Abstract
CAESAR is a worldwide cryptographic competition launched by Japan in 2013 to collect symmetric authenticated encryption algorithms. FASER is a family of authenticated ciphers submitted to the CAESAR competition, consisting of two ciphers: FASER128 and FASER256. Both are based on a stream cipher construction: taking the initial key and an initial random vector as inputs, they generate a pseudo-random keystream of the same length as the plaintext stream, and the ciphertext stream is obtained by XORing the keystream with the plaintext stream. FASER comprises an encryption algorithm and an authentication algorithm, and the authentication algorithm is similar to the encryption algorithm. This paper shows that the bits of the word output by FASER at each clock are strongly correlated. Based on this correlation, we give algebraic attacks on FASER128 and FASER256. We first present a state recovery attack on the encryption algorithm of FASER128 with time complexity of about 2^29 operations and data complexity of about 64 key words. We implemented the attack on an ordinary personal computer, where it recovers the state of FASER128 within a few minutes. Furthermore, we give a key recovery attack on FASER128 with time complexity of about 2^36 operations, which can be run in parallel on a multi-core computer; for instance, on a 32-core computer the secret key can be recovered in a few minutes. This shows that FASER128 is very insecure. Our attack can also be easily applied to FASER256, and at the end of the paper we present a practical state recovery attack on FASER256 with time complexity of no more than 2^48. As a result of our work, FASER was withdrawn in 2014.
Authors
FENG Xiu-Tao (冯秀涛); ZHANG Fan (张凡)
(Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing 100190, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100193, China)
Source
Journal of Cryptologic Research (《密码学报》)
CSCD
2018, Issue 1, pp. 83-93 (11 pages)
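Funding
National Natural Science Foundation of China (61572491)
Basic Science Center Project (11688101)
National Key Research and Development Program of China (2016YFB0800401)
Open Project of the State Key Laboratory of Information Security (2015-MS-03)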