Research on Linear-Type Cryptanalysis Methods for Block Ciphers
Abstract
Block ciphers are an important component of modern cryptography and the core cryptographic algorithms used in information and network security for data encryption, message authentication and key management. With the introduction of differential cryptanalysis and linear cryptanalysis, systematic tools became available for analysing the security of block ciphers. Their appearance not only laid a solid foundation for the analysis theory of block ciphers but also provided a basis for their design theory. Since then, research building on these two methods has become a hot topic in block-cipher research, and cryptographers have proposed many extensions, such as truncated differential cryptanalysis, higher-order differential cryptanalysis, impossible differential cryptanalysis, the boomerang attack, the rectangle attack, multiple linear cryptanalysis, non-linear cryptanalysis, multidimensional linear cryptanalysis and differential-linear cryptanalysis. This work has greatly advanced the analysis theory of block ciphers, placed higher demands on their design theory, and ultimately promoted the development of block ciphers.
     This dissertation studies linear-type cryptanalysis methods from two aspects. On the one hand, for several internationally popular block ciphers we study their resistance to linear cryptanalysis and multiple linear cryptanalysis, which serves as a reference for evaluating their security; on the other hand, starting from existing linear-type cryptanalytic ideas and methods (linear cryptanalysis, multiple linear cryptanalysis, multidimensional linear cryptanalysis, the linear hull, and so on), we propose several new and effective combined cryptanalysis methods that apply to almost all block ciphers. Their appearance will have a positive effect on both the analysis theory and the design theory of block ciphers. The main contributions of the dissertation are as follows:
     (1) We study the resistance of ARIA to linear cryptanalysis. By introducing a kind of linear characteristic for SPN block ciphers, we obtain a series of 4-round linear characteristics of reduced ARIA and, on that basis, propose linear attacks on 7-round, 9-round and 11-round reduced ARIA. ARIA is the block cipher standard published officially by Korea in 2004, intended mainly for lightweight and hardware implementations. In the ARIA design document the designers state that no linear attack on 8 or more rounds of reduced ARIA exists; our results show that such linear attacks do exist. This is the best cryptanalytic result on ARIA to date.
     (2) We study the resistance of SMS4 to multiple linear cryptanalysis and propose a multiple linear attack on 22-round reduced SMS4. SMS4 is the block cipher used in the Chinese wireless LAN security standard WAPI and the first commercial cipher algorithm officially published in China. We are the first to study the security of SMS4 from the viewpoint of multiple linear cryptanalysis: by analysing the structure of SMS4 and the properties of its round function we obtain a series of 18-round linear characteristics of reduced SMS4, and based on them we mount an effective multiple linear attack on 22-round reduced SMS4, obtaining a good cryptanalytic result on SMS4.
     (3) We propose differential-linear hull cryptanalysis and confirm its effectiveness by applying it to SERPENT. The linear hull, proposed by K. Nyberg, studies the security of a block cipher through the set of linear characteristics that share the same input mask and the same output mask. Following this idea, we propose the concept of the differential-linear hull and introduce a cryptanalysis method that uses differential-linear hulls to study block-cipher security. Compared with existing differential-linear cryptanalysis, the new method fully exploits the statistical properties of the several differential-linear characteristics belonging to one differential-linear hull, and therefore has better data complexity. We apply it to SERPENT and obtain good cryptanalytic results.
     (4) We propose differential-multiple linear cryptanalysis and differential-multidimensional linear cryptanalysis and confirm their effectiveness by applying them to DES and SERPENT respectively. In the design of modern block ciphers the designers usually already take into account resistance to differential, truncated differential and linear cryptanalysis, so an analyst can rarely find usable truncated differential or linear characteristics covering many rounds of the reduced cipher, but can generally still find effective ones covering fewer rounds. From such characteristics, differential-linear cryptanalysis allows the analyst to attack a reduced cipher with more rounds effectively. This dissertation combines differential cryptanalysis with multiple linear cryptanalysis and with multidimensional linear cryptanalysis to obtain new combined cryptanalysis methods. Compared with existing differential-linear cryptanalysis, the new methods have better data complexity. To verify their effectiveness we apply them to DES and SERPENT respectively and obtain good cryptanalytic results.
     (5) We propose linear fault analysis and confirm its effectiveness by applying it to SERPENT. As an important side-channel method, differential fault analysis has been widely used in the security analysis of block ciphers, but the attacker must induce faults in the last few rounds of the cipher. By studying the properties of fault attacks and combining them with the ideas of linear cryptanalysis, this dissertation proposes linear fault analysis for the first time. Compared with differential fault analysis, the new method can move the round in which faults are induced further forward and still mount an effective attack. To verify its effectiveness we apply it to SERPENT and obtain good cryptanalytic results.
Block ciphers are one of the most important components of cryptology, and they serve as the core cryptographic algorithms for data encryption, message authentication, key management, and so on. With the presentation of differential cryptanalysis and linear cryptanalysis, people can investigate the security of block ciphers systematically. Since then, the research work based on differential cryptanalysis and linear cryptanalysis has become a hotspot in cryptology, and many efforts have been made to generalize and extend these approaches in order to derive more effective cryptanalytic methods such as truncated differential cryptanalysis, higher order differential cryptanalysis, impossible differential cryptanalysis, boomerang attack, rectangle attack, multiple linear cryptanalysis, non-linear cryptanalysis, multidimensional linear cryptanalysis, differential-linear cryptanalysis, and so on. Such work has dramatically pushed forward the analysis theory of block ciphers, resulting in considerable improvement of the design theory of block ciphers and finally facilitating the development of block ciphers greatly.
     In this dissertation, we work on linear cryptanalysis and its extensions from two aspects. Firstly, we study the security of some well-known block ciphers by means of linear cryptanalysis and multiple linear cryptanalysis, which may be helpful in the security evaluation of these ciphers. Secondly, we propose some new effective cryptanalytic methods based on approaches such as linear cryptanalysis, multiple linear cryptanalysis, multidimensional linear cryptanalysis, the linear hull, and so on. As a matter of fact, our novel cryptanalytic tools can be used in the security analysis of various block ciphers. The highlights of this dissertation are listed as follows:
     (1) The block cipher ARIA was selected as a data encryption standard by the Korean Ministry of Commerce, Industry and Energy in 2004. In this dissertation, we present a kind of special linear characteristics for SPN block ciphers and then derive a series of 4-round linear characteristics of ARIA. Based on such 4-round linear characteristics, we propose attacks on 7-round, 9-round and 11-round ARIA respectively. The designers of ARIA expect that there isn’t any effective attack on 8 or more rounds of ARIA by means of linear cryptanalysis. However, our work shows that such attacks do exist. Moreover, our cryptanalytic results are the best known cryptanalytic results of ARIA so far.
     (2) SMS4, the first commercial cryptological algorithm released by the Chinese government in 2006, is the underlying block cipher used in WLAN Authentication and Privacy Infrastructure (WAPI), the Chinese national standard for WLAN. In this dissertation, we study the security of the block cipher SMS4 against multiple linear cryptanalysis for the first time. By analyzing the properties of the structure and the round function of SMS4, we find a series of 5-round iterative linear characteristics of the cipher, from which a list of 18-round linear characteristics of the cipher can be constructed. With the help of such 18-round linear characteristics, we mount an effective key recovery attack on 22-round SMS4. Compared with the previously best cryptanalytic results on 22-round SMS4, our result has better data complexity as well as comparable time complexity and memory complexity.
     (3) In 1994, K. Nyberg proposed a cryptanalytic approach using a set of linear characteristics with the same input mask and the same output mask, which is called a linear hull. Following this idea, we introduce the concept of the differential-linear hull and a cryptanalytic method that adopts differential-linear hulls. In comparison with differential-linear cryptanalysis, our new method can exploit more statistical properties from a differential-linear hull, thus leading to a better data complexity. For the purpose of illustration, we mount an effective key recovery attack on reduced-round SERPENT by applying the new method.
     (4) Generally, modern block ciphers are devised to avoid good long truncated differential and linear characteristics in order to resist traditional attacks such as differential, truncated differential and linear cryptanalysis, but usually good short ones still exist. According to differential-linear cryptanalysis, an adversary can obtain long cryptanalytic distinguishers by concatenating good short truncated differential and linear characteristics, which leads to more powerful attacks on block ciphers. In this dissertation, we present several extensions to differential-linear cryptanalysis, called differential-multiple linear cryptanalysis and differential-multidimensional linear cryptanalysis, by combining differential and multiple linear cryptanalysis, differential and multidimensional linear cryptanalysis respectively. Compared with differential-linear cryptanalysis, our extensions improve the data complexity of cryptanalysis. As a demonstration, we use the new approaches to cryptanalyze reduced-round DES and SERPENT respectively, and the corresponding cryptanalytic results confirm the effectiveness of these approaches.
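To make the quantities behind contributions (2), (3) and (4) concrete, the following is an added worked example in Python; it is not part of the dissertation and not the author's code. It builds the linear approximation table (LAT) of a 4-bit S-box in correlation form, applies Matsui's piling-up lemma to a two-round trail, computes Nyberg's linear-hull sum over every intermediate mask and checks it against the exact correlation of a toy two-round cipher, and shows how the capacity of a set of approximations lowers the data complexity of multiple linear cryptanalysis relative to a single trail. The S-box table and the toy cipher F(x) = S(S(x) xor k) are constructed for the example (the table is a 4-bit permutation the editor recalls as Serpent's S0; nothing below depends on that identification), and all function names are the example's own.

```python
# Added example (not from the dissertation): LAT of a 4-bit S-box, Matsui's
# piling-up lemma, Nyberg's linear-hull sum for a toy two-round cipher, and
# the capacity used in multiple linear cryptanalysis.
N_BITS = 4
SIZE = 1 << N_BITS
# Sample 4-bit permutation (constructed input for the example; recalled as
# Serpent's S0, but the code does not rely on that).
SBOX = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]


def parity(v: int) -> int:
    """Parity of the bits of v; the inner product a.x is parity(a & x)."""
    return bin(v).count("1") & 1


def correlation(func, a: int, b: int) -> float:
    """Correlation of the approximation a.x = b.func(x) over all 4-bit inputs:
    c = 2^-n * sum_x (-1)^(a.x xor b.func(x)).  The bias of Matsui is c / 2."""
    agree = sum(1 for x in range(SIZE) if parity(a & x) == parity(b & func(x)))
    return (2 * agree - SIZE) / SIZE


def lat(sbox) -> list:
    """Full LAT in correlation form: lat[a][b] is the correlation of (a, b)."""
    return [[correlation(lambda x: sbox[x], a, b) for b in range(SIZE)]
            for a in range(SIZE)]


def best_approximations(table, count: int) -> list:
    """The `count` non-trivial (a, b, c) entries with the largest |c|; a
    designer checks that these stay small (resistance to linear cryptanalysis)."""
    entries = [(a, b, table[a][b]) for a in range(1, SIZE) for b in range(1, SIZE)]
    entries.sort(key=lambda e: -abs(e[2]))
    return entries[:count]


def piling_up(correlations) -> float:
    """Matsui's piling-up lemma in correlation form: the correlation of a trail
    is the product of the round correlations (rounds assumed independent)."""
    c = 1.0
    for ci in correlations:
        c *= ci
    return c


def linear_hull_correlation(table, a: int, b: int, key: int) -> float:
    """Nyberg's linear hull for the toy cipher F(x) = S(S(x) xor key): the sum
    over every intermediate mask m of (-1)^(m.key) * c(a, m) * c(m, b).  Every
    trail a -> m -> b contributes, not only the single best one."""
    return sum((-1) ** parity(m & key) * table[a][m] * table[m][b]
               for m in range(SIZE))


def exact_two_round_correlation(sbox, a: int, b: int, key: int) -> float:
    """Brute-force correlation of (a, b) over the same toy two-round cipher."""
    return correlation(lambda x: sbox[sbox[x] ^ key], a, b)


def capacity(correlations) -> float:
    """Capacity of a set of approximations (multiple linear cryptanalysis):
    the data complexity scales like 1/capacity instead of 1/c^2 for one trail."""
    return sum(c * c for c in correlations)


def data_reduction_factor(single_c: float, correlations) -> float:
    """How many times fewer texts a set of approximations needs compared with
    using only the single approximation of correlation single_c."""
    return capacity(correlations) / (single_c * single_c)


def hull_versus_trail(a: int, b: int, key: int) -> dict:
    """Compare the best single trail (piling-up, with its key-dependent sign)
    against the full hull sum and the exact correlation for one key."""
    table = lat(SBOX)
    best_m = max(range(1, SIZE), key=lambda m: abs(table[a][m] * table[m][b]))
    sign = (-1) ** parity(best_m & key)
    return {
        "best_trail": sign * piling_up([table[a][best_m], table[best_m][b]]),
        "hull": linear_hull_correlation(table, a, b, key),
        "exact": exact_two_round_correlation(SBOX, a, b, key),
    }


if __name__ == "__main__":
    table = lat(SBOX)
    print("largest non-trivial S-box correlations:", best_approximations(table, 4))
    for key in (0, 5, 15):
        print("key", key, hull_versus_trail(1, 1, key))
    cs = [c for _, _, c in best_approximations(table, 4)]
    print("capacity of 4 best approximations:", capacity(cs),
          "data reduction vs single:", data_reduction_factor(cs[0], cs))
```

The hull figures show the point of contribution (3): for some keys the exact correlation differs markedly from the single best trail, because other trails with the same input and output masks add to or cancel it, and a data-complexity estimate based on one trail is then off. The capacity figure is the quantity behind contributions (2) and (4): with m approximations of roughly equal correlation, the required number of texts drops by about a factor of m.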
     (5) As one of the most important approaches in side channel attacks, differential fault analysis (DFA) has already been applied to attack many block ciphers by means of inducing some faults at the last few rounds of block ciphers. In this dissertation, we present a new fault attack on block ciphers called linear fault analysis (LFA), in which linear characteristics for some consecutive rounds of a block cipher will be utilized instead of exploiting differential distributions of S-Boxes within the block cipher in DFA. Basically, the new approach can handle the case that faults are induced several rounds earlier compared to DFA. For the sake of verification, we mount a key recovery attack on SERPENT by adopting LFA and achieve a good cryptanalytic result.