CN112398638A - Zero correlation linear code analysis method, system, medium and electronic equipment - Google Patents


Info

Publication number
CN112398638A
Authority
CN
China
Prior art keywords
linear
key
zero
correlation
adjustment
Prior art date
Legal status
Granted
Application number
CN202011120542.4A
Other languages
Chinese (zh)
Other versions
CN112398638B (en
Inventor
王美琴
牛超
李木舟
Current Assignee
Shandong University
Original Assignee
Shandong University
Priority date
Filing date
Publication date
Application filed by Shandong University
Priority to CN202011120542.4A
Publication of CN112398638A
Application granted
Publication of CN112398638B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure provides a zero-correlation linear cryptanalysis method, system, medium and electronic device, comprising the following steps: acquiring a tweakable (adjustable) block cipher to be analyzed; regarding the obtained block cipher as a vector Boolean function, constructing the mapping from the plaintext, the secret key and the adjustment (tweak) to the vector Boolean function, and setting up a linear approximation expression of the vector Boolean function; searching for linear approximations whose correlation is zero, and converting the resulting zero-correlation distinguisher into an integral distinguisher, which is used to judge whether the key guessed for decrypting backwards is correct; wherein the correlation of the zero-correlation linear approximation expression is obtained by traversing all possible values of the plaintext, the secret key and the adjustment. Because the plaintext, the key and the adjustment are treated equally, linear approximations can be searched quickly and accurately, the correctness of the key can be determined more rapidly, the complexity of decryption is reduced, and the success rate of the integral attack is improved.

Description

Zero correlation linear code analysis method, system, medium and electronic equipment
Technical Field
The present disclosure relates to the field of cryptanalysis, and in particular to a zero-correlation linear cryptanalysis method, system, medium and electronic device.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
Linear cryptanalysis is one of the most important techniques for analyzing block ciphers, and many cryptanalysis techniques are derived from it, including the linear hull effect, multiple linear cryptanalysis, multidimensional linear cryptanalysis and the like. Basically, these techniques rely on linear approximations of the target with high absolute correlation. In 2014, Bogdanov and Rijmen proposed a variant of linear cryptanalysis called zero-correlation linear cryptanalysis, which uses linear hulls whose correlation is exactly zero. The main drawback of this technique in its early form was that it required almost the whole codebook to perform the attack. Work at FSE 2012 overcame the data-complexity limitation of zero-correlation linear cryptanalysis by targeting multiple linear approximations whose correlation is zero. Later, the link between zero-correlation linear approximations and integral distinguishers was established at ASIACRYPT 2012.
Another line of work, zero-correlation linear cryptanalysis with respect to the key adjustment (tweak), began at FSE 2018, where zero-correlation linear approximations involving the plaintext, the adjustment and the ciphertext may be found, sometimes yielding distinguishers that cover more rounds of the target. Note that such improvements are only possible for zero-correlation linear cryptanalysis, since Kranz, Leander and Wiemer showed that adding an adjustment through a linear adjustment expansion algorithm does not introduce new effective linear characteristics. However, the work of Ralph et al. applies only to ciphers with a linear key-adjustment scheduling algorithm and works at the word level, so some bit-level distinguishers may be missed.
The inventors of the present disclosure found that the original zero-correlation linear attack on a tweakable block cipher E_{K,T} (a classical block cipher when T is 0) considers the linear approximation expression for key K and adjustment T:
Figure BDA0002731872000000021
which has zero correlation for any given K and T, where the correlation is computed over all possible plaintexts x. Obviously, the plaintext, the key and the adjustment are not treated equally here, which makes zero-correlation linear cryptanalysis complex and prevents faster zero-correlation linear cryptanalysis.
Disclosure of Invention
In order to overcome the defects of the prior art, the present disclosure provides a zero-correlation linear cryptanalysis method, system, medium and electronic device in which the plaintext, the secret key and the adjustment are treated equally, so that linear approximations can be searched quickly and accurately, the correctness of the secret key can be determined more rapidly, the complexity of decryption is reduced, and the success rate of the linear attack is improved.
In order to achieve the purpose, the following technical scheme is adopted in the disclosure:
A first aspect of the present disclosure provides a zero-correlation linear cryptanalysis method.
A zero-correlation linear cryptanalysis method, comprising the steps of:
acquiring a tweakable (adjustable) block cipher to be analyzed;
regarding the obtained block cipher as a vector Boolean function, constructing the mapping from the plaintext, the secret key and the adjustment to the vector Boolean function, and setting up a linear approximation expression of the vector Boolean function;
determining, through the propagation rules of the linear masks of the linear approximation expression over the block cipher structure, that the correlation of a group of linear approximation expressions is zero, obtaining a zero-correlation distinguisher, and converting the zero-correlation distinguisher into an integral distinguisher to judge whether the key used for decrypting backwards is correct;
wherein the correlation of the linear approximation expression is verified by traversing all possible values of the plaintext, the key and the adjustment.
The obtained zero-correlation distinguisher is converted into an integral distinguisher to carry out a key-recovery attack, and the balance (zero-sum) property of the integral distinguisher is verified by specifying particular positions of the plaintext, the key and the adjustment;
by traversing the plaintext, the key and the adjustment at those positions, the zero-sum (balanced) property of the ciphertext after the n rounds covered by the distinguisher is obtained, so that it can be judged whether the key used for decrypting backwards is correct.
A second aspect of the present disclosure provides a zero-correlation linear cryptanalysis system, comprising:
a data acquisition module configured to acquire a tweakable (adjustable) block cipher to be analyzed;
a linear approximation expression acquisition module configured to regard the obtained block cipher as a vector Boolean function, construct the mapping from the plaintext, the secret key and the adjustment to the vector Boolean function, and set up a linear approximation expression of the vector Boolean function;
a cryptanalysis module configured to determine, through the propagation rules of the linear masks of the linear approximation expression over the block cipher structure, that the correlation of a group of linear approximation expressions is zero, obtain a zero-correlation distinguisher and convert the zero-correlation distinguisher into an integral distinguisher to judge whether the key used for decrypting backwards is correct;
wherein the correlation of the zero-correlation linear approximation expression is obtained by traversing all possible values of the plaintext, the key and the adjustment.
A third aspect of the present disclosure provides a computer-readable storage medium storing a program which, when executed by a processor, implements the steps of the zero-correlation linear cryptanalysis method according to the first aspect of the present disclosure.
A fourth aspect of the present disclosure provides an electronic device comprising a memory, a processor and a program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the zero-correlation linear cryptanalysis method according to the first aspect of the present disclosure.
Compared with the prior art, the beneficial effect of this disclosure is:
1. In the method, system, medium or electronic device of the present disclosure, the plaintext, the secret key and the adjustment are treated equally, so that linear approximations are searched quickly and accurately; with the distinguisher obtained, the correctness of the key can be determined more rapidly, the complexity of decryption is reduced, and the success rate of the linear attack is improved.
2. By treating the plaintext, the key and the adjustment equally in zero-correlation linear cryptanalysis, the method, system, medium or electronic device of the present disclosure shows that such zero-correlation linear approximations can be found by SAT/SMT-based automatic tools, which is much simpler than the method of Ralph et al. and applies to both linear and non-linear key-adjustment generation algorithms.
3. In the method, system, medium or electronic device of the present disclosure, the novel zero-correlation linear approximations can be converted into related-key (adjustment) integral distinguishers; when applied to TWINE, LBlock and SKINNY, longer distinguishers are obtained, and the correctness of the method is verified by automatically recovering the results of Ralph et al. and by a toy cipher.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, are incorporated in and constitute a part of this disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and not to limit the disclosure.
Fig. 1 is a schematic flow chart of a zero correlation linear cryptanalysis method provided in embodiment 1 of the present disclosure.
Fig. 2 is a zero-correlation distinguisher for 10 rounds of the toy cipher provided in embodiment 1 of the present disclosure.
Fig. 3 is the round function of TWINE provided in embodiment 1 of the present disclosure.
Fig. 4 is the key generation algorithm of TWINE-128 provided in embodiment 1 of the present disclosure.
Fig. 5 is the mask propagation of 17-round TWINE-80 on the data encryption path provided in embodiment 1 of the present disclosure.
Fig. 6 is the mask propagation on the TWINE-80 key expansion provided in embodiment 1 of the present disclosure.
Fig. 7 is the round function of LBlock provided in embodiment 1 of the present disclosure.
Fig. 8 is the key expansion algorithm of LBlock provided in embodiment 1 of the present disclosure.
Fig. 9 is a zero-correlation linear hull for 14 rounds of SKINNY-64/128 provided in embodiment 1 of the present disclosure.
Detailed Description
The present disclosure is further described with reference to the following drawings and examples.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present disclosure. As used herein, the singular is intended to include the plural unless the context clearly dictates otherwise, and it should be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of features, steps, operations, elements, components, and/or combinations thereof.
The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
Example 1:
As shown in fig. 1, embodiment 1 of the present disclosure provides a zero-correlation linear cryptanalysis method, comprising the steps of:
acquiring a tweakable (adjustable) block cipher to be analyzed;
regarding the obtained block cipher as a vector Boolean function, constructing the mapping from the plaintext, the secret key and the adjustment to the vector Boolean function, and setting up a linear approximation expression of the vector Boolean function;
determining, through the propagation rules of the linear masks of the linear approximation expression over the block cipher structure, that the correlation of a group of linear approximation expressions is zero, obtaining a zero-correlation distinguisher, and converting the zero-correlation distinguisher into an integral distinguisher to judge whether the key used for decrypting backwards is correct;
wherein the correlation of the linear approximation expression is verified by traversing all possible values of the plaintext, the key and the adjustment.
In detail:
First, this embodiment briefly reviews how zero-correlation linear cryptanalysis is applied to an n-bit tweakable block cipher E_{K,T}, whose key is
Figure BDA0002731872000000061
and whose adjustment is
Figure BDA0002731872000000062
where, when l is 0, it becomes an ordinary block cipher without adjustment.
Alternatively, the block cipher may be regarded as a vector Boolean function:
Figure BDA0002731872000000063
mapping (K, T, x) to E_{K,T}(x), i.e. F(K, T, x) = E_{K,T}(x).
Let α and β be
Figure BDA0002731872000000064
n-bit vectors.
The correlation is:
Figure BDA0002731872000000065
at a given point
Figure BDA0002731872000000066
where F(K, T, ·) = E_{K,T}(·) is defined as:
Figure BDA0002731872000000067
where <u, v> denotes the inner product of two bit vectors of the same length. The original zero-correlation linear cryptanalysis uses a linear approximation with input and output masks α and β such that, for any K and T,
Figure BDA0002731872000000068
Such an (α, β) is called a zero-correlation linear approximation of E_{K,T}. Given a zero-correlation linear approximation of E_{K,T}, almost the whole codebook is needed to distinguish E_{K,T}. Andrey et al. showed that E_{K,T} can be distinguished with a data complexity of
Figure BDA0002731872000000069
At FSE 2018, Ralph et al. proposed considering a novel zero-correlation linear cryptanalysis in which the linear mask on the adjustment may be non-zero.
Their idea is formally described below:
Let
Figure BDA0002731872000000071
The correlation
cor_{F(K,·,·)}((α, β), λ)
of F(K, ·, ·) for any fixed key K is defined as:
Figure BDA0002731872000000072
i.e. the correlation is computed over all possible plaintexts and adjustments. To find such zero-correlation linear approximations, which also involve adjustment bits, Ralph et al. adopt the following strategy, applicable to ciphers with a linear key-adjustment expansion:
First, fix the linear masks of the plaintext and ciphertext to α and β. Then derive all linear characteristics with non-zero correlation whose plaintext and ciphertext masks are α and β respectively, obtaining the set of all λ with cor_{F(K,·,·)}((α, β), λ) ≠ 0,
Figure BDA0002731872000000076
Finally, select
Figure BDA0002731872000000073
with cor_{F(K,·,·)}((α, β), λ′) = 0.
It can be noted that the derivation of
Figure BDA0002731872000000074
depends largely on the linearity and simplicity of the adjustment expansion; furthermore, since the method of Ralph et al. is carried out manually and works at the word level, it is only applicable to ciphers with a linear adjustment expansion, and some zero-correlation linear approximations may be missed.
This embodiment goes further than Ralph et al.: it treats all public and secret inputs of the block cipher E equally and considers linear approximations involving the plaintext, the key, the adjustment and the ciphertext.
After r rounds of encryption, the mask on the block cipher consists of 5 parts: the mask α on the plaintext, the mask γ on the key, the mask λ on the adjustment, the mask κ on the key-adjustment state after r rounds of the key-adjustment scheduling algorithm, and the mask β on the ciphertext.
Since the intermediate states of the key-adjustment expansion are unknown, the output mask κ of the key-adjustment expansion algorithm is set to zero. Let
Figure BDA0002731872000000075
E(K, T) denote the output state of the key-adjustment expansion algorithm.
The linear approximation
Figure BDA0002731872000000081
is defined as:
Figure BDA0002731872000000082
and then the linear approximation
Figure BDA0002731872000000083
is:
Figure BDA0002731872000000084
The correlation value cor_F((α, β), γ, λ) of the linear approximation is defined as:
Figure BDA0002731872000000085
From the above definitions it can be seen that the correlation is computed over all possible plaintexts, keys and adjustments. Because the key is involved, it is not obvious how to mount a key-recovery attack on the basis of such a zero-correlation linear approximation. To exploit these approximations, this embodiment shows below how to convert them into related-key (adjustment) integral distinguishers.
The conversion between the original zero-correlation linear approximations and integral distinguishers can be found in the work of Sun et al. at FSE 2015; the theorem most relevant to this embodiment is restated as follows:
theorem 1: order to
Figure BDA0002731872000000086
Is a vector Boolean function, A is
Figure BDA0002731872000000087
A subspace of (a), and
Figure BDA0002731872000000088
assume that for any α ∈ A, (α, β) is a zero-correlation linear approximation. Then for any
Figure BDA0002731872000000089
In that
Figure BDA00027318720000000810
α ∈ A } has
Figure BDA00027318720000000811
And (4) integrating and balancing.
Theorem 1 can be modified into the following form to achieve the object of this embodiment; the same proof strategy as for Theorem 1 applies to the new form.
Theorem 2: Let F:
Figure BDA00027318720000000812
be a vector Boolean function, A a subspace of
Figure BDA00027318720000000813
and
Figure BDA00027318720000000814
Suppose that for any (α, γ, λ) ∈ A,
Figure BDA00027318720000000815
is a zero-correlation linear approximation. Then, for any
Figure BDA00027318720000000816
on the set
Figure BDA00027318720000000817
Figure BDA00027318720000000818
(α, γ, λ) ∈ A}, there is
Figure BDA00027318720000000819
such that
Figure BDA00027318720000000820
is balanced, i.e. it satisfies the integral property.
From Theorem 2 it can be seen that if a linear approximation
Figure BDA00027318720000000821
Figure BDA0002731872000000091
can be found that is zero-correlation for every (α, γ, λ) in a d-dimensional linear subspace
Figure BDA0002731872000000092
then an integral distinguisher can be constructed with data complexity 2^(n+m+l-d), the chosen inputs of F being
Figure BDA0002731872000000093
for any fixed
Figure BDA0002731872000000094
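The definition of the correlation over all (K, T, x) and the conversion of Theorem 2 into an integral property, worked through on a small tweakable cipher. This is an added example and not the patent's toy cipher or code: the 8-bit Feistel `toy_encrypt`, its rotate-and-XOR key schedule, the whitening of the adjustment into the left nibble, and the use of the PRESENT S-box are all assumptions made for the illustration. `walsh_spectrum` computes cor_F((α, β), γ, λ) for every input mask and one fixed β in a single Walsh-Hadamard transform, which is exactly the "traverse all plaintexts, keys and adjustments" computation of the description; `integral_balanced` then checks the balance property of Theorem 2 on a coset of A^⊥ whose inputs vary plaintext, key and adjustment bits together.

```python
"""Added example: correlation over all (key, adjustment, plaintext) and the
Theorem-2 conversion to a related-tweakey integral property, on a toy
tweakable cipher constructed for this illustration (not the patent's)."""

# PRESENT's 4-bit S-box, used only as a convenient bijective S-box (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

N_BLOCK, M_KEY, L_TWEAK = 8, 4, 4   # bit lengths n, m, l of plaintext x, key K, adjustment T
TOTAL = N_BLOCK + M_KEY + L_TWEAK   # F(K, T, x) has n + m + l = 16 input bits


def toy_encrypt(K, T, x, rounds=4):
    """Constructed toy cipher E_{K,T}(x): a two-nibble Feistel with round keys
    rotl(K, i) ^ i and the 4-bit adjustment XORed into the left nibble before
    round 0.  For fixed (K, T) it is a permutation of x."""
    L, R = (x >> 4) & 0xF, x & 0xF
    L ^= T
    for i in range(rounds):
        rk = (((K << i) | (K >> (4 - i))) & 0xF) ^ i
        L, R = R, L ^ SBOX[R ^ rk]
    return (L << 4) | R


def pack(gamma_or_K, lam_or_T, alpha_or_x):
    """One 16-bit index for (K, T, x); the same layout encodes a mask (gamma, lambda, alpha)."""
    return (gamma_or_K << (L_TWEAK + N_BLOCK)) | (lam_or_T << N_BLOCK) | alpha_or_x


def parity(v):
    return bin(v).count("1") & 1


def output_bit_table(beta):
    """g[(K, T, x)] = <beta, F(K, T, x)> for every key, adjustment and plaintext."""
    g = [0] * (1 << TOTAL)
    for K in range(1 << M_KEY):
        for T in range(1 << L_TWEAK):
            for x in range(1 << N_BLOCK):
                g[pack(K, T, x)] = parity(beta & toy_encrypt(K, T, x))
    return g


def walsh_spectrum(g):
    """Fast Walsh-Hadamard transform.  W[mask] = sum_v (-1)^(g(v) ^ <mask, v>), so
    cor_F((alpha, beta), gamma, lambda) = W[pack(gamma, lambda, alpha)] / 2^16:
    every correlation over all plaintexts, keys and adjustments for this beta at once."""
    w = [1 - 2 * b for b in g]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w


def correlation_by_definition(mask, g):
    """The literal definition (traverse all (K, T, x)); used to cross-check the FWHT."""
    return sum(1 - 2 * (g[v] ^ parity(mask & v)) for v in range(len(g)))


def zero_correlation_masks(beta):
    """All input masks (gamma, lambda, alpha) whose correlation with beta is zero."""
    return {m for m, coeff in enumerate(walsh_spectrum(output_bit_table(beta))) if coeff == 0}


def span(basis):
    """All XOR combinations of the basis masks: the subspace A of Theorem 2."""
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return vecs


def integral_balanced(beta, basis, coset_rep, g=None):
    """Theorem 2 check.  If every mask in span(basis) is zero-correlation with beta,
    <beta, F> must be balanced on {v : <b, v> = <b, coset_rep> for all b in basis},
    a coset of the orthogonal complement of A.  Its 2^(16 - dim A) inputs vary
    plaintext, key and adjustment bits together (a related-tweakey integral set)."""
    if g is None:
        g = output_bit_table(beta)
    coset = [v for v in range(len(g))
             if all(parity(b & v) == parity(b & coset_rep) for b in basis)]
    return 2 * sum(g[v] for v in coset) == len(coset)


if __name__ == "__main__":
    beta = 0x01                                   # mask on the ciphertext
    g = output_bit_table(beta)
    zc = {m for m, c in enumerate(walsh_spectrum(g)) if c == 0}
    # A = span{alpha = 0x10 (left nibble, bit 0), lambda = 0x2 (adjustment bit 1)}.
    # The adjustment is XORed into the left nibble, so a non-zero correlation needs
    # lambda equal to the left-nibble plaintext mask; these masks are zero-correlation.
    basis = [pack(0, 0, 0x10), pack(0, 0x2, 0)]
    print("zero-correlation masks:", len(zc), "A in zc:", span(basis) <= zc)
    print("balanced on coset of A^perp:", integral_balanced(beta, basis, 0x5A5A, g))
```

The chosen A contains masks with a non-zero plaintext part and a non-zero adjustment part, so the resulting integral set fixes one plaintext bit and one adjustment bit and varies all other plaintext, key and adjustment bits, which is the related-tweakey shape of distinguisher the description derives from Theorem 2. The all-zero input mask is zero-correlation for every β ≠ 0 because each E_{K,T} is a permutation.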
To search for zero-correlation linear approximations of the given form, this embodiment adopts a constraint-based approach in place of the manual work described above. Note that in the original model the keys, subkeys and adjustments are regarded as constants; the original model therefore only characterizes the propagation of linear masks along the encryption data path, without considering the key-adjustment scheduling algorithm.
In the model of this embodiment, since the encryption algorithm E_{K,T}(x) is equivalent to a Boolean function F(K, T, x) from
Figure BDA0002731872000000095
to
Figure BDA0002731872000000096
the propagation of the input linear masks must be modelled on both the encryption data path (the state update inside the encryption) and the key-scheduling data path (the key and adjustment expansion algorithm).
The framework of the general search algorithm is described in Algorithm 1:
Algorithm 1:
Input: a cipher E_{K,T}(·), which can be regarded as F(K, T, x) = E_{K,T}(x).
Output: zero-correlation linear approximations of F.
1. Let
Figure BDA00027318720000000912
be a preset subset of
Figure BDA0002731872000000097
;
2. For
Figure BDA0002731872000000098
do:
3.
Figure BDA0002731872000000099
4. Add the following constraints to
Figure BDA00027318720000000910
:
5. fix the linear mask on (K, T, x) to (α, γ, λ);
6. fix the linear mask on the ciphertext to β;
7. If
Figure BDA00027318720000000911
has no solution, output ((α, β), γ, λ) as a zero-correlation linear approximation of F.
In Algorithm 1,
Figure BDA00027318720000001017
is defined heuristically by the cryptanalyst, because enumerating all patterns in
Figure BDA0002731872000000101
is infeasible.
In general,
Figure BDA00027318720000001018
is chosen as the patterns of low Hamming weight. The sub-procedure GenerateLinearModel() (generate linear model) builds a mathematical model containing variables that represent the linear characteristics of F; the relations between these variables are determined by the propagation rules of linear characteristics.
Thus, after executing
Figure BDA00027318720000001012
the mathematical model
Figure BDA00027318720000001015
is the set of all non-zero-correlation linear characteristics of F. Moreover, after the linear masks on (K, T, x) and on the ciphertext have been fixed,
Figure BDA00027318720000001013
is the set of all non-zero-correlation linear characteristics of F under input mask (α, γ, λ) and output mask β.
Therefore, if the solution space of
Figure BDA00027318720000001014
is empty, the linear approximation ((α, β), γ, λ) is known to be zero-correlation. Since all targets consist of only four basic operation types, namely exclusive-OR, branching, linear transformation and S-box, this embodiment only specifies the mathematical constraints for these basic operations; the complete model
Figure BDA00027318720000001016
is obtained by combining the basic operations according to these constraints.
I. Exclusive OR: the XOR operation maps
Figure BDA0002731872000000102
to
Figure BDA0002731872000000103
Let a and b denote the two input linear masks and c the output mask. The linear approximation (a, b, c) has non-zero correlation through the XOR if and only if a = b = c.
II. Branching: the branch operation maps
Figure BDA0002731872000000104
to
Figure BDA0002731872000000105
where x = y = z. Let (a, b, c) be the linear masks on (x, y, z); then (a, b, c) is a non-zero-correlation linear approximation of the branch operation if and only if
Figure BDA0002731872000000106
holds.
III. Linear transformation: a linear transformation with matrix representation M maps the column vector
Figure BDA0002731872000000107
to
Figure BDA0002731872000000108
Let
Figure BDA0002731872000000109
be the linear masks on
Figure BDA00027318720000001010
respectively. The linear approximation
Figure BDA00027318720000001011
of the linear transformation M has non-zero correlation if and only if
Figure BDA0002731872000000111
IV. S-box: let S be an S-box with linear approximation table LAT, and let θ_in and θ_out be the input and output linear masks. Then the correlation of the linear approximation (θ_in, θ_out) through S is non-zero if and only if LAT(θ_in, θ_out) ≠ 0.
In practice, the mathematical model may be written in the language of CP, SAT/SMT or MILP. In this work the SAT/SMT-based approach is chosen and the well-known STP solver is used.
To confirm the correctness of the proposed model, this embodiment attempts to automatically recover the results of Ralph et al. and of Hosein et al.
Taking the result of Ralph et al. on SKINNY as an example: first, a linear model describing the encryption and key-expansion data paths of SKINNY is established; then constraints are added that fix the linear masks at the specific positions of the master key to zero and the masks of the plaintext, the adjustment and the ciphertext to the values determined by the zero-correlation linear approximation found at FSE 2018; finally, the model has no solution with non-zero correlation, meaning that the predefined linear approximation has zero correlation in the model of this embodiment.
In addition, the model of this embodiment has been applied to a toy cipher based on a type-II GFS structure. Both the block size and the key size of the toy cipher are 16 bits. Using the method of this embodiment, a ten-round zero-correlation linear approximation of the toy cipher is obtained, as shown in FIG. 1, where the S-box is the same as that of TWINE.
(1) Application to TWINE
TWINE is a family of 64-bit lightweight block ciphers with a generalized Feistel structure designed by Suzaki et al. The two members of the family, TWINE-80 and TWINE-128, support 80-bit and 128-bit keys respectively. The round function of TWINE and the key generation algorithms of the two versions are shown in fig. 3 and 4.
Results for TWINE-80: this embodiment finds a set of linear approximations, listed in Table 1. To show the contradiction through which the linear masks lead to zero correlation in propagation, the propagation of the masks along the data path and along the key generation path is shown as patterns in fig. 5 and 6 respectively. Given a set of masks (α, γ, β) found by this embodiment, the contradiction can be derived manually in the key generation algorithm. The propagation of the masks is characterized by three patterns, where white, gray and black blocks represent an inactive mask, an active mask and an arbitrary mask respectively.
Table 1: a 17-round zero correlation linear approximation of TWINE-80, where x may be any 4-bit value and c is any non-zero 4-bit value.
Figure BDA0002731872000000121
Table 2: 17-round TWINE-80 integral distinguisher, where c is a 4-bit constant, a is a 4-bit active value, b is a 4-bit balanced value and ? is a 4-bit unknown value.
Figure BDA0002731872000000122
This family of zero-correlation linear approximations can then be converted into an integral distinguisher according to Theorem 2, as shown in Table 2. The integral distinguisher requires encryption under 2^4 different master keys, traversing 15 4-bit nibbles of the plaintext, after which the sum of the ciphertext bits at the corresponding positions is balanced. Since the attack requires 2^4 different keys, it is regarded as a related-key integral attack.
Results for TWINE-128
This embodiment determines two 18-round zero-correlation linear hulls, shown in Table 3, and their corresponding related-key integral distinguishers, shown in Table 4. The integral distinguisher requires 2^4 master keys and 2^(15×4) = 2^60 chosen plaintexts under each master key, so the total data complexity is 2^(60+4) = 2^64.
Table 3: two 18-round zero-correlation linear approximations of TWINE-128
Figure BDA0002731872000000131
Table 4: two 18-round integral distinguishers of TWINE-128
Figure BDA0002731872000000132
Figure BDA0002731872000000141
(2) Application to LBlock
LBlock is a lightweight 64-bit block cipher with an 80-bit key designed by Wu et al. in 2011. It follows a variant of the Feistel structure and has 32 rounds. The round function and key generation algorithm of LBlock are shown in fig. 7 and 8.
This embodiment determines a 15-round zero-correlation linear approximation of LBlock; the corresponding integral distinguisher requires 2^4 master keys and 2^(15×4) = 2^60 chosen plaintexts under each master key, giving a total data complexity of 2^(60+4) = 2^64.
(3) Application to SKINNY
SKINNY is a family of block ciphers designed on the TWEAKEY framework. This embodiment focuses on SKINNY-64/t, where t ∈ {64, 128, 192} is the size of the key adjustment (tweakey).
Zero-correlation linear hulls of the STK construction with TK-p. Using the method of this embodiment, the results of Ralph et al. on SKINNY can be recovered. In addition, this embodiment also searches for longer distinguishers for SKINNY-64/128 and SKINNY-64/192. To confirm the correctness of these results, the manual zero-correlation derivation method of Ralph et al. can also be used. In the key-adjustment expansion algorithm of SKINNY, the c-bit nibbles are updated independently of one another, so a single nibble of the key-adjustment expansion can be examined on its own when looking for the contradiction. For this purpose, Ralph et al. introduced the definition of the Γ sequence.
Definition 1(Γ sequence) from a given input linear mask Γ respectively0And outputs a linear mask ΓrForward and backward propagation with probability 1 are evaluated. Then, for any i, the Γ sequence is defined by the sequence of the (R +1) round, where Γ isr[h′r(i)]Active, inactive and arbitrary values that can be taken are stored in the r-th element.
A contradiction is caused when the Γ sequence is inactive for any i, i.e. when the ith block of the main adjustment Λ i is in the active mask, because the main adjustment can be obtained by xoring all the values in the Γ sequence. Furthermore, when there is only one valid value in the Γ sequence, spears are also caused when Λ [ i ] is a zero mask.
A tweakable block cipher based on the STK construction with TK-p has a zero-correlation linear hull under the following condition.
Proposition 1: If there is a pair of linear masks (Γ0, Γr) and a nibble position i such that the Γ sequence has at most p active mask blocks, then the tweakable block cipher has a non-trivial zero-correlation linear hull.
Proposition 1 shows that applying an inactive mask to the master tweakey nibble causes a contradiction whenever the number of active nibbles in the Γ sequence does not exceed the number p of parallel tweakey expansions in the STK construction.
Results of SKINNY-64/128
As shown in Table 7, this example finds a 14-round zero-correlation linear approximation for SKINNY-64/128. To illustrate the contradiction that leads to zero correlation, the propagation of the linear mask through the encryption data path and the tweakey-expansion data path is depicted in Fig. 9. The contradiction in the tweakey schedule can then be derived manually using Proposition 1.
This embodiment focuses on the tweakey nibble labelled 1, whose Γ sequence in the sense of Definition 1 is marked with red boxes. Since the Γ sequence has only two active nibbles and SKINNY-64/128 is based on TK-2, applying an inactive mask to this tweakey nibble yields the zero-correlation contradiction by Proposition 1.
The zero-correlation linear hull can then be converted into an integral distinguisher; the corresponding related-tweakey integral distinguisher is given in Table 8. The integral distinguisher requires 2^8 master tweakeys, with 2^(14×4) = 2^56 chosen plaintexts under each, for a total data complexity of 2^(56+8) = 2^64.
Table 7: Two 14-round zero-correlation linear approximations of SKINNY-64/128
Table 8: Two 14-round integral distinguishers of SKINNY-64/128
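The Γ-sequence argument of Definition 1 and Proposition 1, including the two-active-nibble TK-2 case used for SKINNY-64/128 above, worked through as an added example (this is not code from the patent, from Ralph et al. or from the SKINNY designers). It assumes 4-bit cells, the TK2/TK3 cell LFSRs of the SKINNY specification with no LFSR on TK1, and a caller-supplied count of LFSR updates for each use of the tracked cell; it goes beyond the text by also showing that with more than p active entries the Λ = 0 constraint can be satisfied, so no contradiction follows.

```python
# Added example (not from the patent): the Gamma-sequence contradiction check
# of Definition 1 / Proposition 1 for a single tweakey cell of a TK-p schedule.
# Assumptions: 4-bit cells; TK1 has no LFSR; TK2/TK3 use the SKINNY cell
# LFSRs; `counts` gives the LFSR updates the cell has received at each use.
from itertools import product

# 4x4 GF(2) matrices; row k holds the coefficients of output bit k over x0..x3.
IDENT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]
# TK2 cell LFSR: (x3||x2||x1||x0) -> (x2||x1||x0||x3^x2)
LFSR_TK2 = [[0, 0, 1, 1], [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]
# TK3 cell LFSR: (x3||x2||x1||x0) -> (x0^x3||x3||x2||x1)
LFSR_TK3 = [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [1, 0, 0, 1]]
LFSRS = [IDENT, LFSR_TK2, LFSR_TK3]

def mat_mul(a, b):
    return [[sum(a[i][k] & b[k][j] for k in range(4)) & 1 for j in range(4)]
            for i in range(4)]

def mat_pow_t(m, t):
    """Transpose of m^t: a mask pulls back through y = M x as Gx = M^T Gy."""
    r = IDENT
    for _ in range(t):
        r = mat_mul(r, m)
    return [[r[j][i] for j in range(4)] for i in range(4)]

def mat_vec(m, x):
    """Matrix-vector product over GF(2); nibble x has bit k = x_k."""
    y = 0
    for i in range(4):
        bit = 0
        for k in range(4):
            bit ^= m[i][k] & ((x >> k) & 1)
        y |= bit << i
    return y

def master_masks(gammas, counts, p):
    """(Lambda_1[i], ..., Lambda_p[i]): the round-tweakey cell is the XOR of the
    p master words after their LFSR updates, so every Gamma entry pulls back
    through (M_j^t)^T and the contributions of all rounds are XORed."""
    lam = [0] * p
    for j in range(p):
        for g, t in zip(gammas, counts):
            lam[j] ^= mat_vec(mat_pow_t(LFSRS[j], t), g)
    return tuple(lam)

def derives_contradiction(spec, counts, p):
    """spec entries: 0 (inactive), "A" (active, any non-zero nibble) or "*"
    (arbitrary). True when every admissible assignment gives a non-zero
    master-tweakey mask, which is incompatible with the Lambda = 0 constraint
    of the search: the linear hull then has correlation exactly zero."""
    choices = [range(1, 16) if s == "A" else range(16) if s == "*" else (0,)
               for s in spec]
    return all(any(master_masks(gammas, counts, p))
               for gammas in product(*choices))

if __name__ == "__main__":
    # Constructed Gamma sequences; counts 0,1,2 model one LFSR update between uses.
    print(derives_contradiction(["A", "A"], [0, 1], 2))          # TK-2, two active: True
    print(derives_contradiction(["A", "A", "A"], [0, 1, 2], 2))  # three > p: False
    print(derives_contradiction(["A", "A", "A"], [0, 1, 2], 3))  # TK-3, three active: True
```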
Example 2:
Embodiment 2 of the present disclosure provides a zero correlation linear cryptanalysis system, including:
a data acquisition module configured to: acquiring an adjustable block cipher to be analyzed;
a linear approximation expression acquisition module configured to: take the obtained adjustable block cipher as a vector Boolean function, construct a mapping relation between the plaintext, the secret key and the adjustment and the vector Boolean function, and set a linear approximation expression of the vector Boolean function;
a cryptanalysis module configured to: determine the correlation of a group of linear approximation expressions to be zero through the set propagation rule of the linear masks of the linear approximation expressions in the block cipher structure, obtain a zero correlation distinguisher and convert it into an integral distinguisher to judge whether a secret key used for reverse decryption is correct;
wherein the correlation of the zero correlation linear approximation expression is obtained by traversing all possible values of the plaintext, the secret key and the adjustment;
and the obtained zero correlation distinguisher is converted into an integral distinguisher to carry out a key recovery attack, and the additive balance of the integral distinguisher is verified by giving the plaintext, the key and the adjustment at special positions in a history table.
The working method of the system is the same as the zero correlation linear cryptanalysis method provided in embodiment 1, and is not described herein again.
Example 3:
Embodiment 3 of the present disclosure provides a computer-readable storage medium on which a program is stored; when the program is executed by a processor, it implements the steps of the zero correlation linear cryptanalysis method of embodiment 1, where the steps are:
acquiring an adjustable block cipher to be analyzed;
taking the obtained adjustable block cipher as a vector Boolean function, constructing a mapping relation between the plaintext, the secret key and the adjustment and the vector Boolean function, and setting a linear approximation expression of the vector Boolean function;
determining the correlation of a group of linear approximation expressions to be zero through the set propagation rule of the linear masks of the linear approximation expressions in the block cipher structure, obtaining a zero correlation distinguisher, and converting it into an integral distinguisher to judge whether a secret key used for reverse decryption is correct;
wherein the correlation of the linear approximation expression is verified by traversing all possible values of the plaintext, the key and the adjustment.
The obtained zero correlation distinguisher is converted into an integral distinguisher to carry out a key recovery attack, and the additive balance of the integral distinguisher is verified by giving the plaintext, the key and the adjustment at special positions in a history table;
the zero-sum and balance properties of the ciphertexts after encryption through the n-round distinguisher are obtained by traversing the plaintext, the secret key and the adjustment at the specific positions, so that it can be judged whether the key used for reverse decryption is correct.
The detailed steps are the same as those of the zero correlation linear cryptanalysis method provided in embodiment 1, and are not described herein again.
Example 4:
A fourth aspect of the present disclosure provides an electronic device, including a memory, a processor, and a program stored on the memory and executable on the processor, where the processor executes the program to implement the steps of the zero correlation linear cryptanalysis method according to the first aspect of the present disclosure, where the steps are:
acquiring an adjustable block cipher to be analyzed;
taking the obtained adjustable block cipher as a vector Boolean function, constructing a mapping relation between the plaintext, the secret key and the adjustment and the vector Boolean function, and setting a linear approximation expression of the vector Boolean function;
determining the correlation of a group of linear approximation expressions to be zero through the set propagation rule of the linear masks of the linear approximation expressions in the block cipher structure, obtaining a zero correlation distinguisher, and converting it into an integral distinguisher to judge whether a secret key used for reverse decryption is correct;
wherein the correlation of the linear approximation expression is verified by traversing all possible values of the plaintext, the key and the adjustment.
The obtained zero correlation distinguisher is converted into an integral distinguisher to carry out a key recovery attack, and the additive balance of the integral distinguisher is verified by giving the plaintext, the key and the adjustment at special positions in a history table;
the zero-sum and balance properties of the ciphertexts after encryption through the n-round distinguisher are obtained by traversing the plaintext, the secret key and the adjustment at the specific positions, so that it can be judged whether the key used for reverse decryption is correct.
The detailed steps are the same as those of the zero correlation linear cryptanalysis method provided in embodiment 1, and are not described herein again.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (10)

1. A zero correlation linear cryptanalysis method, comprising the steps of:
acquiring an adjustable block cipher to be analyzed;
taking the obtained adjustable block cipher as a vector Boolean function, constructing a mapping relation between the plaintext, the secret key and the adjustment and the vector Boolean function, and setting a linear approximation expression of the vector Boolean function;
determining the correlation of a group of linear approximation expressions to be zero through the propagation rule of the linear masks of the set linear approximation expressions in the block cipher structure, obtaining a zero correlation distinguisher and converting it into an integral distinguisher to judge whether a secret key used for reverse decryption is correct;
wherein the correlation of the linear approximation expression is verified by traversing the plaintext, the secret key and all possible values of the adjustment.
2. The zero correlation linear cryptanalysis method of claim 1, wherein in the zero correlation linear approximation expression, the plaintext, the key and the adjustment are treated equally;
or,
and converting the obtained zero correlation discriminator into an integral discriminator to carry out key recovery attack, and verifying the addition balance of the integral discriminator by giving a plaintext, a key and a special position for adjustment in a history table.
Or,
and obtaining the zero-sum and balance property of the ciphertext encrypted through the n-round distinguisher by traversing the plaintext, the key and the adjustment at the specific positions, and further judging whether the key used for reverse decryption is correct.
3. The zero correlation linear cryptanalysis method of claim 1, wherein the zero correlation linear approximation is obtained using a constraint-based approach.
4. The zero correlation linear cryptanalysis method of claim 3, wherein the constraint-based method specifically comprises:
establishing a model to describe the propagation of the linear mask in an encryption and key expansion data path;
adding a constraint that the linear mask of the master key adjustment is fixed to be zero, and setting masks of a plaintext, an adjustment and a ciphertext as given values;
and solving the model with STP to obtain linear approximations whose correlation value is zero.
5. The method of claim 1, wherein zero correlation linear approximations are searched for with standard SAT- or SMT-based tools in a unified block cipher framework.
6. The method of claim 1, wherein the zero correlation linear distinguisher is transformed into a related key adjustment (related-tweakey) integral distinguisher for key and ciphertext recovery, based on the relationship between zero correlation linear approximations and integral distinguishers.
7. The method of claim 1, wherein after multiple rounds of encryption, the mask on the block cipher comprises five parts: a mask on a plaintext, a mask on a key, a mask on an adjustment, a mask on a key adjustment after a multi-round key adjustment scheduling algorithm, and a mask on a ciphertext;
wherein the mask on key adjustment after multiple rounds of key adjustment scheduling algorithm is set to zero.
8. A zero correlation linear cryptanalysis system, comprising:
a data acquisition module configured to: acquiring an adjustable block cipher to be analyzed;
a linear approximation expression acquisition module configured to: take the obtained adjustable block cipher as a vector Boolean function, construct a mapping relation between the plaintext, the secret key and the adjustment and the vector Boolean function, and set a linear approximation expression of the vector Boolean function;
a cryptanalysis module configured to: determine the correlation of a group of linear approximation expressions to be zero through the propagation rule of the linear masks of the set linear approximation expressions in the block cipher structure, obtain a zero correlation distinguisher and convert it into an integral distinguisher to judge whether a secret key used for reverse decryption is correct;
the correlation of the zero correlation linear approximation expression is obtained by traversing all possible values of plaintext, the key and the adjustment.
9. A computer-readable storage medium on which a program is stored, which, when executed by a processor, carries out the steps of the zero correlation linear cryptanalysis method of any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a program stored on the memory and executable on the processor, wherein the processor implements the steps of the zero correlation linear cryptanalysis method of any one of claims 1-7 when executing the program.
CN202011120542.4A 2020-10-19 2020-10-19 Zero correlation linear code analysis method, system, medium and electronic equipment Active CN112398638B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011120542.4A CN112398638B (en) 2020-10-19 2020-10-19 Zero correlation linear code analysis method, system, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112398638A true CN112398638A (en) 2021-02-23
CN112398638B CN112398638B (en) 2022-04-26

Family

ID=74596016

Country Status (1)

Country Link
CN (1) CN112398638B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140198912A1 (en) * 2011-08-18 2014-07-17 Cisco Technology Inc. Block Cipher Modes of Non-Malleable Operation
CN107070632A (en) * 2017-03-15 2017-08-18 中国人民解放军信息工程大学 Impossible differential and zero correlation path automatic search method based on SAT

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAIFENG CHEN: "Improving algorithm 2 in multidimensional (zero-correlation) linear cryptanalysis using χ2-method", 《SPRINGER SCIENCE+BUSINESS MEDIA NEW YORK 2016》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant