Similar literature
18 similar documents found.
1.
The HC family of ciphers are fast synchronous stream ciphers designed for software implementation by the Singapore-based researcher Hongjun Wu. Their design borrows the table-driven idea of RC4 and introduces word-oriented nonlinear functions to update the internal state of the algorithm. The HC family comprises three algorithms: HC-256, HC-256' and HC-128.

2.
罗伟, 郭建胜, 《电子学报》(Acta Electronica Sinica) 2013, 41(8):1569-1573
This paper studies the security of the Cobra-H64/128 block ciphers under related-key differential attacks. For Cobra-H64, Attack 1 uses a newly constructed related-key differential path and the information-leakage pattern of the inverse CP transform to recover the entire 128-bit key, with a computational complexity of 2^40.5 Cobra-H64 encryptions, a data complexity of 2^40.5 chosen plaintexts, a storage complexity of 2^22 bits and a success probability of about 1. For Cobra-H128, Attack 2 uses a newly constructed related-key differential path to recover the entire 256-bit key, with a computational complexity of 2^76 Cobra-H128 encryptions, a data complexity of 2^76 chosen plaintexts and a storage complexity of 2^16.2 bits. The results show that Cobra-H64/128 are insecure under related-key differential attacks.

3.
This paper studies the differential properties of the lightweight cipher ACE. First, the n-dimensional ring AND-gate combination is defined; by fully analysing the relations among the AND gates in this structure, an exact MILP differential characterisation is given using only O(n) expressions. The nonlinear operation of ACE is converted into a 32-dimensional ring AND-gate combination, which yields a MILP differential model of ACE. Second, based on the solving characteristics of the MILP solver Gurobi, a method for quickly solving the MILP differential model of ACE is given. Optimal differential trails are obtained for 3- to 6-step ACE permutations, and the multiple-differential technique yields differentials of higher probability, leading to a differential forgery attack on the authenticated encryption scheme ACE-AE-128 (which uses a 3-step ACE permutation) and a differential collision attack on the hash function ACE-H-256, each with success probability 2^-90.52; it is also proved that the 4-step ACE permutation reaches the 128-bit differential security bound. The MILP differential characterisation of the n-dimensional ring AND-gate combination has wider applications and can be used in the analysis of ciphers such as SIMON and Simeck.

4.
HC-128 is a simplified version of HC-256 and one of the seven stream ciphers selected in the final portfolio of the European eSTREAM project. HC-128 consists of an initialisation algorithm and a keystream generation algorithm; it is a table-driven design suited to software implementation. Owing to its high security, no effective analysis method has been published so far. HC-128 builds its keystream from transformations and selections of its internal state tables, so the security of these tables directly determines the security of the cipher. This paper studies the internal state tables of HC-128 and gives an algorithm that derives the key and initialisation vector backwards from the internal state tables P and Q (two tables of 512 words each, 1024 words in total).

5.
Kiasu-BC is the tweakable block cipher inside Kiasu, a first-round candidate of the CAESAR authenticated encryption competition, and is built on the AES-128 round function. By studying the structural features of Kiasu-BC and exploiting the freedom of the tweak together with the constraints among internal keys, the complexity of the precomputation is reduced. Combined with the differential enumeration technique, a new 5-round meet-in-the-middle distinguisher is constructed and the 8-round meet-in-the-middle attack on Kiasu-BC is improved. The improved attack has a time complexity of 2^114, a memory complexity of 2^63 and a data complexity of 2^108.

6.
The authenticated encryption algorithm MORUS is a winner of the CAESAR competition, and resistance to differential analysis is one of the important measures of an authenticated encryption algorithm's security. This paper studies the differential properties of the MORUS initialisation phase. First, a differential derivation rule is given that quickly produces a differential trail of relatively high probability. On this basis, the mixed integer linear programming (MILP) automatic search technique is used to find better differential trails. To speed up the search, a divide-and-conquer strategy based on the structural features of the MORUS initialisation phase is given: the MILP model is partitioned into several sub-models according to the weight and value of ΔIV, and the equivalence of some sub-models is proved, which greatly reduces the solving time and yields optimal differential trails for 1 to 6 steps of state update in the MORUS initialisation phase. Finally, a differential distinguishing attack on reduced MORUS is given; the results improve considerably on previous work.

7.
贾平, 徐洪, 来学嘉, 《电子学报》(Acta Electronica Sinica) 2017, 45(4):966-973
LBlock-s is the core algorithm of LAC, a candidate authenticated encryption algorithm in the CAESAR competition. Its structure is essentially the same as LBlock, except that the key schedule uses an enhanced design with better diffusion. Exploiting the iterative relations among subkeys that still exist in the new key schedule, and choosing suitable 14-round impossible differential characteristics, we give an impossible differential attack on 21-round LBlock-s. The attack needs to guess 72 subkey bits, requires 2^63 chosen plaintexts and has a time complexity of about 2^67.61 21-round encryptions. Using the partial-matching technique, we also give impossible differential results on up to 23-round LBlock-s that remain below the cost of exhaustive key search. These results provide a reference for the overall analysis of LAC.

8.
This paper introduces the SHA-256 algorithm and proposes an image authentication method that uses SHA-256 to authenticate a digital image locally. To ensure confidentiality, the original image is encrypted by pixel scrambling. After decrypting the image, the receiver extracts the sensitive region of the image to be authenticated, computes a digest of the sensitive-region data with SHA-256, and compares it with the received digest to determine whether the image has been tampered with.

9.
SERPENT and SAFER are two AES candidates. This paper analyses them in depth using power attacks. The results show that, for SERPENT with 256-, 192- and 128-bit keys, a power attack requires on average 2^159, 2^119 and 2^79 trials respectively. Although these numbers of trials are not practically achievable, the attack greatly reduces the effective key size of SERPENT, and SERPENT is found to have many keys that are weak against power attacks. In-depth analysis and exhaustive search show that a power attack can recover the seed key of SAFER. The paper also gives two improved SERPENT key schedules that resist power attacks, and the issues to note when designing key schedules.

10.
HDCP, currently the only available link protection algorithm for the HDMI interface, has security flaws in its system architecture and authentication protocol. To address these flaws and practical application needs, a new link protection system is designed: the authentication part uses a certificate system combined with RSA, and the seed of the encryption module is extended to 128 bits, greatly improving the security of the interface.

11.
We describe a state recovery attack on the X-FCSR family of stream ciphers. In this attack we analyse each block of output keystream and try to solve for the state. The solver will succeed when a number of state conditions are satisfied. For X-FCSR-256, our best attack has a computational complexity of only 2^4.7 table lookups per block of keystream, with an expected 2^44.3 such blocks before the attack is successful. The precomputational storage requirement is 2^33. For X-FCSR-128, the computational complexity of our best attack is 2^16.3 table lookups per block of keystream, where we expect 2^55.2 output blocks before the attack comes through. The precomputational storage requirement for X-FCSR-128 is 2^67.

12.
This paper introduces new techniques and correct complexity analyses for impossible differential cryptanalysis, a powerful block cipher attack. We show how the key schedule of a cipher impacts an impossible differential attack, and we provide a new formula for the time complexity analysis that takes this parameter into account. Further, we show, for the first time, that the technique of multiple differentials can be applied to impossible differential attacks. Then, we demonstrate how this technique can be combined in practice with multiple impossible differentials or with the so-called state-test technique. To support our proposal, we implemented the above techniques on small-scale ciphers and verified their efficiency and accuracy in practice. We apply our techniques to the cryptanalysis of ciphers including AES-128, CRYPTON-128, ARIA-128, CLEFIA-128, Camellia-256 and LBlock. All of our attacks significantly improve previous impossible differential attacks and generally achieve the best memory complexity among all previous attacks against these ciphers.

13.
It is known that there exist two solutions for the He-Ne laser phase locked by synchronous internal phase modulation. One corresponds to a phase difference between adjacent modes of even integers of π (even state) and the other to odd integers of π (odd state). Although their frequency power spectra in general look similar, they appear in the time response as two different sets of pulse trains 180° out of phase with respect to each other. Of the two, for a given set of conditions, it has not yet been possible to predict which state will oscillate. In our observations we find that, if the modulation frequency is fixed slightly higher than the average axial-mode spacing near the line center, the two states can be controlled by varying the amplitude of the modulation signal, resulting in a switching action between the two states. Furthermore, we find that in a narrow region of "detuning" and in a small range of modulation amplitudes, both states oscillate simultaneously. The above results were analyzed by considering the asymmetry in the frequency characteristics of the gain medium due to the presence of the isotope Ne^22 in the He-Ne mixture. Based on this fact and the concept of "supermode" competition, we give a physical explanation for the observed behaviors. This is supported by the absence of amplitude-dependent switching in a He-Ne tube containing only the pure isotope Ne^20. We observe also in a He-Ne tube containing 75% Ne^20 and 25% Ne^22 the dominance of one state over the other; this result is consistent with the qualitative theory given.

14.
Square attack on the CLEFIA cipher   Cited by: 3 (self-citations: 1, others: 2)
Based on the structural properties of the CLEFIA cipher, this paper obtains a new 8-round distinguisher for the Square attack and points out the flaw in the 8-round distinguisher proposed by the designers. Using the new 8-round distinguisher, Square attacks on 10 to 12 rounds of CLEFIA are mounted with the following results: the attack on 10-round CLEFIA-128/192/256 has data complexity 2^97 and time complexity 2^92.7; the attack on 11-round CLEFIA-192/256 has data complexity 2^98 and time complexity 2^157.6; the attack on 12-round CLEFIA-256 has data complexity 2^98.6 and time complexity 2^222. The results show that, for 10-round CLEFIA, the new Square attack is better than the designers' Square attack in both data and time complexity.

15.
The Keccak hash function is the winner of NIST's SHA-3 competition, and so far it showed remarkable resistance against practical collision finding attacks: After several years of cryptanalysis and a lot of effort, the largest number of Keccak rounds for which actual collisions were found was only 2. In this paper, we develop improved collision finding techniques which enable us to double this number. More precisely, we can now find within a few minutes on a single PC actual collisions in the standard Keccak-224 and Keccak-256, where the only modification is to reduce their number of rounds to 4. When we apply our techniques to 5-round Keccak, we can get in a few days near collisions, where the Hamming distance is 5 in the case of Keccak-224 and 10 in the case of Keccak-256. Our new attack combines differential and algebraic techniques, and uses the fact that each round of Keccak is only a quadratic mapping in order to efficiently find pairs of messages which follow a high probability differential characteristic. Since full Keccak has 24 rounds, our attack does not threaten the security of the hash function.

16.
A new symmetric block cipher: SEA   Cited by: 2 (self-citations: 0, others: 2)
赵星阳, 《信息技术》(Information Technology) 2004, 28(7):22-23, 48
This paper describes a new symmetric block cipher, SEA (Smart Encryption Algorithm). By alternately applying two mutually incompatible group operations and a function that is simple to construct but has high nonlinearity during encryption, the cipher achieves the necessary confusion and diffusion and exhibits good plaintext and key avalanche effects. The plaintext and ciphertext block length is 128 bits, and three key lengths are available: 128, 192 and 256 bits. In terms of performance, the algorithm has a rigorous logical structure and a simple construction, and is secure and easy to implement.

17.
On the Markov property of the AES S-box   Cited by: 2 (self-citations: 0, others: 2)
This paper studies iterated application of the AES S-box and finds that its successive state transitions form a Markov chain whose 256 states can be partitioned into 5 closed sets of recurrent states, with periods of 59, 87, 81, 27 and 2 respectively.

18.
The stream cipher HC-256' is an improved version of HC-256, a candidate of the eSTREAM project, and no security analysis of HC-256' has been published so far. This paper proposes a linear distinguishing attack on HC-256': different nonlinear functions are substituted for the internal state update function to locate weaknesses in the keystream at even positions, and a distinguisher is built by linearly approximating the internal state of HC-256'. The analysis shows that about 2^281 bits of keystream suffice to distinguish it with a distinguishing advantage of 0.9545. The attack also makes a useful contribution towards the open problem posed by Sekar et al. at IWSEC 2009.
