基于差分表的Blow-CAST-Fish算法的密钥恢复攻击

针对Blow-CAST-Fish算法攻击轮数有限和复杂度高等问题，提出一种基于差分表的Blow-CAST-Fish算法的密钥恢复攻击。首先，对S盒的碰撞性进行分析，分别基于两个S盒和单个S盒的碰撞，构造6轮和12轮差分特征；然后，计算轮函数f₃的差分表，并在特定差分特征的基础上扩充3轮，从而确定密文差分与f₃的输入、输出差分的关系；最后，选取符合条件的明文进行加密，根据密文差分计算f₃的输入、输出差分值，并查寻差分表找到对应的输入、输出对，从而获取子密钥。在两个S盒碰撞的情况下，所提攻击实现了9轮Blow-CAST-Fish算法的差分攻击，比对比攻击多1轮，时间复杂度由2^107.9降低到2⁷⁴；而在单个S盒碰撞的情况下，所提攻击实现了15轮Blow-CAST-Fish算法的差分攻击，与对比攻击相比，虽然攻击轮数减少了1轮，但弱密钥比例由{\mathrm{2}}^{-\mathrm{52.4}}提高到{\mathrm{2}}^{-\mathrm{42}}，数据复杂度由2⁵⁴降低到2⁴⁷。测试结果表明，在相同差分特征基础上，基于差分表的攻击的攻击效率更高。

Blow-CAST-Fish key recovery attack based on differential tables

Aiming at the problems of limited attack rounds and high attack complexity of Blow-CAST-Fish （Blow-C.Adams S.Tavares-Fish） algorithm， a key recovery attack of Blow-CAST-Fish algorithm based on differential table was proposed. Firstly， after analyzing the collision of S-box， based on the collision of two S-boxes and a single S-box respectively， the 6-round and 12-round differential characteristics were constructed. Secondly， the differential tables of f₃ were calculated， and three rounds were expanded based on the specific differential characteristic， thereby determining the relationship between ciphertext difference and the input and output differences of f₃. Finally， the plaintexts meeting the conditions were selected to encrypt， the input and output differences of f₃ were calculated according to the ciphertext difference， and the corresponding input and output pairs were found by querying the differential table， as a result， the subkeys were obtained. At the situation of two S-boxes collision， the proposed attack completed a differential attack of 9-round Blow-CAST-Fish algorithm， compared with the comparison attack， the number of attack rounds was increased by one， and the time complexity was reduced from 2^107.9 to 2⁷⁴. At the situation of single S-box collision， the proposed attack completed a differential attack of 15-round Blow-CAST-Fish algorithm， compared with the comparison attack， although the number of attack rounds was reduced by one， the proportion of weak keys was increased from {\mathrm{2}}^{-\mathrm{52.4}} to {\mathrm{2}}^{-\mathrm{42}} and the data complexity was reduced from 2⁵⁴ to 2⁴⁷. The test results show that the attack based on differential table can increase the efficiency of attack based on the same differential characteristics.