高级检索

    轻量级分组密码算法ESF的安全性分析

    Security Analysis of Lightweight Block Cipher ESF

    • 摘要: 自动化分析是当前对密码算法进行安全性评估的重要方法之一,具有高效、易实现的特点.对面向位的分组密码,自从Sun等人在2014年亚洲密码年会上提出基于MILP问题的差分和线性自动化搜索方法,该方法受到了许多密码学者的关注.目前,针对求解多轮密码算法MILP模型,如何减少变量和约束不等式的研究工作相对较少,还有很多问题有待解决.根据异或操作的差分传播模式,在2017年欧洲密码年会上,Sasaki等人给出了不带假设变量的新约束不等式,该约束不等式在降低变量和约束数量的前提下保留了异或操作的差分传播性质.同时,对于S盒的性质,当输入差分变量(线性掩码)非零时,该S盒必定活跃,Sun等人用了4个约束不等式来刻画该性质,经过简单的变换,可以用1个约束来表示该性质.基于这些精炼的约束和自动化搜索方法,针对轻量级分组密码算法ESF,建立单密钥下精炼的差分和线性MILP模型,首次给出了ESF算法在单密钥情形下的差分和线性分析结果,得到了15轮ESF算法差分最小活跃S盒数量为19和16轮ESF算法线性最小活跃S盒数量为15.此外,还搜索到了轮数最长的不可能差分和零相关线性逼近区分器.

       

      Abstract: Automatic analysis is one of the important methods to evaluate the security of cryptographic algorithms. It is characterized by high efficiency and easily implement. In ASIACRYPT 2014, Sun et al. presented a MILP-based automatic search differential and linear trails method for bit-oriented block ciphers, which has attracted the attention of many cryptographers. At present, there are still a lack of research about solving the MILP model, such as how to reduce the number of variables and constraint inequalities. According to the differential propagation model of the XOR operation, in EUROCRYPT 2017, Sasaki et al. gave a set of new constraints without dummy variables. The new constraint inequalities can not only preserve the differential propagation for XOR operation, but also reduce the number of variables. At the same time, Sun et al. uses four constraints to describe the property when the input differential variable (the linear mask variable) of an S-box is non-zero and the S-box must be an active, but in this paper, we just use one constraint. Based on these refined constraints and the automatic method for finding high probability trails of block cipher, we establish the refined differential and linear MILP model under the single key assumption for the lightweight block cipher ESF. We have found that the minimum number of active S-boxes in 15-round differential trail of ESF is 19 and the number is 15 in 16-round linear trail. Moreover, we find so far the longest impossible differential and zero-correlation linear approximation distinguishers of ESF.

       

    /

    返回文章
    返回