μ^(2)算法的积分攻击和不可能差分攻击

Integral Cryptanalysis and Impossible Differential Cryptanalysis of theμ^(2) Algorithm

2算法是由Yeoh等人设计的一种轻量级分组密码算法(doi:10.1007/978-981-15-0058-9-27),该算法全轮共15轮,采用TYPE-II广义Feistel结构,Yeoh等人在设计文档中对μ^(2)算法抵抗差分分析、线性分析的能力进行了评估,但μ^(2)算法抵抗积分攻击和不可能差分分析的能力目前尚不清楚。该文给出了μ^(2)算法的8轮和9轮积分区分器和9轮不可能差分,利用8轮积分区分器,对9轮μ^(2)算法进行了积分攻击,攻击的时间复杂度为2^(76)次9轮加密,数据复杂度为2^(48),存储复杂度为2^(48);利用9轮不可能差分,对11轮μ^(2)算法进行了不可能差分分析,攻击的时间复杂度为2^(49)次11轮加密,数据复杂度为2^(64)对明文。结果表明,9轮的μ^(2)算法不能抵抗积分攻击,11轮的μ^(2)算法不能抵抗不可能差分分析。另外,该文对μ^(2)算法抵抗差分攻击的能力进一步评估并证明4轮μ^(2)算法的差分特征的最大概率为2^(-39),与设计报告指出的4轮差分特征的概率不超过2^(-36)相比结果更为紧致。

μ^(2)is a lightweight block cipher designed by Yeoh et al(doi:10.1007/978-981-15-0058-9-27).The cipher has 15 rounds in total and adopts TYPE-II generalized feistel network.The ability of theμ^(2)algorithm to resist differential analysis and linear analysis is evaluated by Yeoh et al.in the design document,but the ability ofμ^(2)algorithm to resist integral attack and impossible differential attack is not clear.In this paper,8/9-round integral distinguishers and 9-round impossible difference are given.Using 8-round integral distinguishers,9-roundμ^(2)is attacked and the time complexity of the attack is 2^(76)9-round encryptions,the data complexity is 2^(48),and the memory complexity is 2^(48).Using 9-round impossible difference,11-roundμ^(2)is attacked and the time complexity of the attack is 2^(49)11-round encryptions,the data complexity is 2^(64) pairs of plaintexts.The results show that the 9-roundμ^(2)algorithm can not resist integral attack,and the 11-roundμ^(2)algorithm can not resist impossible differential analysis.In addition,the ability ofμ^(2)algorithm to resist differential attack is reevaluated,and the maximum probability of differential characteristic of 4-roundμ^(2)algorithm is 2^(-39),which is more compact than the probability 2^(-36)pointed out in the design report.