轻量级分组密码算法ESF的安全性分析

尹军; 马楚焱; 宋健; 曾光; 马传贵

doi:10.7544/issn1000-1239.2017.20170455

轻量级分组密码算法ESF的安全性分析

尹军^1,2,3,
马楚焱⁴,
宋健¹,
曾光¹,
马传贵⁵

¹(数学工程与先进计算国家重点实验室(中国人民解放军信息工程大学) 郑州 450001)
²(中国科学院信息工程研究所北京 100093)
³(中国科学院大学北京 100049)
⁴(国防科学技术大学长沙 410073)
⁵(陆军航空兵学院北京 101116) (yinjun66888@163.com)

基金项目: 国家自然科学基金项目(61502532,61379150,61772519,61309016,61502529)；数学工程与先进计算国家重点实验室开放基金课题(2016A02)；河南省重点科技攻关计划项目(122102210126,092101210502)

详细信息

中图分类号: TP309.7
计量
- 文章访问数: 1845
- HTML全文浏览量: 0
- PDF下载量: 695
出版历程
- 发布日期: 2017-09-30

Security Analysis of Lightweight Block Cipher ESF

¹(State Key Laboratory of Mathematical Engineering and Advanced Computing (PLA Information Engineering University), Zhengzhou 450001)
²(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093)
³(University of Chinese Academy of Sciences, Beijing 100049)
⁴(National University of Defense Technology, Changsha 410073)
⁵(Army Aviation Institute, Beijing 101116)

摘要

摘要: 自动化分析是当前对密码算法进行安全性评估的重要方法之一，具有高效、易实现的特点.对面向位的分组密码，自从Sun等人在2014年亚洲密码年会上提出基于MILP问题的差分和线性自动化搜索方法，该方法受到了许多密码学者的关注.目前，针对求解多轮密码算法MILP模型，如何减少变量和约束不等式的研究工作相对较少，还有很多问题有待解决.根据异或操作的差分传播模式，在2017年欧洲密码年会上，Sasaki等人给出了不带假设变量的新约束不等式，该约束不等式在降低变量和约束数量的前提下保留了异或操作的差分传播性质.同时，对于S盒的性质，当输入差分变量(线性掩码)非零时，该S盒必定活跃，Sun等人用了4个约束不等式来刻画该性质，经过简单的变换，可以用1个约束来表示该性质.基于这些精炼的约束和自动化搜索方法，针对轻量级分组密码算法ESF，建立单密钥下精炼的差分和线性MILP模型，首次给出了ESF算法在单密钥情形下的差分和线性分析结果，得到了15轮ESF算法差分最小活跃S盒数量为19和16轮ESF算法线性最小活跃S盒数量为15.此外，还搜索到了轮数最长的不可能差分和零相关线性逼近区分器.
- 差分密码分析 /
- 线性密码分析 /
- 不可能差分 /
- 零相关线性逼近 /
- ESF /
- MILP
Abstract: Automatic analysis is one of the important methods to evaluate the security of cryptographic algorithms. It is characterized by high efficiency and easily implement. In ASIACRYPT 2014, Sun et al. presented a MILP-based automatic search differential and linear trails method for bit-oriented block ciphers, which has attracted the attention of many cryptographers. At present, there are still a lack of research about solving the MILP model, such as how to reduce the number of variables and constraint inequalities. According to the differential propagation model of the XOR operation, in EUROCRYPT 2017, Sasaki et al. gave a set of new constraints without dummy variables. The new constraint inequalities can not only preserve the differential propagation for XOR operation, but also reduce the number of variables. At the same time, Sun et al. uses four constraints to describe the property when the input differential variable (the linear mask variable) of an S-box is non-zero and the S-box must be an active, but in this paper, we just use one constraint. Based on these refined constraints and the automatic method for finding high probability trails of block cipher, we establish the refined differential and linear MILP model under the single key assumption for the lightweight block cipher ESF. We have found that the minimum number of active S-boxes in 15-round differential trail of ESF is 19 and the number is 15 in 16-round linear trail. Moreover, we find so far the longest impossible differential and zero-correlation linear approximation distinguishers of ESF.
- differential cryptanalysis /
- linear cryptanalysis /
- impossible differential /
- zero-correlation linear approximation /
- ESF /
- MILP