PEAK分组密码

提出了一个对称分组密码算法——PEA K。其分组长度为128bit,密钥长度为128bit到512bit可变,但要64bit对齐。该算法整体结构为变种的非平衡Feistel网络,具有天然的加解密相似性。同时在设计中采用了宽轨迹策略,确保算法对差分密码分析和线性密码分析的安全性。该文的目的是寻求公众对PEAK分组密码的测试、分析和评估。     

Chaos block cipher for wireless sensor network

New block cipher algorithm in single byte for wireless sensor network with excellence of many cipher algorithms is studied. The child keys are generated through the developed discrete Logistic mapping, and the Feistel encrypting function with discrete chaos operation is constructed. The single byte block is encrypted and decrypted through one turn permutation, being divided into two semi-byte, quadri- Feistel structural operation, and one turn permutation again. The amount of keys may be variable with the turns of Feistel structural operation. The random and security of the child key was proven, and the experiment for the block cipher in wireless sensor network was completed. The result indicates that the algorithm is more secure and the chaos block cipher in single byte is feasible for wireless sensor network.     

基于MILP搜索的ANU算法积分分析

ANU算法是由Bansod等人发表在SCN 2016上的一种超轻量级的Feistel结构的分组密码算法。截至目前,没有人提出针对该算法的积分攻击。为了研究ANU算法抗积分攻击的安全性,根据ANU算法的结构建立起基于比特可分性的MILP模型。对该模型进行求解,首次得到ANU算法的9轮积分区分器;利用搜索到的9轮区分器以及轮密钥之间的相关性,对128 bit密钥长度的ANU算法进行12轮密钥恢复攻击,能够恢复43 bit轮密钥。该攻击的数据复杂度为2^63.58个选择明文,时间复杂度为2^88.42次12轮算法加密,存储复杂度为2³³个存储单元。     

基于双伪随机变换和Feistel结构的轻量级分组密码VHF

针对资源受限的移动终端对轻量级密码的需求,提出了一种 基于双伪随机变换和Feistel结构的新的轻量级分组密码算法VHF。类似于许多其他轻量级分组密码,VHF的分组长度为128bit,密钥长度为80bit和128bit。VHF的安全评估结果表明,其可以对已知的攻击实现足够的安全性,如差分分析、线性分析和不可能差分分析等。在安全的基础上测试软件效率及硬件实现,与现有的轻量级分组密码进行的对比表明,VHF的软硬件效率都高于同为面向8位平台的国际标准CLEFIA算法。     

DBST: a lightweight block cipher based on dynamic S-box

IoT devices have been widely used with the advent of 5G. These devices contain a large amount of private data during transmission. It is primely important for ensuring their security. Therefore, we proposed a lightweight block cipher based on dynamic S-box named DBST. It is introduced for devices with limited hardware resources and high throughput requirements. DBST is a 128-bit block cipher supporting 64-bit key, which is based on a new generalized Feistel variant structure. It retains the consistency and significantly boosts the diffusion of the traditional Feistel structure. The SubColumns of round function is implemented by combining bit-slice technology with subkeys. The S-box is dynamically associated with the key. It has been demonstrated that DBST has a good avalanche effect, low hardware area, and high throughput. Our S-box has been proven to have fewer differential features than RECTANGLE S-box. The security analysis of DBST reveals that it can against impossible differential attack, differential attack, linear attack, and other types of attacks.     

MIBS-64算法的三子集中间相遇攻击

MIBS算法于2009年在CANS会议上提出,是一个32轮Feistel结构、64比特分组长度以及包含64比特、80比特两种主密钥长度的轻量级分组密码.针对该算法密钥编排中第1轮到第11轮子密钥之间存在部分重复和等价关系,本文首次完成了MIBS-64的11轮三子集中间相遇攻击,数据复杂度为2⁴⁷,存储复杂度为2⁴⁷64-bit,时间复杂度为2^62.25次11轮加密.与目前已有的对MIBS-64算法的中间相遇攻击相比,将攻击轮数由10轮扩展至11轮,刷新了该算法在中间相遇攻击下的安全性评估结果.     

Piccolo算法的差分故障分析

Piccolo算法是CHES 2011上提出的一个轻量级分组密码算法,它的分组长度为64- bit,密钥长度为80/128-bit,对应迭代轮数为25/31轮.Piccolo算法采用一种广义Feistel结构的变种,轮变换包括轮函数S-P-S和轮置换RP,能够较好地抵抗差分分析、线性分析等传统密码攻击方法.该文将Piccolo算法的S-P-S函数视为超级S盒(Super Sbox),采用面向半字节的随机故障模型,提出了一种针对Piccolo-80算法的差分故障分析方法.理论分析和实验结果表明:通过在算法第24轮输入的第1个和第3个寄存器各诱导1次随机半字节故障,能够将Piccolo-80算法的密钥空间缩小至约22-bit.因此,为安全使用Piccolo算法,在其实现时必须做一定的防护措施.     

简化轮LBlock的密钥中比特检测及分析

LBlock密码算法是近来提出的一类轻量级分组加密算法。利用LBlock算法的结构特点,结合立方检测的基本思想,设计2个密钥中比特捕获算法,对LBlock算法输出所涉及的密钥比特个数情况进行分析。9轮简化LBlock的每个输出比特全部卷入所有的主密钥比特信息,在18维立方变元下,11轮简化LBlock的输出累加中每个比特全部卷入所有的主密钥比特信息。上述2轮简化LBlock均不存在密钥中比特。研究结果表明,全轮LBlock密码算法具有稳固的密钥信息扩散及混淆性,足以抵抗经典立方攻击。     

A note on quantum related-key attacks

In a basic related-key attack against a block cipher, the adversary has access to encryptions under keys that differ from the target key by bit-flips. In this short note we show that for a quantum adversary such attacks are quite powerful: if the secret key is (i) uniquely determined by a small number of plaintext–ciphertext pairs, (ii) the block cipher can be evaluated efficiently, and (iii) a superposition of related keys can be queried, then the key can be extracted efficiently.     

ZF-02分组密码算法的设计与分析

提出了一种以换位变换为核心的分组密码算法(ZF-02算法)．该算法的分组长度为128bits，密钥长度可变．其加解密算法的基本结构可归结为：密钥控制下的入口状态复合换位变换、非线性性能良好的可逆置换和密钥控制下的出口状态复合换位变换．该算法逻辑结构简洁规范，而且易于在软、硬件及多种环境下实现．文中给出了算法的加解密流程和必要的数据参数表，并对其安全性做了基本分析，结果表明它拥有相当好的安全性．     

CRYPTOLOGY AND THE LAW

Abstract

Skipjack is a block cipher designed by the NSA for use in US government phones, and commercial mobile and wireless products by AT&;T. Among its initial implementations in hardware were the Clipper chip and Fortezza PC cards, which have since influenced the private communications market to be compatible with this technology. For instance, the Fortezza card comes in PCMCIA interface and is a very easy plug-n-play device to add on to mobile and wireless systems to provide encryption for wireless transmissions. Initially classified when it was first proposed, Skipjack was declassified in 1998, and it sparked numerous security analyses from security researchers worldwide because it provides insight into the state-of-the-art security design techniques used by a highly secretive government intelligence agency such as the NSA. In this paper, commemorating a decade since Skipjack's public revelation, we revisit the security of Skipjack, in particular its resistance to advanced differential-style distinguishers. In contrast to previous work that considered conventional and impossible differential distinguishers, we concentrate our attention on the more recent advanced differential-style and related-key distinguishers that were most likely not considered in the original design objectives of the NSA. In particular, we construct first-known related-key impossible differential, rectangle and related-key rectangle distinguishers of Skipjack. Our related-key attacks (i.e., related-key miss-in-the-middle and related-key rectangle attacks) are better than all the previous related-key attacks on Skipjack. Finally, we characterize the strength of Skipjack against all these attacks and motivate reasons why, influenced by the Skipjack structure, some attacks fare better. What is intriguing about Skipjack is its simple key schedule and a structure that is a cross between conventional Feistel design principles and the unconventional use of different round types. This work complements past results on the security analysis of Skipjack and is hoped to provide further insight into the security of an NSA-designed block cipher; the only one publicly known to date.     

PFP算法改进的不可能差分分析

目前资源受限环境的应用场景越来越多,该场景下的数据加密需求也随之增加。以国际标准PRESENT算法为代表的一大批轻量级分组密码应运而生。PFP算法是一种基于Feistel结构的超轻量级分组密码算法,它的轮函数设计借鉴了国际标准PRESENT算法的设计思想。PFP算法的分组长度为64比特,密钥长度为80比特,迭代轮数为34轮。针对PFP算法,研究了其抵抗不可能差分分析的能力。在该算法的设计文档中,设计者利用5轮不可能差分区分器攻击6轮的PFP算法,能够恢复32比特的种子密钥。与该结果相比,文中通过研究轮函数的具体设计细节,利用S盒的差分性质构造出7轮不可能差分区分器,并攻击9轮的PFP算法,能够恢复36比特的种子密钥。该结果无论在攻击轮数还是恢复的密钥量方面,均优于已有结果,是目前PFP算法最好的不可能差分分析结果。     

对简化轮数的SNAKE(2)算法的中间相遇攻击

SNAKE算法是由Lee等学者在JW-ISC1997上提出的一个Feistel型分组密码,有SNAKE(1)和SNAKE(2)两个版本。本文评估了简化轮数的SNAKE(2)算法对中间相遇攻击的抵抗能力,用存储复杂度换取时间复杂度,对7/8/9轮64比特分组的SNAKE(2)算法实施了攻击。攻击结果表明,9轮的SNAKE(2)算法对中间相遇攻击是不抵抗的,攻击的数据复杂度和时间复杂度分别为211.2和222,预计算复杂度为232,是现实攻击。     

针对CLEFIA的多字节差分故障分析

研究CLEFIA分组密码对多字节差分故障分析的安全性,给出CLEFIA分组密码算法及故障分析原理。根据在第r轮、r-1轮、 r-2轮注入多字节故障的3种条件,提出一种新的针对CLEFIA的多字节故障模型及分析方法。通过仿真实验进行验证,结果表明,由于其Feistel结构和S盒特性,CLEFIA易遭受多字节故障攻击,6~8个错误密文可恢复128 bit的CLEFIA密钥。     

改进的广义Feistel结构轻量级分组密码算法

随着复杂环境信息物理系统的更加开放,数据的安全传输问题备受关注.轻量级分组密码算法是保证信息物理系统数据安全传输的重要方法之一,但其仍存在软件实现速率低、硬件实现复杂和灵活性缺乏等问题.针对上述问题,提出了一种基于四分支的广义Feistel结构的高性能轻量级分组密码算法.相较于传统的广义Feistel结构算法,该算法进行了以下优化:1)采用由模加、循环位移和异或3种操作组合成的ARX （modular addition, rotation and XOR）结构替换传统广义Feistel结构中的S盒（非线性替换层）和P盒（线性置换层）,简化了算法的轮函数结构; 2)增加非对称双子密钥以处理每轮加密的明文中间状态,使得中间状态不存在未处理的分支,提高了算法的安全性; 3)设计了可扩展的轮常数加模块,提高了算法的灵活性; 4)分支中增加混淆扩散结构f_x,加快了算法的混淆和扩散速度;5)灵活设计了6个版本的轻量级分组密码算法,以适应不同位数的CPU平台.实验和分析表明,该算法实现效率高,具有良好的混淆和扩散能力,以及较高的安全性.     

A related key impossible differential attack against 22 rounds of the lightweight block cipher LBlock

LBlock is a new lightweight block cipher proposed by Wu and Zhang (2011) [12] at ACNS 2011. It is based on a modified 32-round Feistel structure. It uses keys of length 80 bits and message blocks of length 64 bits.In this letter, we examine the security arguments given in the original article and we show that we can improve the impossible differential attack given in the original article on 20 rounds by constructing a 22-round related key impossible differential attack that relies on intrinsic weaknesses of the key schedule. This attack has a complexity of 2⁷⁰ cipher operations using 2⁴⁷ plaintexts. This result was already published in Minier and Naya-Plasencia (2011) [9].     

基于混沌映射的分组密码算法

提出一种新的混沌分组密码算法。该算法基于扩展Feistel结构将128 bit明文加密为128 bit密文。轮函数中的S盒由Logistic混沌映射产生,算法密钥由128 bit的初始密钥通过Cubic映射迭代生成。采用硬件描述语言VerilogHDL设计实现该算法,并用Modelsim对加解密过程进行仿真,实验结果证明其具有高灵敏度的S盒,密钥空间大,混乱和扩散性能好。     

ESF算法的相关密钥不可能差分分析

ESF算法是一种具有广义Feistel结构的32轮迭代型轻量级分组密码。为研究ESF算法抵抗不可能差分攻击的能力,首次对ESF算法进行相关密钥不可能差分分析,结合密钥扩展算法的特点和轮函数本身的结构,构造了两条10轮相关密钥不可能差分路径。将一条10轮的相关密钥不可能差分路径向前向后分别扩展1轮和2轮,分析了13轮ESF算法,数据复杂度是260次选择明文对,计算量是223次13轮加密,可恢复18 bit密钥。将另一条10轮的相关密钥不可能差分路径向前向后都扩展2轮,分析了14轮ESF算法,数据复杂度是262选择明文对,计算复杂度是243.95次14轮加密,可恢复37 bit密钥。     

一种基于Feistel网络的反馈式分组混沌密码的研究

近年采,将混沌理论应用到信息安全已成为研究的一个热点。本文基于Feistel网络,提出了一种新颖的反馈式分组混沌密码算法。在该算法中,当前加密分组输出将影响下一明文分组要运行的轮数,而每一轮使用的孓盒的序号与加密密钥有关,轮数及s盒的序号均由混沌映射动态生成。由于混沌的固有特性,使得加密系统变得更加复杂,更加难以分析和预测。实验结果表明,本算法具有优良的密码学特性,对明文和密钥以及混沌系统参数的细微变动都非常敏感。产生的密文随机性很好。对本算法的安全性进行了分析,结果表明它具有很高的抗穷举攻击的能力。     

SCENERY: a lightweight block cipher based on Feistel structure

In this paper, we propose a new lightweight block cipher called SCENERY. The main purpose of SCENERY design applies to hardware and software platforms. SCENERY is a 64-bit block cipher supporting 80-bit keys, and its data processing consists of 28 rounds. The round function of SCENERY consists of 8 4 × 4 S-boxes in parallel and a 32 × 32 binary matrix, and we can implement SCENERY with some basic logic instructions. The hardware implementation of SCENERY only requires 1438 GE based on 0.18 um CMOS technology, and the software implementation of encrypting or decrypting a block takes approximately 1516 clock cycles on 8-bit microcontrollers and 364 clock cycles on 64-bit processors. Compared with other encryption algorithms, the performance of SCENERY is well balanced for both hardware and software. By the security analyses, SCENERY can achieve enough security margin against known attacks, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis and related-key attacks.