高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

分组密码算法uBlock积分攻击的改进

王晨 崔佳敏 李木舟 王美琴

王晨, 崔佳敏, 李木舟, 王美琴. 分组密码算法uBlock积分攻击的改进[J]. 电子与信息学报, 2024, 46(5): 2149-2158. doi: 10.11999/JEIT231231
引用本文: 王晨, 崔佳敏, 李木舟, 王美琴. 分组密码算法uBlock积分攻击的改进[J]. 电子与信息学报, 2024, 46(5): 2149-2158. doi: 10.11999/JEIT231231
WANG Chen, CUI Jiamin, LI Muzhou, WANG Meiqin. Improved Integral Cryptanalysis on Block Cipher uBlock[J]. Journal of Electronics & Information Technology, 2024, 46(5): 2149-2158. doi: 10.11999/JEIT231231
Citation: WANG Chen, CUI Jiamin, LI Muzhou, WANG Meiqin. Improved Integral Cryptanalysis on Block Cipher uBlock[J]. Journal of Electronics & Information Technology, 2024, 46(5): 2149-2158. doi: 10.11999/JEIT231231

分组密码算法uBlock积分攻击的改进

doi: 10.11999/JEIT231231
基金项目: 国家重点研发计划(2018YFA0704702),国家自然科学基金(62032014),山东省自然科学基金重大基础研究项目(ZR202010220025),青岛创新项目(QDBSH20230101008)
详细信息
    作者简介:

    王晨:女,博士生,研究方向为分组密码算法的安全性分析

    崔佳敏:女,博士生,研究方向为对称密码算法的安全性分析

    李木舟:男,博士,研究方向为对称密码算法的分析与设计

    王美琴:女,教授,研究方向为对称密码算法的分析与设计

    通讯作者:

    李木舟 muzhouli@mail.sdu.edu.cn

  • 中图分类号: TN918.4; TP309.7

Improved Integral Cryptanalysis on Block Cipher uBlock

Funds: The National Key Research and Development Program of China (2018YFA0704702), The National Natural Science Foundation of China (62032014), The Major Basic Research Project of Natural Science Foundation of Shandong Province, China (ZR202010220025), Qingdao Innovation Project (QDBSH20230101008)
  • 摘要: 积分攻击是由Daemen等人(doi: 10.1007/BFb0052343)于1997年提出的一种密码分析方法,是继差分分析和线性分析之后最有效的密码分析方法之一。作为2018年全国密码算法设计竞赛分组算法的获胜算法,uBlock抵抗积分攻击的能力受到较多的关注。为了重新评估uBlock家族密码算法抵抗积分攻击的安全性,该文利用单项式传播技术,结合混合整数线性规划(MILP)工具搜索积分区分器,并利用部分和技术进行密钥恢复攻击。对于uBlock-128/128和uBlock-128/256,基于搜索到的9轮积分区分器分别进行了首个11轮和12轮攻击,数据复杂度为$ {2}^{127} $选择明文,时间复杂度分别为$ {2}^{127.06} $和$ {2}^{224} $次加密,存储复杂度分别为$ {2}^{44.58} $和 $ {2}^{138} $字节;对于uBlock-256/256,基于搜索到的10轮积分区分器进行了首个12轮攻击,数据复杂度为$ {2}^{253} $选择明文,时间复杂度为$ {2}^{253.06} $次加密,存储复杂度为$ {2}^{44.46} $字节。与之前uBlock的最优积分攻击结果相比,uBlock-128/128和uBlock-256/256的攻击轮数分别提高2轮,uBlock-128/256的攻击轮数提高3轮。本文的攻击说明,uBlock针对积分攻击依然有足够的安全冗余。
  • 图  1  uBlock轮函数

    图  2  uBlock-128/128算法11轮密钥恢复

    表  1  uBlock积分分析结果比较

    算法版本攻击轮数积分区分器数据复杂度时间复杂度存储复杂度参考文献
    uBlock-128/1289$ \left({\mathcal{C}}^{4},{\mathcal{A}}^{124}\right)\stackrel{8\mathrm{R}}{\to }{\left({\mathcal{B}}^{1},{\mathcal{U}}^{2},{\mathcal{B}}^{1}\right)}^{32} $$ {2}^{124} $$ {2}^{125.47} $$ {2}^{6.25} $[24]
    10$ \left({\mathcal{C}}^{4},{\mathcal{A}}^{124}\right)\stackrel{8\mathrm{R}}{\to }{\left({\mathcal{B}}^{1},{\mathcal{U}}^{1},{\mathcal{B}}^{2}\right)}^{32} $$ {2}^{124} $$ {2}^{124.07} $$ {2}^{44.32} $本文
    11$ \left({\mathcal{A}}^{1},{\mathcal{C}}^{1},{\mathcal{A}}^{126}\right)\stackrel{9\mathrm{R}}{\to }{\left({\mathcal{U}}^{3},{\mathcal{B}}^{1}\right)}^{32} $$ {2}^{127} $$ {2}^{127.06} $$ {2}^{44.58} $本文
    uBlock-128/2569$ \left({\mathcal{C}}^{4},{\mathcal{A}}^{124}\right)\stackrel{8\mathrm{R}}{\to }{\left({\mathcal{B}}^{1},{\mathcal{U}}^{2},{\mathcal{B}}^{1}\right)}^{32} $$ {2}^{124} $$ {2}^{125.47} $$ {2}^{6.25} $[24]
    11$ \left({\mathcal{C}}^{4},{\mathcal{A}}^{124}\right)\stackrel{8\mathrm{R}}{\to }{\left({\mathcal{B}}^{1},{\mathcal{U}}^{1},{\mathcal{B}}^{2}\right)}^{32} $$ {2}^{124} $$ {2}^{179.19} $$ {2}^{137.81} $本文
    11$ \left({\mathcal{A}}^{1},{\mathcal{C}}^{1},{\mathcal{A}}^{126}\right)\stackrel{9\mathrm{R}}{\to }{\left({\mathcal{U}}^{3},{\mathcal{B}}^{1}\right)}^{32} $$ {2}^{127} $$ {2}^{224} $$ {2}^{46} $本文
    12$ \left({\mathcal{A}}^{1},{\mathcal{C}}^{1},{\mathcal{A}}^{126}\right)\stackrel{9\mathrm{R}}{\to }{\left({\mathcal{U}}^{3},{\mathcal{B}}^{1}\right)}^{32} $$ {2}^{127} $$ {2}^{224} $$ {2}^{138} $本文
    uBlock-256/25610$ \left({\mathrm{C}}^{8},{\mathcal{A}}^{248}\right)\stackrel{9\mathrm{R}}{\to }{\left({\mathcal{B}}^{1},{\mathcal{U}}^{2},{\mathcal{B}}^{1}\right)}^{64} $$ {2}^{248} $$ {2}^{249.38} $$ {2}^{7.25} $[24]
    11$ \left({\mathcal{C}}^{8},{\mathcal{A}}^{248}\right)\stackrel{9\mathrm{R}}{\to }{\left({\mathcal{B}}^{1},{\mathcal{U}}^{2},{\mathcal{B}}^{1}\right)}^{64} $$ {2}^{248} $$ {2}^{248.06} $$ {2}^{44.32} $本文
    12$ \left({\mathcal{C}}^{3},{\mathcal{A}}^{253}\right)\stackrel{10\mathrm{R}}{\to }{\left({\mathcal{U}}^{3},{\mathcal{B}}^{1}\right)}^{64} $$ {2}^{253} $$ {2}^{253.06} $$ {2}^{44.46} $本文
    下载: 导出CSV

    表  2  4-bit S盒(S)

    x0x00x10x20x30x40x50x60x70x80x90xa0xb0xc0xd0xe0xf
    S(x)0x70x40x90xc0xb0xa0xd0x80xf0xe0x10x60x00x30x20x5
    下载: 导出CSV

    表  3  $ \mathrm{P}{\mathrm{L}}_{{n}} $和$ \mathrm{P}{\mathrm{R}}_{{n}} $

    类型置换后
    $ \mathrm{P}{\mathrm{L}}_{128} ${1, 3, 4, 6, 0, 2, 7, 5}
    $ \mathrm{P}{\mathrm{R}}_{128} ${2, 7, 5, 0, 1, 6, 4, 3}
    $ \mathrm{P}{\mathrm{L}}_{256} ${2, 7, 8, 13, 3, 6, 9, 12, 1, 4, 15, 10, 14, 11, 5, 0}
    $ \mathrm{P}{\mathrm{R}}_{256} ${6, 11, 1, 12, 9, 4, 2, 15, 7, 0, 13, 10, 14, 3, 8, 5}
    下载: 导出CSV
  • [1] BIHAM E and SHAMIR A. Differential cryptanalysis of DES-like cryptosystems[C]. Conference on the Theory and Application of Cryptography. Santa Barbara, USA, 1990: 2–21. doi: 10.1007/3-540-38424-3_1.
    [2] BIHAM E and SHAMIR A. Differential cryptanalysis of DES-like cryptosystems[J]. Journal of Cryptology, 1991, 4(1): 3–72. doi: 10.1007/BF00630563.
    [3] MATSUI M. Linear cryptanalysis method for DES cipher[C]. Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, 1993, 765: 386–397. doi: 10.1007/3-540-48285-7_33.
    [4] DAEMEN J, KNUDSEN L, and RIJMEN V. The block cipher square[C]. The 4th International Workshop on Fast Software Encryption, Haifa, Israel, 1997: 149–165. doi: 10.1007/BFb0052343.
    [5] KNUDSEN L and WAGNER D. Integral cryptanalysis[C]. The 9th International Workshop on Fast Software Encryption, Leuven, Belgium, 2002: 112–127. doi: 10.1007/3-540-45661-9_9.
    [6] TODO Y. Structural evaluation by generalized integral property[C]. The 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, 2015: 287–314. doi: 10.1007/978-3-662-46800-5_12.
    [7] TODO Y. Integral cryptanalysis on full MISTY1[C]. The 35th Annual Cryptology Conference, Santa Barbara, USA, 2015: 413–432. doi: 10.1007/978-3-662-47989-6_20.
    [8] TODO Y. Integral cryptanalysis on full MISTY1[J]. Journal of Cryptology, 2017, 30(3): 920–959. doi: 10.1007/s00145-016-9240-x.
    [9] TODO Y and MORII M. Bit-based division property and application to SIMON family[C]. The 23rd International Conference on Fast Software Encryption, Bochum, Germany, 2016: 357–377. doi: 10.1007/978-3-662-52993-5_18.
    [10] XIANG Zejun, ZHANG Wentao, BAO Zhenzhen, et al. Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers[C]. The 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, 2016: 648–678. doi: 10.1007/978-3-662-53887-6_24.
    [11] DERBEZ P and LAMBIN B. Fast MILP models for division property[J]. IACR Transactions on Symmetric Cryptology, 2022, 2022(2): 289–321. doi: 10.46586/tosc.v2022.i2.289-321.
    [12] ROHIT R and SARKAR S. Cryptanalysis of reduced round SPEEDY[C]. 13th International Conference on Cryptology in Africa, Fes, Morocco, 2022: 133–149. doi: 10.1007/978-3-031-17433-9_6.
    [13] SHIBA R, SAKAMOTO K, LIU Fukang, et al. Integral and impossible-differential attacks on the reduced-round Lesamnta-LW-BC[J]. IET Information Security, 2022, 16(2): 75–85. doi: 10.1049/ise2.12044.
    [14] SHIRAYA T, TAKEUCHI N, SAKAMOTO K, et al. MILP-based security evaluation for AEGIS/Tiaoxin-346/Rocca[J]. IET Information Security, 2023, 17(3): 458–467. doi: 10.1049/ise2.12109.
    [15] WANG Senpeng, HU Bin, GUAN Jie, et al. MILP-aided method of searching division property using three subsets and applications[C]. The 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, 2019: 398–427. doi: 10.1007/978-3-030-34618-8_14.
    [16] HAO Yonglin, LEANDER G, MEIER W, et al. Modeling for three-subset division property without unknown subset[C]. The 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, 2020: 466–495. doi: 10.1007/978-3-030-45721-1_17.
    [17] HAO Yonglin, LEANDER G, MEIER W, et al. Modeling for three-subset division property without unknown subset[J]. Journal of Cryptology, 2021, 34(3): 22. doi: 10.1007/s00145-021-09383-2.
    [18] HU Kai, SUN Siwei, WANG Meiqin, et al. An algebraic formulation of the division property: Revisiting degree evaluations, cube attacks, and key-independent sums[C]. The 26th International Conference on the Theory and Application of Cryptology and Information Security, Daejeon, South Korea, 2020: 446–476. doi: 10.1007/978-3-030-64837-4_15.
    [19] CUI Jiamin, HU Kai, WANG Qingju, et al. Integral attacks on pyjamask-96 and round-reduced pyjamask-128[C]. Cryptographers’ Track at the RSA Conference, Virtual Event, 2022: 223–246. doi: 10.1007/978-3-030-95312-6_10.
    [20] CUI Jiamin, HU Kai, WANG Meiqin, et al. On the field-based division property: Applications to MiMC, feistel MiMC and GMiMC[C]. The 28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, China, 2022: 241–270. doi: 10.1007/978-3-031-22969-5_9.
    [21] 胡斌, 张贵显. $ {\mu }^{2} $算法的积分攻击和不可能差分攻击[J]. 电子与信息学报, 2022, 44(9): 3335–3342. doi: 10.11999/JEIT210638.

    HU Bin and ZHANG Guixian. Integral cryptanalysis and impossible differential cryptanalysis of the $ {\mu }^{2} $ algorithm[J]. Journal of Electronics & Information Technology, 2022, 44(9): 3335–3342. doi: 10.11999/JEIT210638.
    [22] 吴文玲, 张蕾, 等. The Block Cipher uBlock [OL]. https://sfjs.cacrnet.org.cn/site/term/list_76_1.html.

    WU Wenling, ZHANG Lei, ZHENG Yafei, et al. The Block Cipher uBlock [OL]. https://sfjs.cacrnet.org.cn/site/term/list_76_1.html.
    [23] 吴文玲, 张蕾, 郑雅菲, 等. 分组密码uBlock[J]. 密码学报, 2019, 6(6): 690–703. doi: 10.13868/j.cnki.jcr.000334.

    WU Wenling, ZHANG Lei, ZHENG Yafei, et al. The block cipher uBlock[J]. Journal of Cryptologic Research, 2019, 6(6): 690–703. doi: 10.13868/j.cnki.jcr.000334.
    [24] TIAN Wenqiang and HU Bin. Integral cryptanalysis on two block ciphers pyjamask and uBlock[J]. IET Information Security, 2020, 14(5): 572–579. doi: 10.1049/iet-ifs.2019.0624.
    [25] MAO Yongxia, WU Wenling, WANG Bolin, et al. Improved division property for ciphers with complex linear layers[C]. The 27th Australasian Conference on Information Security and Privacy, Wollongong, Australia, 2022: 106–124. doi: 10.1007/978-3-031-22301-3_6.
    [26] 黄明, 张莎莎, 洪春雷, 等. 分组密码复杂线性层可分性传播的MILP刻画方法[J]. 软件学报, 2023: 1–13. doi: 10.13328/j.cnki.jos.006839.

    HUANG Ming, ZHANG Shasha, HONG Chunlei, et al. MILP modeling of division property propagation for block ciphers with complex linear layers[J]. Journal of Software, 2023: 1–13. doi: 10.13328/j.cnki.jos.006839.
    [27] https://www.sagemath.org.
    [28] SUN Siwei, HU Lei, WANG Peng, et al. Automatic security evaluation and (Related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers[C]. The 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, China, 2014: 158–178. doi: 10.1007/978-3-662-45611-8_9.
    [29] SUN Ling, WANG Wei, and WANG Meiqin. MILP-aided bit-based division property for primitives with non-bit-permutation linear layers[J]. IET Information Security, 2020, 14(1): 12–20. doi: 10.1049/iet-ifs.2018.5283.
    [30] FERGUSON N, KELSEY J, LUCKS S, et al. Improved cryptanalysis of rijndael[C]. The 7th International Workshop on Fast Software Encryption, New York, USA, 2000: 213–230. doi: 10.1007/3-540-44706-7_15.
  • 加载中
图(2) / 表(3)
计量
  • 文章访问数:  294
  • HTML全文浏览量:  160
  • PDF下载量:  65
  • 被引次数: 0
出版历程
  • 收稿日期:  2023-11-07
  • 修回日期:  2024-01-29
  • 网络出版日期:  2024-03-09
  • 刊出日期:  2024-05-30

目录

    /

    返回文章
    返回