基于深度学习的LBlock安全性分析及其应用

杨小东; 李锴彬; 杜小妮; 梁丽芳; 贾美纯

doi:10.11999/JEIT221003

基于深度学习的LBlock安全性分析及其应用

doi: 10.11999/JEIT221003

杨小东^{1, 2, 4},
李锴彬^{1, 4},
杜小妮^{2, 3, 4, ,},
梁丽芳^{3, 4},
贾美纯^{3, 4}

1.
西北师范大学计算机科学与工程学院兰州 730070
2.
桂林电子科技大学广西密码学与信息安全重点实验室桂林 541004
3.
西北师范大学数学与统计学院兰州 730070
4.
西北师范大学密码技术与数据分析重点实验室兰州 730070

基金项目: 国家自然科学基金(62172337)，广西密码学与信息安全重点实验室研究课题(GCI201910)

详细信息

作者简介:
杨小东：男，博士/博士后，教授，研究方向为应用密码学与信息安全

李锴彬：男，硕士生，研究方向为分组密码

杜小妮：女，博士/博士后，教授，研究方向为应用密码学

梁丽芳：女，硕士生，研究方向为应用密码学

贾美纯：女，硕士生，研究方向为应用密码学

通讯作者:
杜小妮　ymldxn@126.com

中图分类号: TN915.08; TP309.7
计量
- 文章访问数: 1112
- HTML全文浏览量: 430
- PDF下载量: 199
- 被引次数: 2
出版历程
- 收稿日期: 2022-07-28
- 修回日期: 2022-09-02
- 网络出版日期: 2022-09-06
- 刊出日期: 2023-10-31

Security Analysis of LBlock and Its Application Based on Deep Learning

YANG Xiaodong^{1, 2, 4},
LI Kaibin^{1, 4},
DU Xiaoni^{2, 3, 4
, ,},
LIANG Lifang^{3, 4},
JIA Meichun^{3, 4}

1.
College of Computer Science and Engineering, Northwest Normal University, Lanzhou 730070, China
2.
Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin 541004, China
3.
College of Mathematics and Statistic, Northwest Normal University, Lanzhou 730070, China
4.
Key Laboratory of Cryptography and Data Analytics, Northwest Normal University, Lanzhou 730070, China

Funds: The National Natural Science Foundation of China (62172337), Guangxi Key Laboratory of Cryptography and Information Security (GCI201910)

摘要

摘要: 目前通过深度学习对轻量级分组密码进行安全性分析正成为一个全新的研究热点。Gohr在2019年的美密会上首次将深度学习应用于分组密码安全性分析(doi: 10.1007/978-3-030-26951-7_6)，利用卷积神经网络学习固定输入差分的密文差分分布特征，从而构造出高精度的神经网络区分器。LBlock算法是一种具有优良软硬件实现效率的轻量级分组密码算法，自算法发表以来受到了研究者的广泛关注。该文基于残差网络，构造了减轮LBlock差分神经网络区分器，所得7轮和8轮区分器模型的精度分别是0.999和0.946。进一步利用构造的9轮区分器，提出了针对11轮LBlock的密钥恢复攻击方案。实验结果表明，当密码算法迭代轮数较少时，该方案进行攻击时无需单独考虑S盒，相比于传统攻击方案具有方案流程简单和易于实现等特点，并且在数据复杂度和时间复杂度方面具有较大的优越性。
- LBlock /
- 差分区分器 /
- 深度学习 /
- 密钥恢复攻击
Abstract: Currently, the security analysis of lightweight block ciphers by using deep learning is becoming a new research hotspot. At the Crypto2019, Gohr first applied deep learning to the security analysis of block ciphers, the high-accuracy neural distinguisher is constructed, which used convolutional neural networks to learn the ciphertext distribution of the given input differentials. LBlock is a lightweight block cipher with excellent software and hardware implementation efficiency, which attracted extensive attention from scholars since its publication. In this paper, with the application of the residual network, a round-reduced neural differential distinguisher of LBlock is constructed, in which the accuracy of the 7-round and 8-round distinguishers reach 0.999 and 0.946, respectively. Moreover, based on the 9-round neural distinguisher, a key recovery attack scheme against 11-round LBlock is proposed. Experiment results show that under the case of the number of iteration rounds of the algorithm is small, the scheme need not consider the S-box separately. Compared with the traditional attack schemes, the new scheme is not only simpler and easy to be implemented, but also possess great advantages on data complexity and time complexity.
- LBlock /
- Differential distinguisher /
- Deep learning /
- Key recovery attack

HTML全文

图 1 LBlock分组密码算法

下载: 全尺寸图片幻灯片

图 2 残差网络区分器模型

下载: 全尺寸图片幻灯片

${\varDelta _x} = 0x0/0x4$ 的7轮LBlock神经网络区分器的性能度量

下载: 全尺寸图片幻灯片

${\varDelta _x} = 0x0/0x2$ 的8轮LBlock神经网络区分器的性能度量

下载: 全尺寸图片幻灯片

${\Delta _x} = 0x0/0x1$ 的9轮LBlock神经网络区分器的性能度量

下载: 全尺寸图片幻灯片

图 6 LBlock11轮密钥恢复攻击错误密钥均值分布

下载: 全尺寸图片幻灯片

表 1 LBlock的11轮密钥恢复攻击复杂度对比

方案来源	数据复杂度	时间复杂度
文献[14]	2⁴⁹	2⁵²
文献[15]	2⁴⁸	2⁵⁹
本文方案	2^23.41	2^29.03

下载: 导出CSV

算法1 神经网络区分器的构造
输入：样本数量 $n$ ，输入差分 ${\varDelta _x}$
输出： ${\text{model}}$
(1) 随机生成数量为 $n$ 的 $({P_0},{P_1})$ 和 $K$ ， $({P'_0} ,{P'_1}) = ({P_0},{P_1}) \oplus {\varDelta _x}$
(2) 通过密钥扩展算法生成子密钥 ${K^i}$
(3) 分别对 $({P_0},{P_1}),({P_0}^\prime ,{P_1}^\prime )$ 使用LBlock加密，得到相对应的　密文 $({C_0},{C_1}),({C_0}^\prime ,{C_1}^\prime )$ ，构成训练集和验证集的数据部分
(4) 将 $({C_0},{C_1})$ 的标签 $Y$ 标为0，为负样本； $({C_0}^\prime ,{C_1}^\prime )$ 的标签　 $Y$ 标为1，为正样本
(5) ${\text{Traindata}} \leftarrow (({C_0},{C_1},{C_0}^\prime ,{C_1}^\prime ),Y)$
(6) ${\text{model}} \leftarrow {\text{TrainDistinguisher}}({\text{Traindata}})$
(7) return ${\text{model}}$

下载: 导出CSV

表 2 LBlock 7～9轮区分器模型的性能指标

迭代轮数(r)	训练轮数(epoch)	输入差分 ${\varDelta _x}$	精度(acc) (%)	损失率(loss) (%)	训练时间(s)
7	20	0x0/0x1	99.63	0.37	1 240
		0x0/0x2	99.57	0.44	574
		0x0/0x4	99.96	0.05	1 251
		0x0/0x8	99.91	0.10	1 220
		0x0/0x40	99.91	0.10	1 212
		0x0/0x80	99.93	0.07	1 211
8	30	0x0/0x1	94.34	4.67	1 812
		0x0/0x2	94.58	4.53	1 828
		0x0/0x4	93.57	5.27	1 820
		0x0/0x8	93.58	5.37	1 810
		0x0/0x40	93.94	5.09	1 815
		0x0/0x80	93.54	5.39	1 821
9	50	0x0/0x1	65.53	21.05	2 926
		0x0/0x2	65.43	21.09	3 000
		0x0/0x4	62.53	22.06	3 068
		0x0/0x8	61.68	22.26	1 832
		0x0/0x40	64.79	21.48	2 934
		0x0/0x80	64.61	21.48	3 015

下载: 导出CSV

算法2 密钥恢复攻击
输入：样本数量 $n$ ，输入差分 ${\varDelta _x}$ ， ${\text{model}}$
输出：候选密钥的概率
(1) 随机生成数量为 $n$ 的 $({P_0},{P_1})$ 和 $K$ ， $({P'_0} ,{P'_1} ) = ({P_0},{P_1}) \oplus {\varDelta _x}$
(2) 通过密钥扩展算法生成子密钥 ${K^i}$
(3) $({P'_0} ,{P'_1} )$ 使用LBlock加密，得到相对应的密文 $({C'_0} ,{C'_1} )$
(4) for $i \in \{ 1,{\text{ }}n\}$ do
(5) 对密文对 $({C'_0} ,{C'_1})$ 分别使用LBlock解密一轮，得到 $({x_0},{x_1})$
(6) 将 $({x_0},{x_1})$ 放入 ${\text{model}}$ 中，得到概率 ${\omega ^i}$
(7) end for
(8) 按 ${\omega ^i}$ 的大小降序排列

下载: 导出CSV

参考文献(17)

[1]	BIHAM E and SHAMIR A. Differential cryptanalysis of DES-like cryptosystems[J]. Journal of Cryptology, 1991, 4(1): 3–72. doi: 10.1007/BF00630563
[2]	HOSPODAR G, GIERLICHS B, DE Mulder E, et al. Machine learning in side-channel analysis: A first study[J]. Journal of Cryptographic Engineering, 2011, 1(4): 293–302. doi: 10.1007/s13389-011-0023-x
[3]	DAEMEN J and RIJMEN V. The Rijndael block cipher: AES proposal[C]. The First Candidate Conference (AeS1), Alexandria, USA, 1999: 343–348.
[4]	ALANI M M. Neuro-cryptanalysis of DES and triple-DES[C]. Proceedings of the 19th International Conference on Neural Information Processing, Doha, Qatar, 2012: 637–646.
[5]	HU Xinyi and ZHAO Yaqun. Research on plaintext restoration of AES based on neural network[J]. Security and Communication Networks, 2018, 2018: 6868506. doi: 10.1155/2018/6868506
[6]	GOHR A. Improving attacks on round-reduced speck32/64 using deep learning[C]. The 39th Annual International Cryptology Conference on Advances in Cryptology, Santa Barbara, USA, 2019: 150–179.
[7]	BENAMIRA A, GERAULT D, PEYRIN T, et al. A deeper look at machine learning-based cryptanalysis[C]. The 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology, Zagreb, Croatia, 2021: 805–835.
[8]	SU Hengchuan, ZHU Xuanyong, and MING Duan. Polytopic attack on round-reduced simon32/64 using deep learning[C]. The 16th International Conference on Information Security and Cryptology, Guangzhou, China, 2020: 3–20.
[9]	宿恒川, 朱宣勇, 段明. 基于PU分类的差分区分器及其应用[J]. 密码学报, 2021, 8(2): 330–337. doi: 10.13868/j.cnki.jcr.000441 SU Hengchuan, ZHU Xuanyong, and DUAN Ming. Differential distinguisher based on PU learning and its application[J]. Journal of Cryptologic Research, 2021, 8(2): 330–337. doi: 10.13868/j.cnki.jcr.000441
[10]	HOU Zezhou, REN Jiongjiong, and CHEN Shaozhen. Improve neural distinguisher for cryptanalysis[EB/OL]. https://eprint.iacr.org/2021/1017, 2021.
[11]	CHEN Yi, SHEN Yantian, YU Hongbo, et al. Neural aided statistical attack for cryptanalysis[EB/OL]. https://eprint.iacr.org/2020/1620, 2020.
[12]	BAKSI A. Machine learning-assisted differential distinguishers for lightweight ciphers[M]. BAKSI A. Classical and Physical Security of Symmetric Key Cryptographic Algorithms. Singapore: Springer, 2022: 141–162.
[13]	WU Wenling and ZHANG Lei. LBlock: A lightweight block cipher[C]. The 9th International Conference on Applied Cryptography and Network Security, Nerja, Spain, 2011: 327–344.
[14]	XIE M, LI Jingjing, and ZANG Yuechuan. Related-key impossible differential cryptanalysis of LBlock[J]. Chinese Journal of Electronics, 2017, 26(1): 35–41. doi: 10.1049/cje.2016.06.031
[15]	CAO Wenqin and ZHANG Wentao. Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers[J]. Cybersecurity, 2021, 4(1): 32. doi: 10.1186/s42400-021-00096-4
[16]	HE Kaiming, ZHANG Xiangyu, REN Shaoqing, et al. Deep residual learning for image recognition[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 770–778.
[17]	ZHOU Chunning, ZHANG Wentao, DING Tianyou, et al. Improving the MILP-based security evaluation algorithm against differential/linear cryptanalysis using a divide-and-conquer approach[J]. IACR Transactions on Symmetric Cryptology, 2020, 2019(4): 438–469. doi: 10.13154/tosc.v2019.i4.438-469

施引文献

期刊类型引用(2)

1.	虞飞，余赟，周利辉，彭春光. 一种不依赖超参数的稀疏信号单快拍DOA估计方法. 系统工程与电子技术. 2021(04): 894-900 . 百度学术
2.	王梅，张四平. 基于SOA的改进型Apriori算法. 西安工程大学学报. 2016(04): 487-493 . 百度学术