循环移位对Rijndael密码安全性的影响

目前针对新一轮高级加密标准(AES)Rijndael密码的最有效攻击算法仍是由设计者提出的Square攻击。文献[1]中指出Square攻击是一种选择明文攻击，攻击强度不依赖于S盒、列混合矩阵和密钥扩散准则的选取。本文提出的逆序Square攻击算法是一种选择密文攻击方法，对5、6轮的Rjjndael密码的攻击优于Square攻击，对RD-256的攻击较原算法复杂度降低2^3，Square攻击对RD-192的攻击优于逆序攻击。如果改变密码循环移位的方向或密钥扩展算法中的循环移位方向则逆序攻击对5、6轮RD-128的攻击复杂度较Square攻击降低2^8，对7轮RD-192的攻击优于Square攻击，而在许多文献中将改变后的行移位方向默认为原算法移位的方向。     

描述Rijndael的一个新的方程组

由于Rijndael的S盒的代数表达式是逆函数合成GF(28)上一个q-多项式,该文合理假设S盒的变量并通过讨论各变量之间的关系,把Rijndael用GF(28)上一个多变量二次方程组来表示,使得Rijndael的密钥恢复等同于求解这个方程组.该方程组较Murphy-Robshaw方程组更简单,用XSL技术求解复杂度更低。     

Rijndael密码的逆序Square攻击

2000年10月Rijnael被选为高级加密标准(AES),目前对它最有效攻击仍是由设计者提出的Square攻击。Square攻击是利用密码Square特性提出的选择明文攻击,可以对六轮和六轮以下的Rijndael密码进行成功的攻击,攻击六轮Rijndael的所有密钥的计算量为2272+264,五轮密码的复杂度为3240+232。该文提出了逆序Square攻击算法,该算法是基于密码Square特性提出的选择密文攻击方法。它攻出六轮Rijndael密码的所有密钥的复杂度为272+256,五轮密码的复杂度为240+224。若改变密钥扩散准则中的圈循环顺序,五轮密码的逆序Square攻击复杂度由240降为232,六轮的攻击复杂度由272降为264。     

具有可变安全特性的分组密码算法RC5及其抗攻击分析

目前，分组密码算法面临的主要攻击是穷尽攻击，差分攻击和线性攻击，利用可变长密钥，可变长分组，可变圈数，基于伪随机数据控制的循环移位和模２＾３２加法群运算等方法，使ＲＣ５有效地提高了其抵御上述三类攻击的能力。本文描述并分析了ＲＣ５算法及其安全特性。     

密钥控制的多S盒Rijndael算法

根据AESS盒的设计思想构造出了一批密码性能良好的S盒,并从方差的角度对它们的雪崩概率进行了分析。在此基础上,对Rijndael算法中的字节代换步骤SubBytes进行改进,从而提出了一种基于密钥控制的多S盒的Rijndael算法。实验结果表明,改进后的算法对差分攻击的抵抗能力有所提高,雪崩效应更趋合理。     

LTE中的Rijndael算法研究

从外部结构和内部数学模型两个角度深入分析了LTE中的Rijndael算法,包括算法的核心迭代轮运算,给出了算法的流程图,用伪C代码实现其加密过程,并通过给出的代码完成了测试例的加密处理.     

基于Rijndael算法的OTP认证方案设计

传统的OTP认证方案是一种性能高且安全性较好的一次性口令身份认证方案,但安全漏洞较多。文章针对传统OTP认证方案的缺陷进行了研究改进,提出了一种新型基于刚ndaef算法的OTP认证方案,新方案可以有效防止伪造服务器攻击,能进行会话密钥的协商,并且能够保持会话密钥新鲜性,大大提高了方案整体的安全性,非常适合应用于网络环境中。     

T′算法在域GF(2)上的性能研究

代数攻击算法XSL是域GF(2)上求解大规模的多元多项式方程组的有效算法,分析发现XSL中的T′算法不能达到其希望的结束条件Free=T或Free=T-1。给出T′算法的一个真实结束条件和2个变量选择原则,并在原T′算法的基础上增加概率算法和以较大概率估计变量取值。结果表明改进后的T′算法可以简化方程组求解。     

改进的减轮E2算法中间相遇攻击

E2算法是AES首轮征集的15个候选算法之一,具有优良的软硬件实现效率和较强的安全性。该文利用多重集和差分枚举技术,对E2算法进行中间相遇攻击。首先以E2-128为例,改进了已有的4轮中间相遇区分器,将5轮密钥恢复攻击预计算复杂度降低为${2^{31}}$次5轮算法加密。其次针对E2-256,将所得区分器向后增加两轮,构造了6轮中间相遇区分器,并实现了9轮中间相遇攻击,攻击所需的数据复杂度为${2^{105}}$个选择明文,存储复杂度为${2^{200}}$ Byte,时间复杂度为${2^{205}}$次9轮算法加密。与现有对E2算法的安全性分析结果相比,该文实现了对E2-256最长轮数的攻击。     

基于Grobner基的Rijndael-192代数攻击方案

由于对Rijndael算法实施Grobner基攻击的一个关键环节是构造出其零维Grobner基,本文对Rijndael-192密码的线性变换和多变元方程系统进行了深入研究,通过选择合理的项序及变量次序,提出了Rijndael-192零维Grobner基的构造方法.文中详述了该Grobner基的构造方法,并给出了相关性质的理论证明.此外,本文提出了一种Rijndael-192的Grobner基攻击方案,攻击复杂度低于穷举攻击.     

Activity attack on reduced variants of Rijndael

The famous Square attacks against the Rijndael algorithm have taken advantage of the change of the balance of some bytes. Further study shows that the change of activity always happens before the change of balance, which builds the foundation for a new activity attack presented in this paper. In the activity attack, the round in which the activity changes is executed in an equivalent form to avoid the obstructive restriction of the subkeys of that round.The existence of the birthday paradox guarantees much fewer plaintexts necessary for activity attacks comparing with that for corresponding Square attacks. But no benefit may result from the new attacks performed independently because the activity attacks guess four instead of one key byte once. Only when both the balance property and the activity property are exploited at the same time can much better performance be obtained. The better performance in the simulation shows that the consuming time and chosen plaintexts necessary are both reduced to one tenth of those of the corresponding Square attacks. So the activity attacks could be viewed as an efficient supplement to the Square attacks.     

Trivium序列密码的线性性质和代数性质

Trivium是C.De Cannière和B.Preneel在2005年为欧洲eSTREAM项目设计的序列密码,Trivium被选为最终的7个算法之一.Trivium的内部状态为288比特,密钥长度为80比特.文中给出Trivium的分组密码迭代模型,在这个模型下,利用计算程序得出了Trivium各轮输出关于内部状态的线性逼近及其线性逼近概率,当初始化轮数超过246时,其输出关于输入的线性逼近概率不大于1/2＋2-41.利用计算机搜索程序,给出Trivi-um在轮的代数方程规模,利用l 152个输出比特,得到的二次方程组包含6 788个变量、11 232个方程,从实验上证明了Trivium算法能抗线性攻击和代数攻击.     

MD-64算法的相关密钥-矩形攻击

该文针对MD-64分组密码算法在相关密钥-矩形攻击下的安全性进行了研究。分析了算法中高次DDO (Data Dependent Operations)结构、SPN结构在输入差分重量为1时的差分转移规律,利用高次DDO结构的差分特性和SPN结构重量为1的差分路径构造了算法的两条相关密钥-差分路径,通过连接两条路径构造了算法的完全轮的相关密钥-矩形区分器,并对算法进行了相关密钥-矩形攻击,恢复出了32 bit密钥。攻击算法所需的数据复杂度为262相关密钥-选择明文,计算复杂度为291.6次MD-64算法加密,存储复杂度为266.6 Byte存储空间,成功率约为0.961。分析结果表明,MD-64算法在相关密钥-矩形攻击条件下的安全性无法达到设计目标。     

Attacks on Block Ciphers of Low Algebraic Degree

In this paper an attack on block ciphers is introduced, the interpolation attack. This method is useful for attacking ciphers that use simple algebraic functions (in particular quadratic functions) as S-boxes. Also, attacks based on higher-order differentials are introduced. They are special and important cases of the interpolation attacks. The attacks are applied to several block ciphers, the six-round prototype cipher by Nyberg and Knudsen, which is provably secure against ordinary differential cryptanalysis, a modified version of the block cipher SHARK, and a block cipher suggested by Kiefer. Received April 1999 and revised October 2000 Online publication 9 April 2001     

Improvement Differential fault attack on TWINE

A new method of differential fault attack was proposed,which was based on the nibble-group differential diffusion property of the lightweight block cipher TWINE.On the basis of the statistical regularity of the S-box differential distribution,the lower bound of the probability of recovering round key was calculated.Then expectation of number of fault injections when restoring seed key can be estimated.Theoretical proof and experimental results both show that an average of nine times of fault injections in 33,34 and 35 rounds bring about the seed key recovered completely.Finally,the improvement of the fault injection location was proposed,which enhances the feasibility of the genuine attack.     

The cryptanalysis of FEAL-4 with 20 chosen plaintexts

An algebraic method is given for a chosen plaintext cryptanalysis of the Nippon Telegraph and Telephone Corporation's FEAL-4 block cipher. The method given uses 20 chosen plaintexts, but can be adapted to use as few as four chosen plaintexts.This research was supported by S.E.R.C. Research Grant GR/E 64640.