Similar literature (20 results)
1.
MDS matrices have good diffusion properties and are an important tool for designing the diffusion structure of block ciphers, and the implementation performance of the diffusion structure directly affects the implementation performance of the block cipher. This paper first introduces MDS matrices and their properties, then, taking the MDS matrix used in AES as an example, implements four common MDS-matrix implementation methods in code and performs a quantitative efficiency analysis to find the optimal implementation method for different application environments, which provides a useful reference for applying MDS matrices in other block cipher algorithms.

2.
Rui Guo  Chenhui Jin 《ETRI Journal》2014,36(6):1032-1040
The Lai-Massey scheme, proposed by Vaudenay, is a modified structure in the International Data Encryption Algorithm cipher. A family of block ciphers, named FOX, were built on the Lai-Massey scheme. Impossible differential cryptanalysis is a powerful technique used to recover the secret key of block ciphers. This paper studies the impossible differential cryptanalysis of the Lai-Massey scheme with affine orthomorphism for the first time. Firstly, we prove that there always exist 4-round impossible differentials of a Lai-Massey cipher having a bijective F-function. Such 4-round impossible differentials can be used to help find 4-round impossible differentials of FOX64 and FOX128. Moreover, we give some sufficient conditions to characterize the existence of 5-, 6-, and 7-round impossible differentials of Lai-Massey ciphers having a substitution-permutation (SP) F-function, and we observe that if Lai-Massey ciphers having an SP F-function use the same diffusion layer and orthomorphism as FOX64, then there are indeed 5- and 6-round impossible differentials. These results indicate that both the diffusion layer and orthomorphism should be chosen carefully so as to make the Lai-Massey cipher secure against impossible differential cryptanalysis.

3.
In recent years, because of the security requirements of resource-constrained devices, design and analysis of lightweight block ciphers has received more attention. mCrypton is a lightweight block cipher that has been specifically designed for use in resource-constrained devices, such as low-cost radio-frequency identification tags and sensors. In this paper, we consider cryptanalysis of full-round mCrypton-64 using a new extension of the biclique attack called non-isomorphic biclique cryptanalysis. As is known, the effectiveness of the biclique attack is highly dependent on the weakness of the key schedule, and it does not seem to be appropriate for block ciphers with strong key scheduling. The non-isomorphic biclique attack, using an asymmetric key partitioning technique, provides more degrees of freedom to the attacker and makes it possible to use the diffusion layer properties of a block cipher for constructing longer bicliques. Results show that the attack on full-round mCrypton requires 2^33.9 chosen plaintexts and a time complexity of 2^62.67 encryptions. The computational complexity reduces to 2^62.3, 2^61.4, and 2^59.75 encryptions for 10, 8, and 6 rounds of mCrypton-64, respectively. We also discuss the general form of the computational complexity for non-isomorphic biclique cryptanalysis. Copyright © 2014 John Wiley & Sons, Ltd.

4.
For published block cipher algorithms, two kinds of round functions have been studied. Block ciphers in network environments face more risks than ever before because their initialization keys are distributed over the internet. The security of a block cipher algorithm is affected by linear bias and nonlinear bias, which are bounded by the confusion layer and the diffusion layer. This article examines how a block cipher's two round structures are transformed when they are fused into an LFSR. The SP structure can be viewed as two F functions in one Feistel round function, combining the transformation of both the right and left halves of the original data. Furthermore, the linear and nonlinear functions of the round number for the Feistel and SP structures are compared. The merit of the SP structure is that it can be fused into an LFSR as a memoryless nonlinear filter.

5.
Linear cryptanalysis of two variants of CS-CIPHER
吴文玲  卿斯汉 《电子学报》2002,30(2):283-285
CS-CIPHER is one of the 17 candidate algorithms published by NESSIE; its block length is 64 bits. This paper performs linear cryptanalysis on two variants of CS-CIPHER. The attack on the first variant has a success rate of about 78.5%, a data complexity of 2^52 and a processing complexity of 2^32. The attack on the second variant has a success rate of about 78.5%, a data complexity of 2^52 and a processing complexity of 2^112.

6.
李平  孙兵  李瑞林  李超 《通信技术》2010,43(8):161-163
The diffusion layer is an important component of block ciphers; in particular, SPN-structured ciphers and Feistel ciphers whose round function is of SPN type all use a non-degenerate linear transformation as their diffusion layer. A good branch number and the involution property of the linear transformation greatly improve both the diffusion of the block cipher and its implementation efficiency. This paper constructs three linear transformations based on cyclic shifts and XOR operations, proves that these three linear transformations are sub-optimal linear transformations with branch number 4, and, under certain conditions, proves that they are all involutive linear transformations.

7.
Research status and development trends of block cipher theory and technology at home and abroad
Cryptographic technology, especially encryption technology, is the core of information security technology. The successive launches of the AES call and the NESSIE project have set off a new wave of block cipher research internationally. This paper gives an overview of the current state of block cipher research at home and abroad and analyzes its development trends. It also discusses in detail the main theories and techniques of block ciphers, and finally introduces two algorithms: Rijndael (the final AES algorithm) and IDEA (one of the NESSIE block cipher candidates).

8.
By constructing three types of related-key differential characteristics, we present three corresponding related-key differential attacks on the cipher. Owing to the independence of the characteristics, we can recover 64 bits of the cipher's master key with 2^58.6 chosen plaintexts, 2^58.8 full-round DDP-64 encryptions and 2^12.8 bits of storage resources. To break the cipher, we only need to perform an exhaustive search for the remaining 64 bits of the master key.

9.
A general completeness algorithm for nonlinear-feedback-shift-register-based stream ciphers
李俊志  关杰 《电子学报》2018,46(9):2075-2080
Stream ciphers based on nonlinear feedback shift registers are used to encrypt information in hardware-resource-constrained devices such as smart cards, RFID tags and wireless sensors; typical representatives are Trivium, Grain v1 and Mickey. However, existing completeness algorithms, when applied to this class of stream ciphers, analyze too few rounds and do not clearly distinguish dependency relations. This paper proposes a general algorithm for examining the completeness of such stream ciphers: the internal state of the cipher is represented as a linear set and a nonlinear set, each round update of the stream cipher is converted into operations on these sets, and iterative computation gives a lower bound on the number of rounds required for the cipher to reach nonlinear completeness, overcoming the shortcomings of existing completeness algorithms. Applying this general algorithm, a better 1-bit differential distinguisher for Trivium is given and a real-time attack on Trivium-B is completed. The method can provide a theoretical basis for the design of this class of stream ciphers.

10.
王念平 《电子学报》2012,40(4):838-841
In S-P networks, the design of the P transformation directly affects the overall diffusion performance of the block cipher. On this basis, a class of special bit transformations is proposed; it is proved that this class of bit transformations is involutive with branch number 4, and the number of input/output pairs whose input weight and output weight sum to 4 is given. Further analysis shows that although the branch number of this class of bit transformations does not reach the maximum, it still has good diffusion performance.

11.
马宿东  金晨辉  关杰 《电子学报》2020,48(3):449-455
Binary matrices with maximum branch number are widely used in the design of block cipher diffusion layers. Focusing on the diffusion layer of the ARIA algorithm, this paper first defines ARIA-type diffusion structures, gives the branch numbers of order-16 ARIA-type diffusion structures, and further gives a necessary and sufficient condition for an order-16 ARIA-type diffusion structure to have branch number 8, thereby constructing a large batch of candidate order-16 binary matrices with branch number 8. Secondly, it solves the problem of counting order-16 ARIA-type diffusion structures with branch number 8, and finally gives a construction method for involutive order-16 ARIA-type diffusion structures with branch number 8. The results provide a new method for constructing involutive order-16 binary square matrices with maximum branch number.

12.
GIFT, a lightweight block cipher proposed at CHES 2017, has been widely cryptanalyzed in recent years. This paper first studies the differential diffusion characteristics of the round function of GIFT, and proposes a random nibble-based differential fault attack. The key recovery scheme is developed on the statistical properties we found for the differential distribution table of the S-box. Extensive experiments have been done, and the experimental results show that one round key can be retrieved with an average of 20.24 and 44.96 fault injections for GIFT-64 and GIFT-128 respectively. Further analysis shows that a certain number of fault injections recover most key bits. So we demonstrate an improved fault attack combined with exhaustive search, which shows that the master key can be recovered by performing 2^16 and 2^17 computations and injecting 31 and 32 faults on average for GIFT-64 and GIFT-128 respectively.

13.
Min XIE  Jiaqi LI  Feng TIAN 《通信学报》2020,41(4):143-149
In order to evaluate the security of the lightweight block cipher FeW, a differential fault attack method was proposed and discussed using a single-byte random fault model. In this method, a single-byte random fault was introduced on the right side of the last round of FeW to recover the key based on the statistical characteristics of the S-box difference distribution, and the difference information was obtained using the characteristics of the linear diffusion function. The experimental results show that complete key recovery can be achieved with an average of 47.73 and 79.55 fault injections for FeW-64-80 and FeW-64-128 respectively. If 2^10 exhaustive calculations are added to the key recovery process, the average number of fault injections required can be reduced to 24.90 and 41.50. This attack is effective on FeW.

14.
Related-key attack on chaotic stream ciphers
This paper is the first to propose a related-key attack method against chaotic stream ciphers. The method combines the idea of linear cryptanalysis with the divide-and-conquer attack on chaotic ciphers, using the keystream sequences generated by multiple related keys to mount a divide-and-conquer attack on the chaotic cipher. This greatly improves the efficiency of the divide-and-conquer attack and overcomes its limitation that, when the information leaked by the coincidence-degree distribution of the chaotic cipher is small or the key size is large, it is hard to reduce the computational complexity of the attack to a feasible range. As an example, the paper implements a related-key attack on the ZLL chaotic cipher with a 64-bit key; on a 2.5 GHz Pentium 4 PC, the whole attack takes 154 s on average with a success rate of 0.96.

15.
LILI-128 is the stream cipher proposed as a candidate cipher for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) Project. Some methods of breaking it more efficiently than an exhaustive search for its secret key have been found already. The authors propose a new method, which uses a shorter bit sequence to break LILI-128 successfully. An attack that can be made with less data can be a more practical threat. With only 2^7 bits of keystream, this method can break LILI-128 successfully. The efficiency of our attack depends on the memory size. For example, with 2^99.1 computations, our attack breaks LILI-128 if 2^28.6-bit memory is available.

16.
In this paper, we discuss a wide-trail-strategy-based method able to enhance the security offered by an encryption scheme developed in the University of Ferrara and based on an extended Feistel structure. By adding a new diffusion layer to the basic round transformation of the original system, we are able to increase the number of active transformations, improving both the strength of the scheme against linear and differential attacks and the whole cipher performance by considerably reducing the system decoding time.

17.
This paper studies the security of the MD-64 block cipher algorithm under related-key rectangle attacks. It analyzes the differential propagation rules of the higher-order DDO (Data Dependent Operations) structure and the SPN structure in the algorithm when the input difference has weight 1, uses the differential properties of the higher-order DDO structure and the weight-1 differential paths of the SPN structure to construct two related-key differential paths for the algorithm, connects the two paths to build a full-round related-key rectangle distinguisher, and mounts a related-key rectangle attack on the algorithm, recovering 32 bits of the key. The attack requires 2^62 related-key chosen plaintexts, 2^91.6 MD-64 encryptions and 2^66.6 bytes of storage, with a success rate of about 0.961. The analysis shows that the security of MD-64 under related-key rectangle attacks does not reach its design goal.

18.
A combined stream cipher chip based on a neural network algorithm
丁群  彭喜元  杨自恒 《电子学报》2006,34(3):409-412
Stream ciphers have always been one of the most important encryption methods in cryptography. This paper proposes the design of a stream cipher encryption chip based on a neural network algorithm which, while preserving the good statistical properties of the original sequence, increases both the period and the linear complexity of the output sequence. FPGA technology is used to design the stream cipher chip circuit, and modern electronic design methods are applied to implement the arithmetic functions and timing allocation. Logic synthesis and simulation results verify the correctness of the chip circuit. The results support the application of stream cipher algorithms in information security and modern secure communication equipment.

19.
A statistical analysis of the diffusion property of block cipher algorithms
朱明富  张宝东  吕述望 《通信学报》2002,23(10):122-128
Addressing the existing dependence test for the diffusion property of block ciphers, this paper analyzes the probability distributions of the statistics involved, giving this statistical analysis method a more complete theoretical basis, and points out the shortcomings of NESSIE's use of this method to evaluate the AES finalist algorithms. A lower bound on the sample size to draw when applying this statistical method to dependence tests of block cipher algorithms is given.

20.
DDP-64, based on various controlled operations, is a 64-bit Feistel-like block cipher consisting of 10 rounds with a 128-bit key. It was designed to attempt to have a high security level and a high speed performance in hardware on ubiquitous computing systems and multimedia. In this paper, however, we show that DDP-64 doesn't have a high security level; more precisely, we show that it is vulnerable to a related-key differential attack. This attack, which is much faster than exhaustive key search, requires about 2^54 data and 2^54 time complexities. This work is the first known cryptanalytic result on DDP-64 so far.
