构造零和区分器的新方法

doi:10.3969/j.issn.1000-436x.2012.11.012

通信学报 ›› 2012, Vol. 33 ›› Issue (11): 91-99.doi: 10.3969/j.issn.1000-436x.2012.11.012

构造零和区分器的新方法

董乐^1,²,吴文玲¹,吴双¹,邹剑^1,²

¹ 中国科学院软件研究所，北京 100190
² 中国科学院研究生院，北京 100190

出版日期:2012-11-25 发布日期:2017-07-25
基金资助:
国家自然科学基金资助项目;国家自然科学基金资助项目

Novel method of constructing the zero-sum distinguishers

Le DONG^1,²,Wen-ling WU¹,Shuang WU¹,Jian ZHOU^1,²

¹ Institute of Software,Chinese Academy of Sciences,Beijing 100190,China
² Graduate University,Chinese Academy of Sciences,Beijing 100190,China

Online:2012-11-25 Published:2017-07-25
Supported by:
The National Natural Science Foundation of China;The National Natural Science Foundation of China

摘要/Abstract

摘要：

通过分析具有相似结构的AES 类置换的扩散性质，提出了一种构造零和区分器的新方法。这种方法组合了高阶积分攻击和高阶差分攻击，利用选择的一个确定其活跃模式的中间状态，构造一条高阶积分路径，然后以此路径的2个终点作为起始点，再构造高阶差分路径。利用此方法，改进了对PHOTON杂凑函数族2个置换的全轮零和攻击，并对进入SHA-3最终轮的JH算法的核心函数构造了31.5轮的零和区分器。

关键词: AES类, 零和区分器, 高阶差分攻击, 高阶积分攻击, PHOTON, JH

Abstract:

A novel method of constructing the zero-sum distinguishers for AES-like permutations was proposed by considering the diffusion properties of these permutations,which have the similar construction.The method combined the higher-order integral attack and the higher-order differential attack.Utilizing the selected intermediate-state-structure whose active mode was determined,a higher-order integral path was constructed.Then,a higher-order differential trace was built from the two ends of the integral path.Applying the method,the full-round zero-sum attack on two permutations adopted by the PHOTON family was improved.Besides,a 31.5-round zero-sum distinguisher of the core function of JH hash function was constructed,which entered into the final round of the SHA-3 competition.

Key words: AES-like, zero-sum distinguishers, higher-order differential attack, higher-order integral attack, PHOTON, JH

董乐,吴文玲,吴双,邹剑. 构造零和区分器的新方法[J]. 通信学报, 2012, 33(11): 91-99.

Le DONG,Wen-ling WU,Shuang WU,Jian ZHOU. Novel method of constructing the zero-sum distinguishers[J]. Journal on Communications, 2012, 33(11): 91-99.

图/表 9

表1

图1

表2

图2

图3

图4

图5

图6

图7

参考文献 18

[1]	JOAN D , VINCENT R . The Design of Rijndael:AES—the Advanced Encryption Standard[M]. Springer-Verlag, 2002.
[2]	GUO J , THOMAS P , AXEL P . The photon family of lightweight hash functions[EB/OL]. , 2011.
[3]	GUO J , THOMAS P , AXEL P . The Photon family of lightweight hash functions[A]. Proc of the Advances in Cryptology-CAYPTO 2011[C]. Santa Barbara,CA,USA, 2011. 222-239.
[4]	WU H . The Hash Function JH[EB/OL]. , 2008.
[5]	RIJMEN V , TOZ D,VANCI . Rebound attack on reduced-round versions of JH[A]. Proc of the Fast Software Encryption-FSE 2010[C]. Seoul,Korea, 2010. 286-303.
[6]	TURAN M-S , UYAN E . Practical near–collisions for reduced round blake,fugue,Hamsi and JH[EB/OL]. , 2010.
[7]	N-PLASENCIA M . How to improve rebound attacks[A]. Proc of the Advances in Cryptology-CAYPTO 2011[C]. Santa Barbara,CA,USA, 2011. 188-205.
[8]	BOURA C , CANTEAUT A . On the influence of the algebraic degree of F-1 on the algebraic degree of G circ F[EB/OL]. , 2011.
[9]	LAI X J . Higher order derivatives and differential cryptanalysis[A]. Proc of Symposium on Communication,Coding and Cryptography,in honor o]James L.Massey on the Occasion of His 60'th Birthday[C]. Monte-Verita,Ascona,Switzerland, 1994. 10-13.
[10]	KNUDSEN L R . Truncated and higher order differentials[A]. Proc of the Fast Software Encryption-FSE 1994[C]. Leuven,Belgium, 1995. 196-211.
[11]	AUMASSON J-P , MEIER W . Zero-sum distinguishers for reduced keccak-f and for the core functions of luffa and hamsi[EB/OL]. , 2009.
[12]	BOURA C , CANTEAUT A . Zero-sum distinguishers for iterated permutations and application to KECCAK-f and Hamsi-256[A]. Proc of the Selected Areas in Cryptography-SAC 2010[C]. Waterloo,Ontario,Canada, 2011. 1-17.
[13]	BOURA C , CANTEAUT A,CANNIèRE C D . Higher-order differential properties of Keccak and Luffa[A]. Proc of the Fast Software Encryption-FSE 2011[C]. Lyngby,Denmark, 2011. 252-269.
[14]	AUMASSON J-P,K?SPER E , KNUDSEN L R , et al . Distinguishers for the compression function and output transformation of hamsi-256[A]. Proc of the Information Security and Privacy-ACISP 2010[C]. Sydney,Australia, 2010. 87-103.
[15]	KNUDSEN L R , WAGNER D . Integral cryptanalysis[A]. Proc of the Fast Software Encryption-FSE 2002[C]. Leuven,Belgium, 2002. 112-127.
[16]	DAEMEN J , KNUDSEN LR , RIJMEN V . The block cipher square[A]. Proc of the Fast Software Encryption-FSE 1997[C]. Haifa,Israel, 1997. 149-165.
[17]	FERGUSON N,KELSEY J , LUCKS S , et a l . Improved cryptanalysis of rijndael[A]. Proc of the Fast Software Encryption-FSE 2000[C]. New York,NY,USA, 2001. 213-230.
[18]	GALICE S , MINIER M . Improving integral attacks against rijndael256 up to 9 rounds[A]. Proc of the Progress in Cryptology – AFRICACRYPT 2008[C]. Casablanca,Morocco, 2008. 1-15.

攻击目标	轮数	时间复杂度	存储	攻击类型	出处
	7	2⁵²	—	积分区分器	文献[2]
PHOTON-160	8	2⁸	2⁴	反弹区分器	文献[2]
中所用置换P₁₉₆	12	2¹⁸³	—	零和区分器	文献[2]
	12	2¹⁶⁷	—	零和区分器	本文5.1节
	7	2⁶⁰	—	积分区分器	文献[2]
PHOTON-224	8	2⁸	2⁴	反弹区分器	文献[2]
中所用置换P₂₅₆	12	2²³⁶	—	零和区分器	文献[2]
	12	2²²³	—	零和区分器	本文5.2节
	22	2¹⁵⁶	2¹⁴³	半自由起始近似碰撞	文献[5]
JH-256压缩函数	22	2⁹⁵	2⁹⁵	半自由起始近似碰撞	文献[7]
	16	2⁹⁶	2⁹⁶	半自由起始碰撞	文献[7]
JH-256杂凑函数	16	2¹⁷⁸	2¹⁰¹	半自由起始碰撞	文献[5]
JH压缩函数	10	2²³	—	半自由起始近似碰撞	文献[6]
JH核心函数	31.5	2⁷⁶⁷	—	零和区分器	本文6.2节

版本	t	b	s	N_r
P₁₀₀	100	5	4	12
P₁₄₄	144	6	4	12
P₁₉₆	196	7	4	12
P₂₅₆	256	8	4	12
P₂₈₈	288	6	8	12

构造零和区分器的新方法

Novel method of constructing the zero-sum distinguishers

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 18

相关文章 0

Metrics

推荐阅读 0