不可能差分区分器的构造方法研究
|
摘要
不可能差分分析是针对分组密码的一种重要分析方法,该分析技术的关键在于给出分组密码算法最长的不可能差分区分器。不可能差分区分器的长度也是衡量分组密码抵抗不可能差分分析的一个重要标准。本文致力于分组密码整体结构不可能差分区分器的构造方法研究,主要工作如下:
1.对SP结构的不可能差分性质进行了研究,首次提出并证明了SP结构不可能差分区分器存在的充要条件,进而给出了搜索SP结构全部不可能差分区分器的方法,因此能够找到SP结构最长的不可能差分区分器。作为特例,证明了AES算法至多存在4轮的不可能差分区分器;并证明了如果P盒采用MDS矩阵设计,则SP结构不存在超过2轮的不可能差分区分器。本文对评价SP结构抗不可能差分分析的能力具有参考价值。
2.对常见的广义Feistel结构的不可能差分性质进行了研究,给出了嵌套SP/SPS结构的m分组广义Skipjack结构、CAST256结构和广义MARS结构迄今为止最长的不可能差分区分器。较之前人结论,使上述三个结构的不可能差分对应的长度比现有结果增加了2轮、m-1轮和m-1轮;分析了New-Structure I-IV结构的不可能差分性质,首次给出了这些结构的14轮、无限轮、16轮和19轮不可能差分区分器,从而丰富了常见的广义Feistel结构的安全性分析的结论。
3.提出了构造一般广义Feistel结构不可能差分区分器的解标签方法。该方法对广义Feistel结构的具体结构和轮函数的具体结构没有限制,以多个常见的嵌套SP结构的广义Feistel结构为例,找出的不可能差分区分器的长度均长于已知的最佳结果。最后通过证明密码结构之间存在差分-线性相似关系,将解标签方法扩展到解决分组密码结构的零相关线性逼近的搜索问题。
4.分析了Inscrypt2009年会提出的VGF2结构的安全性,指出任意轮VGF2结构均存在概率为1的差分路径,并给出了任意轮VGF2结构的不可能差分区分器,进而提出了对满轮VGF2算法的唯密文攻击方法,能够在不求解密钥的前提下实时获得明文的一半比特。本文以264次MAC运算和0.392的成功率,找到了基于256比特VGF2算法的类CBC消息认证码的消息碰撞,并以2128次MAC运算和1的成功率进行了泛伪造攻击。
5.研究了类FOX结构的不可能差分特性,首次证明了类FOX结构存在着不依赖于轮函数和线性正形置换具体结构的新的4轮不可能差分,并在轮函数设计为SP结构时,给出了类FOX结构的5轮不可能差分的构造。
Impossible differential cryptanalysis is one of the most powerful attacks against blockcipher, and the key step of this cryptanalysis is to find out the longest impossible differentials.The length of impossible differentials can also be treated as a measurement against impossibledifferential cryptanalysis. This paper works on constructing impossible differentials for blockcipher structures, and our main contribution includes:
1. This paper studies the impossible differential property for SP structures. For the first time,we provide a necessary and sufficient condition of the existence of impossible differentials in SPstructure, then we provide a method to search out all impossible differentials in SPN, by whichwe can find the longest impossible differentials in SP structure. As a special example, we provethat impossible diffentials in AES can not exceed4rounds, and we prove that if the SP structureemploies MDS matrix as the P layer, we can never find impossible differentials longer than2rounds. This paper is helpful in measuring the immunity against impossible cryptanalysis for SPstructure.
2. We study on the impossible differential properties for some popular generalized Feistelstructures. We provide the longest impossible differentials for m-dataline Skipjack-likestructure, CAST256-like structure and MARS-like structure. Compare with the existed results,our results improve2, m1and m1rounds for each structure respectively. Besides, westudy on the impossible differential properties for New-Structure I~IV, and we provide14rounds, infinite rounds,16rounds and19rounds impossible differentials for these structuresrepectively. Our investigation enriches the security results of generalized Feistel structures.
3We propose the solution-tag method to find impossible differentials of generalized Feistelstructures. This method has no restrict on neither the overall structure nor the round function,compare with traditional methods, we can find longer impossible differentials of somewell-known block cipher structures with SP round functions. Later, we point that there exsitsdifferential-linear conjugation relationships between overall structures, by this property, thesolution-tag method can be used to find zero-corollaries for some block cipher structures.
4. We analyze the security of VGF2structure, which was proposed in Inscrypt2009, wepointed that there exists1-probability differential in arbitrary rounds VGF2, also we proved thatthere exists impossible differential for arbitrary rounds VGF2. Sequentially, we launch areal-time ciphertext-only attack on the full round block cipher VGF2, this attack can obtain halfbits of the plaintext without calculate the key. And we further find a collision for VGF2-basedCBC-like MAC within264MAC operations and successful rate reaches0.392. We also launcha universal forgery attack on VGF2-based CBC-like MAC, in the attack, we need2128times MAC operations and the successful rate reaches1.
5. This paper investigates impossible properties of FOX-like structure. And prove that thereexist new4rounds impossible differentials in FOX-like structure, which do not depend on thestrength of the round function or the orthomorphic permutation. Also, we provide the method forfinding5rounds impossible differentials in FOX-like structure with SP-based round function.
1.对SP结构的不可能差分性质进行了研究,首次提出并证明了SP结构不可能差分区分器存在的充要条件,进而给出了搜索SP结构全部不可能差分区分器的方法,因此能够找到SP结构最长的不可能差分区分器。作为特例,证明了AES算法至多存在4轮的不可能差分区分器;并证明了如果P盒采用MDS矩阵设计,则SP结构不存在超过2轮的不可能差分区分器。本文对评价SP结构抗不可能差分分析的能力具有参考价值。
2.对常见的广义Feistel结构的不可能差分性质进行了研究,给出了嵌套SP/SPS结构的m分组广义Skipjack结构、CAST256结构和广义MARS结构迄今为止最长的不可能差分区分器。较之前人结论,使上述三个结构的不可能差分对应的长度比现有结果增加了2轮、m-1轮和m-1轮;分析了New-Structure I-IV结构的不可能差分性质,首次给出了这些结构的14轮、无限轮、16轮和19轮不可能差分区分器,从而丰富了常见的广义Feistel结构的安全性分析的结论。
3.提出了构造一般广义Feistel结构不可能差分区分器的解标签方法。该方法对广义Feistel结构的具体结构和轮函数的具体结构没有限制,以多个常见的嵌套SP结构的广义Feistel结构为例,找出的不可能差分区分器的长度均长于已知的最佳结果。最后通过证明密码结构之间存在差分-线性相似关系,将解标签方法扩展到解决分组密码结构的零相关线性逼近的搜索问题。
4.分析了Inscrypt2009年会提出的VGF2结构的安全性,指出任意轮VGF2结构均存在概率为1的差分路径,并给出了任意轮VGF2结构的不可能差分区分器,进而提出了对满轮VGF2算法的唯密文攻击方法,能够在不求解密钥的前提下实时获得明文的一半比特。本文以264次MAC运算和0.392的成功率,找到了基于256比特VGF2算法的类CBC消息认证码的消息碰撞,并以2128次MAC运算和1的成功率进行了泛伪造攻击。
5.研究了类FOX结构的不可能差分特性,首次证明了类FOX结构存在着不依赖于轮函数和线性正形置换具体结构的新的4轮不可能差分,并在轮函数设计为SP结构时,给出了类FOX结构的5轮不可能差分的构造。
Impossible differential cryptanalysis is one of the most powerful attacks against blockcipher, and the key step of this cryptanalysis is to find out the longest impossible differentials.The length of impossible differentials can also be treated as a measurement against impossibledifferential cryptanalysis. This paper works on constructing impossible differentials for blockcipher structures, and our main contribution includes:
1. This paper studies the impossible differential property for SP structures. For the first time,we provide a necessary and sufficient condition of the existence of impossible differentials in SPstructure, then we provide a method to search out all impossible differentials in SPN, by whichwe can find the longest impossible differentials in SP structure. As a special example, we provethat impossible diffentials in AES can not exceed4rounds, and we prove that if the SP structureemploies MDS matrix as the P layer, we can never find impossible differentials longer than2rounds. This paper is helpful in measuring the immunity against impossible cryptanalysis for SPstructure.
2. We study on the impossible differential properties for some popular generalized Feistelstructures. We provide the longest impossible differentials for m-dataline Skipjack-likestructure, CAST256-like structure and MARS-like structure. Compare with the existed results,our results improve2, m1and m1rounds for each structure respectively. Besides, westudy on the impossible differential properties for New-Structure I~IV, and we provide14rounds, infinite rounds,16rounds and19rounds impossible differentials for these structuresrepectively. Our investigation enriches the security results of generalized Feistel structures.
3We propose the solution-tag method to find impossible differentials of generalized Feistelstructures. This method has no restrict on neither the overall structure nor the round function,compare with traditional methods, we can find longer impossible differentials of somewell-known block cipher structures with SP round functions. Later, we point that there exsitsdifferential-linear conjugation relationships between overall structures, by this property, thesolution-tag method can be used to find zero-corollaries for some block cipher structures.
4. We analyze the security of VGF2structure, which was proposed in Inscrypt2009, wepointed that there exists1-probability differential in arbitrary rounds VGF2, also we proved thatthere exists impossible differential for arbitrary rounds VGF2. Sequentially, we launch areal-time ciphertext-only attack on the full round block cipher VGF2, this attack can obtain halfbits of the plaintext without calculate the key. And we further find a collision for VGF2-basedCBC-like MAC within264MAC operations and successful rate reaches0.392. We also launcha universal forgery attack on VGF2-based CBC-like MAC, in the attack, we need2128times MAC operations and the successful rate reaches1.
5. This paper investigates impossible properties of FOX-like structure. And prove that thereexist new4rounds impossible differentials in FOX-like structure, which do not depend on thestrength of the round function or the orthomorphic permutation. Also, we provide the method forfinding5rounds impossible differentials in FOX-like structure with SP-based round function.
引文
[1]Data Encryption Standard. Federal Information Processing Standard [S]. Washington D.C.:National Bureau of Standards, U. S. Department of Commerce,1977.
[2]E. Biham, and A. Shamir. Differential Cryptanalysis of DES-like Cryptosystems[J]. Journal of Cryptology,1991,14(1):3-72.
[3]M. Matsui. Linear Cryptanalysis Method for DES Cipher[A]. In:Proceedings of Advances in Cryptology-EUROCRYPT'93[C]. LNCS765, Springer-Verlag,1994:386-397.
[4]J. Daemen and V. Rijmen. The Design of Rijndael:AES-The Advanced Encryption Standard [M]. Springer-verlag,2002.
[5]吴文玲,冯登国,张文涛.分组密码的设计与分析(第二版)[M].北京:清华大学出版社,2009.10.
[6]H. Feistel. Cryptography and Computer Privacy [J]. Scientific American,1973,228:15-23.
[7]H.M. Heys and S.E. Tavares. The Design of Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis [A]. Proceedings of2nd ACM Conference on Computer and Communications Security[C],1994:148-155.
[8]B. Schneier and J. Kelsey. Unbalanced Feistel Networks and Block Cipher Design[A]. In:Proceedings of Fast Software Encryption-FSE'96[C]. LNCS1039, Springer-Verlag,1996:121-144.
[9]S.Vaudenay. On the Lai-Massey scheme[A]. Advances in Cryptology-ASIACRYPT'99[C], LNCS1716, Springer-Verlag,1999:8-19.
[10]P.Junod and S. Vaudenay. FOX:a New Family of Block Ciphers[A]. Selected Areas in Cryptography-SAC[C]. LNCS2595, Springer-Verlag,2004:131-146.
[11]Wenling Wu, Wentao Zhang and Dengguo Feng. Integral Cryptanalysis of Reduced FOX Block Cipher[A]. Information Security and Cryptology-ICISC2005[C], LNCS3935, pp.229-241, Springer-Verlag,2006.
[12]魏悦川,孙兵,李超.FOX密码的不可能差分分析[J].通信学报,2010,Vo1.9:24-29.
[13]Zhongming Wu and Xuejia Lai and Bo Zhu and Yiyuan Luo. Impossible Differential Cryptanalysis of FOX[R]. http://eprint. Iacr.org/2009/357.
[14]吴文玲,卫宏儒.低轮FOX分组密码的碰撞-积分攻击[J].电子学报.2005(7):1307-1310.
[15]L. Xiao and H. M. Heys. Hardware Design and Analysis of Block Cipher Components[A].In Proceedings of the5th International Conference on Information Security and Cryptology-ICISC'02[C]. LNCS2587, Springer-Verlag,2003:164-181.
[16]王念平,金晨辉,余昭平.对合型列混合变换的研究[J].电子学报,2005,33(10):1917-1920.
[17]A.M.Youssef, S. Mister, S. E. Tavares. On the Design of Linear Transformations for Substitution Permutation Encryption Networks[A]. Workshop on Selected Areas in Cryptography-SAC'97[C]. Workshop record,1997:40-48.
[18]L.R. Knudsen and T.A. Berson. Truncated Differentials of SAFER[A]. In Fast Software Encryption-Third International Workshop, FSE'96[C], Volume1039of Lecture Notes in Computer Science, Berlin, Heidelberg, New York, Springer-Verlag,1996.
[19]M. Kanda and T. Matsumoto. Security of Camellia against Truncated Differential Cryptanalysis[A]. In Fast Software Encryption-8th International Workshop, FSE'00[C].
[20]A. Moriai, M. Sugita, K. Aoki, M. Kanda. Security of E2against truncated Differential Cryptanalysis[A]. Sixth Annual Workshop on Selected Areas in Cryptography (SAC'99)[C], LNCS1758. pp.106-117, Springer Verlag, Berlin,1999.
[21]S. Moriai, M. Sugita and M. Kanda. Security of E2against truncated Differential Cryptanalysis[J]. IEICE, Trans, fundamentals, Vol.E84-A NO.1, pp.319-325, January2001.
[22]M. Sugita, K. Kobara, H. Imai. Relationships among Differential, Truncated Differential, Impossible Differential Cryptanalyses against Block-Oriented Block Ciphers like RIJNDAEL, E2[A]. Third AES Workshop[C],2000.
[23]J. Daemen, L. Knudsen, and V Rijmen. The Block Cipher Square[A]. Fast Software Encryption[C], LNCS1267, Springer-Verlag,1997:149-165.
[24]唐学海,李超,谢端强CLEFIA密码的Square攻击[J].电子与信息学报,2009,31(9):2260-2263
[25]Ji W and Hu L. Square Attack on Reduced-Round Zodiac Cipher[A]. ISPEC2008[C], Springer-Verlag,2008, LNCS,4991:377-391.
[26]E. Biham, A. Biryukov, A. Shamir. Cryptanalysis of Skipjack Reduced to31Rounds Using Impossible Differentials[A]. In J. Stern, editor, Advances in Cryptology:EUROCRYPT'99[C], LNCS1592, pp.12-23. Springer Verlag,1999.
[27]L. Knudsen. DEAL-A128-bit Block Cipher[R]. Technical Report151, Department of Informatics, University of Bergen, Bergen, Norway, Feb.1998.
[28]J. Daemen and V Rijmen. The Block Cipher Square[A]. In:Proceedings of Fast Software Encryption-FSE'97[C]. LNCS1267, Springer-Verlag,1997:149-165.
[29]NTT-Nippon Telegraph and Telephone Corporation. E2:Efficient Encryption Algorithm[EB].:Available at http://info.isl.ntt.co.jp/e2,2007-2-2.
[30]K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita. Camellia:A128-bit Block Cipher Suitable for Multiple Platforms[A]. In:Proceedings of Selected Areas in Cryptography-SAC'00[C]. LNCS2012, Springer-Verlag,2001:41-54.
[31]Shirai, T, Preneel, B. On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds [A]. In:Lee, P.J.(ed.) ASIACRYPT2004[C]. LNCS, vol.3329, pp.1-15.Springer, Heidelberg (2004)
[32]Shirai, T, Shibutani, K.:On Feistel Structures Using a Diffusion Switching Mechanism[A].In:Robshaw, M.(ed.) FSE2006[C]. LNCS, vol.4047, pp.41-56. Springer,Heidelberg (2006)
[33]Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.:The128-bit Block cipher CLEFIA[A]. In:Biryukov, A.(ed.) FSE2007[C], vol.4593, pp.181-195. Springer,Heidelberg (2007).
[34] Wei Yongzhuang and Hu Yupu. Improved Impossible Differential Cryptanalysis of AES-128[J].ChineseJournal of Elecronics. Vol.16, No.1, pp.187-189,2007.
[35] E. Biham, O. Dunkelman, and N. Keller. Related-Key Impossible Differential Attacks on8-RoundAES-192[A]. In CT-RSA’06[C], LNCS, pages21–33. Springer-Verlag,2006
[36] E. Biham and N. Keller. Cryptanalysis of Reduced Variants of Rijndael[EB],1999. Available online atwww.madchat.fr/crypto/codebreakers/35-ebiham.pdf.
[37] O. Dunkelman and N. Keller. An Improved Impossible Differential Attack on MISTY1[A]. InASIACRYPT’08[C], LNCS, pages441–454. Springer-Verlag,2008.
[38] J. Lu, O. Dunkelman, N. Keller, and J. Kim. New Impossible Differential Attacks on AES[A]. InINDOCRYPT’08[C], LNCS, pages279–293. Springer-Verlag,2008.
[39] J. Lu, J. Kim, N. Keller, and O. Dunkelman. Improving the Efficiency of Impossible DifferentialCryptanalysis of Reduced Camellia and MISTY1[A]. In CT-RSA’08[C], LNCS, pages370–386.Springer-Verlag,2008.
[40] Y. Tsunoo, E. Tsujihara, M. Shigeri, T. Saito, T. Suzaki, and H. Kubo. Impossible DifferentialCryptanalysis of CLEFIA[A]. In FSE’08[C], LNCS, pages398–411. Springer-Verlag,2008.
[41] Wenling Wu, Wentao Zhang, and Dengguo Feng, Impossible Differential Cryptanalysis ofReduced-Round ARIA and Camellia[J], Journal of Computer Science and Technology, Vol.22, No.3,pp:449-456,2007.
[42] Wentao Zhang, WenlingWu, and Dengguo Feng, New Results on Impossible Differential Cryptanalysis ofReduced AES[A], Information Security and Cryptology-ICISC2007[C], LNCS4817, pp:239-250,Springer-Verlag,2007.
[43] Raphael Chung-Wei Phan, Impossible Differential Cryptanalysis of7-round AES[J], InformationProcessing Letters, Vol.91, Number1, pp:33-38,2004.
[44] Kim, J., Hong, S., Sung, J., Lee, S., Lim, J. Impossible Differential Cryptanalysis for Block CipherStructures[A]. In: Johansson, T., Maitra, S.(eds.) Indocrypt2003[C], LNCS, vol.2904, pp.82-96,Springer, Heidelberg(2003)
[45] Luo Yi-yuan, Wu Zhong-ming, Lai Xue-jia. A Unified Method for Finding Impossible Differentials ofBlock Cipher Structures[EB], Cryptology ePrint Archive, Report2009/627, available through:http://eprint.iacr.org/2009/627.
[46] Ruilin Li, Bing Sun, and Chao Li. Impossible Differential Cryptanalysis of SPN Ciphers[EB]. CryptologyePrint Archive, Report2010/307, available through: http://eprint.iacr.org/2010/307.
[47] Ruilin Li and Bing Sun and Chao Li. From Camellia to p-Camellia: Some Observations on MISTYStructure with SPN Round Function[EB]. Cryptology ePrint Archive, Report2010/661, available through:http://eprint.iacr.org/2010/661.
[48]Y. Wei, P. Li, B. Sun, C. Li. Impossible Differential Cryptanalysis on Feistel Ciphers with SP and SPS Round Functions[A]. ACNS2010[C], LNCS6123, pp.105-122Springer-Verlag,2010.
[49]金晨辉,郑浩然,张少武,胡斌,史建红.密码学[M].北京:高等教育出版社,2009.11.
[50]V. Rijmen, J. Daemen, B. Preneel, A. Bossalaers, and E. D. Win. The Cipher Shark[A]. In:Proceedings of Fast Software Encryption-FSE'96[C]. LNCS1039, Springer-Verlag,1996:99-111.
[51]Daesung Kwon, Jaesung Kim, Sangwoo Park, et.al. New Block Cipher:ARIA[a]. In Proc. ICICS'03[C], Seoul, Korea, LNCS2971, Springer-Verlag,November27~28,2003, pp.432~445.
[52]国家商用密码管理办公室.无线局域网产品中使用的SMS4算法[EB/OL]. Available at http://www.oscca.gov.cn/UPFile,2007-6-1.
[53]柳柏濂.组合矩阵论(第二版)[M].北京:科学出版社,2006.1.
[54]F. MacWilliams and N. Sloane. The Theory of Error-Correcting Codes[M]. North-Holland,1977.
[55]Nakahara J Jr.3D:A Three-Dimensional Block Cipher[A]. in CANS2008[C], pp.252-267, December2-4,2008.
[56]Tang Xue-hai, Li Chao, Wang Mei-yi. Impossible Differential Attack on3D Cipher[J]. Journal of Electronics&Information Technology. Vol.32, No.10, pp.2516-2520. October,2010.
[57]Jorge Nakahara Jr. New Impossible Differential and Known-Key Distinguishers for the3D Cipher[A]. in ISPEC2011[C], pp.208-221, May30-June1,2011.
[58]Takuma Koyama, LeiWang, Yu Sasaki, Kazuo Sakiyama, and Kazuo Ohta. New Truncated Differential Cryptanalysis on3D Block Cipher[A]. in ISPEC2012[C], pp.109-125, April9-12,2012.
[59]Skipjack and KEA Algorithm Specifications, Version2.0[EB],29May1998. Available at the National Institute of Standards and Technology's web page, http://csrc.nist.gov/encryption/skipjack-kea.htm.
[60]Adams C. CAST-256[EB].:Available at http://www.nist.gov/aes,2007-4-7.
[61]吕述望,张如文.一类Feistel密码的线性分析[J].电子与信息学报,2003,25(9):1137-1242.
[62]张如文.一类广义Feistel密码的线性分析[J].中国科学院研究生院学报,2003,20(1):31-38.
[63]吴文玲,贺也平.一类广义Feistel密码的安全性评估[J].电子与信息学报,2002,24(9):1177-1184.
[64]C. Burwick, D. Coppersmith, E. C'Avignon, R. Gennaro, S. Halevi, C. Jutla, S.M. Matyas, L. O'Connor, M. Peyravian, D. Safford, and N. Zunic. MARS-A Candidate Cipher for AES[R], NIST AES Proposal, June1998.
[65]Shengbao Wu, Mingsheng Wang. Security Evaluation against Differential Cryptanalysis for Block Cipher Structures[EB]. Cryptology ePrint Archive, Report2011/551, Available through: http://eprint.iacr.org/2011/551
[66]J. Sung, S. Lee, J.Kim, S. Hong, S. Park. Provable Security for the Skipjack-like Structure against Differential and Linear Cryptanalysis[A]. ASIACRYPT2000[C]. LNCS1976, Springer-Verlag.2000:274-288.
[67]M. Pudovkina. On Impossible Truncated Differentials of Generalized Feistel and Skipjack Ciphers[R]. FSE2009Rump Session. Avaiable at:http://fse2009rump.cr.yp.to/e31bba5d1227eac5ef0daa6bcbf66f27.pdf.
[68]北京大学数学系几何与代数教研室代数小组.高等代数(第二版)[M].北京:高等教育出版社,1988
[69]Internet RFC/STD/FYI/BCP Archives:RFC2144-The CAST-128Encryption Algorithm[EB], May1997. http://www.faqs.org/rfcs/rfc2144.html.
[70]Shengbao Wu and Mingsheng Wang. Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers[EB]. Cryptology ePrint Archive, Report2012/214, Available through: http://eprint.iacr.org/2012/214.
[71]Ruilin Li, Bing Sun, Chao Li, Longjiang Qu. Cryptanalysis of a generalized unbalanced Feistel network structure[A]. In:ACISP2010[C], pp.1-18.
[72]Bogdanov A and Rijmen V. Zero-correlation linear cryptanalysis of block cipher[EB]. Cryptology ePrint Archive, Report2011/123. Available through:http://eprint.iacr.org/2011/123.
[73]Hadi Soleimany. Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock[EB]. Cryptology ePrint Archive, Report2012/570. Available through:http://eprint.iacr.org/2012/570.
[74]Bogdanov A, Wang M. Zero Correlation Linear Cryptanalysis with Reduced Data Complexity [A]. In Canteaut, A.(ed.) FSE2012[C]. LNCS, Vol.7549, pp.29-48, Springer, Heidelberg (2012)
[75]Ju-Sung Kang, Seokhie Hong, Sangjin Lee, Okyeon Yi, Choonsik Park, and Jongin Lim. Practical and Provable Security Against Differential and Linear Cryptanalysis for Substitution-Permutation Networks[J]. ETRI Journal, Volume23, Number4, December2001
[76]Kanda M. Practical Security Evaluation Against Differential and Linear Cryptanalyses for Feistel Ciphers with SPN Round Function[A]. Selected Areas in Cryptography SAC2000[C], August14-15,2000, Waterloo, Canada. Berlin, Germany:Springer-Verlag,2001, LNCS2012:324-338.
[77]Kanda M, Matsumoto T. Security of Camellia Against Truncated Differential Cryptanalysis [A].8th International Workshop, Fast Software Encryption2001[C], April2-4,2001, Yokohama, Japan. Berlin, Germany:Springer-Verlag,2002, LNCS2355:286-299.
[78]Wu Wen-ling, Zhang Wen-tao, Lin Dong-dai. Security on Generalized Feistel Scheme with SP Round Function[EB]. Cryptology ePrint Archive, Report2004/337. Available through: http://eprint.iacr. org/2004/337.
[79]王念平.一类广义Feistel密码的安全性能分析[J].大连海事大学学报,2007,33(3):63-67.
[80]Lei Zhang, Wenling Wu, and Liting Zhang. Proposition of Two Cipher Structures [A]. Inscrypt2009[C], LNCS6151, pp.215-229,2010. Springer-Verlag Berlin Heidelberg(2010)
[81]Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone应用密码学手册(胡磊,王鹏等译)[M].北京:电子工业出版社,2005.6
[82]NIST, Recommendation for Block Cipher Modes of Operation:The CMAC Mode for Authentication[EB/OL], NIST Special Publication800-38B,2005.
[83]B. Preneel. Analysis and Design of Cryptographic Hash Functions[D]. PhD thesis, Katholieke Universiteit Leuven,1993.
[84]R.C. Merkle, One Way Hash Functions and DES[A]. Advances in Cryptology-CRYPTO'89[C]. LNCS, vol.435, pp.428-446, Springer, Heidelberg (1990).
[85]I.B.Damgard, A Design Principle for Hash Functions[A]. Advances in Cryptology-CRYPTO'89[C]. LNCS, vol.435, pp.416-427, Springer, Heidelberg (1990).
[86]T. Iwata, K. Kurosawa, OMAC:One-Key CBC MAC [A]. FSE2003[C], LNCS2887, pp.129-153,2003.
[87]Keting Jia, Xiaoyun Wang, Zheng Yuan and Guangwu Xu. Distinguishing Attack and Second-Preimage Attack on the CBC-like MACs[EB]. Cryptology ePrint Archive, Report2008/542. Available through: http://eprint.iacr.org/2008/542
[88]李超,孙兵,李瑞林.分组密码的攻击方法与实例分析[M].北京:科学出版社,2010.5.
[2]E. Biham, and A. Shamir. Differential Cryptanalysis of DES-like Cryptosystems[J]. Journal of Cryptology,1991,14(1):3-72.
[3]M. Matsui. Linear Cryptanalysis Method for DES Cipher[A]. In:Proceedings of Advances in Cryptology-EUROCRYPT'93[C]. LNCS765, Springer-Verlag,1994:386-397.
[4]J. Daemen and V. Rijmen. The Design of Rijndael:AES-The Advanced Encryption Standard [M]. Springer-verlag,2002.
[5]吴文玲,冯登国,张文涛.分组密码的设计与分析(第二版)[M].北京:清华大学出版社,2009.10.
[6]H. Feistel. Cryptography and Computer Privacy [J]. Scientific American,1973,228:15-23.
[7]H.M. Heys and S.E. Tavares. The Design of Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis [A]. Proceedings of2nd ACM Conference on Computer and Communications Security[C],1994:148-155.
[8]B. Schneier and J. Kelsey. Unbalanced Feistel Networks and Block Cipher Design[A]. In:Proceedings of Fast Software Encryption-FSE'96[C]. LNCS1039, Springer-Verlag,1996:121-144.
[9]S.Vaudenay. On the Lai-Massey scheme[A]. Advances in Cryptology-ASIACRYPT'99[C], LNCS1716, Springer-Verlag,1999:8-19.
[10]P.Junod and S. Vaudenay. FOX:a New Family of Block Ciphers[A]. Selected Areas in Cryptography-SAC[C]. LNCS2595, Springer-Verlag,2004:131-146.
[11]Wenling Wu, Wentao Zhang and Dengguo Feng. Integral Cryptanalysis of Reduced FOX Block Cipher[A]. Information Security and Cryptology-ICISC2005[C], LNCS3935, pp.229-241, Springer-Verlag,2006.
[12]魏悦川,孙兵,李超.FOX密码的不可能差分分析[J].通信学报,2010,Vo1.9:24-29.
[13]Zhongming Wu and Xuejia Lai and Bo Zhu and Yiyuan Luo. Impossible Differential Cryptanalysis of FOX[R]. http://eprint. Iacr.org/2009/357.
[14]吴文玲,卫宏儒.低轮FOX分组密码的碰撞-积分攻击[J].电子学报.2005(7):1307-1310.
[15]L. Xiao and H. M. Heys. Hardware Design and Analysis of Block Cipher Components[A].In Proceedings of the5th International Conference on Information Security and Cryptology-ICISC'02[C]. LNCS2587, Springer-Verlag,2003:164-181.
[16]王念平,金晨辉,余昭平.对合型列混合变换的研究[J].电子学报,2005,33(10):1917-1920.
[17]A.M.Youssef, S. Mister, S. E. Tavares. On the Design of Linear Transformations for Substitution Permutation Encryption Networks[A]. Workshop on Selected Areas in Cryptography-SAC'97[C]. Workshop record,1997:40-48.
[18]L.R. Knudsen and T.A. Berson. Truncated Differentials of SAFER[A]. In Fast Software Encryption-Third International Workshop, FSE'96[C], Volume1039of Lecture Notes in Computer Science, Berlin, Heidelberg, New York, Springer-Verlag,1996.
[19]M. Kanda and T. Matsumoto. Security of Camellia against Truncated Differential Cryptanalysis[A]. In Fast Software Encryption-8th International Workshop, FSE'00[C].
[20]A. Moriai, M. Sugita, K. Aoki, M. Kanda. Security of E2against truncated Differential Cryptanalysis[A]. Sixth Annual Workshop on Selected Areas in Cryptography (SAC'99)[C], LNCS1758. pp.106-117, Springer Verlag, Berlin,1999.
[21]S. Moriai, M. Sugita and M. Kanda. Security of E2against truncated Differential Cryptanalysis[J]. IEICE, Trans, fundamentals, Vol.E84-A NO.1, pp.319-325, January2001.
[22]M. Sugita, K. Kobara, H. Imai. Relationships among Differential, Truncated Differential, Impossible Differential Cryptanalyses against Block-Oriented Block Ciphers like RIJNDAEL, E2[A]. Third AES Workshop[C],2000.
[23]J. Daemen, L. Knudsen, and V Rijmen. The Block Cipher Square[A]. Fast Software Encryption[C], LNCS1267, Springer-Verlag,1997:149-165.
[24]唐学海,李超,谢端强CLEFIA密码的Square攻击[J].电子与信息学报,2009,31(9):2260-2263
[25]Ji W and Hu L. Square Attack on Reduced-Round Zodiac Cipher[A]. ISPEC2008[C], Springer-Verlag,2008, LNCS,4991:377-391.
[26]E. Biham, A. Biryukov, A. Shamir. Cryptanalysis of Skipjack Reduced to31Rounds Using Impossible Differentials[A]. In J. Stern, editor, Advances in Cryptology:EUROCRYPT'99[C], LNCS1592, pp.12-23. Springer Verlag,1999.
[27]L. Knudsen. DEAL-A128-bit Block Cipher[R]. Technical Report151, Department of Informatics, University of Bergen, Bergen, Norway, Feb.1998.
[28]J. Daemen and V Rijmen. The Block Cipher Square[A]. In:Proceedings of Fast Software Encryption-FSE'97[C]. LNCS1267, Springer-Verlag,1997:149-165.
[29]NTT-Nippon Telegraph and Telephone Corporation. E2:Efficient Encryption Algorithm[EB].:Available at http://info.isl.ntt.co.jp/e2,2007-2-2.
[30]K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita. Camellia:A128-bit Block Cipher Suitable for Multiple Platforms[A]. In:Proceedings of Selected Areas in Cryptography-SAC'00[C]. LNCS2012, Springer-Verlag,2001:41-54.
[31]Shirai, T, Preneel, B. On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds [A]. In:Lee, P.J.(ed.) ASIACRYPT2004[C]. LNCS, vol.3329, pp.1-15.Springer, Heidelberg (2004)
[32]Shirai, T, Shibutani, K.:On Feistel Structures Using a Diffusion Switching Mechanism[A].In:Robshaw, M.(ed.) FSE2006[C]. LNCS, vol.4047, pp.41-56. Springer,Heidelberg (2006)
[33]Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.:The128-bit Block cipher CLEFIA[A]. In:Biryukov, A.(ed.) FSE2007[C], vol.4593, pp.181-195. Springer,Heidelberg (2007).
[34] Wei Yongzhuang and Hu Yupu. Improved Impossible Differential Cryptanalysis of AES-128[J].ChineseJournal of Elecronics. Vol.16, No.1, pp.187-189,2007.
[35] E. Biham, O. Dunkelman, and N. Keller. Related-Key Impossible Differential Attacks on8-RoundAES-192[A]. In CT-RSA’06[C], LNCS, pages21–33. Springer-Verlag,2006
[36] E. Biham and N. Keller. Cryptanalysis of Reduced Variants of Rijndael[EB],1999. Available online atwww.madchat.fr/crypto/codebreakers/35-ebiham.pdf.
[37] O. Dunkelman and N. Keller. An Improved Impossible Differential Attack on MISTY1[A]. InASIACRYPT’08[C], LNCS, pages441–454. Springer-Verlag,2008.
[38] J. Lu, O. Dunkelman, N. Keller, and J. Kim. New Impossible Differential Attacks on AES[A]. InINDOCRYPT’08[C], LNCS, pages279–293. Springer-Verlag,2008.
[39] J. Lu, J. Kim, N. Keller, and O. Dunkelman. Improving the Efficiency of Impossible DifferentialCryptanalysis of Reduced Camellia and MISTY1[A]. In CT-RSA’08[C], LNCS, pages370–386.Springer-Verlag,2008.
[40] Y. Tsunoo, E. Tsujihara, M. Shigeri, T. Saito, T. Suzaki, and H. Kubo. Impossible DifferentialCryptanalysis of CLEFIA[A]. In FSE’08[C], LNCS, pages398–411. Springer-Verlag,2008.
[41] Wenling Wu, Wentao Zhang, and Dengguo Feng, Impossible Differential Cryptanalysis ofReduced-Round ARIA and Camellia[J], Journal of Computer Science and Technology, Vol.22, No.3,pp:449-456,2007.
[42] Wentao Zhang, WenlingWu, and Dengguo Feng, New Results on Impossible Differential Cryptanalysis ofReduced AES[A], Information Security and Cryptology-ICISC2007[C], LNCS4817, pp:239-250,Springer-Verlag,2007.
[43] Raphael Chung-Wei Phan, Impossible Differential Cryptanalysis of7-round AES[J], InformationProcessing Letters, Vol.91, Number1, pp:33-38,2004.
[44] Kim, J., Hong, S., Sung, J., Lee, S., Lim, J. Impossible Differential Cryptanalysis for Block CipherStructures[A]. In: Johansson, T., Maitra, S.(eds.) Indocrypt2003[C], LNCS, vol.2904, pp.82-96,Springer, Heidelberg(2003)
[45] Luo Yi-yuan, Wu Zhong-ming, Lai Xue-jia. A Unified Method for Finding Impossible Differentials ofBlock Cipher Structures[EB], Cryptology ePrint Archive, Report2009/627, available through:http://eprint.iacr.org/2009/627.
[46] Ruilin Li, Bing Sun, and Chao Li. Impossible Differential Cryptanalysis of SPN Ciphers[EB]. CryptologyePrint Archive, Report2010/307, available through: http://eprint.iacr.org/2010/307.
[47] Ruilin Li and Bing Sun and Chao Li. From Camellia to p-Camellia: Some Observations on MISTYStructure with SPN Round Function[EB]. Cryptology ePrint Archive, Report2010/661, available through:http://eprint.iacr.org/2010/661.
[48]Y. Wei, P. Li, B. Sun, C. Li. Impossible Differential Cryptanalysis on Feistel Ciphers with SP and SPS Round Functions[A]. ACNS2010[C], LNCS6123, pp.105-122Springer-Verlag,2010.
[49]金晨辉,郑浩然,张少武,胡斌,史建红.密码学[M].北京:高等教育出版社,2009.11.
[50]V. Rijmen, J. Daemen, B. Preneel, A. Bossalaers, and E. D. Win. The Cipher Shark[A]. In:Proceedings of Fast Software Encryption-FSE'96[C]. LNCS1039, Springer-Verlag,1996:99-111.
[51]Daesung Kwon, Jaesung Kim, Sangwoo Park, et.al. New Block Cipher:ARIA[a]. In Proc. ICICS'03[C], Seoul, Korea, LNCS2971, Springer-Verlag,November27~28,2003, pp.432~445.
[52]国家商用密码管理办公室.无线局域网产品中使用的SMS4算法[EB/OL]. Available at http://www.oscca.gov.cn/UPFile,2007-6-1.
[53]柳柏濂.组合矩阵论(第二版)[M].北京:科学出版社,2006.1.
[54]F. MacWilliams and N. Sloane. The Theory of Error-Correcting Codes[M]. North-Holland,1977.
[55]Nakahara J Jr.3D:A Three-Dimensional Block Cipher[A]. in CANS2008[C], pp.252-267, December2-4,2008.
[56]Tang Xue-hai, Li Chao, Wang Mei-yi. Impossible Differential Attack on3D Cipher[J]. Journal of Electronics&Information Technology. Vol.32, No.10, pp.2516-2520. October,2010.
[57]Jorge Nakahara Jr. New Impossible Differential and Known-Key Distinguishers for the3D Cipher[A]. in ISPEC2011[C], pp.208-221, May30-June1,2011.
[58]Takuma Koyama, LeiWang, Yu Sasaki, Kazuo Sakiyama, and Kazuo Ohta. New Truncated Differential Cryptanalysis on3D Block Cipher[A]. in ISPEC2012[C], pp.109-125, April9-12,2012.
[59]Skipjack and KEA Algorithm Specifications, Version2.0[EB],29May1998. Available at the National Institute of Standards and Technology's web page, http://csrc.nist.gov/encryption/skipjack-kea.htm.
[60]Adams C. CAST-256[EB].:Available at http://www.nist.gov/aes,2007-4-7.
[61]吕述望,张如文.一类Feistel密码的线性分析[J].电子与信息学报,2003,25(9):1137-1242.
[62]张如文.一类广义Feistel密码的线性分析[J].中国科学院研究生院学报,2003,20(1):31-38.
[63]吴文玲,贺也平.一类广义Feistel密码的安全性评估[J].电子与信息学报,2002,24(9):1177-1184.
[64]C. Burwick, D. Coppersmith, E. C'Avignon, R. Gennaro, S. Halevi, C. Jutla, S.M. Matyas, L. O'Connor, M. Peyravian, D. Safford, and N. Zunic. MARS-A Candidate Cipher for AES[R], NIST AES Proposal, June1998.
[65]Shengbao Wu, Mingsheng Wang. Security Evaluation against Differential Cryptanalysis for Block Cipher Structures[EB]. Cryptology ePrint Archive, Report2011/551, Available through: http://eprint.iacr.org/2011/551
[66]J. Sung, S. Lee, J.Kim, S. Hong, S. Park. Provable Security for the Skipjack-like Structure against Differential and Linear Cryptanalysis[A]. ASIACRYPT2000[C]. LNCS1976, Springer-Verlag.2000:274-288.
[67]M. Pudovkina. On Impossible Truncated Differentials of Generalized Feistel and Skipjack Ciphers[R]. FSE2009Rump Session. Avaiable at:http://fse2009rump.cr.yp.to/e31bba5d1227eac5ef0daa6bcbf66f27.pdf.
[68]北京大学数学系几何与代数教研室代数小组.高等代数(第二版)[M].北京:高等教育出版社,1988
[69]Internet RFC/STD/FYI/BCP Archives:RFC2144-The CAST-128Encryption Algorithm[EB], May1997. http://www.faqs.org/rfcs/rfc2144.html.
[70]Shengbao Wu and Mingsheng Wang. Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers[EB]. Cryptology ePrint Archive, Report2012/214, Available through: http://eprint.iacr.org/2012/214.
[71]Ruilin Li, Bing Sun, Chao Li, Longjiang Qu. Cryptanalysis of a generalized unbalanced Feistel network structure[A]. In:ACISP2010[C], pp.1-18.
[72]Bogdanov A and Rijmen V. Zero-correlation linear cryptanalysis of block cipher[EB]. Cryptology ePrint Archive, Report2011/123. Available through:http://eprint.iacr.org/2011/123.
[73]Hadi Soleimany. Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock[EB]. Cryptology ePrint Archive, Report2012/570. Available through:http://eprint.iacr.org/2012/570.
[74]Bogdanov A, Wang M. Zero Correlation Linear Cryptanalysis with Reduced Data Complexity [A]. In Canteaut, A.(ed.) FSE2012[C]. LNCS, Vol.7549, pp.29-48, Springer, Heidelberg (2012)
[75]Ju-Sung Kang, Seokhie Hong, Sangjin Lee, Okyeon Yi, Choonsik Park, and Jongin Lim. Practical and Provable Security Against Differential and Linear Cryptanalysis for Substitution-Permutation Networks[J]. ETRI Journal, Volume23, Number4, December2001
[76]Kanda M. Practical Security Evaluation Against Differential and Linear Cryptanalyses for Feistel Ciphers with SPN Round Function[A]. Selected Areas in Cryptography SAC2000[C], August14-15,2000, Waterloo, Canada. Berlin, Germany:Springer-Verlag,2001, LNCS2012:324-338.
[77]Kanda M, Matsumoto T. Security of Camellia Against Truncated Differential Cryptanalysis [A].8th International Workshop, Fast Software Encryption2001[C], April2-4,2001, Yokohama, Japan. Berlin, Germany:Springer-Verlag,2002, LNCS2355:286-299.
[78]Wu Wen-ling, Zhang Wen-tao, Lin Dong-dai. Security on Generalized Feistel Scheme with SP Round Function[EB]. Cryptology ePrint Archive, Report2004/337. Available through: http://eprint.iacr. org/2004/337.
[79]王念平.一类广义Feistel密码的安全性能分析[J].大连海事大学学报,2007,33(3):63-67.
[80]Lei Zhang, Wenling Wu, and Liting Zhang. Proposition of Two Cipher Structures [A]. Inscrypt2009[C], LNCS6151, pp.215-229,2010. Springer-Verlag Berlin Heidelberg(2010)
[81]Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone应用密码学手册(胡磊,王鹏等译)[M].北京:电子工业出版社,2005.6
[82]NIST, Recommendation for Block Cipher Modes of Operation:The CMAC Mode for Authentication[EB/OL], NIST Special Publication800-38B,2005.
[83]B. Preneel. Analysis and Design of Cryptographic Hash Functions[D]. PhD thesis, Katholieke Universiteit Leuven,1993.
[84]R.C. Merkle, One Way Hash Functions and DES[A]. Advances in Cryptology-CRYPTO'89[C]. LNCS, vol.435, pp.428-446, Springer, Heidelberg (1990).
[85]I.B.Damgard, A Design Principle for Hash Functions[A]. Advances in Cryptology-CRYPTO'89[C]. LNCS, vol.435, pp.416-427, Springer, Heidelberg (1990).
[86]T. Iwata, K. Kurosawa, OMAC:One-Key CBC MAC [A]. FSE2003[C], LNCS2887, pp.129-153,2003.
[87]Keting Jia, Xiaoyun Wang, Zheng Yuan and Guangwu Xu. Distinguishing Attack and Second-Preimage Attack on the CBC-like MACs[EB]. Cryptology ePrint Archive, Report2008/542. Available through: http://eprint.iacr.org/2008/542
[88]李超,孙兵,李瑞林.分组密码的攻击方法与实例分析[M].北京:科学出版社,2010.5.
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |