对简化版MORUS算法的改进动态立方攻击

MORUS算法是Wu等人设计的认证加密算法，现已进入CAESAR竞赛的第三轮.动态立方攻击是Dinur等人2011年提出的针对迭代型序列密码的分析方法.提出了一种改进的动态立方攻击方法，优化了动态立方攻击的立方集合的选取规则，提出了优先猜测关键值并恢复相应的关键秘密信息的方法，据此给出了成功率更高的秘密信息恢复方法.利用该方法分析了初始化5步的简化版MORUS算法，最终以O（2^95.05）的复杂度恢复所有128比特密钥，攻击的成功率大于92%.     

MORUS-1280-128算法的区分分析

MORUS算法是被提交到CAESAR竞赛中的一种认证加密算法,已经进入第三轮安全评估。对算法进行区分分析对于其安全性评估具有很重要的意义。以MORUS-1280-128为例,在nonce重用的情况下,对算法进行区分分析能够区分出密文的绝大部分比特,并通过寻找内部状态碰撞对算法进行标签伪造攻击。该研究结果对MORUS算法的安全性分析有很重要的意义。     

Piccolo算法的相关密钥-不可能差分攻击

现有的对于Piccolo算法的安全性分析结果中,除Biclique分析外,以低于穷举搜索的复杂度最长仅攻击至14轮Piccolo-80和18轮Piccolo-128算法.通过分析Piccolo算法密钥扩展的信息泄漏规律,结合算法等效结构,利用相关密钥-不可能差分分析方法,基于分割攻击思想,分别给出了15轮Piccolo-80和21轮Piccolo-128含前向白化密钥的攻击结果.当选择相关密钥量为2⁸时,攻击所需的数据复杂度分别为2^58.6和2^62.3,存储复杂度分别为2^60.6和2^64.3,计算复杂度分别为2⁷⁸和2^82.5;在选择相关密钥量为2⁴时,攻击所需的数据复杂度均为2^62.6和2^62.3,存储复杂度分别为2^64.6和2^64.3,计算复杂度分别为2^77.93和2^124.45.分析结果表明,仅含前向白化密钥的15轮Piccolo-80算法和21轮Piccolo-128算法在相关密钥-不可能差分攻击下是不安全的.     

Midori-64算法的截断不可能差分分析

分析了Midori-64算法在截断不可能差分攻击下的安全性.首先,通过分析Midori算法加、解密过程差分路径规律,证明了Midori算法在单密钥条件下的截断不可能差分区分器至多6轮,并对6轮截断不可能差分区分器进行了分类;其次,根据分类结果,构造了一个6轮区分器,并给出11轮Midori-64算法的不可能差分分析,恢复了128比特主密钥,其时间复杂度为2^121.4,数据复杂度为2^60.8,存储复杂度为2^96.5.     

MD5碰撞攻击中的充要条件集

通过分析MD5中非线性函数的性质以及模2³²减差分和异或差分的性质,证明了Liang Jie和Lai Xuejia 给出的产生MD5碰撞的充分条件集中的条件是保证第23～62步的差分路径满足的充要条件,给出了保证第63、64步的输出差分满足的充要条件集.利用得到的充要条件集,提出了对MD5的改进的碰撞攻击算法,该算法的平均计算复杂度约为已有碰撞攻击算法的0.718 7倍,并通过实验对该算法的改进效果进行了验证.     

5轮Salsa20的代数-截断差分攻击

Salsa20 流密码算法是Estream 最终胜出的7 个算法之一.结合非线性方程的求解及Salsa20 的两个3 轮高概率差分传递链,对5 轮Salsa20 算法进行了代数-截断差分攻击.计算复杂度不大于O(2¹⁰⁵),数据复杂度为O(2¹¹),存储复杂度为O(2¹¹),成功率为97.72%.到目前为止,该攻击结果是对5 轮Salsa20 算法攻击最好的结果.     

Camellia-128的截断差分攻击改进

基于2001年ASIACRYPT（亚密会）会议上Sugita等人提出的9轮截断差分区分器, 提出了Camellia算法的10轮截断差分区分器。进一步地利用这个区分器和密钥恢复中的提前抛弃技术, 给出了12轮Camellia-128的攻击, 恢复出所有密钥的数据复杂度和时间复杂度分别为2⁹⁷和2¹²⁴。这个结果是目前针对Camellia算法的截断差分攻击中最好的。     

缩减轮数Crypton算法中间相遇攻击的改进

Crypton密码算法是韩国学者提出的一种AES候选算法。通过研究Crypton算法的结构特征和一类截断差分路径的性质,利用差分枚举技术权衡存储复杂度和数据复杂度,提出了4轮和4.5轮中间相遇区分器。新的区分器减少了预计算表中的多重集数量,降低了存储复杂度。基于4轮区分器首次给出对7轮Crypton-128的中间相遇攻击,时间复杂度为2¹¹³,数据复杂度为2¹¹³,存储复杂度为290.72。基于4.5轮区分器首次给出对8轮Crypton-192的中间相遇攻击,时间复杂度为2¹⁷²,数据复杂度为2¹¹³,存储复杂度为2¹³⁸。     

MARS和Rijndael的能量攻击

使用能量攻击对MARS 和Rijndael进行了深入分析.结果表明:对于256,192和128比特密钥的MARS算法,能量攻击的复杂度平均分别为2²⁸⁸,2¹⁶⁸ 和 2116.对于256,192和128比特密钥的Rijndael算法,能量攻击的复杂度平均分别为2¹³¹,2⁹⁹和267.虽然攻击的复杂度实际上无法达到,但是此攻击方法大大降低了MARS 和Rijndae的密钥规模.     

SMS4算法的不可能差分攻击研究

为研究分组加密算法SMS4抵抗不可能差分攻击的能力,使用了14轮不可能差分路径,给出了相关攻击结果。基于1条14轮不可能差分路径,对16轮和18轮的SMS4算法进行了攻击,改进了关于17轮的SMS4的不可能差分攻击的结果,将数据复杂度降低到O(269.47)。计算结果表明:攻击16轮SMS4算法所需的数据复杂度为O(2¹⁰³),时间复杂度为O(2⁹²);攻击18轮的SMS4算法所需的数据复杂度为O(2¹⁰⁴),时间复杂度为O(2123.84)。     

Differential fault analysis on Camellia

Camellia is a 128-bit block cipher published by NTT and Mitsubishi in 2000. On the basis of the byte-oriented model and the differential analysis principle, we propose a differential fault attack on the Camellia algorithm. Mathematical analysis and simulating experiments show that our attack can recover its 128-bit, 192-bit or 256-bit secret key by introducing 30 faulty ciphertexts. Thus our result in this study describes that Camellia is vulnerable to differential fault analysis. This work provides a new reference to the fault analysis of other block ciphers.     

Regular 2 w -ary right-to-left exponentiation algorithm with very efficient DPA and FA countermeasures

With the growing demand of efficient cryptosystems, their secure implementations against various side-channel attacks and the fault attack are also requested from the practice. Several countermeasures are proposed so far, and this paper proposes a new regular 2 ^w -ary right-to-left exponentiation algorithm, which can be equipped with very efficient DPA (differential power attack) and FA (fault attack) countermeasures. Since its regular behavior clearly prevents the simple power analysis attack, the new algorithm gives a strong resistance to all the well-known major implementation attacks. This paper also gives a variant of the new algorithm for securely implementing the RSA cryptosystem with CRT (Chinese Remainder Theorem).     

Improved differential fault analysis on PRESENT-80/128

PRESENT is a hardware-optimized 64-bit lightweight block cipher which supports 80- and 128-bit secret keys. In this paper, we propose a differential fault analysis (DFA) on PRESENT-80/128. The proposed attack is based on a 2-byte random fault model. In detail, by inducing several 2-byte random faults in input registers after 28 rounds, our attack recovers the secret key of the target algorithm. From simulation results, our attacks on PRESENT-80/128 can recover the secret key by inducing only two and three 2-byte random faults, respectively. These are superior to known DFA results on them.     

对流密码LILI-128的差分故障攻击

对LILI-128算法对差分故障攻击的安全性进行了研究。攻击采用面向比特的故障模型, 并结合差分分析和代数分析技术, 在 LILI-128 算法LFSRd中注入随机的单比特故障, 得到关于LILI-128算法内部状态的代数方程组, 并使用Crypto MiniSAT解析器求解恢复128位初始密钥。实验结果表明, 280个单比特故障注入就可以在1 min内完全恢复LILI-128全部128位密钥。因此, LILI-128密码实现安全性易遭差分故障攻击威胁, 需要对加密设备进行故障攻击防御, 以提高LILI-128密码实现安全性。     

Differential Attack on Five Rounds of the SC2000 Block Cipher<Superscript>*</Superscript>

The SC2000 block cipher has a 128-bit block size and a user key of 128,192 or 256 bits,which employs a total of 6.5 rounds if a 128-bit user key is used.It is a CRYPTREC recommended e-government cipher in Japan.In this paper we address how to recover the user key from a few subkey bits of SC2000,and describe two 4.75-round differential characteristics with probability 2-126 of SC2000 and seventy-six 4.75-round differential characteristics with probability 2-127.Finally,we present a differential cryptanalysis attack on a 5-round reduced version of SC2000 when used with a 128-bit key;the attack requires 2-125.68 chosen plaintexts and has a time complexity of 2 125.75 5-round SC2000 encryptions.The attack does not threat the security of the full SC2000 cipher,but it suggests for the first time that the safety margin of SC2000 with a 128-bit key decreases below one and a half rounds.     

Differential fault analysis on the ARIA algorithm

The ARIA algorithm is a Korean Standard block cipher, which is optimized for lightweight environments. On the basis of the byte-oriented model and the differential analysis principle, we propose a differential fault attack on the ARIA algorithm. Mathematical analysis and simulating experiment show that our attack can recover its 128-bit secret key by introducing 45 faulty ciphertexts. Simultaneously, we also present a fault detection technique for protecting ARIA against this proposed analysis. We believe that our results in this study will also be beneficial to the analysis and protection of the same type of other iterated block ciphers.     

On the security of the block cipher GOST suitable for the protection in U-business services

The paper revisits the security of the block cipher GOST, which is suitable for the protection in U-business services due to its simple design. Inspired from the reflection-meet-in-the-middle attack on GOST, we firstly find a large portion of weak keys on the full GOST: GOST has 2¹²⁸ weak keys in which key recovery attack is mounted with a data complexity of 2³² known plaintexts and a time complexity of 2^125.5. Secondly, we present a differential fault attack on the full GOST, which required 64 fault injections to recover the entire key. This is the first known side-channel attack on GOST.     

Evaluate the security margins of SHA-512, SHA-256 and DHA-256 against the boomerang attack评估飞去来器方法对 SHA-512, SHA-256 和 DHA-256 三种哈希函数的攻击效率

For an n-bit random permutation, there are three types of boomerang distinguishers, denoted as Type I, II and III, with generic complexities 2ⁿ, 2^n/3 and 2^n/2 respectively. In this paper, we try to evaluate the security margins of three hash functions namely SHA-512, SHA-256 and DHA-256 against the boomerang attack. Firstly, we give a boomerang attack on 48-step SHA-512 with a practical complexity of 2⁵¹. The correctness of this attack is verified by providing a Type III boomerang quartet. Then, we extend the existing differential characteristics of the three hash functions to more rounds. We deduce the sufficient conditions and give thorough evaluations to the security margins as follows: Type I boomerang method can attack 54-step SHA-512, 51-step SHA-256 and 46-step DHA-256 with complexities 2⁴⁸⁰, 2²¹⁸ and 2²³⁶ respectively. Type II boomerang method can attack 51-step SHA-512, 49-step SHA-256 and 43-step DHA-256 with complexities 2^158.50, 2^72.91 and 2^74.50 respectively. Type III boomerang method can attack 52-step SHA-512, 50-step SHA-256 and 44-step DHA-256 with complexities 2^223.80, 2^123.63 and 2^99.85 respectively.