通信学报 (Journal on Communications) ›› 2020, Vol. 41 ›› Issue (8): 11-21. doi: 10.11959/j.issn.1000-436x.2020164

• Academic Paper •

State recovery attack on ACORN v3 based on nonce reuse

Guoshuang Zhang1,2, Xiao Chen1,2, Dongdai Lin1,2, Fengmei Liu3

  1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
    2 School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
    3 Science and Technology on Information Assurance Laboratory, Beijing 100072, China
  • Revised: 2020-07-05 Online: 2020-08-25 Published: 2020-09-05
  • About the authors: Guoshuang Zhang (1982- ), male, born in Lincheng, Hebei; Ph.D. candidate at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: cryptographic theory, design and analysis of authenticated encryption algorithms. | Xiao Chen (1968- ), female, born in Hangzhou, Zhejiang; Ph.D., research professor and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; main research interest: information security. | Dongdai Lin (1964- ), male, born in Liaocheng, Shandong; Ph.D., research professor and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; main research interests: cryptographic theory, security protocols, cyberspace security. | Fengmei Liu (1973- ), female, born in Dancheng, Henan; Ph.D., research professor at the Science and Technology on Information Assurance Laboratory; main research interests: cryptographic theory and its applications.
  • Supported by:
    The National Natural Science Foundation of China (6187204); "The 13th Five-Year" National Cryptography Development Fund (MMJJ20170201); Beijing Municipal Natural Science Foundation (4202070)

State recovery attack on ACORN v3 in nonce-reuse setting

Guoshuang ZHANG1,2, Xiao CHEN1,2, Dongdai LIN1,2, Fengmei LIU3

  1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
    2 School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
    3 Science and Technology on Information Assurance Laboratory, Beijing 100072, China
  • Revised: 2020-07-05 Online: 2020-08-25 Published: 2020-09-05
  • Supported by:
    The National Natural Science Foundation of China (6187204); "The 13th Five-Year" National Cryptography Development Fund (MMJJ20170201); Beijing Municipal Natural Science Foundation (4202070)

Abstract (translated from the Chinese):

Using the differential-algebraic method together with the guess-and-determine technique, a state recovery attack on ACORN v3 is given for the case in which a nonce is reused twice. The time complexity of the attack is 2^{122.5}c, where c is the complexity of solving a system of linear equations; the data complexity and the memory complexity are negligible. The case of multiple nonce reuse is also analysed. It is found that the relatively complicated filter function of ACORN v3 makes it infeasible to extract linear equations about the internal state directly from the keystream, which effectively rules out the security risk of significantly lowering the attack complexity by increasing the number of nonce reuses.

Key words: authenticated encryption, cryptanalysis, ACORN, state recovery attack

Abstract:

Based on the differential-algebraic method and the guess-and-determine technique, a state recovery attack on ACORN v3 was presented for the case where one key-nonce pair is used to encrypt two messages. The time complexity of the attack was 2^{122.5}c, where c was the time complexity of solving a system of linear equations. The data complexity and the storage complexity were negligible. Furthermore, the analysis of the multiple-nonce-reuse setting found that the relatively complicated filter function of ACORN v3 makes it infeasible to extract linear equations about the internal state directly from keystreams. Thus, the risk of significantly reducing the attack complexity by increasing the number of nonce reuses can be effectively avoided.

Key words: authenticated cipher, cryptanalysis, ACORN, state recovery attack
