclique分析

提出了针对轻量级分组密码算法 MIBS-80 的 Biclique 分析.利用两条独立的相关密钥差分路径,构造了4轮维度为4 的 Biclique 结构,在此基础上对密钥空间进行了划分,结合预计算技术,对每一个密钥子空间进行筛选以降低中间相遇攻击所需的计算复杂度,实施了对12 轮 MIBS-80 的密钥恢复攻击.攻击的数据复杂度为2⁵²个选择明文,计算复杂度约为2^77.13次12 轮 MIBS-80 加密,存储复杂度约为2^8.17,成功实施攻击的概率为1.与已有攻击方法相比,在存储复杂度及成功率方面具有优势.