Impossible Differential Cryptanalysis and Meet-in-the-Middle Attacks on the Block Cipher ARIA
Abstract (Chinese, translated)
The 21st century is the information age: people spend their days immersed in an ocean of information, and more and more of them handle large amounts of it over computer networks, through e-mail, online transactions and the like. Information has become a key resource for the development of human society and a driving force at the core of progress in today's world. The security of information as it is exchanged and transmitted has therefore become increasingly important; it bears directly on national security, on the security of electronic commerce and on the protection of the privacy of the general public. The importance of information security has driven research in cryptography, which, as the science of securing data and information, is studied ever more widely.
     Cryptosystems are divided, according to how keys are shared, into symmetric-key and public-key systems. Symmetric cryptography mainly comprises block ciphers, stream ciphers and message authentication codes (MACs); its advantages are ease of implementation in software and hardware, high speed and small storage requirements.
     A block cipher is an efficient keyed permutation that maps a fixed-length plaintext block to a ciphertext block of the same length. Its encryption and decryption keys are either identical or both derived from one master key, and encryption and decryption are symmetric in form. Block ciphers are used throughout computer communication and information-system security, and their security analysis is a central topic of cryptographic research. This thesis focuses on the security of block ciphers.
     Block ciphers are built mainly on two design structures. The first is the Feistel network, in which only half of the block enters the F-function in each round; this keeps the hardware footprint small and suits environments with limited computing power. The early Data Encryption Standard DES [50], adopted as a United States federal standard (FIPS 46) in 1977 and then used internationally, is the classic example of this structure and was the most widely deployed block cipher before 2000. DES has a 64-bit block and a 56-bit key. The second is the substitution-permutation network (SPN), represented by the current Advanced Encryption Standard AES [15]. AES has a 128-bit block and supports key lengths of 128, 192 and 256 bits.
     The design of many other block ciphers has been influenced by DES and AES; the Korean block cipher standard ARIA [40,52,53], for example, has a structure very similar to that of AES. It was proposed by a group of Korean cryptographers in 2003 [52] and revised to version 1.0 in 2004 [53]. ARIA is an SPN whose diffusion layer has branch number 8; it has a 128-bit block and 128/192/256-bit keys with 12/14/16 rounds respectively. The round function consists of round-key XOR, an S-box (substitution) layer and a byte-wise diffusion layer.
     ARIA was first made public in 2003 at a Korean information-security conference [52]. That version, 0.8, had a 128-bit block and 128/192/256-bit keys with 10/12/14 rounds respectively, and used two different S-boxes, one of them the AES S-box. Version 0.9 [40] moved to four different S-boxes with the round counts unchanged. The current version 1.0 [53] added two rounds, giving 12/14/16, and adjusted the key schedule. In 2004 this version was published at http://www.nsri.re.kr/ARIA/, and in December of that year the Korean Agency for Technology and Standards (KATS) adopted ARIA 1.0 as the Korean block cipher standard KS X 1213.
     Because ARIA and AES are so similar in structure, many cryptanalytic techniques that work against AES also apply to ARIA, and conversely a technique that works against ARIA is likely to be applicable to AES. This makes the security analysis of ARIA particularly important.
     The designers, Daesung Kwon et al., gave the first analysis of ARIA [40], covering differential and linear cryptanalysis, truncated differential cryptanalysis, impossible differential cryptanalysis, integral (square) attacks, higher-order differential cryptanalysis and interpolation attacks. In 2004 Alex Biryukov et al. evaluated version 0.8 [11], concentrating on truncated differential and dedicated linear cryptanalysis. In 2007 Wenling Wu et al. gave a 6-round impossible differential attack on version 0.9 [61], which Shenhua Li improved in 2008 [44]. Yanjun Li et al. [45] gave integral attacks reaching 7 rounds of ARIA-256, and in 2010 Xuehai Tang et al. [60] gave meet-in-the-middle attacks reaching 8 rounds of ARIA-256.
     In this thesis we analyse the current version 1.0 of ARIA, mainly by impossible differential cryptanalysis and meet-in-the-middle attacks, with the following results.
     (1) Impossible differential cryptanalysis of 7-round ARIA
     In 2007 Wenling Wu et al. first found 4-round impossible differentials of the form (c,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) ↛ (0,j,0,0,0,0,0,0,j,j,j,0,0,0,j,0), where c and j are nonzero, and on this basis gave the first impossible differential attack on ARIA reduced to 6 rounds.
     In 2008 Shenhua Li improved the impossible differential attack on ARIA with a new class of 4-round impossible differentials. Using them against 6-round ARIA saves one byte of round-key guessing in round 1 and one in round 7 compared with Wu's attack, reducing the guessed key material from 12 bytes to 10 and thereby lowering the time complexity.
     The 4-round impossible differential is (0,c1,0,0,0,0,0,0,0,0,0,0,c12,0,0,0) ↛ (0,0,0,j,0,0,0,0,0,0,0,j,j,j,0,0), where c1, c12 and j are nonzero.
     Li's attack requires 2^120 chosen plaintexts and 2^96 6-round encryptions, a time complexity 2^16 lower than Wu's.
     Building on this, we studied the impossible differential properties of ARIA further. Since reducing the number of guessed key bytes any further is practically impossible, we took a different approach: we found an important property of the diffusion layer and combined it with a new 4-round impossible differential of our own to obtain an impossible differential attack on 7-round ARIA-256.
     Property of the diffusion layer.
     From the linear expression of the diffusion layer (DL) and the fact that it is an involution, we found four relations among the bytes of the round-1 state just before the diffusion layer. These four relations let us filter out useless plaintext pairs during the attack, greatly reducing the time complexity and extending the impossible differential attack on ARIA to 7 rounds.
     The four equations are as follows. Requiring the bytes of ΔX1(SL) to satisfy them filters plaintext pairs with probability 2^-48 before the diffusion layer. We also constructed a 4-round impossible differential matching these four equations:
     4-round impossible differential.
     Given a pair of inputs (X3, X'3) that differ only in byte 2 (the third byte), after 4 rounds of encryption the output difference ΔX7 cannot be of the form (j,0,j,0,0,0,0,0,j,0,0,j,0,0,0,0), i.e., nonzero only in bytes (0,2,8,11) and zero elsewhere. Written as a differential: (0,0,c,0,0,0,0,0,0,0,0,0,0,0,0,0) ↛ (j,0,j,0,0,0,0,0,j,0,0,j,0,0,0,0), where c and j are arbitrary nonzero values.
     We prepend two rounds and append one round to this 4-round impossible differential to build a 7-round impossible differential path, filtering with the four equations on the round-1 state before the diffusion layer.
     The attack requires 2^125 chosen plaintexts and about 2^238 7-round encryptions.
     (2) Improved impossible differential cryptanalysis of 7-round ARIA-256
     Following the 7-round attack above, further study revealed a similar property of the diffusion layer, this time giving seven equations, which lower the data and time complexity of the 7-round attack.
     The seven equations are as follows. We also constructed a 4-round impossible differential matching these seven equations and, again with two rounds prepended and one appended, a new 7-round impossible differential path. The differential is:
     4-round impossible differential.
     Given a pair of inputs (X3, X'3) that differ only in bytes 9 and 15 (the positions of c below), after 4 rounds of encryption the output difference ΔX7 cannot be of the form (0,j,0,j,0,0,0,0,0,j,j,0,0,0,0,0), i.e., nonzero only in bytes (1,3,9,10) and zero elsewhere. Written as a differential: (0,0,0,0,0,0,0,0,0,c,0,0,0,0,0,c) ↛ (0,j,0,j,0,0,0,0,0,j,j,0,0,0,0,0), where c and j are arbitrary nonzero values. This attack requires 2[2] chosen plaintexts and about 2^219 7-round encryptions.
     (3) Meet-in-the-middle attacks on ARIA
     Meet-in-the-middle attacks on ARIA were first given by Xuehai Tang et al. [60], reaching 8 rounds of ARIA-256. Their 8-round attack has data complexity 2^56, time complexity 2^251.6 and precomputation 2^252. Their 7-round attack on ARIA-192 needs 2^120 plaintexts, 2^185.3 7-round encryptions and 2^187 precomputation. The data/time/precomputation complexities of their 6-round attack are 2^56, 2^121.5 and 2^122.5, and their 5-round attack needs 25 plaintexts, 2^65.4 time and 2^122.5 precomputation.
     Building on this, and on the meet-in-the-middle attacks on AES by Orr Dunkelman, Nathan Keller and Adi Shamir in 2010 [24], we give a new 4-round meet-in-the-middle distinguisher for ARIA and new attacks reaching 8 rounds that improve on the results of Tang et al.
     4-round distinguisher
     Let the active byte of a δ-set be byte 2 and encrypt the δ-set through 4 rounds of ARIA. Then the (unordered) multiset [ΔX_{6,2}^0, ΔX_{6,2}^1, ..., ΔX_{6,2}^255] is fully determined by the following 30 byte parameters: the 7 bytes 1,4,6,10,11,12,15 of the state X_3^0(IN); all 16 bytes of the state X_4^0(IN); and the 7 bytes 1,4,6,10,11,12,15 of the round key k5. The multiset is thus determined by 232 bits of parameters and takes at most 2^232 values, so a key guess under which the multiset is one of these 2^232 values is with high probability the correct key. Adding one round before and three rounds after the distinguisher gives our 8-round meet-in-the-middle attack on ARIA, which needs 2^56 chosen plaintexts, 2^248.5 encryptions and 2^238 precomputation. Our 7-round attack has data/time/precomputation complexities 2^112, 2^176.7 and 2^182.2. We also reduce the precomputation of the 6-round attack from 2^122.5 to 2^110.5, and balance the data/time/precomputation of the 5-round attack to 2^28.5, 2^85.7 and 2^85.7. These are currently the best meet-in-the-middle results on ARIA.
Abstract (English)
The 21st century is an era of information. People all over the world swim in an ocean of information every day, and many of them manage it over networks, sending and receiving e-mail, transacting online, and so on. Information has become a significant resource in the development of human society and a driving force at the core of the world's evolution. The security of information during online transfer and interchange is therefore ever more important: it bears directly on national security, electronic commerce and the protection of citizens' privacy. The importance of information security drives research in cryptology, which, as the science of guaranteeing the security of data and information, has become a worldwide topic.
     Cryptosystems fall into two classes, public-key cryptosystems and symmetric cryptosystems. Symmetric cryptography consists of block ciphers, stream ciphers and message authentication codes (MACs). Symmetric algorithms have many attractive features, such as high performance and small memory requirements in both software and hardware implementations.
     A block cipher is an efficient keyed permutation that transforms a fixed-length block of plaintext into a ciphertext block of the same length. Its encryption and decryption keys are either the same or both easily derived from one master key. Block ciphers are used extensively in computer communication and information-system security, and their security evaluation is a hot topic of cryptographic research. The core of this thesis is therefore the cryptanalysis of block ciphers.
     Block ciphers are designed mainly with two constructions. One is the Feistel network, in which only half of the block enters the F-function in each round, so the construction needs few hardware resources, a great advantage when computing capacity is limited. DES (the Data Encryption Standard) [50], adopted as a U.S. federal standard (FIPS 46) in 1977, is the typical Feistel block cipher; it was highly influential and widely used around the world before 2000. Its block size is 64 bits and its key length 56 bits. The other construction is the substitution-permutation network (SPN). The current standard, AES (the Advanced Encryption Standard) [15], is a typical SPN block cipher with a 128-bit block and 128/192/256-bit keys.
     The design of many other block ciphers has been influenced by the rationale of DES and AES, for example the Korean block cipher standard ARIA [40,52,53], whose structure is extremely similar to that of AES. ARIA was proposed by a group of South Korean researchers in 2003 [52] and updated to version 1.0 in 2004 [53]. It is a general-purpose involutional SPN block cipher whose diffusion layer has branch number 8. ARIA has a 128-bit block with 128/192/256-bit keys; in the original version the corresponding numbers of rounds were 10/12/14 [52], while in the latest version, ARIA v1.0 [53], they are 12/14/16. A round consists of three parts: round-key addition, a substitution layer and a diffusion layer.
     In 2003, ARIA version 0.8 [52] was first announced at a Korean annual security conference. It had a 128-bit block, 10/12/14 rounds for 128/192/256-bit keys, and only two kinds of S-boxes. ARIA was later updated to version 0.9 [40], which used four different S-boxes in its substitution layer with the round numbers unchanged. In the current version 1.0 the number of rounds was increased to 12/14/16 and the key expansion was suitably modified. This version was published in 2004 on the official website http://www.nsri.re.kr/ARIA/, and in December of that year ARIA was established as a Korean standard block cipher (KS X 1213) by the Korean Agency for Technology and Standards (KATS).
     Because of the structural similarity between ARIA and AES, many cryptanalytic techniques that work on AES also affect ARIA, and conversely cryptanalysis that attacks ARIA may also be used against AES. The security analysis of ARIA is therefore highly significant.
     The designers, Daesung Kwon et al., gave the initial cryptanalysis of ARIA [40], covering differential and linear cryptanalysis, truncated differential cryptanalysis, impossible differential cryptanalysis, the square attack, higher-order differential cryptanalysis, the interpolation attack and others. In 2004 Alex Biryukov et al. [11] performed a security evaluation of ARIA focused on dedicated linear cryptanalysis and truncated differential cryptanalysis, and found attacks on up to 7 rounds. An impossible differential attack on 6-round ARIA was then proposed by Wenling Wu et al. in 2007 [61].
     In 2008 Shenhua Li improved Wu's impossible differential attack [44]. Yanjun Li et al. proposed integral attacks on ARIA [45], and in 2010 Xuehai Tang et al. found meet-in-the-middle attacks on ARIA up to 8 rounds [60].
     In this thesis we present cryptanalysis of ARIA version 1.0, namely impossible differential cryptanalysis and meet-in-the-middle attacks. The results are as follows.
     (1) Impossible differential cryptanalysis of ARIA reduced to 7 rounds
     Wenling Wu et al. first found 4-round impossible differentials, which the designers had not anticipated, and proposed the first 6-round impossible differential attack on ARIA. The 4-round impossible differential used in their cryptanalysis is (c,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) ↛ (0,j,0,0,0,0,0,0,j,j,j,0,0,0,j,0), where c and j are nonzero. In 2008 Shenhua Li found a new impossible differential property that attacks 6-round ARIA more efficiently: with it, 10 bytes of round key need to be guessed instead of 12, because one byte from round 1 and one from round 7 are no longer needed, so the time complexity drops by a factor of 2^16.
     The 4-round impossible differential in Li's attack is (0,c1,0,0,0,0,0,0,0,0,0,0,c12,0,0,0) ↛ (0,0,0,j,0,0,0,0,0,0,0,j,j,j,0,0), where c1, c12 and j are nonzero.
     Li's attack needs 2^120 chosen plaintexts and 2^96 encryptions.
     Starting from these results, we studied the impossible differential properties of ARIA further. Since reducing the number of guessed key bytes any further is nearly impossible, we dug in from a different direction: we discovered an important property of the diffusion layer (DL) and, combining it with a new 4-round impossible differential, obtained a 7-round impossible differential attack on ARIA-256.
     Important property of DL.
     Since DL is linear and DL = DL^-1, there are four equations among the bytes of the state before DL. Using them we filter useless plaintext pairs in advance and reduce the time complexity massively.
     The four equations are:
     Requiring the bytes of the state ΔX1(SL) to satisfy the four equations filters plaintext pairs with probability 2^-48. We also construct a 4-round impossible differential property corresponding to the four equations:
     4-round impossible differential property
     Given a pair of states X3 equal in all bytes except byte 2 (the third byte), after 4 rounds of encryption the difference ΔX7 cannot be (j,0,j,0,0,0,0,0,j,0,0,j,0,0,0,0), i.e., the pair cannot have equal nonzero differences in bytes (0,2,8,11) and no difference elsewhere. We write the property as (0,0,c,0,0,0,0,0,0,0,0,0,0,0,0,0) ↛ (j,0,j,0,0,0,0,0,j,0,0,j,0,0,0,0), where c and j denote arbitrary nonzero values. Using it, with two rounds added at the beginning and one at the end, we present an impossible differential attack on ARIA-256 reduced to 7 rounds that needs 2^125 chosen plaintexts and 2^238 7-round encryptions.
     (2) Improved impossible differential cryptanalysis of 7-round ARIA-256
     On the basis of the above, we studied the impossible differential property further and found similar properties of DL, this time yielding seven equations, which we use to build an improved 7-round attack. The seven equations are:
     We also find a 4-round impossible differential property corresponding to these seven equations and propose our improved attack, again with two rounds added at the beginning and one at the end. The property is:
     4-round impossible differential property
     Given a pair of states (X3, X'3) equal in all bytes except bytes 9 and 15 (the positions of c below), after four rounds of encryption the difference ΔX7 cannot be (0,j,0,j,0,0,0,0,0,j,j,0,0,0,0,0), i.e., the pair cannot have equal nonzero differences in bytes (1,3,9,10) and no difference elsewhere. We write the property as (0,0,0,0,0,0,0,0,0,c,0,0,0,0,0,c) ↛ (0,j,0,j,0,0,0,0,0,j,j,0,0,0,0,0), where c and j denote arbitrary nonzero values.
     (3) Meet-in-the-middle attacks on ARIA
     The meet-in-the-middle attack was first developed by Diffie and Hellman in 1977 as an attack on a proposed multiple-encryption extension of a block cipher [21]. It is useful against block ciphers such as IDEA [17] and AES [18,19,24], and because of its structural similarity to AES, reduced-round ARIA is also vulnerable to it.
     The meet-in-the-middle attack on ARIA was first introduced by Xuehai Tang et al. [60], who attack up to 8 rounds of ARIA-256. Their 8-round attack has data complexity 2^56, time complexity 2^251.6 and precomputation complexity 2^252. Their 7-round attack needs 2^120 chosen plaintexts, 2^185.3 7-round ARIA-192 encryptions and 2^187 precomputations. The data/time/precomputation complexities of their 6-round attack are 2^56, 2^121.5 and 2^122.5 respectively, and their 5-round attack requires 25 plaintexts, 2^65.4 5-round encryptions and 2^122.5 precomputations.
     Based on these results, and inspired by the work of Orr Dunkelman, Nathan Keller and Adi Shamir on meet-in-the-middle attacks on AES [24] in 2010, we establish improved 4-round and 3-round distinguishers, propose new meet-in-the-middle attacks using them, and improve the recent work of Tang et al. up to eight rounds.
     4-round distinguisher of ARIA
     Let the active byte of the δ-set {X_2^0, X_2^1, ..., X_2^255} be byte 2 and encrypt the δ-set through 4-round ARIA. Then the (unordered) multiset [ΔX_{6,2}^0, ΔX_{6,2}^1, ..., ΔX_{6,2}^255] is fully determined by the following 30 byte parameters: the seven bytes 1,4,6,10,11,12,15 of the state X_3^0(IN); the full 16-byte state X_4^0(IN); and the seven bytes 1,4,6,10,11,12,15 of the subkey k5. The multiset is therefore determined by 232 bits of parameters and assumes at most 2^232 values, so if a key guess makes the corresponding multiset assume one of these 2^232 values, the guess is very likely the right key.
     We obtain our 8-round attack by adding one round before and three rounds after the 4-round distinguisher.
     Our 8-round attack needs 2^56 chosen plaintexts, 2^248.5 8-round ARIA-256 encryptions and 2^238 precomputations. The data/time/precomputation complexities of our 7-round attack are 2^112, 2^176.7 and 2^182.2. We also reduce the precomputation of the 6-round attack from 2^122.5 to 2^110.5, and balance the data/time/precomputation complexities of the 5-round attack to 2^28.5, 2^85.7 and 2^85.7 respectively. To the best of our knowledge these are the best results on ARIA to date.
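To make the δ-set/multiset argument concrete, here is an added example (not from the thesis, and not ARIA): the same distinguisher-plus-key-guess technique run end to end on a constructed toy SPN with a 16-bit block of four nibbles, the PRESENT S-box and a binary involutional mixing layer. Two toy rounds play the role of the 4-round ARIA distinguisher: the multiset of differences in one output nibble of a δ-set depends on only 16 bits of internal parameters, so the table of reachable multisets is small next to the roughly 2^28 possible multisets, and a guess of last-round key material that yields a multiset in the table is accepted. The cipher, its round keys (`KEYS`), the δ-set constants (`CONSTS`) and all function names are this example's own assumptions.

```python
# Added example (not from the thesis): the delta-set / multiset distinguisher
# behind the meet-in-the-middle attacks, scaled down to a constructed toy
# 16-bit SPN so that the whole precomputation table fits in memory. Only the
# attack technique is the same as in the ARIA attacks; the cipher is not ARIA.
import itertools

# PRESENT 4-bit S-box (a real S-box, used here only for convenience).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SINV = [SBOX.index(v) for v in range(16)]


def mix(x):
    """Toy diffusion layer: each nibble becomes the XOR of the other three.
    Like ARIA's DL it is a binary matrix and an involution (mix(mix(x)) == x)."""
    t = x[0] ^ x[1] ^ x[2] ^ x[3]
    return [t ^ n for n in x]


def encrypt(p, keys):
    """Toy SPN: rounds of (add key, S-box layer, mix), then a final whitening
    key. keys[i] is a list of 4 nibbles; len(keys) == rounds + 1."""
    x = list(p)
    for k in keys[:-1]:
        x = mix([SBOX[a ^ b] for a, b in zip(x, k)])
    return [a ^ b for a, b in zip(x, keys[-1])]


def delta_set(consts):
    """16 plaintexts whose nibble 0 takes every value, other nibbles fixed."""
    return [[i] + list(consts) for i in range(16)]


def multiset_from_params(u0, c1, c2, c3):
    """The distinguisher. After two toy rounds, nibble 0 of the state for
    delta-set element i is F(u_i) with F(u) = S(u^c1)^S(u^c2)^S(u^c3), where
    u_i = S(i ^ k) runs over all 16 values. The unordered multiset of
    differences F(u) ^ F(u0) thus depends only on the 16-bit parameter
    (u0, c1, c2, c3): the toy analogue of the 232-bit parameter set of the
    4-round ARIA distinguisher."""
    f = [SBOX[u ^ c1] ^ SBOX[u ^ c2] ^ SBOX[u ^ c3] for u in range(16)]
    return tuple(sorted(v ^ f[u0] for v in f))


def build_table():
    """Precompute every reachable multiset: at most 2^16 of them, against
    C(31,15) ~ 2^28 possible multisets of 16 nibbles."""
    return {multiset_from_params(u0, c1, c2, c3)
            for u0, c1, c2, c3 in itertools.product(range(16), repeat=4)}


def multiset_from_ciphertexts(cts, g):
    """Online phase for 3 rounds (distinguisher on rounds 1-2, one round after).
    Peeling the last round back to nibble 0 of X2 needs only g = K3_1^K3_2^K3_3,
    because mix is an involution (nibble 0 of mix(C ^ K3) is C1^C2^C3^g); the
    round-2 key nibble cancels in the difference S^-1(y_i) ^ S^-1(y_0)."""
    ys = [c[1] ^ c[2] ^ c[3] ^ g for c in cts]
    return tuple(sorted(SINV[y] ^ SINV[ys[0]] for y in ys))


def recover(cts, table):
    """Return the guesses g whose multiset lies in the precomputed table."""
    return [g for g in range(16) if multiset_from_ciphertexts(cts, g) in table]


# Constructed demo material: 4 round keys of 4 nibbles, delta-set constants.
KEYS = [[1, 2, 3, 4], [5, 6, 7, 8], [9, 10, 11, 12], [13, 14, 15, 0]]
CONSTS = (0, 0, 0)


def demo():
    """Run the whole attack on the demo key; returns the surviving guesses."""
    table = build_table()
    cts = [encrypt(p, KEYS) for p in delta_set(CONSTS)]
    return recover(cts, table)


if __name__ == "__main__":
    true_g = KEYS[3][1] ^ KEYS[3][2] ^ KEYS[3][3]
    print("surviving guesses:", demo(), " true value of K3_1^K3_2^K3_3:", true_g)
```

For the demo key the correct value of the guessed nibble is 1, and the multiset seen through it equals `multiset_from_params(5, 4, 8, 5)`, the parameters the derivation predicts for these keys and constants. One failure mode is worth knowing: if two of the three constants c1, c2, c3 coincide, F collapses to a single S-box evaluation, every difference then appears exactly once for any key guess, and the distinguisher filters nothing; the demo key avoids this, and a real attack uses several δ-sets so that wrong guesses are rejected with high probability.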
References
[1] Anderson, R., Biham, E., Knudsen, L.: Serpent: A Proposal for the Advanced Encryption Standard. NIST AES Proposal (1998)
[2] Biham, E.: On Matsui's Linear Cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 341-355. Springer, Heidelberg (1995)
[3] Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12-23. Springer, Heidelberg (1999)
[4] Biham, E., Biryukov, A., Shamir, A.: Miss in the Middle Attacks on IDEA and Khufu. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 124-138. Springer, Heidelberg (1999)
[5] Biham, E., Dunkelman, O., Keller, N.: Related-Key Impossible Differential Attacks on 8-Round AES-192. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 21-33. Springer, Heidelberg (2006)
[6] Biham, E., Keller, N.: Cryptanalysis of Reduced Variants of Rijndael. In: The Third AES Candidate Conference. NIST (2000)
[7] Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology 4(1), 3-72 (1991)
[8] Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, New York (1993)
[9] Biham, E., Dunkelman, O., Keller, N.: New Results on Boomerang and Rectangle Attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 1-16. Springer, Heidelberg (2002)
[10] Biham, E., Dunkelman, O., Keller, N.: Related-Key Boomerang and Rectangle Attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507-525. Springer, Heidelberg (2005)
[11] Biryukov, A., De Cannière, C., Lano, J., Örs, S.B., Preneel, B.: Security and Performance Analysis of ARIA. Version 1.2 (January 7, 2004)
[12] Biryukov, A.: The Boomerang Attack on 5 and 6-Round Reduced AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) Advanced Encryption Standard - AES: 4th International Conference. LNCS, vol. 3373, pp. 11-15. Springer, Heidelberg (2005)
[13] Cheon, J.H., Kim, M., Kim, K., et al.: Improved Impossible Differential Cryptanalysis of Rijndael and Crypton. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 39-49. Springer, Heidelberg (2002)
[14] Cho, H.-S., Sung, S.H., Kwon, D., Lee, J.-K., Song, J.H., Lim, J.: New Method for Bounding the Maximum Differential Probability for SPNs and ARIA. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 21-32. Springer, Heidelberg (2005)
[15] Daemen, J., Rijmen, V.: The Design of Rijndael: AES - the Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002)
[16] Daemen, J., Knudsen, L.R., Rijmen, V.: The Block Cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149-165. Springer, Heidelberg (1997)
[17] Demirci, H., Selçuk, A.A., Türe, E.: A New Meet-in-the-Middle Attack on the IDEA Block Cipher. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 117-129. Springer, Heidelberg (2004)
[18] Demirci, H., Selçuk, A.A.: A Meet-in-the-Middle Attack on 8-Round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116-126. Springer, Heidelberg (2008)
[19] Demirci, H., Taşkın, İ., Çoban, M., Baysal, A.: Improved Meet-in-the-Middle Attacks on AES. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 144-156. Springer, Heidelberg (2009)
[20] Diffie, W., Hellman, M.: New Directions in Cryptography. IEEE Transactions on Information Theory IT-22(6), 644-654 (November 1976)
[21] Diffie, W., Hellman, M.E.: Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer 10(6), 74-84 (1977)
[22] Du, C., Chen, J.: Impossible Differential Cryptanalysis of ARIA Reduced to 7 Rounds. In: Heng, S.-H., Wright, R.N., Goi, B.-M. (eds.) CANS 2010. LNCS, vol. 6467, pp. 20-30. Springer, Heidelberg (2010)
[23] Du, C., Chen, J., Wang, W.: Novel Impossible Differential Cryptanalysis of ARIA. In: 2010 International Conference on Information Security and Artificial Intelligence (ISAI 2010), vol. 3, pp. 63-67. IEEE Press (2010)
[24] Dunkelman, O., Keller, N., Shamir, A.: Improved Single-Key Attacks on 8-Round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158-176. Springer, Heidelberg (2010)
[25] DEAL Specification, AES Candidate. http://www.nist.gov/aes/
[26] ElGamal, T.: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory 31(4), 469-472 (1985)
[27] Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., Whiting, D.: Improved Cryptanalysis of Rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 213-230. Springer, Heidelberg (2001)
[28] Galice, S., Minier, M.: Improving Integral Attacks Against Rijndael-256 Up to 9 Rounds. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 1-15. Springer, Heidelberg (2008)
[29] Gilbert, H., Minier, M.: A Collision Attack on 7 Rounds of Rijndael. In: The Third Advanced Encryption Standard Candidate Conference, pp. 230-241. NIST (2000)
[30] Hong, S., Lee, S., Lim, J., Sung, J., Cheon, D.: Provable Security against Differential and Linear Cryptanalysis for the SPN Structure. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 273-283. Springer, Heidelberg (2001)
[31] Hu, Y.P., Zhang, Y.Q., Xiao, G.Z.: Integral Cryptanalysis of SAFER+. Electronics Letters 35(17), 1458-1459 (1999)
[32] Jakimoski, G., Desmedt, Y.: Related-Key Differential Cryptanalysis of 192-bit Key AES Variants. In: Matsui, M., Zuccherato, R. (eds.) SAC 2003. LNCS, vol. 3006, pp. 208-221. Springer, Heidelberg (2004)
[33] Jakobsen, T., Knudsen, L.R.: The Interpolation Attack against Block Ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28-40. Springer, Heidelberg (1997)
[34] Keliher, L., Meijer, H., Tavares, S.: New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 420-436. Springer, Heidelberg (2001)
[35] Koo, B.W., Jang, H.S., Song, J.H.: Constructing and Cryptanalysis of a 16x16 Binary Matrix as a Diffusion Layer. In: Chae, K., Yung, M. (eds.) WISA 2003. LNCS, vol. 2908, pp. 489-503. Springer, Heidelberg (2004)
[36] Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196-211. Springer, Heidelberg (1995)
[37] Knudsen, L.R.: Truncated Differentials of SAFER. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 15-26. Springer, Heidelberg (1996)
[38] Knudsen, L.R., Robshaw, M.J.B., Wagner, D.: Truncated Differentials and Skipjack. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 165-180. Springer, Heidelberg (1999)
[39] Knudsen, L.R., Wagner, D.: Integral Cryptanalysis (extended abstract). In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 629-632. Springer, Heidelberg (2002)
[40] Kwon, D., Kim, J., Park, S., et al.: New Block Cipher: ARIA. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 432-445. Springer, Heidelberg (2004)
[41] Lai, X.: Higher Order Derivatives and Differential Cryptanalysis. In: Communications and Cryptography, pp. 227-233. Kluwer Academic Publishers (1994)
[42] Le, T.V.: Novel Cyclic and Algebraic Properties of AES. http://iacr.org/2003/108.ps.gz (2003)
[43] Le, T.V., Sparr, R., Wernsdorf, R., Desmedt, Y.: Complementation-Like and Cyclic Properties of AES Round Functions. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) Advanced Encryption Standard - AES: 4th International Conference. LNCS, vol. 3373, pp. 128-141. Springer, Heidelberg (2005)
[44] Li, S., Song, C.: Improved Impossible Differential Cryptanalysis of ARIA. In: ISA 2008, pp. 129-132. IEEE Computer Society, Los Alamitos (April 2008)
[45] Li, Y., Wu, W., Zhang, L.: Integral Attacks on Reduced-Round ARIA Block Cipher. In: Kwak, J., Deng, R.H., Wang, G., Won, Y. (eds.) ISPEC 2010. LNCS, vol. 6047, pp. 19-29. Springer, Heidelberg (2010)
[46] Li, P., Sun, B., Li, C.: Integral Cryptanalysis of ARIA. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds.) Inscrypt 2009. LNCS, vol. 6151, pp. 1-14. Springer, Heidelberg (2010)
[47] Li, S., Zhang, H., Wang, X.: Dedicated Linear Attack on ARIA Version 1.0. Tsinghua Science and Technology 14(2), 212-217 (2009)
[48] Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386-397. Springer, Heidelberg (1994)
[49] Murphy, S., Robshaw, M.J.B.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1-16. Springer, Heidelberg (2002)
[50] National Bureau of Standards: Data Encryption Standard (DES). U.S. Department of Commerce, FIPS PUB 46 (January 1977)
[51] National Institute of Standards and Technology (NIST): Advanced Encryption Standard (AES). U.S. Department of Commerce, FIPS PUB 197 (November 2001)
[52] National Security Research Institute: Specification of ARIA, Version 0.8 (August 2003)
[53] National Security Research Institute: Specification of ARIA, Version 1.0 (January 2005). http://www.nsri.re.kr/ARIA/doc/ARIAspecification-c.pdf
[54] Phan, R.C.-W.: Impossible Differential Cryptanalysis of 7-Round Advanced Encryption Standard (AES). Information Processing Letters 91(1), 33-38 (July 2004)
[55] Rivest, R.L., Robshaw, M.J.B., Sidney, R., Yin, Y.L.: The RC6 Block Cipher. http://theory.lcs.mit.edu/Rivest/rc6.ps (June 1998)
[56] Rivest, R.L., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120-126 (February 1978)
[57] Rivest, R.L., Robshaw, M.J.B., Sidney, R., Yin, Y.L.: The RC6 Block Cipher. http://theory.lcs.mit.edu/Rivest/rc6.ps (June 1998)
[58] Schneier, B., Kelsey, J., Whiting, D., Wagner, D., Hall, C., Ferguson, N.: The Twofish Encryption Algorithm: A 128-Bit Block Cipher. John Wiley and Sons (April 1999). ISBN 0471353817
[59] Schneier, B.: A Self-Study Course in Block-Cipher Cryptanalysis. Cryptologia 24(1), 18-33 (2000)
[60] Tang, X., Sun, B., Li, R., Li, C.: A Meet-in-the-Middle Attack on ARIA. Cryptology ePrint Archive, Report 2010/168 (2010). http://eprint.iacr.org/
[61] Wu, W., Zhang, W., Feng, D.: Impossible Differential Cryptanalysis of Reduced-Round ARIA and Camellia. Journal of Computer Science and Technology 22(3), 449-456 (2007)
[62] Zhang, W., Wu, W., Zhang, L., Feng, D.: Improved Related-Key Impossible Differential Attacks on Reduced-Round AES-192. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 15-27. Springer, Heidelberg (2007)
[63] Wu, W., Feng, D., Zhang, W.: Design and Analysis of Block Ciphers (in Chinese). Tsinghua University Press (2009)
[64] Li, S.: Cryptanalysis of the Symmetric Ciphers ARIA and Salsa20 (in Chinese). Ph.D. thesis, Shandong University (2008)
