摘要
轻量级分组密码RECTANGLE采用SPN结构,分组长度是64比特,密钥长度是80或128比特,迭代轮数是25轮。其采用比特切片技术,在软硬件实现方面均有很好的性能。本文以Matsui和Moriai等人的自动化搜索算法为基础,采用包珍珍等人提出的2种优化策略,对RECTANGLE-80版本进行相关密钥差分分析。我们对最窄点处的密钥状态差分进行限制,使最窄点密钥状态差分的汉明重量取值范围分别属于区间[1,1],[1,2],[1,3],[1,4],[1,5]五种情况,目的是求得此五种情况下前9轮相关密钥差分最大概率及其对应的路径。我们获得了此5种情况前8轮的最大概率及其对应的路径,前2种情况9轮最大概率及其对应路径和后3种情况9轮最大概率的上界。以上5种情况的结果显示,当取值范围属于后三种情况时,前8轮的最大概率是相同的,由此说明随着取值范围的扩大,最大概率趋向稳定。当最窄点密钥状态差分的汉明重量取值范围属于[1,1]或[1,2]时,9轮的最大概率为2^-42。当取值范围分别是[1,3],[1,4]和[1,5]时,9轮最大概率的上界分别是2^-41,2^-37,2^-34。我们预测9轮最大概率的上界是2^-41,由此可以预测18轮的最大概率的上界是2^-82,从而RECTANGLE-80可以抵抗相关密钥差分分析。这是目前RECTANGLE抵抗相关密钥密码分析安全性评估最好结果。
RECTANGLE is a 25-round SP-network with a 64-bit block length and a 80-bit or 128-bit seed key. It uses bit-slice technique to have good performance on both hardware and software platforms. Based on Matsui and Moriai et al's approaches and two strategies proposed by Zhenzhen Bao et al., we investigate the security of RECTANGLE against related-key differential cryptanalysis by restricting the Hamming weights of the key difference at the narrowest point to the following 5 ranges:[1,1],[1,2],[1,3],[1,4], or[1,5]. Our purpose is to obtain the best reduced-round related-key differential characteristics in RECTANGLE. As a result, we obtain the best related-key differential characteristics of the first eight rounds in the five cases, the best related-key differential characteristics of nine rounds in the first two cases, and an upper bound on probabilities of the best related-key differential characteristic of nine rounds in the last three cases. Our results show that the probabilities of the best characteristics on the first eight rounds are the same in the last three cases. Hence, with the expansion of the range on Hamming weights, the probability of the best characteristics tend to be stable. When the Hamming weights belong to[1,1] or[1,2], the probability of the best 9-round characteristic is 2^-42. When Hamming weights belong to[1,3],[1,4] or[1,5], the probability of the best 9-round characteristic is 2^-41, 2^-37, 2^-34 respectively. We predict that the upper bound on probability of the best 9-round related-key differential characteristic is 2^-41. Therefore, the upper bound on probability of the best 18-round related-key differential characteristic is 2^-82, which shows that RECTANGLE-80 have enough security against related-key differential cryptanalysis.
作者
王沙沙
张文涛
向泽军
WANG Shasha;ZHANG Wentao;XIANG Zejun(State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
出处
《信息安全学报》
CSCD
2019年第4期94-108,共15页
Journal of Cyber Security
基金
国家自然科学基金(No.61379138)
信息保障技术重点实验室开放基金(No.KJ-15-003)资助