卫星电话GMR-2流密码算法碰撞特性分析

doi:10.11959/j.issn.1000-436x.2018026

通信学报 ›› 2018, Vol. 39 ›› Issue (2): 88-95.doi: 10.11959/j.issn.1000-436x.2018026

卫星电话GMR-2流密码算法碰撞特性分析

李瑞林(),胡娇,唐朝京

国防科技大学电子科学学院，湖南长沙410073

修回日期:2017-12-25 出版日期:2018-02-01 发布日期:2018-03-28
作者简介:高博|高博|高博
基金资助:
国家自然科学基金资助项目(61402515);国家自然科学基金资助项目(61702536)

Collision analysis of the GMR-2 cipher used in the satellite phone

Ruilin LI(),Jiao HU,Chaojing TANG

College of Electronic Science,National University of Defense Technology,Changsha 410073,China

Revised:2017-12-25 Online:2018-02-01 Published:2018-03-28
Supported by:
The National Natural Science Foundation of China(61402515);The National Natural Science Foundation of China(61702536)

摘要/Abstract

摘要：

研究了卫星电话GMR-2流密码算法的碰撞特性，以算法的F组件为桥梁，通过分析密钥差分与算法F组件输出碰撞以及F组件输出碰撞与密钥流字节碰撞之间的联系，最终得到密钥差分与密钥流碰撞之间的关系。研究表明，对于相同的帧号，当密钥对只在某一个字节上有差分，且差分的前4 bit与后4 bit相等时，该密钥对将以高概率使密钥流发生碰撞。实验结果显示，密钥流碰撞概率为2^?8.248，远远高于理想碰撞概率2^?120。这再次证明了GMR-2加密算法存在较大的安全隐患。

关键词: 卫星电话, 流密码, GMR-2, 碰撞分析

Abstract:

A collision property analysis of the GMR-2 cipher used in the satellite phone was presented.By using the F-component as a bridge,the link between the difference of the key byte and the collision of the output ofFas well as the link between the collision of the output of F and the collision of keystream byte were analyzed,which finally revealed the relationship between the difference of the original key byte and the keystream collision.The theoretical analysis showed that for a random frame number,a special chosen key pair could lead to a keystream collision with a high probability,when the key pair has only one byte difference in which the most significant 4 bit of the difference was equal to the last significant 4 bit.The experimental result shows that the keystream collision probability is 2^?8.248,which is far higher than the ideal collision probability 2^?120.This proves once again,that there exists serious potential security hazards in the GMR-2 cipher.

Key words: satellite phones, stream cipher, GMR-2, collision analysis

中图分类号:

TN918

李瑞林,胡娇,唐朝京. 卫星电话GMR-2流密码算法碰撞特性分析[J]. 通信学报, 2018, 39(2): 88-95.

Ruilin LI,Jiao HU,Chaojing TANG. Collision analysis of the GMR-2 cipher used in the satellite phone[J]. Journal on Communications, 2018, 39(2): 88-95.

图/表 9

图1

表1

图2

表2

图3

图4

表3

当输出差分为0时，输入差分Δα的概率分布"

Δα	$I N_{τ_{1} (α)} (Δ α, Δ τ_{1} (α))$	$N_{τ_{1} (α)} (Δ α, Δ τ_{1} (α))$	$\Pr_{τ_{1} (α)} (Δ α \to Δ τ_{1} (α))$
0	0~15	16	1
8	5,6,13,14	4	0.25
9	3,10	2	0.125
11	2,9	2	0.125
12	4,7,8,11	4	0.25
13	1,12	2	0.125
15	0,15	2	0.125
其他	?	0	0

表3

表4

表5

碰撞概率对比"

c	Pr ₁(c)	$P r_{1} (c)^{*}$	$P r_{2} (c)^{*}$	$P r_{2} (c)^{} - P r_{1} (c)^{}$
0	2^?8.544	2^?8.456	2^?8.455	2^?19.488
1	2^?9.077	2^?8.996	2^?8.994	2^?18.899
2	2^?8.544	2^?8.456	2^?8.455	2^?19.488
3	2^?9.077	2^?9.000	2^?8.998	2^?19.209
4	2^?9.077	2^?8.940	2^?8.938	2^?18.950
5	2^?8.544	2^?8.492	2^?8.491	2^?19.508
6	2^?8.544	2^?8.454	2^?8.453	2^?19.536
7	2^?6.817	2^?6.795	2^?6.791	2^?15.230
平均值	2^?8.314	2^?8.250	2^?8.248	2^?17.719

表5

参考文献 14

[1]	何元智 . 军民融合重大举措—天通一号卫星移动通信系统[C]// 2016中国卫星应用大会. 2016.
	HE Y Z , . A Milestone of civil-military integrated satellite communication:tiantong-01 system[C]// China Satellite Conference 2016. 2016.
[2]	2016中国卫星应用若干重大进展[J]. 卫星应用, 2017(1): 32-39.
	Significant progress in Chinese satellite applications in 2016[J]. Satellite Application, 2017(1): 32-39
[3]	李磊 . 移动通信GSM中密码算法安全性研究[D]. 郑州:解放军信息工程大学, 2012.
	LI L . Research on security of cryptographic algorithm in GSM[D]. Zhengzhou:PLA Information Engineering University, 2012.
[4]	关杰, 丁林, 刘树凯 . SNOW 3G与ZUC流密码的猜测决定攻击[J]. 软件学报, 2013(6): 1324-1333.
	GUAN J , DING L , LIU S K . Guess and determine attack on SNOW 3G and ZUC[J]. Journal of Software, 2013(6): 1324-1333.
[5]	吴泳钢, 古天龙, 徐周波 . SNOW 3G加密算法的BDD攻击[J]. 桂林电子科技大学学报, 2016,36(3): 199-203.
	WU Y G , GU T L , XU Z B . BDD attack on SNOW 3G encryption algorithm[J]. Journal of Guilin University of Electronic Technology, 2016,36(3): 199-203.
[6]	BARKAN P , BIHAM E , KELLER N . Instant cipher-text only cryptanalysis of GSM encrypted communication[J]. Journal of Cryptology, 2008,21(3): 392-429.
[7]	BIRYUKOV A , SHAMIR A , WAGNER D . Real time cryptanalysis of A5/1 on a PC[M]// Fast Software Encryption,Springer Berlin Heidelberg, 2000: 1-18.
[8]	DUNKELMAN O , KELLER N , SHAMIR A . A practical-time attack on the A5/3 cryptosystem used in third generation GSM telephony[C]// Icar Crgptology Eprint Archive. 2010: 393-410.
[9]	WU H , HUANG T , NGUYEN P ,et al. Differential attacks against stream cipher ZUC[C]// International Conference on the Theory and Application of Cryptology and Information Security. 2012: 262-277.
[10]	ZHANG B , XU C , MEIER W . Fast correlation attacks over extension fields,large-unit linear approximation and cryptanalysis of SNOW 2.0[C]// Cryptology Conference. 2015: 643-662.
[11]	ZHOU C , FENG X , LIN D . The Initialization stage analysis of ZUC v1.5[C]// Cryptology and Network Security. 2011: 40-53.
[12]	DRIESSEN B , HUND R , WILLEMS C ,et al. Don't trust satellite phones:a security analysis of two satphone standards[C]// Security and Privacy (SP). 2012: 128-142.
[13]	DRIESSEN B , HUND R , WILLEMS C ,et al. An experimental security analysis of two satphone standards[J]. ACM Transactions on Information ＆ System Security, 2013,16(3): 1-30.
[14]	LI R , LI H , LI C ,et al. A low data complexity attack on the GMR-2 Cipher Used in the Satellite Phones[C]// FSE. 2013: 485-501.

符号	含义
⊕	异或，即按比特模2加
ΔX	2 bit序列的异或差分，即ΔX =X⊕X^?
Δ a→Δb	差分Δa能产生差分Δb
X \|\|Y	2 bit序列的级联
Γ	Γ={δ‖δ:δ∈{0x1,0x2,…,0xf}}

α	τ ₁(α)	τ ₂(τ₁(α))
(0,0,0,0),(1,1,1,1)	2	6
(0,0,0,1),(1,1,0,0)	5	3
(0,0,1,0),(1,0,0,1)	0	4
(0,0,1,1),(1,0,1,0)	6	2
(0,1,0,0),(1,0,0,0)	3	7
(0,1,0,1),(1,1,0,1)	7	1
(0,1,1,0),(1,1,1,0)	4	4
(0,1,1,1),(1,0,1,1)	1	5
(0,0,0,1),(1,1,0,0)	5	3

δ	c=0	c=	c=2	c=3	c=4	c=5	c=6	c=7
8	1	1	1	1	0.5	1	1	0.5
9	1	1	1	1	1	1	0	1
11	0	1	1	1	1	1	1	1
12	1	0.5	1	0.5	1	1	1	1
13	1	1	1	1	1	0	1	1
15	1	1	0	1	1	1	1	1
其他	0	0	0	0	0	0	0	0

卫星电话GMR-2流密码算法碰撞特性分析

Collision analysis of the GMR-2 cipher used in the satellite phone

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 14

相关文章 14

Metrics

推荐阅读 0

[1]	周照存, 冯登国. 流密码分析方法研究综述[J]. 通信学报, 2022, 43(11): 183-198.
[2]	黄春光,程海,丁群. 基于PUF的Logistic混沌序列发生器[J]. 通信学报, 2019, 40(3): 182-189.
[3]	刘龙飞,杨凯,杨晓元. 新的周期为p^m的GF(h)上广义割圆序列的线性复杂度[J]. 通信学报, 2017, 38(9): 39-45.
[4]	马猛,赵亚群. 简化版Trivium算法的线性逼近研究[J]. 通信学报, 2016, 37(6): 185-191.
[5]	董丽华,胡予濮,曾勇. 多重周期序列联合二次复杂度的计算[J]. 通信学报, 2012, 33(6): 11-18.
[6]	潘臻,唐小虎. 全动态密钥流生成器DF-FCSR-8[J]. 通信学报, 2012, 33(2): 15-22.
[7]	张凤荣,胡予濮,马华,谢敏,高军涛. 正形置换的迭代构造与计数[J]. 通信学报, 2011, 32(11A): 204-208.
[8]	孙思维,胡磊. WEP数据加密协议的两种改进攻击[J]. 通信学报, 2010, 31(9): 103-109.
[9]	曾光,杨阳,韩文报,范淑琴. 本原多项式与基于字的线性反馈寄存器[J]. 通信学报, 2009, 30(11A): 111-116.
[10]	肖鸿,张串绒,肖国镇,王新梅. 互控-钟控移位寄存器序列[J]. 通信学报, 2008, 29(10): 210-214.
[11]	件丽花,李媛,胡予濮. 新型非线性滤波生成器的区分攻击研究[J]. 通信学报, 2007, 28(11A): 152-155.
[12]	王培荣,徐喆,付冲,朱伟勇,王兴伟. 复合混沌数字图像加密算法[J]. 通信学报, 2006, 27(11A): 285-289.
[13]	张龙,吴文玲,温巧燕. 流密码代数攻击的研究现状及其展望[J]. 通信学报, 2006, 27(1): 91-98.
[14]	苏明,符方伟. 随机周期序列k错线性复杂度的期望上界[J]. 通信学报, 2005, 26(2): 60-65.