CN109450632B - Key recovery method based on white-box block cipher CLEFIA analysis - Google Patents

Info

Publication number
CN109450632B
Authority
CN
China
Prior art keywords
vector
affine
lookup table
input
bit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910025008.6A
Other languages
Chinese (zh)
Other versions
CN109450632A (en)
Inventor
宫雅婷
陈杰
姚思
徐东
童鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University
Priority to CN201910025008.6A
Publication of CN109450632A
Application granted
Publication of CN109450632B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Compression, Expansion, Code Conversion, And Decoders (AREA)

Abstract

A key recovery method based on white-box block cipher CLEFIA analysis, comprising the steps of: 1. selecting 16 lookup tables which are composed of two adjacent rounds of nonlinear transformation and contain keys; 2. selecting an 8-in 32-out lookup table; 3. obtaining affine mapping; 4. generating a nonlinear lookup table containing keys of two adjacent rounds; 5. constructing an array; 6. generating affine lookup tables containing the keys of two adjacent rounds; 7. constructing a coding set; 8. judging whether all vectors in the array are selected; 9. judging whether 16 lookup tables are selected; 10. recovering the key. The key recovery method of the invention analyzes two consecutive rounds of the white-box block cipher CLEFIA, which is used to provide protection in a white-box environment, thereby improving the space utilization and the time efficiency of recovering the key of the white-box block cipher CLEFIA.

Description

Key recovery method based on white-box block cipher CLEFIA analysis
Technical Field
The invention belongs to the technical field of computers, and further relates to a key recovery method based on CLEFIA analysis in the technical field of information security. The invention can be used to recover key information from the white-box block cipher CLEFIA, and improves the space utilization and the time efficiency of recovering the key of the white-box block cipher CLEFIA.
Background
With the rapid development of information technology, cryptographic algorithms are widely applied in important fields such as the military and the economy to protect the security of information. Given the importance of cryptographic algorithms, analyzing and studying their software and hardware implementations (cryptographic modules) is of great significance for protecting information security. In recent years, various analyses of cryptographic modules have become widely known in the industry, and the environments in which cryptographic modules operate are mainly classified as "black-box", "gray-box" and "white-box" environments. In the "black-box" environment, an analyst can at most access the input plaintext and the output ciphertext, and has no access to the execution of the implementation; in the "gray-box" environment, an analyst can obtain more information through timing analysis and electromagnetic analysis; in the "white-box" environment, an analyst can freely observe the execution of dynamic code and even change the details of the internal algorithm. This goes beyond the traditional model of cryptanalysis: the analyst has strong attack capability and the attack is easy to carry out. In recent years, more and more devices operate in a "white-box" attack environment. To provide cryptographic protection in this environment, Chow et al. first proposed the idea of white-box cryptography, which is to convert a block cipher implementation into a network of lookup tables and to mix the input and the output of each round with random bijective functions, so as to hide the key information.
In recent years, there has been an increasing analysis of white-box implementations of block ciphers, for example, key extraction from white-box implementations of block ciphers DES and AES, and thus key extraction from CLEFIA white-box implementations constructed based on the white-box cryptographic idea is also possible.
The paper "An Ultra-Lightweight White-Box Encryption Scheme for Securing Resource-Constrained IoT Devices" by Shi, Wujing Wei, Zongjian He, and Hongfeng Fan (In Proceedings of the 32nd Annual Conference on Computer Security Applications, Los Angeles, California, 2016, pp. 16-29) discloses a key recovery method that enables analysis of a white-box implementation of the block cipher CLEFIA. The method combines the 32 in-8 out lookup tables of each round in the white-box implementation of the block cipher CLEFIA to obtain the round function of each round, and from it the inverse operation of the round function of each round; according to the inverse operation of the round function it constructs the 32 in-8 out reversible lookup tables used by each round, constructs 576 in-8 out reversible lookup tables over the 18 rounds of the white-box implementation of the block cipher CLEFIA, recovers plaintext information for a given ciphertext, and further recovers key information. However, the method has the disadvantages that it needs a large number of rounds and that the required lookup tables occupy a large storage space in the process of recovering the block cipher CLEFIA key.
The patent "DPA attack and key recovery method and system of smart card SM4 algorithm" (patent application No. 201310445225.3, publication No. CN 103546277B), owned by Beijing Handshake Data Systems Limited, discloses a DPA (Differential Power Analysis) attack and key recovery method for the smart card SM4 algorithm. The method first carries out a DPA attack on the first 4 rounds of the encryption process of the block cipher SM4 to obtain the sub-keys of the first 4 rounds, and recovers the SM4 master key from the obtained 4 round keys. The method has the disadvantages that the rounds required in the key recovery process are fixed as the first 4 rounds, which lacks randomness, and that extra time is required to calculate the position of the rounds, which reduces the time efficiency of key recovery.
Disclosure of Invention
The present invention aims to solve the above-mentioned deficiencies of the prior art and to provide a key recovery method based on the CLEFIA analysis of white-box block ciphers.
The specific idea for realizing the purpose of the invention is as follows: from the 144 key-containing lookup tables formed by the 18 rounds of nonlinear transformation of the white-box block cipher CLEFIA, select the 16 key-containing lookup tables formed by any two adjacent rounds of nonlinear transformation; use these 16 lookup tables to generate 16 key-containing nonlinear lookup tables and 16 affine mappings, such that the generated 16 key-containing nonlinear lookup tables and the S-boxes of the block cipher CLEFIA containing the same keys satisfy an affine equivalence relation; recover the affine lookup tables and the key-containing vectors in the affine equivalence relation by constructing an encoding set; and recover the key information by using the affine lookup tables and the key-containing vectors that satisfy the conditions, together with the affine mappings.
The method comprises the following specific steps:
(1) selecting the 16 key-containing lookup tables formed by any two adjacent rounds of nonlinear transformation from the 144 key-containing lookup tables formed by the 18 rounds of nonlinear transformation of the white-box block cipher CLEFIA;
(2) randomly selecting an unselected lookup table from the 16 lookup tables as an 8-in 32-out lookup table;
(3) obtaining an affine mapping:
(3a) randomly selecting a 32-bit row vector from the 8-in 32-out lookup table as an affine vector;
(3b) randomly selecting 8 different 32-bit row vectors from the 8-in 32-out lookup table, transposing each of the 8 row vectors to obtain 8 column vectors, and sequentially connecting the 8 column vectors to form a matrix as a linear matrix, wherein each selection of 8 row vectors includes at least one row vector that has not been selected before;
(3c) judging whether the rank of the linear matrix is equal to the number of columns of the linear matrix; if so, the invertible linear matrix is obtained and step (3d) is executed, otherwise, step (3b) is executed;
(3d) the affine vector and the invertible linear matrix are combined into an affine map obtained using an 8 in 32 out lookup table using the following equation:
Figure BDA0001942152850000031
where, δ represents an affine mapping,
Figure BDA0001942152850000032
representing an exclusive or operation, b representing an affine vector,
Figure BDA0001942152850000033
representing a join operation, M represents an invertible linear matrix;
(4) generating two adjacent rounds of non-linear lookup tables containing keys:
(4a) randomly selecting an unselected 8-bit vector from the inputs of 8-in 32-out lookup tables as the input of a nonlinear lookup table in the current iteration;
(4b) inverting the affine mapping to obtain inverse affine mapping corresponding to the affine mapping;
(4c) in the 8-in 32-out lookup table, looking up the output of the 8-in 32-out lookup table corresponding to the input of the nonlinear lookup table in the current iteration, and using the output to pre-multiply the inverse affine mapping to obtain an 8-bit vector which is used as the output forming a mapping relation with the input of the nonlinear lookup table in the current iteration;
(4d) the input of the nonlinear lookup table during current iteration and the output which forms a mapping relation with the input are put into the nonlinear lookup table during current iteration;
(4e) judging whether all the inputs of the 8-in 32-out lookup table have been selected; if so, the nonlinear lookup table is obtained and step (5) is executed, otherwise, step (4a) is executed;
(5) constructing an array of length 2^8, in which the 2^8 8-bit vectors are stored;
(6) generating two adjacent rounds of affine lookup tables containing keys:
(6a) randomly selecting an unselected vector from the array;
(6b) constructing an empty affine lookup table;
(6c) randomly selecting an unselected 8-bit vector from the input of 8-in 32-out lookup tables as the input of an affine lookup table in the current iteration;
(6d) carrying out exclusive OR operation on the input of the affine lookup table during current iteration and the selected vector, and searching an output corresponding to an exclusive OR value in an inverse S box of the block cipher CLEFIA to be used as an intermediate output;
(6e) searching for an output corresponding to the intermediate output value from the affine lookup table during current iteration, taking the output as an output forming a mapping relation with the input of the affine lookup table during current iteration, and putting the input and the output forming the mapping relation into the affine lookup table during current iteration;
(6f) judging whether all the inputs of the 8-in 32-out lookup table have been selected; if so, the affine lookup table is obtained and step (7) is executed, otherwise, step (6c) is executed;
(7) constructing a coding set:
(7a) obtaining an output vector pair from the affine lookup table by using a vector pair generation method, and carrying out XOR operation on two vectors in the vector pair to obtain a 32-bit vector as a check vector;
(7b) obtaining a 32-bit vector from the affine lookup table by using a vector generation method as a verification vector;
(7c) if the bit value of each element in the check vector is equal to the bit value of the corresponding position element in the verification vector, putting the affine lookup table and the vector selected in the step (7a) into an encoding set;
(8) judging whether all vectors in the array are selected, if so, executing the step (9), otherwise, executing the step (6);
(9) judging whether 16 lookup tables are selected, if so, executing the step (10), otherwise, executing the step (2);
(10) recovering the key:
(10a) calculating 32-bit sub-keys contained in 4 lookup tables corresponding to each branch in the next round of two adjacent rounds by using the following formula, wherein each lookup table contains 8-bit sub-keys:
Figure BDA0001942152850000041
where
Figure BDA0001942152850000042
represents the 32-bit sub-key contained in the 4 lookup tables corresponding to the ith branch in the (r-1)-th round and the r-th round, two consecutive rounds of the white-box block cipher CLEFIA, where r = 1, 2, 3, ..., 18 and i = 1, 3,
Figure BDA0001942152850000043
represents that 1 8-bit vector is selected from each coding set corresponding to the ith branch of the r-th round of nonlinear transformation, the selected 4 vectors are sequentially connected into a 32-bit vector, theta represents cumulative exclusive-or operation,
Figure BDA0001942152850000044
represents the affine mapping generated by the jth lookup table of the 4 lookup tables corresponding to the ith branch of the r-1 th round of nonlinear transformation, wherein j is 0,1,2,3,
Figure BDA0001942152850000045
expressing that the output corresponding to the 8bit all 0 vector is searched in the jth affine lookup table of the 4 affine lookup tables corresponding to the ith branch in the r-1 round of nonlinear transformation;
(10b) the two 32-bit
Figure BDA0001942152850000046
are concatenated in order to obtain a 64-bit key.
Compared with the prior art, the invention has the following advantages:
First, the invention selects the 16 key-containing lookup tables corresponding to any two adjacent rounds of transformation of the white-box block cipher CLEFIA and generates an encoding set consisting of the key-containing nonlinear lookup tables and affine lookup tables of the two adjacent rounds. This reduces the required number of rounds to two and overcomes the technical problems of the prior art, in which recovering the block cipher CLEFIA key requires many rounds and the required lookup tables occupy a large storage space. The invention therefore effectively saves lookup table storage space and improves space utilization in the key recovery process.
Second, because the invention selects any two adjacent rounds of transformation of the white-box block cipher CLEFIA and recovers the key from the analysis of the two selected rounds, the rounds required for key recovery change from the fixed first 4 rounds to two randomly selected adjacent rounds. This overcomes the technical problems of the prior art, which requires the first 4 rounds, lacks randomness, and needs extra time to calculate the round position, reducing the time efficiency of key recovery. The invention can randomly select two adjacent rounds to analyze, which reduces the time required to determine the round position and improves the computational efficiency of the key recovery process.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The steps performed by the present invention will be described in further detail with reference to fig. 1.
Step 1. Select the 16 key-containing lookup tables formed by any two adjacent rounds of nonlinear transformation from the 144 key-containing lookup tables formed by the 18 rounds of nonlinear transformation of the white-box block cipher CLEFIA.
The white-box block cipher CLEFIA obtains 128-bit output data by passing 128-bit input data through 18 rounds of identical nonlinear transformation in which the key participates. In each round of nonlinear transformation, in which a 64-bit key participates, the 128-bit input data is divided into 4 branches of input data, and the nonlinear transformation of the 1st branch and the 3rd branch of input data can be represented by 8 lookup tables containing keys. Over the 18 rounds of nonlinear transformation, 144 equivalent lookup tables containing keys are used. Each lookup table can be expressed as
Figure BDA0001942152850000051
where r = 1, 2, ..., 18, i = 1, 3, and j = 0, 1, 2, 3. Each lookup table contains an 8-bit key, an 8-bit input decoding and a 32-bit output encoding. The 4 8-bit input decodings contained in the 4 lookup tables corresponding to the ith branch of the r-th round of nonlinear transformation
Figure BDA0001942152850000052
are concatenated in order into the 32-bit input decoding
Figure BDA0001942152850000053
and the 4 32-bit output encodings contained in the 4 lookup tables corresponding to the ith branch of the (r-1)-th round of nonlinear transformation
Figure BDA0001942152850000054
where
Figure BDA0001942152850000055
denotes the concatenation operation.
Step 2. Randomly select an unselected lookup table from the 16 lookup tables as the 8-in 32-out lookup table.
Step 3. Obtain the affine mapping.
(3.1) randomly selecting a 32-bit row vector from the 8-in 32-out lookup table as an affine vector
Figure BDA0001942152850000061
(3.2) randomly selecting 8 different 32-bit row vectors from the 8-in 32-out lookup table, respectively transposing the 8 row vectors to obtain 8 column vectors, and sequentially connecting the 8 column vectors to form a matrix as a linear matrix
Figure BDA0001942152850000062
Each selection of 8 row vectors includes at least one row vector that has not been selected before.
(3.3) Judge whether the rank of the linear matrix is equal to the number of columns of the linear matrix; if so, the invertible linear matrix is obtained and step (3.4) is executed, otherwise, step (3.2) is executed.
When the rank of the linear matrix is equal to its number of columns, the invertible linear matrix of this step is obtained; because the linear matrix is invertible, the affine mapping formed from it is also invertible.
(3.4) combining the affine vector and the invertible linear matrix into an affine map obtained using an 8 in 32 out lookup table using the following equation:
Figure BDA0001942152850000063
where, δ represents an affine mapping,
Figure BDA0001942152850000064
representing an exclusive or operation, b representing an affine vector,
Figure BDA0001942152850000065
representing a join operation, and M represents an invertible linear matrix.
Step 4. Generate the nonlinear lookup tables containing the keys of two adjacent rounds, wherein the nonlinear lookup table Q and the S-box lookup table S of the block cipher CLEFIA containing the same key satisfy the following formula
Figure BDA0001942152850000066
where
Figure BDA0001942152850000067
is an affine transformation and
Figure BDA0001942152850000068
is an 8-bit vector.
Figure BDA0001942152850000069
where
Figure BDA00019421528500000610
represents an affine mapping,
Figure BDA00019421528500000611
denotes the composition operation, and M_{i,j} represents the j-th 32 x 8 diffusion sub-matrix of the i-th branch of the white-box block cipher CLEFIA.
(4.1) Randomly select an unselected 8-bit vector from the inputs of the 8-in 32-out lookup table as the input of the nonlinear lookup table at the current iteration.
(4.2) Invert the affine mapping to obtain the inverse affine mapping corresponding to the affine mapping.
(4.3) In the 8-in 32-out lookup table, look up the output corresponding to the input of the nonlinear lookup table at the current iteration, and use that output to pre-multiply the inverse affine mapping to obtain an 8-bit vector, which is the output mapped to the input of the nonlinear lookup table at the current iteration.
(4.4) Put the input of the nonlinear lookup table at the current iteration, together with the output mapped to it, into the nonlinear lookup table at the current iteration.
(4.5) Judge whether all the inputs of the 8-in 32-out lookup table have been selected; if so, the nonlinear lookup table is obtained and step 5 is executed, otherwise, (4.1) of this step is executed.
Step 5. Construct an array of length 2^8, in which the 2^8 8-bit vectors are stored.
Step 6. Generate the affine lookup tables containing the keys of two adjacent rounds.
(6.1) randomly selecting an unselected vector from the array
Figure BDA0001942152850000071
(6.2) constructing an empty affine lookup table.
(6.3) randomly selecting an unselected 8-bit vector from the 8-in 32-out lookup table input as the affine lookup table input at the current iteration.
(6.4) XOR-ing the input of the affine lookup table at the current iteration with the selected vector, looking up the output corresponding to the XOR value in the inverse S-box of the block cipher CLEFIA as an intermediate output.
(6.5) looking up an output corresponding to the intermediate output value from the affine lookup table at the time of the current iteration, taking the output as an output forming a mapping relation with the input of the affine lookup table at the time of the current iteration, and putting the input and the output forming the mapping relation into the affine lookup table at the time of the current iteration.
(6.6) judging whether all the inputs in 8-input 32-output lookup tables are selected, if so, executing step 7 after obtaining the affine lookup tables, otherwise, executing (6.3) of the step.
Step 7. Construct a coding set.
Obtain an output vector pair from the affine lookup table by using the vector pair generation method, and XOR the two vectors in the vector pair to obtain a 32-bit vector as the check vector.
The vector pair generation method comprises the following steps:
Step 1: select two arbitrary vectors from the array that have not been selected before to form an input vector pair.
Step 2: look up, in the affine lookup table at the current iteration, the output corresponding to each vector in the input vector pair, and construct an output vector pair from the two outputs.
Step 3: look up, in the affine lookup table at the current iteration, the output vector corresponding to the 8-bit all-0 vector in the array, as the intermediate verification vector.
Step 4: XOR the two elements of the input vector pair, look up the output corresponding to the XOR value in the affine lookup table at the current iteration, and XOR that output with the intermediate verification vector to obtain a 32-bit vector as the verification vector.
Obtain a 32-bit vector from the affine lookup table by using the vector generation method, as the verification vector.
The vector generation method comprises the following steps:
Step 1: select two arbitrary vectors from the array that have not been selected before to form an input vector pair.
Step 2: look up, in the affine lookup table at the current iteration, the output corresponding to each vector in the input vector pair, and construct an output vector pair from the two outputs.
If the bit value of each element in the check vector is equal to the bit value of the element at the corresponding position in the verification vector, the affine lookup table and the selected vector are put into the coding set. The inputs of the affine lookup table in this step and the outputs mapped to them satisfy the affine transformation
Figure BDA0001942152850000081
The vectors in the coding set are the vectors
Figure BDA0001942152850000082
Step 8. Judge whether all vectors in the array have been selected; if so, execute step 9, otherwise, execute step 6.
Step 9. Judge whether all 16 lookup tables have been selected; if so, execute step 10, otherwise, execute step 2.
Step 10. Recover the key.
Calculating 32-bit sub-keys contained in 4 lookup tables corresponding to each branch in the next round of two adjacent rounds by using the following formula, wherein each lookup table contains 8-bit sub-keys:
Figure BDA0001942152850000083
where
Figure BDA0001942152850000084
represents the 32-bit sub-key contained in the 4 lookup tables corresponding to the ith branch in the (r-1)-th round and the r-th round, two consecutive rounds of the white-box block cipher CLEFIA, where r = 1, 2, 3, ..., 18 and i = 1, 3,
Figure BDA0001942152850000085
represents that 1 8-bit vector is selected from each coding set corresponding to the ith branch of the r-th round of nonlinear transformation, the selected 4 vectors are sequentially connected into a 32-bit vector, theta represents cumulative exclusive-or operation,
Figure BDA0001942152850000086
represents the affine mapping generated by the jth lookup table of the 4 lookup tables corresponding to the ith branch of the r-1 th round of nonlinear transformation, wherein j is 0,1,2,3,
Figure BDA0001942152850000087
indicating that the output corresponding to the 8bit all 0 vector is looked up from the jth affine lookup table of the 4 affine lookup tables corresponding to the ith branch of the r-1 round of nonlinear transformation.
The two 32-bit
Figure BDA0001942152850000088
are concatenated in order to obtain a 64-bit key.
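Added example, not part of the patent: a Python sketch of the two GF(2) checks the procedure relies on, the rank test of steps (3.2)-(3.3) and the check-vector versus verification-vector comparison of step 7, run on constructed 8-in 32-out tables. The shuffled S-box, the random 32 x 8 matrix, the offset and the key byte are stand-ins built for the demonstration; they are not CLEFIA's S-boxes or diffusion matrices, and all function names are hypothetical.

```python
import random


def gf2_rank(vectors):
    """Rank over GF(2) of bit vectors packed into Python ints."""
    pivots = {}  # leading-bit position -> reduced vector owning that pivot
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]  # cancel the leading bit and keep reducing
    return len(pivots)


def select_independent_rows(table, rng, count=8):
    """Steps (3.2)-(3.3): draw `count` distinct rows, redraw until rank == count."""
    while True:
        inputs = rng.sample(range(len(table)), count)
        rows = [table[x] for x in inputs]
        if gf2_rank(rows) == count:
            return inputs, rows


def first_affinity_violation(table):
    """Step 7 comparison over every input pair of an 8-bit-input table.

    check vector        = T[x] ^ T[y]
    verification vector = T[x ^ y] ^ T[0]
    Returns None when both agree for all pairs (T is affine over GF(2)),
    otherwise the first pair (x, y) where they differ.
    """
    n = len(table)  # must be a power of two so that x ^ y stays in range
    for x in range(n):
        for y in range(x + 1, n):
            if table[x] ^ table[y] != table[x ^ y] ^ table[0]:
                return (x, y)
    return None


def apply_matrix(columns, x):
    """Multiply the GF(2) matrix with the given columns by the bit vector x."""
    out = 0
    for j, col in enumerate(columns):
        if (x >> j) & 1:
            out ^= col
    return out


def build_constructed_tables(seed=1):
    """Build two constructed 8-in 32-out tables (demo data, not CLEFIA).

    affine[x] = M*x ^ b             purely affine table
    keyed[x]  = M*S[x ^ k] ^ b      S-box and key byte under an affine encoding
    """
    rng = random.Random(seed)
    sbox = list(range(256))
    rng.shuffle(sbox)  # stand-in bijective S-box (assumption)
    while True:  # random 32 x 8 matrix with full column rank (assumption)
        cols = [rng.getrandbits(32) for _ in range(8)]
        if gf2_rank(cols) == 8:
            break
    offset = rng.getrandbits(32)
    key_byte = rng.randrange(256)
    affine = [apply_matrix(cols, x) ^ offset for x in range(256)]
    keyed = [apply_matrix(cols, sbox[x ^ key_byte]) ^ offset for x in range(256)]
    return affine, keyed


if __name__ == "__main__":
    affine, keyed = build_constructed_tables()
    inputs, rows = select_independent_rows(keyed, random.Random(7))
    print("rows chosen at inputs", inputs, "rank", gf2_rank(rows))
    print("affine table violation:", first_affinity_violation(affine))
    print("keyed table violation: ", first_affinity_violation(keyed))
```

The comparison passes for the purely affine table and fails for the table that still contains the S-box, which is the distinction the coding-set test in step 7 draws.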

Claims (4)

1. A key recovery method based on white-box block cipher CLEFIA analysis is characterized in that 16 lookup tables containing keys and formed by any two adjacent rounds of nonlinear transformation are selected, two adjacent rounds of nonlinear lookup tables containing keys are generated according to the selected lookup tables, two adjacent rounds of affine lookup tables containing keys are generated according to the generated nonlinear lookup tables, an encoding set is constructed, and the keys are recovered from two rounds of analysis selected by the white-box block cipher CLEFIA, and the method specifically comprises the following steps:
(1) selecting the 16 key-containing lookup tables formed by any two adjacent rounds of nonlinear transformation from the 144 key-containing lookup tables formed by the 18 rounds of nonlinear transformation of the white-box block cipher CLEFIA;
(2) randomly selecting an unselected lookup table from the 16 lookup tables as an 8-in 32-out lookup table;
(3) obtaining an affine mapping:
(3a) randomly selecting a 32-bit row vector from the 8-in 32-out lookup table as an affine vector;
(3b) randomly selecting 8 different 32-bit row vectors from the 8-in 32-out lookup table, transposing each of the 8 row vectors to obtain 8 column vectors, and sequentially connecting the 8 column vectors to form a matrix as a linear matrix, wherein each selection of 8 row vectors includes at least one row vector that has not been selected before;
(3c) judging whether the rank of the linear matrix is equal to the number of columns of the linear matrix; if so, the invertible linear matrix is obtained and step (3d) is executed, otherwise, step (3b) is executed;
(3d) the affine vector and the invertible linear matrix are combined into an affine map obtained using an 8 in 32 out lookup table using the following equation:
Figure FDA0002345894630000011
where, δ represents an affine mapping,
Figure FDA0002345894630000012
representing an exclusive or operation, b representing an affine vector,
Figure FDA0002345894630000013
representing a join operation, M represents an invertible linear matrix;
(4) generating two adjacent rounds of non-linear lookup tables containing keys:
(4a) randomly selecting an unselected 8-bit vector from the inputs of 8-in 32-out lookup tables as the input of a nonlinear lookup table in the current iteration;
(4b) inverting the affine mapping to obtain inverse affine mapping corresponding to the affine mapping;
(4c) in the 8-in 32-out lookup table, looking up the output of the 8-in 32-out lookup table corresponding to the input of the nonlinear lookup table in the current iteration, and using the output to pre-multiply the inverse affine mapping to obtain an 8-bit vector which is used as the output forming a mapping relation with the input of the nonlinear lookup table in the current iteration;
(4d) the input of the nonlinear lookup table during current iteration and the output which forms a mapping relation with the input are put into the nonlinear lookup table during current iteration;
(4e) judging whether all the inputs of the 8-in 32-out lookup table have been selected; if so, the nonlinear lookup table is obtained and step (5) is executed, otherwise, step (4a) is executed;
(5) constructing an array of length 2^8, in which the 2^8 8-bit vectors are stored;
(6) generating two adjacent rounds of affine lookup tables containing keys:
(6a) randomly selecting an unselected vector from the array;
(6b) constructing an empty affine lookup table;
(6c) randomly selecting an unselected 8-bit vector from the input of 8-in 32-out lookup tables as the input of an affine lookup table in the current iteration;
(6d) carrying out exclusive OR operation on the input of the affine lookup table during current iteration and the selected vector, and searching an output corresponding to an exclusive OR value in an inverse S box of the block cipher CLEFIA to be used as an intermediate output;
(6e) searching for an output corresponding to the intermediate output value from the affine lookup table during current iteration, taking the output as an output forming a mapping relation with the input of the affine lookup table during current iteration, and putting the input and the output forming the mapping relation into the affine lookup table during current iteration;
(6f) judging whether all the inputs of the 8-in 32-out lookup table have been selected; if so, the affine lookup table is obtained and step (7) is executed, otherwise, step (6c) is executed;
(7) constructing a coding set:
(7a) obtaining an output vector pair from the affine lookup table by using a vector pair generation method, and carrying out XOR operation on two vectors in the vector pair to obtain a 32-bit vector as a check vector;
(7b) obtaining a 32-bit vector from the affine lookup table by using a vector generation method as a verification vector;
(7c) if the bit value of each element in the check vector is equal to the bit value of the corresponding position element in the verification vector, putting the affine lookup table and the vector selected in the step (7a) into an encoding set;
(8) judging whether all vectors in the array are selected, if so, executing the step (9), otherwise, executing the step (6);
(9) judging whether 16 lookup tables are selected, if so, executing the step (10), otherwise, executing the step (2);
(10) recovering the key:
(10a) calculating 32-bit sub-keys contained in 4 lookup tables corresponding to each branch in the next round of two adjacent rounds by using the following formula, wherein each lookup table contains 8-bit sub-keys:
Figure FDA0002345894630000031
wherein
Figure FDA0002345894630000032
represents the 32-bit sub-key contained in the 4 lookup tables corresponding to the ith branch in the (r-1)th and rth rounds, two consecutive rounds of the white-box block cipher CLEFIA, where r = 1, 2, 3, ..., 18 and i = 1, 3,
Figure FDA0002345894630000033
represents that one 8-bit vector is selected from each coding set corresponding to the ith branch of the rth round of nonlinear transformation and the 4 selected vectors are connected in sequence into a 32-bit vector, theta represents the cumulative exclusive-or operation,
Figure FDA0002345894630000034
represents the affine mapping generated by the jth lookup table of the 4 lookup tables corresponding to the ith branch of the r-1 th round of nonlinear transformation, wherein j is 0,1,2,3,
Figure FDA0002345894630000035
represents the output corresponding to the 8-bit all-0 vector, looked up in the jth of the 4 affine lookup tables corresponding to the ith branch in the (r-1)th round of nonlinear transformation;
(10b) connecting the two 32-bit
Figure FDA0002345894630000036
in sequence to obtain a 64-bit key.
2. The key recovery method based on white-box block cipher CLEFIA analysis as claimed in claim 1, wherein the 18 rounds of nonlinear transformation of CLEFIA in step (1) means that 128-bit output data is obtained by subjecting 128-bit input data to 18 rounds of identical nonlinear transformation with key participation; each round of nonlinear transformation, in which a 64-bit key participates, divides the 128-bit input data equally into input data of 4 branches; the nonlinear transformation performed on the 1st-branch input data and the 3rd-branch input data can be represented by 8 lookup tables containing keys; and the 18 rounds of nonlinear transformation are composed of 144 equivalent lookup tables containing keys, wherein each lookup table contains an 8-bit key.
3. The key recovery method based on the white-box block cipher CLEFIA analysis of claim 1, wherein the vector pair generation method in step (7a) comprises the following steps:
first, selecting from the array any two vectors that have not been selected before to form an input vector pair;
second, looking up, in the affine lookup table of the current iteration, the output corresponding to each vector of the input vector pair, and forming an output vector pair from the two outputs;
third, looking up, in the affine lookup table of the current iteration, the output vector corresponding to the 8-bit all-0 vector in the array, as an intermediate verification vector;
and fourth, XORing the two elements of the input vector pair, looking up the output corresponding to the XOR value in the affine lookup table of the current iteration, and XORing that output with the intermediate verification vector to obtain a 32-bit vector as the verification vector.
4. The key recovery method based on the white-box block cipher CLEFIA analysis of claim 1, wherein the vector generation method in step (7b) comprises the steps of:
first, selecting from the array any two vectors that have not been selected before to form an input vector pair;
and second, looking up, in the affine lookup table of the current iteration, the output corresponding to each vector of the input vector pair, and forming an output vector pair from the two outputs.
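The comparison in steps (7a) to (7c) and claim 3 is an affinity test over GF(2): a table f is affine exactly when f(x) XOR f(y) equals f(x XOR y) XOR f(0) for every input pair. The sketch below is an added example, not code from the patent; the function names, the seed, and the shuffled stand-in S-box (which is not the CLEFIA S-box) are assumptions, and it runs the test exhaustively over one constructed 8-in 32-out table.

```python
import random

def affine_table(rng):
    """Constructed 8-in 32-out table f(x) = M.x XOR b over GF(2)."""
    # Column j of M as a 32-bit word; the low byte is a unit vector, so M is injective.
    cols = [(rng.getrandbits(24) << 8) | (1 << j) for j in range(8)]
    b = rng.getrandbits(32)
    table = []
    for x in range(256):
        y = b
        for j in range(8):
            if (x >> j) & 1:
                y ^= cols[j]
        table.append(y)
    return table

def first_violation(table):
    """Return the first input pair (x, y) that breaks affinity, or None if none does."""
    zero_out = table[0]                        # output for the 8-bit all-0 vector
    for x in range(256):
        for y in range(x + 1, 256):
            check = table[x] ^ table[y]        # check vector: XOR of the output pair
            verify = table[x ^ y] ^ zero_out   # verification vector: f(x XOR y) XOR f(0)
            if check != verify:
                return (x, y)
    return None

def is_affine(table):
    return first_violation(table) is None

def demo(seed=2019):
    """Run the test on a purely affine table and on one hiding a nonlinear layer."""
    rng = random.Random(seed)                  # constructed sample data, fixed seed
    f = affine_table(rng)
    sbox = list(range(256))
    rng.shuffle(sbox)                          # stand-in nonlinear layer, NOT the CLEFIA S-box
    encoded = [f[sbox[x]] for x in range(256)] # affine encoding applied after the S-box
    return is_affine(f), is_affine(encoded)

if __name__ == "__main__":
    print(demo())
```

The exhaustive loop covers all 32,640 unordered input pairs of an 8-bit table, so a table passes only if the relation holds everywhere, which is the condition step (7c) states bit by bit.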
CN201910025008.6A 2019-01-11 2019-01-11 Key recovery method based on white-box block cipher CLEFIA analysis Active CN109450632B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910025008.6A CN109450632B (en) 2019-01-11 2019-01-11 Key recovery method based on white-box block cipher CLEFIA analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910025008.6A CN109450632B (en) 2019-01-11 2019-01-11 Key recovery method based on white-box block cipher CLEFIA analysis

Publications (2)

Publication Number Publication Date
CN109450632A CN109450632A (en) 2019-03-08
CN109450632B true CN109450632B (en) 2020-04-28

Family

ID=65544110

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910025008.6A Active CN109450632B (en) 2019-01-11 2019-01-11 Key recovery method based on white-box block cipher CLEFIA analysis

Country Status (1)

Country Link
CN (1) CN109450632B (en)

Also Published As

Publication number Publication date
CN109450632A (en) 2019-03-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant