8轮Kiasu-BC的多重不可能差分攻击

Multiple Impossible Differentials Cryptanalysis on 8-round Kiasu-BC

Jean等人在2014年亚密会上提出可调密钥的算法框架,并在AES-128基础上,新增64比特调柄,得到了新的可调分组密码——Kiasu-BC.算法设计者声称Kiasu-BC相较于其它基于AES的可调分组密码而言,算法结构更简洁、加密过程更高效,并在2014年提交至CAESAR竞赛.因此,对可调分组密码的设计而言,研究新增调柄的安全性,具有极其重要的意义.本文借鉴了调柄生成的非零差分会抵消攻击路径差分的思想,提出了在单密钥模式下对8轮Kiasu-BC的多重不可能差分攻击.利用构造的三条攻击路径,可重复使用明文对轮密钥进行多次筛选,从而提高轮密钥筛选效率.此外,我们综合运用了一系列技术如"early abort"技术、明文早夭技术、基于密钥扩展方案的轮密钥筛选技术等,改进了Kiasu-BC算法不可能差分攻击的时间、数据和存储复杂度.本文的时间、数据和存储复杂度分别为2^(115.5)次8轮加密和2^(109.8)次查表、2^(116)选择明文和2^(97.6)字节.这是已知对Kiasu-BC最好的不可能差分攻击结果.

At Asia Crypt 2014, Jean et al. presented the TWEAKEY framework and a tweakable block cipher Kiasu-BC which was based on the AES-128 and added 64 bits tweak. The designers claimed that Kiasu-BC is more lightweight and faster than other tweakable block ciphers from AES,and submitted Kiasu-BC to CAESAR authenticated encryption competition in 2014. This shows that a cryptanalysis of the additional tweak is highly important for the design of tweakable block ciphers.This paper takes advantage of the idea that non-zero tweak difference may cancel the difference in the attack trails, and presents multiple impossible differentials cryptanalysis on 8-round Kiasu-BC in the single-key model. Utilizing constructed three attack trails, we can reuse the plaintexts and multiple sieve subkeys, so as to improve the efficiency of sieving subkey. Furthermore, we use a combination of various techniques, such as early abort technique, the new early abort technique, the master key sieving technique based on key schedule algorithm, to improve the previous best impossible differential cryptanalysis on the time, data and memory complexities. The time, data, memory complexities are 2^（115.5） of 8-round Kiasu-BC encryptions and 2^（109.8） lookups, 2^（116） chosen plaintexts and 2^（97.6） bytes,respectively. This is so far the best result for impossible differential cryptanalysis of Kiasu-BC.