CN112398638B - Zero-correlation linear cryptanalysis method, system, medium and electronic device - Google Patents


Publication number: CN112398638B
Authority: CN (China)
Prior art keywords: key, linear, zero correlation, zero, mask
Legal status: Active
Application number: CN202011120542.4A
Other languages: Chinese (zh)
Other versions: CN112398638A (English)
Inventors: 王美琴, 牛超, 李木舟
Current assignee: Shandong University
Original assignee: Shandong University
Events: application CN202011120542.4A filed by Shandong University; published as CN112398638A; application granted and published as CN112398638B.


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06: the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure provides a zero-correlation linear cryptanalysis method, system, medium and electronic device. The method comprises the following steps: acquiring the tweakable block cipher to be analysed; regarding the tweakable block cipher as a vectorial Boolean function, constructing the mapping from plaintext, key and tweak to that function, and setting up a linear approximation of it; searching for linear approximations whose correlation is zero, and converting the resulting zero-correlation distinguisher into an integral distinguisher with which the key guessed in the partial decryption is tested for correctness. The correlation of the linear approximation is obtained by traversing all possible values of the plaintext, the key and the tweak together. Because plaintext, key and tweak are treated equally, the search for linear approximations is fast and accurate, the correctness of a key guess can be decided more quickly, the complexity of the key recovery is reduced, and the success rate of the integral attack is improved.

Description

Zero-correlation linear cryptanalysis method, system, medium and electronic device
Technical Field
The present disclosure relates to the field of cryptanalysis, and in particular to a zero-correlation linear cryptanalysis method, system, medium and electronic device.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
Linear cryptanalysis is one of the most important techniques for analysing block ciphers, and many cryptanalytic techniques derive from it, including the linear hull effect, multiple linear cryptanalysis and multidimensional linear cryptanalysis. Essentially, these techniques rely on linear approximations of the target with high absolute correlation. In 2014, Bogdanov and Rijmen proposed a variant of linear cryptanalysis called zero-correlation linear cryptanalysis, which exploits linear hulls whose correlation is exactly zero. The main drawback of this technique in its early days was that an attack required almost the entire codebook. Work presented at FSE 2012 overcame this data-complexity limitation by using multiple zero-correlation linear approximations of the target, and the link between zero-correlation linear approximations and integral distinguishers was established at ASIACRYPT 2012.
A further line of work on zero-correlation linear cryptanalysis that takes the tweak into account began at FSE 2018, where zero-correlation linear approximations involving the plaintext, the tweak and the ciphertext were found, sometimes giving distinguishers that cover more rounds of the target. Such improvements are only possible for zero-correlation linear cryptanalysis, since Kranz, Leander and Wiemer showed that a tweak processed by a linear tweak schedule does not introduce new effective linear characteristics. However, the work of Ralph et al. applies only to ciphers with a linear tweakey schedule and works at the word level, so some bit-level distinguishers may be missed.
The inventors of the present disclosure observed that the original zero-correlation linear attack on a tweakable block cipher $E_{K,T}$ (a classical block cipher when there is no tweak) considers, for key $K$ and tweak $T$, the linear approximation
$\langle\alpha, x\rangle \oplus \langle\beta, E_{K,T}(x)\rangle$
and requires its correlation to be zero for any given $K$ and $T$, where the correlation is taken over all possible plaintexts $x$ only. The plaintext, the key and the tweak are obviously not treated equally, which makes the zero-correlation linear cryptanalysis process complex and prevents a faster search for zero-correlation linear approximations.
Disclosure of Invention
To overcome these shortcomings of the prior art, the present disclosure provides a zero-correlation linear cryptanalysis method, system, medium and electronic device in which plaintext, key and tweak are treated equally, so that linear approximations can be searched for quickly and accurately, the correctness of a key guess can be decided more quickly, the complexity of the key recovery is reduced, and the success rate of the linear attack is improved.
In order to achieve the purpose, the following technical scheme is adopted in the disclosure:
A first aspect of the present disclosure provides a zero-correlation linear cryptanalysis method.
The zero-correlation linear cryptanalysis method comprises the following steps:
acquiring the tweakable block cipher to be analysed;
regarding the tweakable block cipher as a vectorial Boolean function, constructing the mapping from plaintext, key and tweak to that function, and setting up a linear approximation of it;
determining, through the propagation rules of linear masks in the block cipher structure, a set of linear approximations whose correlation is zero, obtaining a zero-correlation distinguisher and converting it into an integral distinguisher with which the key guessed in the partial decryption is tested for correctness;
wherein the correlation of a linear approximation is verified by traversing all possible values of the plaintext, the key and the tweak.
The zero-correlation distinguisher is converted into an integral distinguisher for the key-recovery attack, and the balance (zero-sum) property of the integral distinguisher is verified by fixing given positions of the plaintext, the key and the tweak and traversing the remaining ones;
by traversing the plaintext, the key and the tweak at the specified positions, the zero-sum and balanced properties of the ciphertext after the $n$ rounds covered by the distinguisher are obtained, from which it is decided whether the key used in the partial decryption is correct.
A second aspect of the present disclosure provides a zero-correlation linear cryptanalysis system, comprising:
a data acquisition module configured to acquire the tweakable block cipher to be analysed;
a linear approximation acquisition module configured to regard the tweakable block cipher as a vectorial Boolean function, construct the mapping from plaintext, key and tweak to that function, and set up a linear approximation of it;
a cryptanalysis module configured to determine, through the propagation rules of linear masks in the block cipher structure, a set of linear approximations whose correlation is zero, obtain a zero-correlation distinguisher and convert it into an integral distinguisher with which the key guessed in the partial decryption is tested for correctness;
wherein the correlation of the zero-correlation linear approximation is obtained by traversing all possible values of the plaintext, the key and the tweak.
A third aspect of the present disclosure provides a computer-readable storage medium storing a program which, when executed by a processor, implements the steps of the zero-correlation linear cryptanalysis method of the first aspect.
A fourth aspect of the present disclosure provides an electronic device comprising a memory, a processor, and a program stored in the memory and executable on the processor, the processor implementing the steps of the zero-correlation linear cryptanalysis method of the first aspect when executing the program.
Compared with the prior art, the beneficial effects of the present disclosure are:
1. In the method, system, medium and electronic device, plaintext, key and tweak are treated equally, so linear approximations are searched for quickly and accurately; with the resulting distinguisher the correctness of a key guess can be decided more quickly, the complexity of the key recovery is reduced, and the success rate of the linear attack is improved.
2. By treating plaintext, key and tweak equally in zero-correlation linear cryptanalysis, the method, system, medium and electronic device show that such zero-correlation linear approximations can be found with SAT- and SMT-based automated tools, which is much simpler than the method of Ralph et al. and applies to both linear and non-linear tweakey schedules.
3. The new zero-correlation linear approximations can be converted into related-tweakey integral distinguishers; applied to TWINE, LBlock and SKINNY, longer distinguishers are obtained, and the correctness of the method is confirmed by automatically recovering the results of Ralph et al. and by a toy cipher.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and are not to limit the disclosure.
Fig. 1 is a schematic flow chart of the zero-correlation linear cryptanalysis method provided in embodiment 1 of the present disclosure.
Fig. 2 is a 10-round zero-correlation distinguisher of the toy cipher provided in embodiment 1 of the present disclosure.
Fig. 3 is the round function of TWINE provided in embodiment 1 of the present disclosure.
Fig. 4 is the key schedule of TWINE-128 provided in embodiment 1 of the present disclosure.
Fig. 5 is the mask propagation of 17-round TWINE-80 along the encryption data path provided in embodiment 1 of the present disclosure.
Fig. 6 is the mask propagation along the key schedule of TWINE-80 provided in embodiment 1 of the present disclosure.
Fig. 7 is the round function of LBlock provided in embodiment 1 of the present disclosure.
Fig. 8 is the key schedule of LBlock provided in embodiment 1 of the present disclosure.
Fig. 9 is a 14-round zero-correlation linear hull of SKINNY-64/128 provided in embodiment 1 of the present disclosure.
Detailed Description
The present disclosure is further described with reference to the following drawings and examples.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
Example 1:
As shown in Fig. 1, embodiment 1 of the present disclosure provides a zero-correlation linear cryptanalysis method comprising the following steps:
acquiring the tweakable block cipher to be analysed;
regarding the tweakable block cipher as a vectorial Boolean function, constructing the mapping from plaintext, key and tweak to that function, and setting up a linear approximation of it;
determining, through the propagation rules of linear masks in the block cipher structure, a set of linear approximations whose correlation is zero, obtaining a zero-correlation distinguisher and converting it into an integral distinguisher with which the key guessed in the partial decryption is tested for correctness;
wherein the correlation of a linear approximation is verified by traversing all possible values of the plaintext, the key and the tweak.
In detail, the following contents are included:
First, this embodiment briefly reviews zero-correlation linear cryptanalysis. Let $E_{K,T}$ be an $n$-bit tweakable block cipher with key $K\in\mathbb{F}_2^m$ and tweak $T\in\mathbb{F}_2^l$; when $l=0$ it is an ordinary block cipher without tweak.
Equivalently, the block cipher can be regarded as the vectorial Boolean function
$F:\mathbb{F}_2^m\times\mathbb{F}_2^l\times\mathbb{F}_2^n\to\mathbb{F}_2^n$,
mapping $(K,T,x)$ to $E_{K,T}(x)$, i.e. $F(K,T,x)=E_{K,T}(x)$.
Let $\alpha$ and $\beta$ be $n$-bit vectors in $\mathbb{F}_2^n$. For a given $(K,T)$, the correlation of the linear approximation $(\alpha,\beta)$ of $F(K,T,\cdot)=E_{K,T}(\cdot)$ is defined as
$\mathrm{cor}_{F(K,T,\cdot)}(\alpha,\beta)=2^{-n}\sum_{x\in\mathbb{F}_2^n}(-1)^{\langle\alpha,x\rangle\oplus\langle\beta,F(K,T,x)\rangle}$,
where $\langle u,v\rangle$ denotes the inner product of two bit vectors of the same length. The original zero-correlation linear cryptanalysis uses a linear approximation with input mask $\alpha$ and output mask $\beta$ such that, for any $K$ and $T$,
$\mathrm{cor}_{F(K,T,\cdot)}(\alpha,\beta)=0$.
Such an $(\alpha,\beta)$ is called a zero-correlation linear approximation of $E_{K,T}$. Given a single zero-correlation linear approximation, almost the whole codebook is needed to distinguish $E_{K,T}$; Andrey et al. showed that $E_{K,T}$ can nevertheless be distinguished with a data complexity below the full codebook.
At FSE 2018, Ralph et al. proposed a new form of zero-correlation linear cryptanalysis in which the linear mask on the tweak may be non-zero.
Their idea is formalised as follows. Let $\alpha,\beta\in\mathbb{F}_2^n$ and $\lambda\in\mathbb{F}_2^l$. For any fixed key $K$, the correlation
$\mathrm{cor}_{F(K,\cdot,\cdot)}((\alpha,\beta),\lambda)$
of $F(K,\cdot,\cdot)$ is defined as
$\mathrm{cor}_{F(K,\cdot,\cdot)}((\alpha,\beta),\lambda)=2^{-(n+l)}\sum_{T\in\mathbb{F}_2^l}\sum_{x\in\mathbb{F}_2^n}(-1)^{\langle\alpha,x\rangle\oplus\langle\lambda,T\rangle\oplus\langle\beta,F(K,T,x)\rangle}$,
i.e. the correlation is computed over all possible plaintexts and tweaks. To find such zero-correlation linear approximations, which also involve tweak bits, Ralph et al. adopt the following strategy, applicable to ciphers with a linear tweakey schedule:
first, fix the linear masks of the plaintext and the ciphertext to $\alpha$ and $\beta$; then derive all linear characteristics with non-zero correlation whose plaintext and ciphertext masks are $\alpha$ and $\beta$, and collect all tweak masks $\lambda$ with $\mathrm{cor}_{F(K,\cdot,\cdot)}((\alpha,\beta),\lambda)\neq 0$ into a set; finally, select a $\lambda'$ outside this set, which then satisfies $\mathrm{cor}_{F(K,\cdot,\cdot)}((\alpha,\beta),\lambda')=0$.
Note that deriving this set depends largely on the linearity and simplicity of the tweakey schedule; moreover, since the method of Ralph et al. is carried out by hand and works at the word level, it is only applicable to ciphers with a linear tweakey schedule, and some zero-correlation linear approximations may be missed.
This embodiment goes beyond Ralph et al. by treating all public and secret inputs of the block cipher $E$ equally and considering linear approximations that involve the plaintext, the key, the tweak and the ciphertext.
After $r$ rounds of encryption, the mask on the block cipher consists of five parts: the mask $\alpha$ on the plaintext, the mask $\gamma$ on the key, the mask $\lambda$ on the tweak, the mask $\kappa$ on the tweakey after the $r$-round tweakey schedule, and the mask $\beta$ on the ciphertext.
Because the intermediate states of the tweakey schedule are unknown, the output mask $\kappa$ of the tweakey schedule is set to zero. Let $E(K,T)$ denote the output state of the tweakey schedule. The linear approximation $((\alpha,\beta),\gamma,\lambda)$ of $F$ is then the Boolean function
$\langle\alpha,x\rangle\oplus\langle\gamma,K\rangle\oplus\langle\lambda,T\rangle\oplus\langle\beta,F(K,T,x)\rangle$,
and its correlation $\mathrm{cor}_F((\alpha,\beta),\gamma,\lambda)$ is defined as
$\mathrm{cor}_F((\alpha,\beta),\gamma,\lambda)=2^{-(m+l+n)}\sum_{K\in\mathbb{F}_2^m}\sum_{T\in\mathbb{F}_2^l}\sum_{x\in\mathbb{F}_2^n}(-1)^{\langle\alpha,x\rangle\oplus\langle\gamma,K\rangle\oplus\langle\lambda,T\rangle\oplus\langle\beta,F(K,T,x)\rangle}$.
From these definitions, the correlation is computed over all possible plaintexts, keys and tweaks. Because the key is involved, it is not obvious how to mount a key-recovery attack directly from such a zero-correlation linear approximation. To exploit it, this embodiment shows below how to convert such approximations into related-tweakey integral distinguishers.
The conversion between the original zero-correlation linear approximations and integral distinguishers can be found in the 2015 work of Sun et al.; the theorem most relevant to this embodiment is restated as follows.
Theorem 1: Let $F:\mathbb{F}_2^n\to\mathbb{F}_2^n$ be a vectorial Boolean function, $A$ a subspace of $\mathbb{F}_2^n$, and $\beta\in\mathbb{F}_2^n\setminus\{0\}$. Assume that for any $\alpha\in A$, $(\alpha,\beta)$ is a zero-correlation linear approximation. Then for any $c\in\mathbb{F}_2^n$, $\langle\beta,F(x)\rangle$ is balanced on the coset $c\oplus A^{\perp}$, where $A^{\perp}=\{x\in\mathbb{F}_2^n:\langle\alpha,x\rangle=0\ \text{for all}\ \alpha\in A\}$.
Theorem 1 can be modified into the following form to achieve the object of this embodiment; the proof strategy of Theorem 1 applies unchanged to the new form.
Theorem 2: Let $F:\mathbb{F}_2^m\times\mathbb{F}_2^l\times\mathbb{F}_2^n\to\mathbb{F}_2^n$ be a vectorial Boolean function, $A$ a subspace of the space $\mathbb{F}_2^n\times\mathbb{F}_2^m\times\mathbb{F}_2^l$ of mask triples $(\alpha,\gamma,\lambda)$, and $\beta\in\mathbb{F}_2^n\setminus\{0\}$. Assume that for any $(\alpha,\gamma,\lambda)\in A$, $((\alpha,\beta),\gamma,\lambda)$ is a zero-correlation linear approximation. Then for any $c\in\mathbb{F}_2^n\times\mathbb{F}_2^m\times\mathbb{F}_2^l$, $\langle\beta,F(K,T,x)\rangle$ is balanced when $(x,K,T)$ ranges over the coset $c\oplus A^{\perp}$, where $A^{\perp}=\{(x,K,T):\langle\alpha,x\rangle\oplus\langle\gamma,K\rangle\oplus\langle\lambda,T\rangle=0\ \text{for all}\ (\alpha,\gamma,\lambda)\in A\}$.
From Theorem 2 it follows that if the linear approximation $((\alpha,\beta),\gamma,\lambda)$ is zero-correlation for every $(\alpha,\gamma,\lambda)$ in a $d$-dimensional linear subspace $A$, then an integral distinguisher with data complexity $2^{n+m+l-d}$ can be constructed, the chosen inputs of $F$ being the coset
$c\oplus A^{\perp}$
for an arbitrary fixed $c\in\mathbb{F}_2^n\times\mathbb{F}_2^m\times\mathbb{F}_2^l$.
To search for linear approximations with zero correlation in the form given above, this embodiment adopts the constraint-based method described in previous work. Note that in the original model the key, the subkeys and the tweak are regarded as constants; the original model therefore only characterises the propagation of linear masks along the encryption data path, without considering the tweakey schedule.
In the model of this embodiment, since the encryption $E_{K,T}(x)$ is regarded as the Boolean function $F(K,T,x)$ from
$\mathbb{F}_2^m\times\mathbb{F}_2^l\times\mathbb{F}_2^n$
to
$\mathbb{F}_2^n$,
the propagation of the input linear masks must be modelled both along the data path of the state update inside the encryption and along the tweakey-schedule path of the key and the tweak.
The framework of the general search algorithm is described in Algorithm 1.
Algorithm 1:
Input: a cipher $E_{K,T}(\cdot)$, regarded as $F(K,T,x)=E_{K,T}(x)$.
Output: a zero-correlation linear approximation of $F$.
In Algorithm 1 the set of candidate mask patterns is defined heuristically by the cryptanalyst, because enumerating all patterns is not possible. In general, patterns of low Hamming weight are selected. The sub-procedure GenerateLinearModel() generates a mathematical model containing variables that represent linear characteristics of $F$, the relations between these variables being determined by the propagation rules for linear characteristics.
Thus, after GenerateLinearModel() has been executed, the solution set of the mathematical model is the set of all linear characteristics of $F$ with non-zero correlation. After additionally fixing the linear masks of $(K,T,x)$ and of the ciphertext, the solution set is the set of all non-zero-correlation linear characteristics of $F$ with input mask $(\alpha,\gamma,\lambda)$ and output mask $\beta$.
Therefore, if this solution space is empty, the linear approximation $((\alpha,\beta),\gamma,\lambda)$ is known to be zero-correlation. Since all targets consist only of four basic operation types, namely XOR, branching, linear transformation and S-box, this embodiment specifies the mathematical constraints for these basic operations only; the complete model is assembled by combining the constraints of the basic operations.
I. XOR: the XOR operation maps a pair of equal-length vectors to their sum, $(x,y)\mapsto x\oplus y$. Let $a$ and $b$ denote the two input linear masks and $c$ the output mask. The linear approximation $(a,b,c)$ of XOR has non-zero correlation if and only if $a=b=c$.
II. Branching: the branch operation maps $x$ to $(y,z)$ with $x=y=z$. Let $(a,b,c)$ be the linear masks of $(x,y,z)$; then $(a,b,c)$ is a linear approximation of the branch operation with non-zero correlation if and only if $a=b\oplus c$.
III. Linear transformation: a linear transformation represented by the matrix $M$ maps the column vector $x$ to $y=Mx$. Let $\theta_{in}$ and $\theta_{out}$ be the linear masks of $x$ and $y$. The linear approximation $(\theta_{in},\theta_{out})$ of $M$ has non-zero correlation if and only if $\theta_{in}=M^{\mathrm{T}}\theta_{out}$.
IV. S-box: let $S$ be an S-box with linear approximation table LAT, and let $\theta_{in}$ and $\theta_{out}$ be its input and output linear masks. Then the correlation of the linear approximation $(\theta_{in},\theta_{out})$ of $S$ is non-zero if and only if $\mathrm{LAT}(\theta_{in},\theta_{out})\neq 0$.
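The following added example (the editor's code, not the patent's) carries the definitions above through on a 4-bit toy tweakable block cipher. It computes the correlation of $((\alpha,\beta),\gamma,\lambda)$ jointly over all $(K,T,x)$ with a Walsh-Hadamard transform, enumerates the masks that the four propagation rules (S-box LAT, XOR, branch, linear map) allow to have a trail, checks that the two agree, and then applies Theorem 2 to a subspace $A$ of zero-correlation masks, verifying the related-tweakey integral property on the cosets of $A^{\perp}$. The toy cipher, its one-bit-rotation key schedule and the choice of subspace are assumptions made for the example; the S-box table is the TWINE S-box as the editor recalls it, and nothing below depends on that transcription being exact.

```python
"""Joint (plaintext, key, tweak) linear correlations of a 4-bit toy tweakable
block cipher, the mask-propagation rules that predict them, and the Theorem-2
conversion of a zero-correlation subspace into a related-tweakey integral
distinguisher.  Editor's example; the toy cipher is not from the patent."""
from itertools import product

# TWINE S-box as recalled by the editor (assumption).  Only its own LAT is
# used below, so a transcription slip would not invalidate the checks.
SBOX = [0xC, 0x0, 0xF, 0xA, 0x2, 0xB, 0x9, 0x5, 0x8, 0x3, 0xD, 0x7, 0x1, 0xE, 0x6, 0x4]


def parity(v):
    return bin(v).count("1") & 1


def rotl4(v):  # toy "key schedule": second-round key is K rotated left by 1
    return ((v << 1) | (v >> 3)) & 0xF


def rotr4(v):  # transpose of rotl4: <m, rotl4(v)> == <rotr4(m), v>
    return ((v >> 1) | (v << 3)) & 0xF


def toy_tbc(K, T, x):
    """F(K, T, x) = S( S(x ^ K) ^ T ^ rotl4(K) ); all inputs are 4-bit, so
    F maps F_2^12 -> F_2^4.  K is used twice (a branch)."""
    return SBOX[SBOX[x ^ K] ^ T ^ rotl4(K)]


def lat(sbox):
    """Linear approximation table: lat[a][b] = #{u : <a,u> = <b,S(u)>} - 8."""
    return [[sum(parity(a & u) == parity(b & sbox[u]) for u in range(16)) - 8
             for b in range(16)] for a in range(16)]


LAT = lat(SBOX)


def fwht(vec):
    """In-place Walsh-Hadamard transform: vec[m] <- sum_v vec[v] * (-1)^<m,v>."""
    h = 1
    while h < len(vec):
        for i in range(0, len(vec), 2 * h):
            for j in range(i, i + h):
                a, b = vec[j], vec[j + h]
                vec[j], vec[j + h] = a + b, a - b
        h *= 2
    return vec


def joint_correlation_sums(beta):
    """2^12 * cor_F((alpha,beta),gamma,lambda) for every (alpha,gamma,lambda):
    the sum over ALL (K,T,x) of (-1)^(<alpha,x>+<gamma,K>+<lambda,T>+<beta,F>).
    Plaintext, key and tweak are treated equally, as in the patent."""
    vec = [0] * (1 << 12)
    for x, K, T in product(range(16), repeat=3):
        vec[(x << 8) | (K << 4) | T] = (-1) ** parity(beta & toy_tbc(K, T, x))
    fwht(vec)
    return {(m >> 8, (m >> 4) & 0xF, m & 0xF): vec[m] for m in range(1 << 12)}


def trail_masks(beta):
    """Masks (alpha,gamma,lambda) that have a trail under the four rules.
    Round-2 S-box: LAT[mu][beta] != 0.  XOR rule: S(x^K), T and rotl4(K) all
    carry mu, so lambda = mu and the rotation (linear map) puts rotr4(mu) on K.
    Round-1 S-box: LAT[nu][mu] != 0; XOR rule puts nu on x and on K.
    Branch rule on K: gamma = nu ^ rotr4(mu)."""
    found = set()
    for mu in range(16):
        if LAT[mu][beta] == 0:
            continue
        for nu in range(16):
            if LAT[nu][mu]:
                found.add((nu, nu ^ rotr4(mu), mu))
    return found


def span(basis):
    vecs = {(0, 0, 0)}
    for b in basis:
        vecs |= {(v[0] ^ b[0], v[1] ^ b[1], v[2] ^ b[2]) for v in vecs}
    return vecs


def integral_from_zero_correlation(beta, basis):
    """Theorem 2 on the toy with A = span(basis) (basis assumed independent).
    Returns (every mask in A is zero-correlation,
             <beta,F> is balanced on every coset of A^perp, coset size).
    A coset of A^perp is the set of (x,K,T) sharing the syndrome
    (<a,x>+<g,K>+<l,T>) over the basis, so the chosen inputs are 2^(12-d)
    points that vary key and tweak bits together with the plaintext."""
    sums = joint_correlation_sums(beta)
    all_zero = all(sums[a] == 0 for a in span(basis))
    cosets = {}
    for x, K, T in product(range(16), repeat=3):
        syn = tuple(parity(a & x) ^ parity(g & K) ^ parity(l & T) for a, g, l in basis)
        cosets.setdefault(syn, []).append(parity(beta & toy_tbc(K, T, x)))
    balanced = all(2 * sum(bits) == len(bits) for bits in cosets.values())
    return all_zero, balanced, len(next(iter(cosets.values())))


if __name__ == "__main__":
    beta = 0x1
    nonzero = {m for m, s in joint_correlation_sums(beta).items() if s != 0}
    print("rule-predicted trails == true non-zero set:", nonzero == trail_masks(beta))
    # Key-mask contradiction: K would have to carry alpha ^ rotr4(lambda), but gamma = 0.
    print("related-tweakey integral:", integral_from_zero_correlation(beta, [(1, 0, 0), (0, 0, 1)]))
```

In this toy each $(\alpha,\gamma,\lambda)$ admits at most one trail, so the rule model is exact: the non-zero set equals the trail set and the correlation sum is $64\cdot\mathrm{LAT}[\alpha][\lambda]\cdot\mathrm{LAT}[\lambda][\beta]$. The subspace spanned by $(1,0,0)$ and $(0,0,1)$ is zero-correlation because of a key-schedule contradiction (the key mask forced by the data path and the schedule is non-zero while $\gamma=0$), and the resulting integral runs over $2^{12-2}=2^{10}$ points spread across all 16 keys, i.e. a related-key integral; a subspace containing a non-zero-correlation mask fails the balance check.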
In practice, the mathematical model may be written in the language of a CP, SAT/SMT or MILP solver. In this work the SAT/SMT-based approach was chosen and the well-known STP solver was used.
To confirm the correctness of the proposed model, this embodiment automatically recovers the results of Ralph et al. and of Hosein et al.
Taking the result of Ralph et al. on SKINNY as an example: first, a model describing the linear approximation of the encryption and tweakey-schedule data paths of SKINNY is built; then constraints are added that fix the linear mask of the specified positions of the master tweakey to zero and the masks of the plaintext, the tweak and the ciphertext to the values determined by the zero-correlation linear approximation found at FSE 2018; finally, the model has no solution with non-zero correlation, meaning that the predefined linear approximation also has zero correlation in the model of this embodiment.
In addition, the model of this embodiment was tested on a toy cipher based on a Type-II generalised Feistel structure (GFS), with a 16-bit block and a 16-bit key and with the TWINE S-box. With the method of this embodiment a ten-round zero-correlation linear approximation of the toy cipher was obtained, shown in Fig. 2.
(1) Application to TWINE
TWINE is a family of 64-bit lightweight block ciphers with a generalised Feistel structure, designed by Suzaki et al. Its two members, TWINE-80 and TWINE-128, support 80-bit and 128-bit keys respectively. The round function of TWINE and the key schedules of the two versions are shown in Figs. 3 and 4.
Results for TWINE-80: this embodiment finds the set of linear approximations listed in Table 1. To show the contradiction in mask propagation that leads to zero correlation, the propagation of the masks along the data path and along the key schedule is shown as patterns in Figs. 5 and 6 respectively. Given a set of masks $(\alpha,\gamma,\beta)$ found by this embodiment, the contradiction can be derived manually in the key schedule. The propagation of a mask is characterised by three patterns: white, grey and black cells represent an inactive mask, an active mask and an arbitrary mask respectively.
Table 1: 17-round zero-correlation linear approximations of TWINE-80, where $x$ may be any 4-bit value and $c$ is any non-zero 4-bit value.
Table 2: 17-round integral distinguisher of TWINE-80, where $c$ is a 4-bit constant, $a$ a 4-bit active value, $b$ a 4-bit balanced value and ? a 4-bit unknown value.
This family of zero-correlation linear approximations is then converted, according to Theorem 2, into the integral distinguisher shown in Table 2. The distinguisher requires encryption under $2^4$ different master keys, with 15 plaintext nibbles of 4 bits taking all $2^{60}$ values, after which the sum of the ciphertext bits at the corresponding positions is balanced. Since the attack requires $2^4$ different keys, it is a related-key integral attack.
Results for TWINE-128: this embodiment determines the two 18-round zero-correlation linear hulls of Table 3 and their corresponding related-key integral distinguishers of Table 4. Each integral distinguisher requires $2^{15\times4}=2^{60}$ chosen plaintexts under each of $2^4$ master keys, for a total data complexity of $2^{60+4}=2^{64}$.
Table 3: two 18-round zero-correlation linear approximations of TWINE-128.
Table 4: two 18-round integral distinguishers of TWINE-128.
(2) Application to LBlock
LBlock is a lightweight 64-bit block cipher with an 80-bit key, designed by Wu et al. in 2011. It follows a variant of the Feistel structure and has 32 rounds. Its round function and key schedule are shown in Figs. 7 and 8.
This embodiment determines a 15-round zero-correlation linear approximation of LBlock; the corresponding integral distinguisher requires $2^{15\times4}=2^{60}$ chosen plaintexts under each of $2^4$ master keys, for a total data complexity of $2^{60+4}=2^{64}$.
(3) Application in SKINNY
SKINNY is a set of block ciphers designed based on the TWEAKEY structure. In this embodiment, the present embodiment focuses on SKINNY-64/t, where t ∈ {64, 128, 192} represents the size of key adjustment.
The zero correlation linear shell of the STK structure of TK-p. By using the method of the embodiment, the attack result of Ralph and the like can be recovered for SKINNY. In addition, this embodiment also searches for longer discriminators for SKINNY-64/128 and SKINNY-64/192. To confirm the correctness of the results of this embodiment, Ralph et al manually derived zero correlation method can also be used. In the key adjustment extension algorithm of SKINNY, the c-bit nibbles are independent of each other. One nibble can be updated in the key adjustment extension algorithm with a focus on finding the contradiction. For this reason, Ralph et al propose the definition of the Γ sequence.
Definition 1(Γ sequence) from a given input linear mask Γ respectively0And outputs a linear mask ΓrForward and backward propagation with probability 1 are evaluated. Then, for any i, the Γ sequence is defined by the sequence of the (R +1) round, where Γ isr[h′r(i)]Active, inactive and arbitrary values that can be taken are stored in the r-th element.
A contradiction arises when the Γ sequence is inactive for any i, i.e. when the ith block of the main adjustment Λ i is in the active mask, because the main adjustment can be obtained by xoring all the values in the Γ sequence. Furthermore, when there is only one valid value in the Γ sequence, a contradiction is also caused when Λ [ i ] is a zero mask.
An adjustable block cipher based on the STK structure and TK-p has a zero correlation linear shell, as shown below.
Proposition 1: if there is a pair of linear masks (Γ)0,Γr) And nibble position i such that the Γ sequence has at most p active mask blocks, the adjustable block cipher has a nontrivial zero-correlation linear shell.
Proposition 1 shows that applying an inactive mask to the master adjustment nibble causes a contradiction if the number of active nibbles in the Γ sequence does not exceed the number of parallel key adjustment extensions in the STK structure.
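Definition 1 and Proposition 1 rest on the fact that, for a linear key adjustment expansion, the mask on a master adjustment nibble is a linear function of the Γ sequence entries at that nibble position. The following added example (not code from the patent, nor from Ralph et al.) makes that argument concrete for a p-component STK-style expansion: it derives the master-adjustment masks Λ_j[i] for each parallel component from concrete round masks, exhaustively checks whether any concrete assignment consistent with an active/inactive/arbitrary Γ sequence can make all p master masks zero (no such assignment is the zero-correlation contradiction), and compares the result with the counting criterion of Proposition 1. The two 4-bit component update maps used here (identity, and multiplication by x in GF(2^4) modulo x^4+x+1) are constructed for the illustration and are not SKINNY's LFSRs; the function and variable names are likewise this example's own.

```python
from itertools import product

# Status labels for the entries of a Γ sequence (Definition 1).
ACTIVE, INACTIVE, ANY = "active", "inactive", "any"


def dot(a, b):
    """GF(2) inner product of two 4-bit masks (parity of a AND b)."""
    return bin(a & b).count("1") & 1


def update_identity(x):
    """Component update with no LFSR (TK-1 style): the nibble passes through unchanged."""
    return x & 0xF


def update_mul_x(x):
    """Constructed component update: multiplication by x in GF(2^4) modulo x^4 + x + 1.
    Chosen because it has order 15 on non-zero nibbles; it is NOT SKINNY's TK2/TK3 LFSR."""
    x <<= 1
    if x & 0x10:
        x ^= 0x13  # reduce modulo x^4 + x + 1
    return x & 0xF


def iterate(update, rounds, x):
    """Apply a component update map `rounds` times (state entering round `rounds`)."""
    for _ in range(rounds):
        x = update(x)
    return x


def master_masks(gamma_values, updates):
    """Master-adjustment nibble masks Λ_j[i], one per parallel component j.

    gamma_values[r] is the concrete mask Γ_r[h'_r(i)] on the round-r key adjustment nibble.
    Round r XORs update_j^r(TK_j[i]) over the components, so Λ_j[i] is the unique nibble
    with Λ_j·t = Σ_r Γ_r · update_j^r(t) for all t; it is recovered bit by bit on unit vectors.
    With a single identity component this is simply the XOR of all Γ sequence values.
    """
    result = []
    for update in updates:
        lam = 0
        for b in range(4):
            unit = 1 << b
            bit = 0
            for r, g in enumerate(gamma_values):
                bit ^= dot(g, iterate(update, r, unit))
            lam |= bit << b
        result.append(lam)
    return result


def zero_master_mask_is_consistent(gamma_sequence, updates):
    """Exhaustive check: can concrete nibble values matching the Γ sequence statuses make
    every Λ_j[i] zero?  If not, fixing the master adjustment mask to zero contradicts the
    sequence, which is the zero-correlation contradiction behind Proposition 1."""
    choices = []
    for status in gamma_sequence:
        if status == ACTIVE:
            choices.append(range(1, 16))   # active: any non-zero nibble mask
        elif status == INACTIVE:
            choices.append([0])            # inactive: the zero mask
        else:
            choices.append(range(16))      # arbitrary: unconstrained
    return any(all(m == 0 for m in master_masks(vals, updates))
               for vals in product(*choices))


def contradiction_found(gamma_sequence, updates):
    """True when the Γ sequence is incompatible with a zero master adjustment mask."""
    return not zero_master_mask_is_consistent(gamma_sequence, updates)


def proposition_1_applies(gamma_sequence, p):
    """Counting shortcut quoted on the page: at most p active entries.  At least one active
    entry is needed (an all-inactive sequence is trivially consistent with a zero mask), and
    an arbitrary entry could absorb the sum, so the shortcut is not applied in that case."""
    if ANY in gamma_sequence:
        return False
    n_active = sum(1 for s in gamma_sequence if s == ACTIVE)
    return 1 <= n_active <= p


if __name__ == "__main__":
    tk1 = [update_identity]
    tk2 = [update_identity, update_mul_x]
    print(contradiction_found([INACTIVE, ACTIVE, INACTIVE], tk1))  # True: one active, TK-1
    print(contradiction_found([ACTIVE, ACTIVE], tk1))              # False: a XOR a = 0
    print(contradiction_found([ACTIVE, INACTIVE, ACTIVE], tk2))    # True: two active, p = 2
    print(contradiction_found([ACTIVE, ACTIVE, ACTIVE], tk2))      # False: three active > p
```

The last call shows that Proposition 1 is a sufficient condition only: with three active entries and p = 2 the counting rule does not fire, and the exhaustive check confirms that a consistent non-zero assignment exists. For the real SKINNY schedule the constructed update maps would be replaced by the cipher's own TK2/TK3 LFSRs and the position sequence h'_r(i).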
Results of SKINNY-64/128
As shown in Table 5, this embodiment obtains a 14-round zero correlation linear approximation of SKINNY-64/128. To illustrate the contradiction that leads to zero correlation, the propagation of the linear mask through the encryption data path and the key expansion data path is depicted in Fig. 9. The contradiction in the key adjustment generation algorithm can then be derived manually using Proposition 1.
This embodiment focuses on the adjustment nibble labeled 1, where the Γ sequence of Definition 1 is marked with a red box. Since the Γ sequence has only two active nibbles and SKINNY-64/128 is based on TK-2, applying an inactive mask to this adjustment nibble yields a zero correlation contradiction by Proposition 1.
The zero correlation linear shell can then be converted into an integral discriminator. The corresponding related-adjustment integral discriminator is given in Table 6. The integral discriminator requires 2^8 main adjustments, with 2^(14×4) = 2^56 chosen plaintexts under each, so the total data complexity is 2^(56+8) = 2^64.
Table 5: two zero correlation linear approximations of 14 rounds of SKINNY-64/128
Figure GDA0003548849840000161
Table 6: two integral discriminators of 14 rounds of SKINNY-64/128
Figure GDA0003548849840000162
Figure GDA0003548849840000171
Example 2:
Embodiment 2 of the present disclosure provides a zero correlation linear cryptanalysis system, including:
a data acquisition module configured to: acquiring an adjustable block cipher to be analyzed;
a linear approximation expression acquisition module configured to: taking the obtained adjustable block cipher as a vector Boolean function, constructing a plaintext, a secret key and a mapping relation between adjustment and the vector Boolean function, and setting a linear approximate approximation expression of the vector Boolean function;
a cryptanalysis module configured to: determining the correlation of a group of linear approximation expressions to be zero through a propagation rule of linear masks in the set linear approximation expressions in a block cipher structure, obtaining a zero correlation discriminator and converting the zero correlation discriminator into an integral discriminator to judge whether a secret key for reverse decoding is correct or not;
wherein, the correlation of the zero correlation linear approximation expression is obtained by traversing all possible values of the plaintext, the secret key and the adjustment;
converting the obtained zero correlation distinguisher into an integral distinguisher to carry out a key recovery attack, and verifying the addition balance of the integral distinguisher by giving a plaintext, a key and a special position of the adjustment in a history table.
The working method of the system is the same as the zero correlation linear cryptanalysis method provided in embodiment 1, and is not described herein again.
Example 3:
Embodiment 3 of the present disclosure provides a computer-readable storage medium on which a program is stored; when the program is executed by a processor, it implements the steps of the zero correlation linear cryptanalysis method according to Embodiment 1 of the present disclosure, where the steps are:
acquiring an adjustable block cipher to be analyzed;
taking the obtained adjustable block cipher as a vector Boolean function, constructing a plaintext, a secret key and a mapping relation between adjustment and the vector Boolean function, and setting a linear approximate approximation expression of the vector Boolean function;
determining the correlation of a group of linear approximation expressions to be zero through a propagation rule of linear masks in the set linear approximation expressions in a block cipher structure, obtaining a zero correlation discriminator and converting the zero correlation discriminator into an integral discriminator to judge whether a secret key for reverse decoding is correct or not;
wherein the correlation of the linear approximation expression is verified by traversing the plaintext, the secret key and all possible values of the adjustment.
Converting the obtained zero correlation discriminator into an integral discriminator to carry out key recovery attack, and verifying the addition balance of the integral discriminator by giving a plaintext, a key and an adjusted special position in a history table;
through traversing the plaintext, the key and the adjustment at a specific position, the zero and balance characteristics of the ciphertext encrypted by the n rounds of discriminators can be obtained, so that whether the key used for reverse decryption is correct or not is judged.
The detailed steps are the same as those of the zero correlation linear cryptanalysis method provided in embodiment 1, and are not described herein again.
Example 4:
A fourth aspect of the present disclosure provides an electronic device including a memory, a processor, and a program stored in the memory and executable on the processor, where the processor executes the program to implement the steps of the zero correlation linear cryptanalysis method according to the first aspect of the present disclosure, where the steps are:
acquiring an adjustable block cipher to be analyzed;
taking the obtained adjustable block cipher as a vector Boolean function, constructing a plaintext, a secret key and a mapping relation between adjustment and the vector Boolean function, and setting a linear approximate approximation expression of the vector Boolean function;
determining the correlation of a group of linear approximation expressions to be zero through a propagation rule of linear masks in the set linear approximation expressions in a block cipher structure, obtaining a zero correlation discriminator and converting the zero correlation discriminator into an integral discriminator to judge whether a secret key for reverse decoding is correct or not;
wherein the correlation of the linear approximation expression is verified by traversing the plaintext, the secret key and all possible values of the adjustment.
Converting the obtained zero correlation discriminator into an integral discriminator to carry out key recovery attack, and verifying the addition balance of the integral discriminator by giving a plaintext, a key and an adjusted special position in a history table;
through traversing the plaintext, the key and the adjustment at a specific position, the zero and balance characteristics of the ciphertext encrypted by the n rounds of discriminators can be obtained, so that whether the key used for reverse decryption is correct or not is judged.
The detailed steps are the same as those of the zero correlation linear cryptanalysis method provided in embodiment 1, and are not described herein again.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (6)

1. A zero correlation linear cryptanalysis method, comprising the steps of:
acquiring an adjustable block cipher to be analyzed;
taking the obtained adjustable block cipher as a vector Boolean function, constructing a plaintext, a secret key and a mapping relation between adjustment and the vector Boolean function, and setting a zero correlation linear approximation expression of the vector Boolean function;
the plain text, the secret key and the mapping relation between the adjustment and the vector Boolean function are as follows:
Figure FDA0003548849830000011
after r rounds of encryption, the mask on the block cipher should contain 5 parts: alpha is a mask on the plaintext, gamma is a mask on the key, lambda is a mask on the adjustment, kappa is a mask on the key adjustment after the r-round key adjustment scheduling algorithm, and beta is a mask on the ciphertext; Λ represents the set of masks on plaintext, key, adjustment and ciphertext; n represents the plaintext and ciphertext length; m represents the key length; l represents the adjustment length;
Figure FDA0003548849830000012
representing a vector Boolean function formed by a cryptographic algorithm;
the zero correlation linear approximation
Figure FDA0003548849830000013
The expression is as follows:
Figure FDA0003548849830000014
wherein, alpha is a mask on a plaintext, beta is a mask on the ciphertext, gamma is a mask on a secret key, and lambda is a mask on adjustment;
Figure FDA0003548849830000015
is an exclusive or operation sign;
Figure FDA0003548849830000016
is a vector boolean function;
Figure FDA0003548849830000017
is the key,
Figure FDA0003548849830000018
is the adjustment, and x is the plaintext;
determining the correlation of a group of zero correlation linear approximation expressions to be zero according to a set propagation rule of linear masks in the zero correlation linear approximation expressions in a block cipher structure, obtaining a zero correlation linear discriminator and converting the zero correlation linear discriminator into an integral discriminator to judge whether a secret key for reverse decoding is correct or not;
the specific step of determining that the correlation of a group of zero correlation linear approximation expressions is zero according to the propagation rule of the linear mask in the set zero correlation linear approximation expression in the block cipher structure is as follows: obtaining a zero correlation linear approximation by using a constraint-based method, comprising:
establishing a model to describe the propagation of the linear mask in an encryption and key expansion data path;
adding a constraint that the linear mask of the master key adjustment is fixed to be zero, and setting masks of a plaintext, an adjustment and a ciphertext as given values;
using an STP solver to obtain a linear approximation for which the correlation of the zero correlation linear approximation expression is zero;
wherein, the correlation of the zero correlation linear approximation expression is verified by traversing all possible values of the plaintext, the secret key and the adjustment;
the specific steps of obtaining a zero correlation linear discriminator and converting the zero correlation linear discriminator into an integral discriminator to judge whether a key for reverse decoding is correct are as follows: according to the relation between the zero correlation linear approximation and the integral discriminator, the zero correlation linear discriminator is converted into a related key adjustment integral discriminator to recover the key and the ciphertext.
2. The zero correlation linear cryptanalysis method of claim 1, wherein the plaintext, the key and the adjustment are treated equally in the zero correlation linear approximation expression.
3. The method of claim 1, wherein a SAT- or SMT-based standard tool is used to search for the zero correlation linear approximation in a unified block cipher framework.
4. A zero correlation linear cryptanalysis system, comprising:
a data acquisition module configured to: acquiring an adjustable block cipher to be analyzed;
a zero correlation linear approximation expression acquisition module configured to: taking the obtained adjustable block cipher as a vector Boolean function, constructing a plaintext, a secret key and a mapping relation between adjustment and the vector Boolean function, and setting a zero correlation linear approximation expression of the vector Boolean function;
the plain text, the secret key and the mapping relation between the adjustment and the vector Boolean function are as follows:
Figure FDA0003548849830000031
after r rounds of encryption, the mask on the block cipher should contain 5 parts: alpha is a mask on the plaintext, gamma is a mask on the key, lambda is a mask on the adjustment, kappa is a mask on the key adjustment after the r-round key adjustment scheduling algorithm, and beta is a mask on the ciphertext; Λ represents the set of masks on plaintext, key, adjustment and ciphertext; n represents the plaintext and ciphertext length; m represents the key length; l represents the adjustment length;
Figure FDA0003548849830000032
representing a vector Boolean function formed by a cryptographic algorithm;
the zero correlation linear approximation
Figure FDA0003548849830000033
The expression is as follows:
Figure FDA0003548849830000034
wherein, alpha is a mask on a plaintext, beta is a mask on the ciphertext, gamma is a mask on a secret key, and lambda is a mask on adjustment;
Figure FDA0003548849830000035
is an exclusive or operation sign;
Figure FDA0003548849830000036
is a vector boolean function;
Figure FDA0003548849830000037
is the key,
Figure FDA0003548849830000038
is the adjustment, and x is the plaintext;
a cryptanalysis module configured to: determining the correlation of a group of zero correlation linear approximation expressions to be zero according to a set propagation rule of linear masks in the zero correlation linear approximation expressions in a block cipher structure, obtaining a zero correlation linear discriminator and converting the zero correlation linear discriminator into an integral discriminator to judge whether a secret key for reverse decoding is correct or not;
the specific step of determining that the correlation of a group of zero correlation linear approximation expressions is zero according to the propagation rule of the linear mask in the set zero correlation linear approximation expression in the block cipher structure is as follows: obtaining a zero correlation linear approximation by using a constraint-based method, comprising:
establishing a model to describe the propagation of the linear mask in an encryption and key expansion data path;
adding a constraint that the linear mask of the master key adjustment is fixed to be zero, and setting masks of a plaintext, an adjustment and a ciphertext as given values;
using an STP solver to obtain a linear approximation for which the correlation of the zero correlation linear approximation expression is zero;
wherein, the correlation of the zero correlation linear approximation expression is verified by traversing all possible values of the plaintext, the secret key and the adjustment;
the specific steps of obtaining a zero correlation linear discriminator and converting the zero correlation linear discriminator into an integral discriminator to judge whether a key for reverse decoding is correct are as follows: according to the relation between the zero correlation linear approximation and the integral discriminator, the zero correlation linear discriminator is converted into a related key adjustment integral discriminator to recover the key and the ciphertext.
5. A computer-readable storage medium, on which a program is stored, which, when being executed by a processor, carries out the steps of the zero correlation linear cryptoanalytic method of any one of claims 1 to 3.
6. An electronic device comprising a memory, a processor and a program stored on the memory and executable on the processor, wherein the processor implements the steps of the zero correlation linear cryptanalysis method of any one of claims 1-3 when executing the program.
CN202011120542.4A 2020-10-19 2020-10-19 Zero correlation linear code analysis method, system, medium and electronic equipment Active CN112398638B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011120542.4A CN112398638B (en) 2020-10-19 2020-10-19 Zero correlation linear code analysis method, system, medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011120542.4A CN112398638B (en) 2020-10-19 2020-10-19 Zero correlation linear code analysis method, system, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112398638A CN112398638A (en) 2021-02-23
CN112398638B true CN112398638B (en) 2022-04-26

Family

ID=74596016

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011120542.4A Active CN112398638B (en) 2020-10-19 2020-10-19 Zero correlation linear code analysis method, system, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112398638B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070632A (en) * 2017-03-15 2017-08-18 中国人民解放军信息工程大学 Impossible differential and zero correlation path automatic search method based on SAT

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL214743A0 (en) * 2011-08-18 2012-02-29 Nds Ltd Block cipher modes of operation


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Improving algorithm 2 in multidimensional (zero-correlation) linear cryptanalysis using χ2-method; Huaifeng Chen; Springer Science+Business Media New York 2016; 20160102; full text *

Also Published As

Publication number Publication date
CN112398638A (en) 2021-02-23

Similar Documents

Publication Publication Date Title
Fu et al. MILP-based automatic search algorithms for differential and linear trails for speck
Hao et al. Modeling for three-subset division property without unknown subset: improved cube attacks against Trivium and Grain-128aead
Tang et al. Non-interactive privacy-preserving truth discovery in crowd sensing applications
US8340282B2 (en) Information processing apparatus
Bos et al. Assessing the feasibility of single trace power analysis of Frodo
CN111415013B (en) Privacy machine learning model generation and training method and device and electronic equipment
KR20160132943A (en) Solving digital logic constraint problems via adiabatic quantum computation
Frederiksen et al. On the complexity of additively homomorphic UC commitments
Cintas-Canto et al. ChatGPT vs. Lightweight security: First work implementing the NIST cryptographic standard ASCON
Kazymyrov et al. Influence of addition modulo 2 n on algebraic attacks
Idris et al. A deep learning approach for active S-box prediction of lightweight generalized feistel block ciphers
Hadipour et al. Finding the impossible: automated search for full impossible-differential, zero-correlation, and integral attacks
Niwa et al. GCM security bounds reconsidered
Funabiki et al. Several MILP-aided attacks against SNOW 2.0
AU2018271515B2 (en) Secret tampering detection system, secret tampering detection apparatus, secret tampering detection method, and program
Chen et al. Improved differential attacks on GIFT-64
Samajder et al. Rigorous upper bounds on data complexities of block cipher cryptanalysis
Niu et al. Zero-correlation linear cryptanalysis with equal treatment for plaintexts and tweakeys
CN112398638B (en) Zero correlation linear code analysis method, system, medium and electronic equipment
Shakiba et al. Non-isomorphic biclique cryptanalysis and its application to full-round mCrypton
CN117094022A (en) Encryption system based on computer software development
US7103180B1 (en) Method of implementing the data encryption standard with reduced computation
JPWO2020165931A1 (en) Information processing equipment, secret calculation method and program
CN112134679B (en) Combined high-order side channel attack method, device, equipment and medium for SM4
Li et al. Integral analysis of GRANULE and ESF block ciphers based on MILP

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant