ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2017, Vol. 54 ›› Issue (10): 2224-2231.doi: 10.7544/issn1000-1239.2017.20170455

• 信息安全 • 上一篇    下一篇

轻量级分组密码算法ESF的安全性分析

尹军1,2,3,马楚焱4,宋健1,曾光1,马传贵5   

  1. 1(数学工程与先进计算国家重点实验室(中国人民解放军信息工程大学) 郑州 450001); 2(中国科学院信息工程研究所 北京 100093); 3(中国科学院大学 北京 100049); 4(国防科学技术大学 长沙 410073); 5(陆军航空兵学院 北京 101116) (yinjun66888@163.com)
  • 出版日期: 2017-10-01
  • 基金资助: 
    国家自然科学基金项目(61502532,61379150,61772519,61309016,61502529);数学工程与先进计算国家重点实验室开放基金课题(2016A02);河南省重点科技攻关计划项目(122102210126,092101210502)

Security Analysis of Lightweight Block Cipher ESF

Yin Jun1,2,3, Ma Chuyan4, Song Jian1, Zeng Guang1, Ma Chuangui5   

  1. 1(State Key Laboratory of Mathematical Engineering and Advanced Computing (PLA Information Engineering University), Zhengzhou 450001); 2(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093); 3(University of Chinese Academy of Sciences, Beijing 100049); 4(National University of Defense Technology, Changsha 410073); 5(Army Aviation Institute, Beijing 101116)
  • Online: 2017-10-01

摘要: 自动化分析是当前对密码算法进行安全性评估的重要方法之一,具有高效、易实现的特点.对面向位的分组密码,自从Sun等人在2014年亚洲密码年会上提出基于MILP问题的差分和线性自动化搜索方法,该方法受到了许多密码学者的关注.目前,针对求解多轮密码算法MILP模型,如何减少变量和约束不等式的研究工作相对较少,还有很多问题有待解决.根据异或操作的差分传播模式,在2017年欧洲密码年会上,Sasaki等人给出了不带假设变量的新约束不等式,该约束不等式在降低变量和约束数量的前提下保留了异或操作的差分传播性质.同时,对于S盒的性质,当输入差分变量(线性掩码)非零时,该S盒必定活跃,Sun等人用了4个约束不等式来刻画该性质,经过简单的变换,可以用1个约束来表示该性质.基于这些精炼的约束和自动化搜索方法,针对轻量级分组密码算法ESF,建立单密钥下精炼的差分和线性MILP模型,首次给出了ESF算法在单密钥情形下的差分和线性分析结果,得到了15轮ESF算法差分最小活跃S盒数量为19和16轮ESF算法线性最小活跃S盒数量为15.此外,还搜索到了轮数最长的不可能差分和零相关线性逼近区分器.

关键词: 差分密码分析, 线性密码分析, 不可能差分, 零相关线性逼近, ESF, MILP

Abstract: Automatic analysis is one of the important methods to evaluate the security of cryptographic algorithms. It is characterized by high efficiency and easily implement. In ASIACRYPT 2014, Sun et al. presented a MILP-based automatic search differential and linear trails method for bit-oriented block ciphers, which has attracted the attention of many cryptographers. At present, there are still a lack of research about solving the MILP model, such as how to reduce the number of variables and constraint inequalities. According to the differential propagation model of the XOR operation, in EUROCRYPT 2017, Sasaki et al. gave a set of new constraints without dummy variables. The new constraint inequalities can not only preserve the differential propagation for XOR operation, but also reduce the number of variables. At the same time, Sun et al. uses four constraints to describe the property when the input differential variable (the linear mask variable) of an S-box is non-zero and the S-box must be an active, but in this paper, we just use one constraint. Based on these refined constraints and the automatic method for finding high probability trails of block cipher, we establish the refined differential and linear MILP model under the single key assumption for the lightweight block cipher ESF. We have found that the minimum number of active S-boxes in 15-round differential trail of ESF is 19 and the number is 15 in 16-round linear trail. Moreover, we find so far the longest impossible differential and zero-correlation linear approximation distinguishers of ESF.

Key words: differential cryptanalysis, linear cryptanalysis, impossible differential, zero-correlation linear approximation, ESF, MILP

中图分类号: