7 resultados para SMS4
Resumo:
We present several new observations on the SMS4 block cipher, and discuss their cryptographic significance. The crucial observation is the existence of fixed points and also of simple linear relationships between the bits of the input and output words for each component of the round functions for some input words. This implies that the non-linear function T of SMS4 does not appear random and that the linear transformation provides poor diffusion. Furthermore, the branch number of the linear transformation in the key scheduling algorithm is shown to be less than optimal. The main security implication of these observations is that the round function is not always non-linear. Due to this linearity, it is possible to reduce the number of effective rounds of SMS4 by four. We also investigate the susceptibility of SMS4 to further cryptanalysis. Finally, we demonstrate a successful differential attack on a slightly modified variant of SMS4. These findings raise serious questions on the security provided by SMS4.
Resumo:
SMS4是用于WAPI的分组密码算法,是国内官方公布的第一个商用密码算法.由于公布时间不长,关于它的安全性研究尚没有公开结果发表.该文研究SMS4密码算法对差分故障攻击的安全性.攻击采用面向字节的随机故障模型,并且结合了差分分析技术.该攻击方法理论上仅需要32个错误密文就可以完全恢复出SMS4的128比特种子密钥.因为实际中故障发生的字节位置是不可能完全平均的,所以实际攻击所需错误密文数将略大于理论值;文中的实验结果也验证了这一事实,恢复SMS4的128bit种子密钥平均大约需要47个错误密文.文章结果显示SMS4对差分故障攻击是脆弱的.为了避免这类攻击,建议用户对加密设备进行保护,阻止攻击者对其进行故障诱导.
Resumo:
This thesis is devoted to the study of linear relationships in symmetric block ciphers. A block cipher is designed so that the ciphertext is produced as a nonlinear function of the plaintext and secret master key. However, linear relationships within the cipher can still exist if the texts and components of the cipher are manipulated in a number of ways, as shown in this thesis. There are four main contributions of this thesis. The first contribution is the extension of the applicability of integral attacks from word-based to bitbased block ciphers. Integral attacks exploit the linear relationship between texts at intermediate stages of encryption. This relationship can be used to recover subkey bits in a key recovery attack. In principle, integral attacks can be applied to bit-based block ciphers. However, specific tools to define the attack on these ciphers are not available. This problem is addressed in this thesis by introducing a refined set of notations to describe the attack. The bit patternbased integral attack is successfully demonstrated on reduced-round variants of the block ciphers Noekeon, Present and Serpent. The second contribution is the discovery of a very small system of equations that describe the LEX-AES stream cipher. LEX-AES is based heavily on the 128-bit-key (16-byte) Advanced Encryption Standard (AES) block cipher. In one instance, the system contains 21 equations and 17 unknown bytes. This is very close to the upper limit for an exhaustive key search, which is 16 bytes. One only needs to acquire 36 bytes of keystream to generate the equations. Therefore, the security of this cipher depends on the difficulty of solving this small system of equations. The third contribution is the proposal of an alternative method to measure diffusion in the linear transformation of Substitution-Permutation-Network (SPN) block ciphers. Currently, the branch number is widely used for this purpose. It is useful for estimating the possible success of differential and linear attacks on a particular SPN cipher. However, the measure does not give information on the number of input bits that are left unchanged by the transformation when producing the output bits. The new measure introduced in this thesis is intended to complement the current branch number technique. The measure is based on fixed points and simple linear relationships between the input and output words of the linear transformation. The measure represents the average fraction of input words to a linear diffusion transformation that are not effectively changed by the transformation. This measure is applied to the block ciphers AES, ARIA, Serpent and Present. It is shown that except for Serpent, the linear transformations used in the block ciphers examined do not behave as expected for a random linear transformation. The fourth contribution is the identification of linear paths in the nonlinear round function of the SMS4 block cipher. The SMS4 block cipher is used as a standard in the Chinese Wireless LAN Wired Authentication and Privacy Infrastructure (WAPI) and hence, the round function should exhibit a high level of nonlinearity. However, the findings in this thesis on the existence of linear relationships show that this is not the case. It is shown that in some exceptional cases, the first four rounds of SMS4 are effectively linear. In these cases, the effective number of rounds for SMS4 is reduced by four, from 32 to 28. The findings raise questions about the security provided by SMS4, and might provide clues on the existence of a flaw in the design of the cipher.
Resumo:
分组密码作为现代密码学的一个重要组成部分,是目前最重要和流行的一种数据加密技术,有着非常广泛的应用。此外,近年来分组密码或其组件还经常作为基础模块用于构造Hash函数,MAC算法等。因此对分组密码安全性的分析以及设计安全高效的分组密码算法,在理论研究及实际应用中都有着非常重要的意义。本文的研究内容主要包括两个方面:对现有常用分组密码的安全性分析,以及分组密码及其组件的设计。这两个方面是密不可分,相互融合的。通常都是利用算法存在的弱点或算法设计特点,提出新的密码分析算法。而在算法设计过程中,正是从密码分析获取经验,掌握设计算法的技巧和避免可能存在的缺陷。 本文首先对分组密码分析方法作了大量的调查和研究,在此基础上分析了一些国内外常用和有影响的分组密码,得到了一系列有价值的分析结果。并在密码分析工作的经验基础上,结合现有密码设计理论,在分组密码及其组件的设计方面做了比较深入的研究。本文的主要成果包括: (1) DES算法的分析。DES算法是迄今最重要的分组密码算法之一,目前在一些金融领域,DES和Triple-DES仍被广泛使用着。本文考察了DES算法针对Boomerang攻击和Rectangle攻击的安全性。通过利用DES算法各轮的最优差分路径及其概率,分别给出了这两种攻击方法对DES的攻击算法。 (2) Rijndael算法的分析。Rijndael算法是高级加密标准AES的原型。本文针对大分组Rijndael算法的各个不同版本,利用算法行移位和列混淆变换的一些密码特性,改进了原有的不可能差分攻击结果,极大的降低了攻击的数据和时间复杂度。同时还分别构造了一些新的更长轮的不可能差分路径,利用这些路径给出了一系列对大分组Rijndael算法的改进的不可能差分攻击,这些结果是目前已知的对该算法的最好攻击结果。 (3) SMS4算法的分析。SMS4算法是中国公布的用于无线局域网产品保护的算法。本文首先构造了SMS4算法的一类5轮循环差分特征,利用该特征分别给出了对16轮SMS4算法的矩阵攻击和对21轮SMS4算法的差分分析。随后考察了SMS4算法抵抗差分故障攻击的能力,基于字节故障模型,结合实验指出需要32次故障诱导来恢复全部密钥。后续的工作又进一步将结果改进为只需要进行一次故障诱导再结合2^{44}次密钥搜索即可恢复全部密钥。 (4) CLEFIA密码算法的分析。CLEFIA算法是索尼公司于2007年提出的用于产品版权保护和认证的分组密码算法。针对CLEFIA算法,本文构造了一条概率为1的5轮截断差分特征,再结合其扩散矩阵的密码特性构造了一条3轮线性逼近。随后利用这两条路径组成的8轮差分-线性区分器,给出了对10轮CLEFIA算法的有效的差分-线性攻击。 (5) 分组密码结构的设计及其应用。本文提出了两种新的分组密码结构,并指出了其与原有结构相比的优势,同时分别评估了这两种结构针对差分分析和线性分析等常用密码分析方法的安全性。基于这两个密码结构,结合部分密码组件的设计和测试工作,本文还完成了两个分组密码算法的概要设计,并简要评估了它们的实现效率及针对现有的几种主要密码分析方法的安全性。
Resumo:
统计检测在分组密码安全性评估的过程中发挥着重要的作用,许多密码标准组织纷纷把对分组密码的统计检测作为评估过程中的重要环节来实施.文中提出了一种有效、实用的统计检测方法,该统计检测方法以分组长度为统计单位,将一个分组的某一字节取遍所有的值而其它字节固定不变,经过密码变换后,将256个输出值进行异或,通过检测输出异或值每一位为0(或1)的概率是否为1/2来判断分组密码是否随机.该检测方法可以一定程度地反映出分组密码抵抗积分攻击的能力.与此同时,基于推广的积分攻击方法,文中在已有方法的基础上提出了更一般的统计检测方法.另外,文中分别对Rijndael算法、Camellia算法和SMS4算法进行了统计检测,这3种算法分别从第4轮、第5轮和第7轮开始呈现出良好的统计性能.
Resumo:
从可证明安全的角度研究使用压缩函数的非平衡Feistel结构(UFN-C)的安全性,证明了k+1轮UFN-C是伪随机的,k+2轮UFN-C是超伪随机的;进一步地,探讨了UFN-C的有效构造,降低了Naor和Reingold在1999年文章中类似结构对伪随机函数个数的要求.最后,针对一类具体的UFN-C--SMs4,分析其广义形式SMS4-like结构的伪随机性和超伪随机性,为设计与使用该类结构的分组密码提供了可证明安全的理论依据.
