Research on Several Cryptanalysis Models for Block Ciphers
Published: 2018-05-26 16:26
Topic: block ciphers + linear cryptanalysis. Source: Shandong University, 2017 doctoral dissertation
[Abstract]: Block ciphers are an important class of cryptographic algorithms for protecting the confidentiality of information in today's cyberspace. Cipher design and cryptanalysis are the two main aspects of block cipher research; they complement each other and continuously drive the development of symmetric cryptography. This thesis studies security analysis methods for block ciphers and improves either the attack procedure or the distinguisher used in several important analysis models: linear cryptanalysis, multidimensional linear cryptanalysis, multidimensional zero-correlation linear cryptanalysis, impossible differential cryptanalysis, zero-correlation cryptanalysis and integral cryptanalysis. The contributions are: (1) improving the attack procedure of the chi-square multidimensional linear and multidimensional zero-correlation linear cryptanalysis models; (2) introducing the dynamic key-guessing technique into the linear cryptanalysis model for bit-oriented block ciphers and giving improved linear attacks on Simon with lower time complexity; (3) further studying the relations among impossible differential, zero-correlation and integral distinguishers, proposing a general method for converting zero-correlation distinguishers into integral distinguishers, and establishing more effective equivalence conditions between the impossible differential and zero-correlation distinguishers of Feistel-type ciphers.

· Improved chi-square multidimensional linear and multidimensional zero-correlation models: Multidimensional linear cryptanalysis and multidimensional zero-correlation linear cryptanalysis are two important models for attacking block ciphers. In the chi-square version of the multidimensional linear (or multidimensional zero-correlation linear) model, the statistic used to distinguish the right key from wrong keys is computed from the probability distribution of the multidimensional distinguisher. In this thesis we propose a simpler way to compute the statistic: under a random plaintext space, the final statistic is computed directly from the experimental correlations of the multidimensional (zero-correlation) linear approximations. This removes the step of computing the probability distribution, and if FFT is used when computing the correlation of each approximation, the time complexity of the distillation phase is reduced. To demonstrate the effectiveness of the new model, we use multidimensional zero-correlation linear cryptanalysis to give a generic attack on Feistel structures with bijective round functions and round keys inserted by modular addition (or XOR); for the modular-addition case our structural attack is optimal in the number of rounds. We also analyse CAST-256, extending its multidimensional zero-correlation result from 28 to 29 rounds, an improvement of one round; although the complexity is close to that of the existing 29-round multiple zero-correlation attack, our attack makes no independence assumption on the distinguisher and is the best result under no assumptions.

· Improved linear cryptanalysis of Simon using dynamic key guessing: Simon is a lightweight block cipher proposed by the U.S. National Security Agency (NSA) in 2013. It has attracted wide attention from cryptographers since its publication, and many analysis results exist, including differential, linear, impossible differential and integral cryptanalysis. In this thesis we introduce the dynamic key-guessing technique (originally proposed together with differential cryptanalysis, where it effectively improved the differential attacks on Simon) into the linear cryptanalysis model for bit-oriented block ciphers and give improved linear attacks on Simon with lower time complexity. The basic idea is as follows: first build the Boolean functions obtained by extending the active bits of the linear distinguisher several rounds in both directions; these contain many AND operations, and guessing the key on one side of an AND simplifies the Boolean function, so that different key values are guessed in different cases, which effectively reduces the average number of key guesses and thus the time complexity. We improve the linear cryptanalysis results for all 10 versions of Simon: attacks on 23-round SIMON32/64, 24-round SIMON48/72, 25-round SIMON48/96, 30-round SIMON64/96, 31-round SIMON64/128, 37-round SIMON96/96, 38-round SIMON96/144, 49-round SIMON128/128, 51-round SIMON128/192 and 53-round SIMON128/256. For most versions our attacks are the best in terms of the number of rounds.

· New relations among zero-correlation, impossible differential and integral distinguishers: Zero-correlation (ZC), impossible differential (ID) and integral (IG) cryptanalysis are also three important models for analysing block ciphers, and in recent years the relations among the distinguishers used by these three models have become a focus of attention. At ASIACRYPT'12, Bogdanov et al. gave a basic relation between zero-correlation and integral distinguishers: an integral distinguisher can be derived from a zero-correlation distinguisher whose input and output masks are independent. At ACNS'14, Blondeau et al. used a matrix representation to give equivalence conditions between impossible differential and zero-correlation distinguishers for several structures. At CRYPTO'15, Sun et al. also gave results on the equivalence of the distinguishers of these analysis methods. In this thesis we (1) study in depth how to convert zero-correlation distinguishers with non-independent input and output masks into integral distinguishers, give an easier conversion method, and obtain new integral distinguishers for TEA, XTEA and HIGHT; (2) use invertible matrices to construct equivalence conditions between the impossible differential and zero-correlation distinguishers of Feistel-type structures, which covers more ciphers than the earlier permutation matrices. With this method we explain, from the ciphers' own properties, the equivalence of impossible differential and zero-correlation distinguishers for SMS4-like and MARS-like structures and for the Rule-A and Rule-B structures of Skipjack; we also derive an 18-round zero-correlation distinguisher for Four-Cell from its 18-round impossible differential distinguisher, far longer than the previous 12-round one.
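As an added illustration of the first contribution (this is example code, not code from the thesis): the chi-square statistic of an m-dimensional linear approximation computed from the empirical distribution equals N times the sum of the squared empirical correlations over the 2^m - 1 non-trivial masks, so the statistic can be computed straight from the correlations, here obtained with a fast Walsh-Hadamard transform in place of the FFT the thesis mentions. The sample values and the function names are constructed for this example.

```python
import random

def empirical_counts(samples, m):
    """Count how often each m-bit value z occurs in the sample."""
    counts = [0] * (1 << m)
    for z in samples:
        counts[z] += 1
    return counts

def chi_square_from_distribution(samples, m):
    """Classic route: chi-square of the observed m-bit distribution against uniform."""
    counts = empirical_counts(samples, m)
    expected = len(samples) / (1 << m)
    return sum((c - expected) ** 2 for c in counts) / expected

def fwht(vec):
    """Unnormalised fast Walsh-Hadamard transform of a length-2^m list:
    output[a] = sum_z vec[z] * (-1)^(a.z), computed in O(m * 2^m)."""
    out = list(vec)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                x, y = out[j], out[j + h]
                out[j], out[j + h] = x + y, x - y
        h *= 2
    return out

def empirical_correlations(samples, m):
    """c_hat(a) = (1/N) sum_i (-1)^(a.z_i) for every mask a; c_hat(0) is always 1."""
    return [s / len(samples) for s in fwht(empirical_counts(samples, m))]

def chi_square_from_correlations(samples, m):
    """Correlation route: N * sum_{a != 0} c_hat(a)^2, with no distribution step."""
    corr = empirical_correlations(samples, m)
    return len(samples) * sum(c * c for c in corr[1:])

# Constructed 2-bit sample with a visible bias: the parity mask a=3 has
# correlation 1/2 while masks 1 and 2 are balanced; both routes give 2.0.
TOY_SAMPLES = [0, 0, 0, 1, 2, 3, 3, 3]

def biased_samples(m, n, seed):
    """Constructed m-bit sample: uniform except that one value is over-represented."""
    rng = random.Random(seed)
    favoured = 0b1010 & ((1 << m) - 1)
    return [favoured if rng.random() < 0.2 else rng.randrange(1 << m) for _ in range(n)]

if __name__ == "__main__":
    for s, m in ((TOY_SAMPLES, 2), (biased_samples(4, 1000, 2017), 4)):
        print(chi_square_from_distribution(s, m), chi_square_from_correlations(s, m))
```

The two routes agree exactly up to floating-point rounding; the correlation route is the one that lets the distillation phase be organised around per-mask correlations instead of a full distribution.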
[Degree-granting institution]: Shandong University
[Degree level]: Doctorate
[Year of degree]: 2017
[Classification number]: TN918.1
Article number: 1937990
Article link: http://sikaile.net/kejilunwen/xinxigongchenglunwen/1937990.html