分组密码的几类分析方法研究
|
摘要
作为对称密码体制重要组成内容的分组密码是许多密码系统的核心要素,是保障信息机密性和完整性的重要技术。分组密码算法的安全性分析也一直是密码学重要研究内容之一。因此,研究和探索新的分组密码分析方法对分组密码算法的设计与分析都具有重要的意义。
本文对不可能差分分析、复合路径的差分分析、基于比特的积分攻击和改进的中间相遇攻击等密码分析方法进行了分析研究,并基于所得到的研究结果分别对ARIA、AC、CLEFIA分组密码算法的安全性进行了分析。主要做出了以下几方面的工作:
1.分析了一类SP结构分组密码算法的不可能差分分析性质。提出从差分重量的角度对线性扩散矩阵输入进行分类,并以此为基础分析了SP结构分组密码算法的不可能差分性质。构造了一类新的6轮ARIA分组密码算法的不可能差分,给出了输入输出差分重量为10的两类具有一般形式的6轮ARIA的不可能差分的结构和计数,证明了在差分重量的分析方法下,不存在输入输出差分重量小于10的6轮ARIA的不可能差分分析。
2.研究了ARIA的复合路径的差分分析。首先构造并证明了ARIA仅存在两条达到最大差分特征概率上界的差分路径,并进一步在考虑复合路径的情况下,给出了两轮ARIA的最大复合路径的循环差分路径。
3.研究了基于比特的积分攻击方法,提出数据模式周期的概念,改进了基于比特的积分攻击方法。利用改进的基于比特的积分攻击方法对AC分组密码算法进行了分析,构造出3轮基于比特的积分区分器,攻击了4轮AC分组密码,恢复出了最后一轮128比特的子密钥,攻击算法所需的数据量为21 3.5,计算量为2 47。
4.研究了改进的中间相遇攻击方法。利用改进的中间相遇攻击方法,对一种4路分支输入的广义Feistel结构分组密码算法模型结构进行了研究,并基于此对CLEFIA分组密码算法进行了分析。在不考虑密钥白化的情况下,构造了CLEFIA分组密码算法的三类区分器,进而攻击了10轮CLEFIA-128/192/256,11轮CLEFIA-192/256和12轮CLEFIA-256,并对攻击算法的各项指标进行了分析,分析结果表明10轮CLEFIA-128/192/256,11轮CLEFIA-192/256,12轮CLEFIA-256对改进的中间相遇攻击是不免疫的,而且在攻击上述相同轮数CLEFIA分组密码算法情况下,本文的攻击算法与其它攻击算法相比所需的数据量是最优的。
As an important part of symmetric-key cryptography, the block cipher is a core component of some cryptology systems. It can provide the information security such as confidentiality and data integrity. The security analysis of block cipher is always a very active branch in cryptanalysis. Therefore, the research on some new cryptanalytic tools brings a far reaching meaning in design and analysis of block cipher.
The thesis has a deep research on the impossible differential attack, the multi-trail differential attack, the bit-pattern integral attack and the improved meet-in-the-middle attack. Based on the obtained conclusion in research, we then apply these cryptanalytic tools on block ciphers such as ARIA, AC and CLEFIA. Main contributions of this dissertation are summarized as follows:
1. Research on the impossible differential characteristic of a class of SP structure block cipher. A new method is designed to classify the linear diffusion input values by the weight of differential, and the impossible differential characteristics of the SP structure block cipher are analyzed. We specifically construct a new general kind of 6-rond ARIA impossible differential in detail, and prove there are only two classess of impossible differential when the input-and-output weight of differential is ten. The impossible differential structures and count values are also proposed. Finally, we prove there is no 6-round impossible differential with the input-and-output differential weight less than ten based on this new method.
2. Research on the multi-trail differential attack of ARIA. We prove there are only two differentials reaching the upper bound of maximal probability. What’s more, when it comes to the multi-trial differentials, 2-round recycled multi-trial differential with maximal probability is presented.
3. Research on the bit-pattern integral attack. The bit-pattern integral attack is improved with the definition of pattern period. Then we apply the improved bit-pattern integral attack on the AC block cipher, construct 3-round integral distinguisher, and finally analyze the security of 4-round AC against bit-pattern integral attack. With 213.5 chosen plaintexts and 247 4-round AC encryption, we successfully recover 128-bit final round key.
4. Research on the improved meet-in-the-middle attack. We analyze the security of 4-branch generalized Feistel structure against the improved meet-in-the-middle attack and concretely take CLEFIA as an application example. Without the key whitening, we construct three classes of distinguishers and successfully attack 10-round CLEFIA-128/192/256, 11-round CLEFIA-192/256 and 12-round CLEFIA-256 respectively. The results show that 10-round CLEFIA-128/192/256, 11-round CLEFIA-192/256 and 12-round CLEFIA-256 are not immune to the improved meet-in-the-middle attack. And compared to the existing cryptanalytic tools for attacking the same round CLEFIA, the improved meet-in-the-middle attack requires the lowest data complexity.
本文对不可能差分分析、复合路径的差分分析、基于比特的积分攻击和改进的中间相遇攻击等密码分析方法进行了分析研究,并基于所得到的研究结果分别对ARIA、AC、CLEFIA分组密码算法的安全性进行了分析。主要做出了以下几方面的工作:
1.分析了一类SP结构分组密码算法的不可能差分分析性质。提出从差分重量的角度对线性扩散矩阵输入进行分类,并以此为基础分析了SP结构分组密码算法的不可能差分性质。构造了一类新的6轮ARIA分组密码算法的不可能差分,给出了输入输出差分重量为10的两类具有一般形式的6轮ARIA的不可能差分的结构和计数,证明了在差分重量的分析方法下,不存在输入输出差分重量小于10的6轮ARIA的不可能差分分析。
2.研究了ARIA的复合路径的差分分析。首先构造并证明了ARIA仅存在两条达到最大差分特征概率上界的差分路径,并进一步在考虑复合路径的情况下,给出了两轮ARIA的最大复合路径的循环差分路径。
3.研究了基于比特的积分攻击方法,提出数据模式周期的概念,改进了基于比特的积分攻击方法。利用改进的基于比特的积分攻击方法对AC分组密码算法进行了分析,构造出3轮基于比特的积分区分器,攻击了4轮AC分组密码,恢复出了最后一轮128比特的子密钥,攻击算法所需的数据量为21 3.5,计算量为2 47。
4.研究了改进的中间相遇攻击方法。利用改进的中间相遇攻击方法,对一种4路分支输入的广义Feistel结构分组密码算法模型结构进行了研究,并基于此对CLEFIA分组密码算法进行了分析。在不考虑密钥白化的情况下,构造了CLEFIA分组密码算法的三类区分器,进而攻击了10轮CLEFIA-128/192/256,11轮CLEFIA-192/256和12轮CLEFIA-256,并对攻击算法的各项指标进行了分析,分析结果表明10轮CLEFIA-128/192/256,11轮CLEFIA-192/256,12轮CLEFIA-256对改进的中间相遇攻击是不免疫的,而且在攻击上述相同轮数CLEFIA分组密码算法情况下,本文的攻击算法与其它攻击算法相比所需的数据量是最优的。
As an important part of symmetric-key cryptography, the block cipher is a core component of some cryptology systems. It can provide the information security such as confidentiality and data integrity. The security analysis of block cipher is always a very active branch in cryptanalysis. Therefore, the research on some new cryptanalytic tools brings a far reaching meaning in design and analysis of block cipher.
The thesis has a deep research on the impossible differential attack, the multi-trail differential attack, the bit-pattern integral attack and the improved meet-in-the-middle attack. Based on the obtained conclusion in research, we then apply these cryptanalytic tools on block ciphers such as ARIA, AC and CLEFIA. Main contributions of this dissertation are summarized as follows:
1. Research on the impossible differential characteristic of a class of SP structure block cipher. A new method is designed to classify the linear diffusion input values by the weight of differential, and the impossible differential characteristics of the SP structure block cipher are analyzed. We specifically construct a new general kind of 6-rond ARIA impossible differential in detail, and prove there are only two classess of impossible differential when the input-and-output weight of differential is ten. The impossible differential structures and count values are also proposed. Finally, we prove there is no 6-round impossible differential with the input-and-output differential weight less than ten based on this new method.
2. Research on the multi-trail differential attack of ARIA. We prove there are only two differentials reaching the upper bound of maximal probability. What’s more, when it comes to the multi-trial differentials, 2-round recycled multi-trial differential with maximal probability is presented.
3. Research on the bit-pattern integral attack. The bit-pattern integral attack is improved with the definition of pattern period. Then we apply the improved bit-pattern integral attack on the AC block cipher, construct 3-round integral distinguisher, and finally analyze the security of 4-round AC against bit-pattern integral attack. With 213.5 chosen plaintexts and 247 4-round AC encryption, we successfully recover 128-bit final round key.
4. Research on the improved meet-in-the-middle attack. We analyze the security of 4-branch generalized Feistel structure against the improved meet-in-the-middle attack and concretely take CLEFIA as an application example. Without the key whitening, we construct three classes of distinguishers and successfully attack 10-round CLEFIA-128/192/256, 11-round CLEFIA-192/256 and 12-round CLEFIA-256 respectively. The results show that 10-round CLEFIA-128/192/256, 11-round CLEFIA-192/256 and 12-round CLEFIA-256 are not immune to the improved meet-in-the-middle attack. And compared to the existing cryptanalytic tools for attacking the same round CLEFIA, the improved meet-in-the-middle attack requires the lowest data complexity.
引文
[1] Shannon C E. Communication theory of secret system[J]. Bell System Technical Journal, 1949, 28: 656-715.
[2] FIPS 46-3. Data Encryption Standard[S]. National Institute of Standards and Technology, 1977.
[3] Tuchman W. Hellman. Presents no Shortcut Solutions to DES. IEEE Spectrum. 1979, 16: 40-41.
[4] Daemen J, Rijmen V. The Design of Rijndael: AES-The Advanced Encryption Standard[M]. Springer-Verlag, 2002.
[5] FIPS 197. Advanced Encryption Standard[S]. National Institute of Standards and Technology, 2001.
[6] J. L. Massey. SAFER-64: A byte-oriented block-ciphering algorithm[A]. FSE 1993[C], LNCS 809, Springer-Verlag, 1994: 1-17.
[7] J. L. Massey. SAFER-64: One year later[A]. FSE 1995[C], LNCS 1008, Springer-Verlag, 1995: 212-241.
[8] J. L. Massey, G. H. Khachatrian, M. K. Kuregian. Nomination of SAFER++ as Candidate Algorithm for the Advanced Encryption Standard(AES)[EB/OL]. http://www.nist.gov/aes.
[9] R.L.Rivest, M. J. B. Robshaw, R. Sidney and Y. L. Yin. The RC6 Block Cipher, v1.1[EB/OL]. http://www.rsa.com/rsalabs/aes.
[10] S. Contini, R. L. Rivest, M. J. B. Robshaw, R. Sidney and Y. L. Yin. The Security of the RC6 Block Cipher[EB/OL]. http://www.rsa.com/rsalabs/aes.
[11] Daesung Kwon, Jaesung Kim, Sangwoo Park et al. New block cipher: ARIA[A]. In proc. Information Security and Cryptology (ICISC’03)[C]. Seoul, Korea, LNCS 2971, 432-445, Springer-Verlag, November 27-28, 2003.
[12] P Junod, S Vaudenay. FOX: a new family of block cipher[A]. Selected Areas in Cryptography-SAC 2004[C], Springer-Verlag, 2004.
[13] P. S. L. M. Barreto, V. Rijmen. The ANUBIS Block Cipher[EB/OL]. Available from the NESSIE homepage, http://cryptonessie.org.
[14] Sony Corporation. The 128-bit Blockcipher CLEFIA: Algorithm Specification. Revision 1.0[EB/OL] June 1, 2007.
[15] Shirai T, Shibutani K, Akishita T, Moriai S, and Iwata T. The 128-bit Block Cipher CLEFIA[A]. FSE 2007[C], Springer, Heidelbeng, 2007, LNCS 4593, 181-195.
[16] Sony Corporation. The 128-bit Blockcipher CLEFIA: Security and Performance Evaluation. Revision 1.0 June 1, 2007.
[17] NESSIE. http://www.cryptonessie.org.
[18] Anderson, R., Biham, E., Knudsen, L.. Serpent: A Proposal for the Advanced Encryption Standard[EB/OL]. In: NIST AES Proposal 1998. http://www.c1.cam.ac.uk/~rja14/serpent.html.
[19] Matsui M. New Block Encryption Algorithm MISTY[A]. FSE 1997[C], LNCS 1267. Springer-Verlag, 1997, 54-68.
[20] ETSI, Universal Mobile Teleconnunications System(UMTS)[S] ; Specification of the 3GPP confidentiality and integrity algorithms. Document 2: Kasumi specification, 2007. http://www.etsi.org
[21] Handschuh H, Naccache D. SHACAL, NESSIE, 2001. http://www.cosic.esat.kuleuven.be/nessie.
[22] Lai X, Massey J. A Proposal for a New Block Encryption Standard[A]. EUROCRYPT 1990[C], LNCS 473, Springer-Verlag. 1991:389-404.
[23] K. Nyberg. Generalized Feistel Networks[A]. ASIACRYPT 1996[C], LNCS 1163, Springer-Verlag. 1996: 91-104.
[24] M. Kanda. Practical Security Evaluation Against Differential and Linear Attacks for Feistel Ciphers with SPN Round Function[A]. Selected Areas in Cryptography-SAC 2000[C], Springer-Verlag. 2000: 168-179.
[25] K. Ohkuma, H. Shimizu, F. Sano et al. Security Assessment of Hierocypt and Rijndael Against the Differential and Linear Cryptanalysis. Proceeding of the 2nd NESSIE Workshop, 2001.
[26]张文涛,卿斯汉,吴文玲.嵌套Feistel结构的SP型分组密码的可证明安全[J].计算机研究与发展,2004, 40(8): 1389-1397.
[27] Shimizu, Miyaguchi. Fast Data Encipherment Algorithm FEAL[A]. EUROCRYPT 1987[C], LNCS 304, 1988, 267-278.
[28] Schneier. Description of a New Variable-length Key, 64-bit Block Cipher (Blowfish)[A]. FSE 1993[C], LNCS 809, Springer-Verlag, 1994, 191-204.
[29] Charnes, O’Connor, Pieprzyk. Comments on Soviet Encryption Algorithm[A]. EUROCRYPT 1994[C], LNCS 950, Springer-Verlag, 1995, 433-438.
[30] Daemen, Govaerts, Vandewalle. A New Approach to Block Cipher Design[A]. FSE 1993[C], LNCS 809, Springer-Verlag, 1994, 18-32.
[31] Nyberg K, Kundsen L. Provable Security Against Differential Cryptanalysis[J]. Journal of Cryptoloty, 1995, 1(8), 156-168.
[32] K Nyberg. Linear Approximation of Block Ciphers[A]. EUROCRYPT 1994[C], LNCS 950, Springer-Verlag, 1995, 439-444.
[33] G.Alvarez, D. de la Guia, F. Montoya, A. Peinado. Akelarre: a new Block Cipher Algorithm[J]. Third Annual Workshop on Selected Areas in Cryptography (SAC '96), 1996: 1-14.
[34] J. Daemen, L. Kundsen, V. Rijmen. The Block Cipher Square[A]. FSE 1997[C], LNCS 1267, Springer-Verlag, 1997: 149-165.
[35]李超,孙兵,李瑞林.分组密码的攻击方法与实例分析[M].北京:科学出版社. 2010: 7-10.
[36] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone著,胡磊,王鹏等译. Handbook of applied cryptography (应用密码学手册)[M].电子工业出版社. 2005.
[37]吴文玲,冯登国,张文涛.分组密码的设计与分析(第2版)[M].北京:清华大学出版社,2009.
[38] Biham E, Shamir A. Differential Cryptanalysis of DES-like Cryptosystems (Extended Abstract)[A]. Crypto 1990[C]. LNCS 537, Springer-Verlag, 1991: 2-21.
[39] Matsui M. Linear Cryptanalysis Method for DES Cipher[A]. EUROCRYPT 1993[C], LNCS 765. Springer-Verlag, 1993: 386-397.
[40] Biham E, Biryukov A, Shamir A. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials[A]. EUROCRYPT 1999[C], LNCS 1592. Springer-Verlag, 1999:12-23.
[41] Knudsen L. DEAL-a 128-bit Block Cipher[R]. AES Proposal, 1998.
[42] Knudsen L. Truncated and High Order Differentials[A]. FSE 1995[C], LNCS 1008. Springer-Verlag, 1995: 196-211.
[43] Lai X. High Order Derivatives and Differential Cryptanalysis[M]. Communications and Cryptography. Kluwer Academic Press, 1994:227-233.
[44] Wagner D. The Boomerang Attack[A]. FSE 1999[C], LNCS 1636. Springer-Verlag, 1999: 156-170.
[45] Biham E, Dunkelman O, Keller N. The Rectangle Attack-rectangling the Serpent[A]. EUROCRYPT 2001[C], LNCS 2045. Springer-Verlag, 2001:340-357.
[46] L. Knudsen, M. Robshaw. Non-linear Approximations in Linear Cryptanalysis[A]. EUROCRYPT 1996[C], LNCS 1070. Springer-Verlag, 1997: 252-267.
[47] Nicolas T. Courtois. Feistel Schemes and Bi-linear Cryptanalysis (Extended Abstract)[A]. CRYPTO 2004[C], LNCS 3152. Springer-Verlag, 2004: 23-40.
[48] B. Kaliske Jr. , M. Robshaw. Linear Cryptanalysis Using Multiple Approximations[A]. CRYPTO 1994[C], LNCS 839. Springer-Verlag, 1994: 26-39.
[49] Biham E. New Types of Cryptanalytic Attacks Using Related Keys[A]. EUROCRYPT 1993[C], LNCS 765. Springer-Verlag, 1994: 398-409.
[50] Gilbert H, Minier M. A Collision Attack on 7 Rounds Rijndael[C]. AES, 2000.
[51] Courtois N T, Pieprzyk J. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations[A]. ASIACRYPT 2002[C], LNCS 2501. Springer-Verlag, 2002: 267-287.
[52] Alex Biryukov, Christophe De Canniere, Joseph Lano, Siddika Berna Ors, Bart Preneel. Security and Performance Analysis of ARIA. Version 1.2. Jan 7, 2003.
[53]李申华.对称密码算法ARIA和Salsa20的安全性分析[D].山东:山东大学博士论文, 2008.
[54] Ping Li, Bing Sun, Chao Li. Intergral Cryptanalysis of ARIA[A]. Information Security and Cryptology- Inscrypt 2009[C], pp. 1-14.
[55] Yanjun Li, Wenling Wu, Lei Zhang. Integral Attacks on Reduced-Round ARIA Block Cipher[A]. Information Security, Practice,and Experience(ISPEC 2010)[C], LNCS 6047. Springer-Verlag, 2010: 19-29.
[56] Ewan Fleischmann, Michael Gorski, Stefan Lucks. Attacking Reduced Rounds of the ARIA Block Cipher[EB/OL]. Crytology ePrint Archive, Report 2009/334, 2009. http://eprint.iacr.org/.
[57] Xuehai Tang, Bing Sun, Ruilin Li, Chao Li. A Meet-in-the-Middle Attack on ARIA[EB/OL]. Crytology ePrint Archive, Report 2010/168, 2010. http://eprint.iacr.org/.
[58]李刚,胡予濮,李洁.低轮ARIA的不可能差分[J].计算机研究与发展,2006,43(Suppl.):244-248.
[59] Wu Wenling, Zhang Wentao, Feng Dengguo. Impossible Differential Cryptanalysis of Reduced-Round ARIA and Camellia[J]. Journal of Computer Science and Technology, 2007, 22(3), 449-456.
[60] Peng Zhang, Tuilin Li, Bing Sun, Chao Li. New Impossible Differential Cryptanalysis of ARIA[EB/OL]. Cryptology ePrint Archive, Report 2008/227, 2008. http://eprint.iacr.org/.
[61] Wei Li, Dawu Gu, Juanru Li. Differential Fault Analysis on the ARIA Algorithm[J]. Information Sciences, 2008, 178(19), 3727-3737.
[62] AES Candidate Algorithms[EB/OL]. http://csrc.nist.gov/encryption/aes/aes-home.htm#candidates.
[63] NESSIE计划主页. http://www.cryptonessie.org[EB/OL].
[64]吴文玲,马恒太,冯登国,卿斯汉. AC分组密码[J].通信学报, 2002, 23(5), 130-134.
[65]吴文玲,马恒太,卿斯汉. AC分组密码的差分和线性密码分析[J].软件学报,2003, 14(3), 569-574.
[66] Xu Xinagyang. Differential Fault Analysis on AC Block Cipher[J]. Journal of Chinese Computer Systems.
[67] T sunoo Y, Tsujihara E, Shigeri M, Saito T, Suzaki T, Kubo H. Impossible Differential Cryptanalysis of CLEFIA [A]. FSE 2008[C], Springer, Heidelbeng, 2008, LNCS 5086, 398-411.
[68] Wang wei, Wang xiaoyu. Impossible Differential Cryptanalysis of CLEFIA-128/192/256 [J]. Journal of Software. 2009, 20(9), 2587-2596.
[69] Wang wei, Wang xiaoyu. Improved Impossible Differential Cryptanalysis of CLEFIA[EB/OL]. Avaialbe through: http: // www.eprint/2007/466.pdf
[70] Zhang wenying, Han jing. Impossible Differential Cryptanalysis of Reduced Round CLEFIA[A]. Inscrypt 2008[C], Springer, LNCS 5487, Heidelbeng. 2009: 181-191.
[71]韩敬,张文英,徐小华.对低轮CLEFIA分组密码的碰撞-Square攻击[J].电子学报,2009, 37(10): 2309-2313.
[72]唐学海,李超,谢端强. CLEFIA密码的Square攻击[J].电子与信息学报,2009,31(9): 2260-2263.
[73]王薇,王小云.对CLEFIA算法的饱和度分析[J].通信学报,2008,29(10): 88-92.
[74] H. Chen, W. Wu, D. Feng. Differential Fault Analysis on CLEFIA[A]. ICICS 2007[C], LNCS 4861, Springer-Verlag, 2007: 284-295.
[75] J. Takahashi, T. Fukunaga. Improved Differential Fault Analysis on CLEFIA[A]. FDTC 2008, IEEE Computer Security[C], 2008: 25-34,
[76]李玮.若干分组密码算法的故障攻击研究[D].上海交通大学博士论文,2009.
[77] Eli Bihan, Alex Biryukov, Adi Shamir. Miss in the Middle Attacks on IDEA and Khufu[A]. FSE 1999[C], LNCS 1636. Springer-Verlag 1999: 124-138.
[78]吴文玲,张蕾.不可能差分密码分析研究进展[J].系统科学与数学. 2008, 28(8): 971-983.
[79] Aoki K, Ichikawa T, Kanda M, et al. Camellia: A 128-bit Block Cipher Suitable for Multiple Platforms[A]. SAC 2000[C], LNCS 2012. Springer-Verlag, 2001: 41-54.
[80] Choy J, Chew G, Khoo K, Yap H. Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure[A]. ACISP 2009[C], LNCS 5594. Springer-Verlag, 2009: 73-89.
[81] Kim J, Hong S, Sung J, et al. Impossible Differential Cryptanalysis for Block Cipher Structures[A]. Indocrypt 2003[C], LNCS 2904. Springer-Verlag, 2003: 82-96.
[82] Yiyuan Luo, Zhongming Wu, Xuejia Lai. Unified Impossible Differential Cryptanalysis on Block Cipher Structures[EB/OL]. Avaialbe through: http: // www.eprint/2009/627.pdf.
[83] Ruilin Li, Bing Sun, Chao Li. Impossible Differential Cryptanalysis of SPN Ciphers[EB/OL]. Avaialbe through: http: // www.eprint/2010/307.pdf.
[84]张庆贵.不可能差分攻击中明文对的筛选方法[J].计算机工程,2010, 36(2), 127-129.
[85] Lucks S. The Saturation Attack-A Bait for Twofish[A]. FSE 2001[C], LNCS 2365. Springer-Verlag, 2002: 1-15.
[86] Biryukov A, Shamir A. Structural Cryptanalysis of SASAS[A]. EUROCRYPT 2001[C], LNCS 2045. Springer-Verlag, 2001: 394-405.
[87] Knudsent L, Wagner D. Integral Cryptanalysis[A]. FSE 2002[C], LNCS 2365. Springer-Verlag, 2002: 112-127.
[88] Z’aba M, Raddum H, Henricksen M, Dawson E. Bit-pattern Based Integral Attack[A]. FSE2008[C], LNCS 5086. Springer-Verlag, 2008: 363-381.
[89] Wei Y, Sun B, Li C. New Intergral Distinguisher for Rijndael-256[EB/OL]. Available through http://eprint.iacr.org/2009/559.
[90] Demirci H, Aydm Sel?uk A. A Meet in the Middle Attack on 8-round AES[A]. FSE 2008[C], LNCS5086, Springer-Verlag, 2008: 116-126.
[91] Demirci H, Ta?km ?, Mustafa ?, Baysal A. Improved Meet-in-the-Middle Attacks on AES[A]. INDOCRYPT 2009[C], LNCS 5922. Springer-Verlag, 2009: 144-156.
[2] FIPS 46-3. Data Encryption Standard[S]. National Institute of Standards and Technology, 1977.
[3] Tuchman W. Hellman. Presents no Shortcut Solutions to DES. IEEE Spectrum. 1979, 16: 40-41.
[4] Daemen J, Rijmen V. The Design of Rijndael: AES-The Advanced Encryption Standard[M]. Springer-Verlag, 2002.
[5] FIPS 197. Advanced Encryption Standard[S]. National Institute of Standards and Technology, 2001.
[6] J. L. Massey. SAFER-64: A byte-oriented block-ciphering algorithm[A]. FSE 1993[C], LNCS 809, Springer-Verlag, 1994: 1-17.
[7] J. L. Massey. SAFER-64: One year later[A]. FSE 1995[C], LNCS 1008, Springer-Verlag, 1995: 212-241.
[8] J. L. Massey, G. H. Khachatrian, M. K. Kuregian. Nomination of SAFER++ as Candidate Algorithm for the Advanced Encryption Standard(AES)[EB/OL]. http://www.nist.gov/aes.
[9] R.L.Rivest, M. J. B. Robshaw, R. Sidney and Y. L. Yin. The RC6 Block Cipher, v1.1[EB/OL]. http://www.rsa.com/rsalabs/aes.
[10] S. Contini, R. L. Rivest, M. J. B. Robshaw, R. Sidney and Y. L. Yin. The Security of the RC6 Block Cipher[EB/OL]. http://www.rsa.com/rsalabs/aes.
[11] Daesung Kwon, Jaesung Kim, Sangwoo Park et al. New block cipher: ARIA[A]. In proc. Information Security and Cryptology (ICISC’03)[C]. Seoul, Korea, LNCS 2971, 432-445, Springer-Verlag, November 27-28, 2003.
[12] P Junod, S Vaudenay. FOX: a new family of block cipher[A]. Selected Areas in Cryptography-SAC 2004[C], Springer-Verlag, 2004.
[13] P. S. L. M. Barreto, V. Rijmen. The ANUBIS Block Cipher[EB/OL]. Available from the NESSIE homepage, http://cryptonessie.org.
[14] Sony Corporation. The 128-bit Blockcipher CLEFIA: Algorithm Specification. Revision 1.0[EB/OL] June 1, 2007.
[15] Shirai T, Shibutani K, Akishita T, Moriai S, and Iwata T. The 128-bit Block Cipher CLEFIA[A]. FSE 2007[C], Springer, Heidelbeng, 2007, LNCS 4593, 181-195.
[16] Sony Corporation. The 128-bit Blockcipher CLEFIA: Security and Performance Evaluation. Revision 1.0 June 1, 2007.
[17] NESSIE. http://www.cryptonessie.org.
[18] Anderson, R., Biham, E., Knudsen, L.. Serpent: A Proposal for the Advanced Encryption Standard[EB/OL]. In: NIST AES Proposal 1998. http://www.c1.cam.ac.uk/~rja14/serpent.html.
[19] Matsui M. New Block Encryption Algorithm MISTY[A]. FSE 1997[C], LNCS 1267. Springer-Verlag, 1997, 54-68.
[20] ETSI, Universal Mobile Teleconnunications System(UMTS)[S] ; Specification of the 3GPP confidentiality and integrity algorithms. Document 2: Kasumi specification, 2007. http://www.etsi.org
[21] Handschuh H, Naccache D. SHACAL, NESSIE, 2001. http://www.cosic.esat.kuleuven.be/nessie.
[22] Lai X, Massey J. A Proposal for a New Block Encryption Standard[A]. EUROCRYPT 1990[C], LNCS 473, Springer-Verlag. 1991:389-404.
[23] K. Nyberg. Generalized Feistel Networks[A]. ASIACRYPT 1996[C], LNCS 1163, Springer-Verlag. 1996: 91-104.
[24] M. Kanda. Practical Security Evaluation Against Differential and Linear Attacks for Feistel Ciphers with SPN Round Function[A]. Selected Areas in Cryptography-SAC 2000[C], Springer-Verlag. 2000: 168-179.
[25] K. Ohkuma, H. Shimizu, F. Sano et al. Security Assessment of Hierocypt and Rijndael Against the Differential and Linear Cryptanalysis. Proceeding of the 2nd NESSIE Workshop, 2001.
[26]张文涛,卿斯汉,吴文玲.嵌套Feistel结构的SP型分组密码的可证明安全[J].计算机研究与发展,2004, 40(8): 1389-1397.
[27] Shimizu, Miyaguchi. Fast Data Encipherment Algorithm FEAL[A]. EUROCRYPT 1987[C], LNCS 304, 1988, 267-278.
[28] Schneier. Description of a New Variable-length Key, 64-bit Block Cipher (Blowfish)[A]. FSE 1993[C], LNCS 809, Springer-Verlag, 1994, 191-204.
[29] Charnes, O’Connor, Pieprzyk. Comments on Soviet Encryption Algorithm[A]. EUROCRYPT 1994[C], LNCS 950, Springer-Verlag, 1995, 433-438.
[30] Daemen, Govaerts, Vandewalle. A New Approach to Block Cipher Design[A]. FSE 1993[C], LNCS 809, Springer-Verlag, 1994, 18-32.
[31] Nyberg K, Kundsen L. Provable Security Against Differential Cryptanalysis[J]. Journal of Cryptoloty, 1995, 1(8), 156-168.
[32] K Nyberg. Linear Approximation of Block Ciphers[A]. EUROCRYPT 1994[C], LNCS 950, Springer-Verlag, 1995, 439-444.
[33] G.Alvarez, D. de la Guia, F. Montoya, A. Peinado. Akelarre: a new Block Cipher Algorithm[J]. Third Annual Workshop on Selected Areas in Cryptography (SAC '96), 1996: 1-14.
[34] J. Daemen, L. Kundsen, V. Rijmen. The Block Cipher Square[A]. FSE 1997[C], LNCS 1267, Springer-Verlag, 1997: 149-165.
[35]李超,孙兵,李瑞林.分组密码的攻击方法与实例分析[M].北京:科学出版社. 2010: 7-10.
[36] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone著,胡磊,王鹏等译. Handbook of applied cryptography (应用密码学手册)[M].电子工业出版社. 2005.
[37]吴文玲,冯登国,张文涛.分组密码的设计与分析(第2版)[M].北京:清华大学出版社,2009.
[38] Biham E, Shamir A. Differential Cryptanalysis of DES-like Cryptosystems (Extended Abstract)[A]. Crypto 1990[C]. LNCS 537, Springer-Verlag, 1991: 2-21.
[39] Matsui M. Linear Cryptanalysis Method for DES Cipher[A]. EUROCRYPT 1993[C], LNCS 765. Springer-Verlag, 1993: 386-397.
[40] Biham E, Biryukov A, Shamir A. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials[A]. EUROCRYPT 1999[C], LNCS 1592. Springer-Verlag, 1999:12-23.
[41] Knudsen L. DEAL-a 128-bit Block Cipher[R]. AES Proposal, 1998.
[42] Knudsen L. Truncated and High Order Differentials[A]. FSE 1995[C], LNCS 1008. Springer-Verlag, 1995: 196-211.
[43] Lai X. High Order Derivatives and Differential Cryptanalysis[M]. Communications and Cryptography. Kluwer Academic Press, 1994:227-233.
[44] Wagner D. The Boomerang Attack[A]. FSE 1999[C], LNCS 1636. Springer-Verlag, 1999: 156-170.
[45] Biham E, Dunkelman O, Keller N. The Rectangle Attack-rectangling the Serpent[A]. EUROCRYPT 2001[C], LNCS 2045. Springer-Verlag, 2001:340-357.
[46] L. Knudsen, M. Robshaw. Non-linear Approximations in Linear Cryptanalysis[A]. EUROCRYPT 1996[C], LNCS 1070. Springer-Verlag, 1997: 252-267.
[47] Nicolas T. Courtois. Feistel Schemes and Bi-linear Cryptanalysis (Extended Abstract)[A]. CRYPTO 2004[C], LNCS 3152. Springer-Verlag, 2004: 23-40.
[48] B. Kaliske Jr. , M. Robshaw. Linear Cryptanalysis Using Multiple Approximations[A]. CRYPTO 1994[C], LNCS 839. Springer-Verlag, 1994: 26-39.
[49] Biham E. New Types of Cryptanalytic Attacks Using Related Keys[A]. EUROCRYPT 1993[C], LNCS 765. Springer-Verlag, 1994: 398-409.
[50] Gilbert H, Minier M. A Collision Attack on 7 Rounds Rijndael[C]. AES, 2000.
[51] Courtois N T, Pieprzyk J. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations[A]. ASIACRYPT 2002[C], LNCS 2501. Springer-Verlag, 2002: 267-287.
[52] Alex Biryukov, Christophe De Canniere, Joseph Lano, Siddika Berna Ors, Bart Preneel. Security and Performance Analysis of ARIA. Version 1.2. Jan 7, 2003.
[53]李申华.对称密码算法ARIA和Salsa20的安全性分析[D].山东:山东大学博士论文, 2008.
[54] Ping Li, Bing Sun, Chao Li. Intergral Cryptanalysis of ARIA[A]. Information Security and Cryptology- Inscrypt 2009[C], pp. 1-14.
[55] Yanjun Li, Wenling Wu, Lei Zhang. Integral Attacks on Reduced-Round ARIA Block Cipher[A]. Information Security, Practice,and Experience(ISPEC 2010)[C], LNCS 6047. Springer-Verlag, 2010: 19-29.
[56] Ewan Fleischmann, Michael Gorski, Stefan Lucks. Attacking Reduced Rounds of the ARIA Block Cipher[EB/OL]. Crytology ePrint Archive, Report 2009/334, 2009. http://eprint.iacr.org/.
[57] Xuehai Tang, Bing Sun, Ruilin Li, Chao Li. A Meet-in-the-Middle Attack on ARIA[EB/OL]. Crytology ePrint Archive, Report 2010/168, 2010. http://eprint.iacr.org/.
[58]李刚,胡予濮,李洁.低轮ARIA的不可能差分[J].计算机研究与发展,2006,43(Suppl.):244-248.
[59] Wu Wenling, Zhang Wentao, Feng Dengguo. Impossible Differential Cryptanalysis of Reduced-Round ARIA and Camellia[J]. Journal of Computer Science and Technology, 2007, 22(3), 449-456.
[60] Peng Zhang, Tuilin Li, Bing Sun, Chao Li. New Impossible Differential Cryptanalysis of ARIA[EB/OL]. Cryptology ePrint Archive, Report 2008/227, 2008. http://eprint.iacr.org/.
[61] Wei Li, Dawu Gu, Juanru Li. Differential Fault Analysis on the ARIA Algorithm[J]. Information Sciences, 2008, 178(19), 3727-3737.
[62] AES Candidate Algorithms[EB/OL]. http://csrc.nist.gov/encryption/aes/aes-home.htm#candidates.
[63] NESSIE计划主页. http://www.cryptonessie.org[EB/OL].
[64]吴文玲,马恒太,冯登国,卿斯汉. AC分组密码[J].通信学报, 2002, 23(5), 130-134.
[65]吴文玲,马恒太,卿斯汉. AC分组密码的差分和线性密码分析[J].软件学报,2003, 14(3), 569-574.
[66] Xu Xinagyang. Differential Fault Analysis on AC Block Cipher[J]. Journal of Chinese Computer Systems.
[67] T sunoo Y, Tsujihara E, Shigeri M, Saito T, Suzaki T, Kubo H. Impossible Differential Cryptanalysis of CLEFIA [A]. FSE 2008[C], Springer, Heidelbeng, 2008, LNCS 5086, 398-411.
[68] Wang wei, Wang xiaoyu. Impossible Differential Cryptanalysis of CLEFIA-128/192/256 [J]. Journal of Software. 2009, 20(9), 2587-2596.
[69] Wang wei, Wang xiaoyu. Improved Impossible Differential Cryptanalysis of CLEFIA[EB/OL]. Avaialbe through: http: // www.eprint/2007/466.pdf
[70] Zhang wenying, Han jing. Impossible Differential Cryptanalysis of Reduced Round CLEFIA[A]. Inscrypt 2008[C], Springer, LNCS 5487, Heidelbeng. 2009: 181-191.
[71]韩敬,张文英,徐小华.对低轮CLEFIA分组密码的碰撞-Square攻击[J].电子学报,2009, 37(10): 2309-2313.
[72]唐学海,李超,谢端强. CLEFIA密码的Square攻击[J].电子与信息学报,2009,31(9): 2260-2263.
[73]王薇,王小云.对CLEFIA算法的饱和度分析[J].通信学报,2008,29(10): 88-92.
[74] H. Chen, W. Wu, D. Feng. Differential Fault Analysis on CLEFIA[A]. ICICS 2007[C], LNCS 4861, Springer-Verlag, 2007: 284-295.
[75] J. Takahashi, T. Fukunaga. Improved Differential Fault Analysis on CLEFIA[A]. FDTC 2008, IEEE Computer Security[C], 2008: 25-34,
[76]李玮.若干分组密码算法的故障攻击研究[D].上海交通大学博士论文,2009.
[77] Eli Bihan, Alex Biryukov, Adi Shamir. Miss in the Middle Attacks on IDEA and Khufu[A]. FSE 1999[C], LNCS 1636. Springer-Verlag 1999: 124-138.
[78]吴文玲,张蕾.不可能差分密码分析研究进展[J].系统科学与数学. 2008, 28(8): 971-983.
[79] Aoki K, Ichikawa T, Kanda M, et al. Camellia: A 128-bit Block Cipher Suitable for Multiple Platforms[A]. SAC 2000[C], LNCS 2012. Springer-Verlag, 2001: 41-54.
[80] Choy J, Chew G, Khoo K, Yap H. Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure[A]. ACISP 2009[C], LNCS 5594. Springer-Verlag, 2009: 73-89.
[81] Kim J, Hong S, Sung J, et al. Impossible Differential Cryptanalysis for Block Cipher Structures[A]. Indocrypt 2003[C], LNCS 2904. Springer-Verlag, 2003: 82-96.
[82] Yiyuan Luo, Zhongming Wu, Xuejia Lai. Unified Impossible Differential Cryptanalysis on Block Cipher Structures[EB/OL]. Avaialbe through: http: // www.eprint/2009/627.pdf.
[83] Ruilin Li, Bing Sun, Chao Li. Impossible Differential Cryptanalysis of SPN Ciphers[EB/OL]. Avaialbe through: http: // www.eprint/2010/307.pdf.
[84]张庆贵.不可能差分攻击中明文对的筛选方法[J].计算机工程,2010, 36(2), 127-129.
[85] Lucks S. The Saturation Attack-A Bait for Twofish[A]. FSE 2001[C], LNCS 2365. Springer-Verlag, 2002: 1-15.
[86] Biryukov A, Shamir A. Structural Cryptanalysis of SASAS[A]. EUROCRYPT 2001[C], LNCS 2045. Springer-Verlag, 2001: 394-405.
[87] Knudsent L, Wagner D. Integral Cryptanalysis[A]. FSE 2002[C], LNCS 2365. Springer-Verlag, 2002: 112-127.
[88] Z’aba M, Raddum H, Henricksen M, Dawson E. Bit-pattern Based Integral Attack[A]. FSE2008[C], LNCS 5086. Springer-Verlag, 2008: 363-381.
[89] Wei Y, Sun B, Li C. New Intergral Distinguisher for Rijndael-256[EB/OL]. Available through http://eprint.iacr.org/2009/559.
[90] Demirci H, Aydm Sel?uk A. A Meet in the Middle Attack on 8-round AES[A]. FSE 2008[C], LNCS5086, Springer-Verlag, 2008: 116-126.
[91] Demirci H, Ta?km ?, Mustafa ?, Baysal A. Improved Meet-in-the-Middle Attacks on AES[A]. INDOCRYPT 2009[C], LNCS 5922. Springer-Verlag, 2009: 144-156.