Security Analysis of Several International Standard Block Ciphers
Abstract
A block cipher is a cryptographic algorithm in which both parties encrypt and decrypt with the same key; it is a fundamental technique for protecting the confidentiality and integrity of data. Security analysis of block ciphers helps to uncover weaknesses in an algorithm, so that the algorithm can be deployed safely in practice, and guides the design of new algorithms. At the end of the last century, with the successive launch of the AES competition in the United States [1], the NESSIE project in Europe [2] and the CRYPTREC project in Japan [3], the security analysis of the corresponding standard ciphers attracted wide attention from cryptographers worldwide and greatly advanced the analysis and design of block ciphers.
     This thesis analyses the security of three international standard block ciphers, AES, Camellia and CLEFIA, establishes several useful cryptographic properties of them, and obtains the best results to date when compared with the most advanced published analyses.
     1. Security analysis of the block cipher AES
     The block cipher Rijndael was designed by the Belgian cryptographers Daemen and Rijmen in 1997 and was announced by the US National Institute of Standards and Technology (NIST) as the Advanced Encryption Standard (AES) in October 2000. AES was subsequently recommended by the CRYPTREC and NESSIE projects and adopted by the International Organization for Standardization (ISO) as the international standard ISO/IEC 18033-3. AES has a 128-bit block, uses an SPN structure, and comes in three key lengths, 128, 192 and 256 bits, which this thesis denotes AES-128, AES-192 and AES-256.
     The meet-in-the-middle attack on AES was proposed by Demirci and Selçuk at FSE 2008 [7]; using a 4-round AES distinguisher they obtained attacks on 7-round AES-192 and 8-round AES-256. At ASIACRYPT 2010, Dunkelman, Keller and Shamir introduced the differential enumeration technique and the multiset technique, which substantially reduced the memory and time complexities of the Demirci-Selçuk attack, and, combined with a data/time/memory trade-off, gave a meet-in-the-middle attack on 7-round AES-128. At EUROCRYPT 2013, Derbez, Fouque and Jean applied the rebound technique from hash function cryptanalysis to greatly reduce the time and memory complexities of the attack of Dunkelman et al.; they also constructed a 5-round AES-256 distinguisher and gave an attack on 9-round AES-256.
     This thesis considers meet-in-the-middle attacks on AES-192/256 in the single-key setting. We propose a new way of improving the meet-in-the-middle attack, a key-dependent sieve on intermediate states, use it to construct a 5-round AES-192 distinguisher, and combine it with a data/time/memory trade-off to mount a meet-in-the-middle attack on 9-round AES-192. The attack follows the differential enumeration idea of Dunkelman et al., but differs in that we exploit the key relations among intermediate states and replace the multiset by an ordered sequence, which carries more information and therefore lowers the complexity of the attack. Apart from the biclique method [10], this is the first result on 9-round AES-192. Furthermore, by exploiting the key information shared between the precomputation and online phases, we split the whole attack into a series of mutually independent sub-attacks. When the sub-attacks run sequentially, the same memory can be reused, which lowers the memory complexity of the whole attack. For 9-round AES-256, compared with the EUROCRYPT 2013 result [9], the memory complexity is reduced by a factor of 2^32 while the data and time complexities are unchanged.
     2. Security analysis of the block cipher Camellia
     The block cipher Camellia was designed by NTT and Mitsubishi in 2000; it has a 128-bit block and three key lengths, 128, 192 and 256 bits. Camellia was recommended by CRYPTREC as a Japanese e-government cipher, was one of the algorithms finally selected by the NESSIE project, and was adopted by ISO as the international standard ISO/IEC 18033-3. This thesis studies impossible differential cryptanalysis and meet-in-the-middle attacks on Camellia.
     First, we give a 7-round impossible differential of Camellia that includes the FL/FL^{-1} layer. Using it we attack 10-round Camellia-128 without whitening keys, and 10-round Camellia-192 and 11-round Camellia-256 with whitening keys. We also give a 7-round impossible differential with the FL/FL^{-1} layer that holds for a weak-key class covering 3/4 of the key space, and use it to mount impossible differential attacks on 10/11/12-round Camellia-128/192/256 under the weak-key condition. Building on this, we propose the idea of a compound attack: each attack that fails reveals a 2-bit condition on the key, so after a attacks 2a bits of key information are obtained, which turns the weak-key attacks into attacks on the whole key space. In addition, we give attacks on 14 middle rounds of Camellia-256 and 12 middle rounds of Camellia-192.
     Second, combining the differential enumeration idea and the multiset technique proposed by Dunkelman et al. at ASIACRYPT 2010, we give a 7-round meet-in-the-middle property of Camellia-192 and build on it a meet-in-the-middle attack on 12-round Camellia-192 that is about 2^8 times faster than the best previous result. We also give an 8-round meet-in-the-middle property of Camellia-256 and use it to attack 13-round Camellia-256 including two FL/FL^{-1} layers; to our knowledge this is the first attack on 13 rounds of Camellia-256 starting from the first round. We also give an attack on 14-round Camellia-256 without whitening keys.
     3. Security analysis of the block cipher CLEFIA
     CLEFIA was designed by Sony Corporation in 2007, was adopted as a lightweight block cipher standard in ISO/IEC 29192-2 in 2012, and was recommended by the Japanese CRYPTREC project as an e-Government candidate cipher in 2013. CLEFIA uses a 4-branch generalized Feistel structure, has a 128-bit block and comes in three key lengths, 128, 192 and 256 bits.
     This thesis gives a 10-round truncated differential characteristic of CLEFIA and an attack on 13-round CLEFIA-128. Combining it with the function reduction technique of Isobe et al., we then give attacks on 14/15-round CLEFIA-192/256 that are about 2^40 times faster than the best previous results. Finally, by exploiting the key relations in the round function, we give an attack on 14-round CLEFIA-128, which to our knowledge is the first result on 14-round CLEFIA-128.
The block cipher plays an important role in cryptography: it is the core technique for providing confidentiality and integrity protection in secure communication. It belongs to the symmetric-key ciphers, which use the same key to encrypt and decrypt. Cryptanalysis of block ciphers not only ensures their secure application in practice by discovering their weaknesses, but also guides the design of new block ciphers. In previous years, with the AES competition run by NIST, the NESSIE process and the CRYPTREC project, the security analysis of international standard ciphers attracted a great amount of attention from cryptology researchers worldwide, which greatly promoted the analysis and design of block ciphers.
     This thesis focuses on the cryptanalysis of three international standard ciphers: AES, Camellia and CLEFIA. We also propose some interesting properties of these ciphers and obtain the best attack results compared with previous work.
     1. Cryptanalysis of 9-Round AES-192/256
     The block cipher Rijndael was designed by Daemen and Rijmen in 1997, and was selected as the Advanced Encryption Standard (AES) by NIST in 2001. AES was also selected as an e-government recommended cipher by CRYPTREC in 2002, included in the NESSIE block cipher portfolio in 2003, and adopted as the international standard ISO/IEC 18033-3 in 2005. It is a substitution-permutation network (SPN) with a 128-bit block and a variable key length of 128, 192 or 256 bits; the three variants are denoted AES-128, AES-192 and AES-256, respectively.
     The meet-in-the-middle (MITM) attack on AES was introduced by Demirci and Selçuk at FSE 2008 [7] to improve the collision attack proposed by Gilbert and Minier [14]. They constructed a 4-round distinguisher to attack 7-round AES-192 and 8-round AES-256. At ASIACRYPT 2010, Dunkelman, Keller and Shamir [8] exploited the differential enumeration and multiset ideas for the MITM attack to reduce the high memory complexity of the Demirci-Selçuk attack; combined with a data/time/memory trade-off, they obtained an attack on 7-round AES-128. Furthermore, Derbez, Fouque and Jean [9] presented a significant improvement of Dunkelman et al.'s attack at EUROCRYPT 2013. Using a rebound-like idea, they gave the most efficient attacks on 7-round AES-128 and 8-round AES-192/256. Besides, they introduced a 5-round distinguisher to analyse 9-round AES-256.
     In this thesis, we focus on key-recovery attacks on 9-round AES-192 and AES-256 in the single-key model, within the framework of the meet-in-the-middle attack. A new technique named the key-dependent sieve is introduced to further reduce the size of the lookup table of the attack. We construct a 5-round distinguisher and attack 9-round AES-192 with 2^121 chosen plaintexts, 2^187.5 9-round encryptions and 2^185 128-bit words of memory. If the attack starts from the third round, the complexities are further reduced by a factor of 16. Moreover, we show that the whole attack can be split into a series of sub-attacks by using the key information shared between the online and offline phases. This lets us reduce the memory complexity of the attack at no cost in data or time complexity, since the attack can be performed in streaming mode, working on each sub-attack independently and releasing its memory afterwards. For the 9-round attacks on AES-192 and AES-256, the memory complexities are reduced by factors of 2^8 and 2^32, respectively.
     2. Cryptanalysis of Reduced-Round Camellia
The block cipher Camellia is a 128-bit block cipher with a variable key length of 128, 192 or 256 bits, the variants being denoted Camellia-128, Camellia-192 and Camellia-256, respectively. Camellia was proposed by NTT and Mitsubishi in 2000, selected as an e-government recommended cipher by CRYPTREC in 2002, included in the NESSIE block cipher portfolio in 2003, and adopted as the international standard ISO/IEC 18033-3 in 2005. In this thesis, we study the security of reduced-round Camellia against the impossible differential attack and the meet-in-the-middle attack.
     Firstly, we introduce a 7-round impossible differential of Camellia that includes the FL/FL^{-1} layer. Using it, 10-round Camellia-128 is breakable with 2^118.5 chosen plaintexts and 2^123.5 10-round encryptions. Moreover, the attacks on 10-round Camellia-192 and 11-round Camellia-256 are also improved. Further, we introduce 7-round impossible differentials of Camellia for weak keys, which can be used to attack reduced-round Camellia in the weak-key setting. The weak keys for which the impossible differential holds make up 3/4 of the whole key space; we can therefore get rid of the weak-key assumption and extend the attacks to all keys by a method we call the multiplied method. As a result, for the whole key space, 10-round Camellia-128, 11-round Camellia-192 and 12-round Camellia-256 can be attacked with about 2^120, 2^184 and 2^240 encryptions, respectively. In addition, we are able to extend the attacks to 12-round Camellia-192 and 14-round Camellia-256 including two FL/FL^{-1} layers, provided that the attacks do not have to start from the first round.
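The impossible differential attacks on Camellia summarised in section 2 of both abstracts rest on a generic mechanism: a Feistel network whose round function is a bijection has the 5-round impossible differential (a, 0) -/-> (0, a) (the property Knudsen observed for DEAL [99]), and a guessed last-round subkey is discarded as soon as some ciphertext pair, partially decrypted under it, lands on the impossible difference [83]. The following Python program is an added example and not code from the thesis: it demonstrates that mechanism on a constructed 16-bit, 6-round Feistel cipher whose S-box, subkeys and plaintexts are all made up for the example (Camellia's 64-bit branches and FL/FL^{-1} layers are not modelled).

```python
"""Toy impossible-differential attack on a 6-round, 16-bit Feistel cipher.

Added example (not code from the thesis).  The cipher, its S-box, the subkeys
and all plaintexts are constructed here for illustration.  A Feistel network
whose round function is a bijection has the generic 5-round impossible
differential (a, 0) -/-> (0, a); appending a sixth round, guessing its subkey
and peeling it off ciphertext pairs eliminates every guess under which some
pair reaches the impossible difference.
"""
import random
from collections import defaultdict

# Constructed 8-bit S-box: a fixed-seed random permutation (any bijection
# works; the impossible differential only needs the round function to be 1-to-1).
SBOX = list(range(256))
random.Random(2014).shuffle(SBOX)
assert sorted(SBOX) == list(range(256))

KEYS = [0x3A, 0x7F, 0xC4, 0x11, 0x9E, 0x5D]  # constructed round subkeys k1..k6


def encrypt(L, R, subkeys):
    """Feistel rounds (L, R) -> (R, L ^ S(R ^ k)); every round swaps, the last one too."""
    for k in subkeys:
        L, R = R, L ^ SBOX[R ^ k]
    return L, R


def undo_last_round(L6, R6, k):
    """Invert one round under a guessed subkey k; returns (L5, R5)."""
    return R6 ^ SBOX[L6 ^ k], L6


def count_impossible_pairs(subkeys):
    """Count plaintext pairs (L, R), (L ^ a, R) whose difference after
    len(subkeys) rounds is (0, a), exhaustively over all 2^16 plaintexts.
    Within a structure (fixed R, all 256 L) a pair has output difference (0, a)
    exactly when L_out == L_out' and R_out ^ L == R_out' ^ L', so collisions on
    that tag count the pairs without enumerating them.  5 rounds give 0 (the
    impossible differential); 4 or 6 rounds give a random-looking count."""
    bad = 0
    for R in range(256):
        seen = defaultdict(int)
        for L in range(256):
            Lo, Ro = encrypt(L, R, subkeys)
            tag = (Lo, Ro ^ L)
            bad += seen[tag]
            seen[tag] += 1
    return bad


def recover_last_subkey(subkeys, structures=64):
    """Impossible-differential key recovery of k6 on the 6-round cipher.

    Every pair inside a structure has input difference (a, 0) with a = L ^ L'.
    It can only reach the 5-round difference (0, a) if dL6 = dR5 = a, i.e. if
    L6 ^ L agrees for both texts, so usable pairs are collected by that tag
    (about 127 per structure).  Each usable pair is decrypted one round under
    every surviving guess of k6; a guess giving dL5 == 0 made the impossible
    differential 'happen', so it is wrong.  Returns (survivors, pairs used)."""
    assert len(subkeys) == 6
    candidates = set(range(256))
    pairs_used = 0
    for R in range(structures):
        by_tag = defaultdict(list)
        for L in range(256):
            L6, R6 = encrypt(L, R, subkeys)
            by_tag[L6 ^ L].append((L6, R6))
        for group in by_tag.values():
            for i in range(len(group)):
                for j in range(i + 1, len(group)):
                    (L6, R6), (L6b, R6b) = group[i], group[j]
                    pairs_used += 1
                    for k in list(candidates):
                        if undo_last_round(L6, R6, k)[0] == undo_last_round(L6b, R6b, k)[0]:
                            candidates.discard(k)
    return candidates, pairs_used


if __name__ == "__main__":
    print("5-round pairs with (a,0) -> (0,a):", count_impossible_pairs(KEYS[:5]))
    print("4-round pairs with (a,0) -> (0,a):", count_impossible_pairs(KEYS[:4]))
    survivors, n = recover_last_subkey(KEYS)
    print(f"after {n} pairs the surviving k6 guesses are {[hex(k) for k in survivors]}; true k6 = {hex(KEYS[5])}")
```

The exhaustive count is zero for five rounds whatever the keys are, because the contradiction sits in round 3: the forward difference (a, 0) becomes (b, a ^ F(b)) with b nonzero, while the backward difference from (0, a) requires the right half to equal a, which forces F to map the nonzero input difference b to zero. In the key recovery, a wrong guess survives a usable pair with probability about 2^-8, so 64 structures (about 2^13 pairs) leave only the true k6; the same counting, pairs needed versus the fraction of wrong keys each pair removes, is what drives the data complexities of the Camellia attacks quoted above.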
Secondly, combining the differential enumeration technique proposed by Dunkelman et al. at ASIACRYPT 2010 with other sophisticated techniques, we propose a new 7-round MITM property for Camellia-192 and mount a 12-round attack with 2^113 chosen plaintexts, 2^180 encryptions and 2^154 128-bit words of memory. Furthermore, we present an 8-round property of Camellia and achieve a 13-round attack on Camellia-256 with 2^113 chosen plaintexts, 2^232.7 encryptions and 2^227 128-bit words of memory. We also give an attack on 14-round Camellia-256 without whitening keys. To the best of our knowledge, these are the most efficient results on reduced-round Camellia-192/256.
     3. Cryptanalysis of Reduced-Round CLEFIA
CLEFIA is a 128-bit block cipher with a variable key length of 128, 192 or 256 bits, the variants being denoted CLEFIA-128, CLEFIA-192 and CLEFIA-256, respectively. It was proposed by Sony Corporation in 2007, and was selected as an international standard in ISO/IEC 29192-2 in 2011 and as an e-Government recommended cipher by the CRYPTREC project in 2013.
     In this thesis, taking advantage of a property of the diffusion layer, we introduce a 10-round truncated differential characteristic of CLEFIA and give key-recovery attacks on 13-round CLEFIA-128. Furthermore, we give attacks on 14/15-round CLEFIA-192/256 by applying the function reduction technique [13]. More interestingly, by combining this with the key schedule, we achieve an attack on 14-round CLEFIA-128. Compared with the best previous attacks, we present the most efficient cryptanalysis of reduced-round CLEFIA.
References
[1] National Institute of Standards and Technology. Advanced Encryption Standard (AES). FIPS PUB 197, Federal Information Processing Standards Publication, 2001.
    [2]New European Schemes for Signatures, Integrity, and Encryption. Final Report of European project IST-1999-12324. https://www.cosic.esat.kuleuven.be/nessie/Bookv015.pdf.
    [3] Cryptography Research and Evaluation Committees. http://www.cryptrec.go.jp/english/index.html.
    [4]Aoki K, Ichikawa T, Kanda M, et al. Specification of Camellia-a 128-bit Block Cipher. version 2.0,2001.
    [5] Shirai T, Shibutani K, Akishita T, et al. The 128-Bit Blockcipher CLEFIA (Extended Abstract). In: Biryukov A, (eds.). Proceedings of Fast Software Encryption-FSE 2007, volume 4593 of Lecture Notes in Computer Science. Springer, 2007. 181-195.
    [6] International Organization for Standardization (ISO). International Standard ISO/IEC 18033-3, Information technology-Security techniques-Encryption algorithms-Part 3: Block ciphers. 2010.
    [7]Demirci H, Selcuk A A. A Meet-in-the-Middle Attack on 8-Round AES. In:Nyberg K, (eds.). Proceedings of FSE 2008, volume 5086 of Lecture Notes in Computer Science. Springer,2008.116-126.
    [8]Dunkelman O, Keller N, Shamir A. Improved Single-Key Attacks on 8-Round AES-192 and AES-256. In:Abe M, (eds.). Proceedings of Advances in Cryptology-ASIACRYPT 2010, volume 6477 of Lecture Notes in Computer Science. Springer,2010.158-176.
    [9]Derbez P, Fouque P A, Jean J. Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting. In:Johansson T, Nguyen P Q, (eds.). Proceedings of EUROCRYPT, volume 7881 of Lecture Notes in Computer Science. Springer,2013.371-387.
    [10]Bogdanov A, Khovratovich D, Rechberger C. Biclique Cryptanalysis of the Full AES. In: Lee D H, Wang X, (eds.). Proceedings of Advances in Cryptology-ASIACRYPT 2011, volume 7073 of Lecture Notes in Computer Science. Springer,2011.344-371.
    [11]Bogdanov A, Geng H, Wang M, et al. Zero-Correlation Linear Cryptanalysis with FFT and Improved Attacks on ISO Standards Camellia and CLEFIA. In:Lange T, Lauter K, Lisonek P, (eds.). Proceedings of SAC 2013,2013.
    [12] International Organization for Standardization (ISO). International Standard ISO/IEC 29192-2, Information technology-Security techniques-Lightweight cryptography-Part 2: Block ciphers. 2011.
    [13] Isobe T, Shibutani K. Generic Key Recovery Attack on Feistel Scheme. In: Sako K, Sarkar P, (eds.). Proceedings of Advances in Cryptology-ASIACRYPT 2013, volume 8269 of Lecture Notes in Computer Science. Springer, 2013. 464-485.
    [14]Gilbert H, Minier M. A Collision Attack on 7 Rounds of Rijndael. Proceedings of AES Candidate Conference,2000.230-241.
    [15]Aoki K, Ichikawa T, Kanda M, et al. Camellia:A 128-Bit Block Cipher Suitable for Multiple Platforms-Design and Analysis. In:Stinson D R, Tavares S E, (eds.). Proceedings of SAC 2000, volume 2012 of Lecture Notes in Computer Science. Springer,2001.39-56.
    [16]Koc C K. Cryptographic Engineering. Boston, MA:Springer US,2009.
    [17] National Bureau of Standards. Data Encryption Standard. FIPS PUB 46, Federal Information Processing Standards Publication, 1977.
    [18]Diffie W, Hellman M E. New directions in cryptography. IEEE Transactions on Information Theory,1976,22(6):644-654.
    [19]Biham E, Shamir A. Differential Cryptanalysis of DES-like Cryptosystems. In:Menezes A, Vanstone S A, (eds.). Proceedings of Advances in Cryptology-CRYPTO 90, volume 537 of Lecture Notes in Computer Science. Springer,1991.2-21.
    [20] Matsui M. Linear Cryptanalysis Method for DES Cipher. In: Helleseth T, (eds.). Proceedings of Advances in Cryptology-EUROCRYPT'93, volume 765 of Lecture Notes in Computer Science. Springer, 1994. 386-397.
    [21]Matsui M. New Block Encryption Algorithm MISTY. In:Biham E, (eds.). Proceedings of FSE 1997, volume 1267 of Lecture Notes in Computer Science. Springer,1997.54-68.
    [22]Handschuh H, Naccache D. SHACAL, Proceedings of first open NESSIE workshop.2000. https://www.cosic.esat.kuleuven.be/nessie/workshop/submissions.html.
    [23] NIST Special Publication 800-67 (version 1). Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. 2004.
    [24]Adams C. RFC2144:The CAST-128 Encryption Algorithm.1997.
    [25]KISA. A Design and Analysis of SEED.1998. https://www.kisa.or.kr/technology/subl/128-seed.pdf.
    [26]Hong D, Sung J, Hong S, et al. HIGHT:A New Block Cipher Suitable for Low-Resource Device. In:Goubin L, Matsui M, (eds.). Proceedings of CHES 2006, volume 4249 of Lecture Notes in Computer Science. Springer,2006.46-59.
    [27]Bogdanov A, Knudsen L R, Leander G, et al. PRESENT:An Ultra-Lightweight Block Cipher. In:Paillier P, Verbauwhede I, (eds.). Proceedings of CHES, volume 4727 of Lecture Notes in Computer Science. Springer,2007.450-466.
    [28] Daemen J, Knudsen L R, Rijmen V. The Block Cipher Square. In: Biham E, (eds.). Proceedings of FSE 1997, volume 1267 of Lecture Notes in Computer Science. Springer, 1997. 149-165.
    [29]Daemen J, Rijmen V. AES proposal:Rijndael. Proceedings of First Advanced Encryption Standard (AES) Conference,1998.
    [30]Ferguson N, Kelsey J, Lucks S, et al. Improved Cryptanalysis of Rijndael. In:Schneier B, (eds.). Proceedings of Fast Software Encryption 2000, volume 1978 of Lecture Notes in Computer Science. Springer,2000.213-230.
    [31]Biham E, Keller N. Cryptanalysis of reduced variants of Rijndael. Proceedings of 3rd AES Conference, New York, USA,2000.
    [32]Bahrak B, Aref M R. Impossible differential attack on seven-round AES-128. Information Security, IET,2008,2(2):28-32.
    [33] Lu J, Dunkelman O, Keller N, et al. New Impossible Differential Attacks on AES. In: Chowdhury D R, Rijmen V, Das A, (eds.). Proceedings of Progress in Cryptology-INDOCRYPT 2008, volume 5365 of Lecture Notes in Computer Science. Springer, 2008. 279-293.
    [34]Zhang W, Wu W, Feng D. New Results on Impossible Differential Cryptanalysis of Reduced AES. In:Nam K H, Rhee G, (eds.). Proceedings of ICISC 2007, volume 4817 of Lecture Notes in Computer Science. Springer,2007.239-250.
    [35]Mala H, Dakhilalian M, Rijmen V, et al. Improved impossible differential cryptanalysis of 7-round AES-128. In:Gong G, Gupta K C, (eds.). Proceedings of INDOCRYPT 2010. Springer,2010:282-291.
    [36] Mendel F, Rechberger C, Schläffer M, et al. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In: Dunkelman O, (eds.). Proceedings of Fast Software Encryption 2009, volume 5665 of Lecture Notes in Computer Science. Springer, 2009. 260-276.
    [37]Bouillaguet C, Derbez P, Fouque P A. Automatic Search of Attacks on Round-Reduced AES and Applications. In:Rogaway P, (eds.). Proceedings of CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science. Springer,2011.169-187.
    [38] Derbez P, Fouque P A, Jean J. Exhausting Demirci-Selçuk Meet-in-the-Middle Attacks against Reduced-Round AES. Proceedings of FSE 2013, 2013.
    [39]Derbez P, Fouque P A, Leresteux D. Meet-in-the-Middle and Impossible Differential Fault Analysis on AES. In:Preneel B, Takagi T, (eds.). Proceedings of CHES, volume 6917 of Lecture Notes in Computer Science. Springer,2011.274-291.
    [40]Kim J, Hong S, Preneel B. Related-Key Rectangle Attacks on Reduced AES-192 and AES-256. In:Biryukov A, (eds.). Proceedings of FSE, volume 4593 of Lecture Notes in Computer Science. Springer,2007.225-241.
    [41]Biham E, Dunkelman O, Keller N. Related-Key Impossible Differential Attacks on 8-Round AES-192. In:Pointcheval D, (eds.). Proceedings of CT-RSA, volume 3860 of Lecture Notes in Computer Science. Springer,2006.21-33.
    [42] Jakimoski G, Desmedt Y. Related-Key Differential Cryptanalysis of 192-bit Key AES Variants. In: Matsui M, Zuccherato R J, (eds.). Proceedings of Selected Areas in Cryptography, volume 3006 of Lecture Notes in Computer Science. Springer, 2003. 208-221.
    [43]Zhang W, Zhang L, Wu W, et al. Related-Key Differential-Linear Attacks on Reduced AES-192. In:Srinathan K, Rangan C P, Yung M, (eds.). Proceedings of INDOCRYPT, volume 4859 of Lecture Notes in Computer Science. Springer,2007.73-85.
    [44]Zhang W, Wu W, Zhang L, et al. Improved Related-Key Impossible Differential Attacks on Reduced-Round AES-192. In:Biham E, Youssef A M, (eds.). Proceedings of Selected Areas in Cryptography, volume 4356 of Lecture Notes in Computer Science. Springer,2006. 15-27.
    [45] Biryukov A, Dunkelman O, Keller N, et al. Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds. In: Gilbert H, (eds.). Proceedings of EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer Science. Springer, 2010. 299-319.
    [46]Biryukov A, Khovratovich D. Related-Key Cryptanalysis of the Full AES-192 and AES-256. In:Matsui M, (eds.). Proceedings of ASIACRYPT 2009, volume 5912 of Lecture Notes in Computer Science. Springer,2009.1-18.
    [47]Biryukov A, Khovratovich D, Nikolic I. Distinguisher and Related-Key Attack on the Full AES-256. In:Halevi S, (eds.). Proceedings of CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science. Springer,2009.231-249.
    [48]Fouque P A, Jean J, Peyrin T. Structural Evaluation of AES and Chosen-Key Distinguisher of 9-Round AES-128. In:Canetti R, Garay J A, (eds.). Proceedings of CRYPTO, volume 8042 of Lecture Notes in Computer Science. Springer,2013.183-203.
    [49]Lei D, Li C, Feng K. Square Like Attack on Camellia. In:Qing S, Imai H, Wang G, (eds.). Proceedings of ICICS 2007, volume 4861 of Lecture Notes in Computer Science. Springer, 2007.269-283.
    [50]Lee S, Hong S, Lee S, et al. Truncated Differential Cryptanalysis of Camellia. In:Kim K, (eds.). Proceedings of ICISC 2001, volume 2288 of Lecture Notes in Computer Science. Springer,2002.32-38.
    [51] Lu J, Kim J, Keller N, et al. Improving the Efficiency of Impossible Differential Cryptanalysis of Reduced Camellia and MISTY1. In: Malkin T, (eds.). Proceedings of CT-RSA 2008, volume 4964 of Lecture Notes in Computer Science. Springer, 2008. 370-386.
    [52] Mala H, Shakiba M, Dakhilalian M, et al. New Results on Impossible Differential Cryptanalysis of Reduced-Round Camellia-128. In: Jacobson M J Jr, Rijmen V, Safavi-Naini R, (eds.). Proceedings of SAC 2009, volume 5867 of Lecture Notes in Computer Science. Springer, 2009. 281-294.
    [53]Shirai T. Differential, linear, boomerang and rectangle Cryptanalysis of Reduced-Round Camellia. Proceedings of the Third NESSIE Workshop,2002.
    [54]Sugita M, Kobara K, Imai H. Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis. In:Boyd C, (eds.). Proceedings of Advances in Cryptology-ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science. Springer,2001.193-207.
    [55]Wu W, Zhang W, Feng D. Impossible Differential Cryptanalysis of Reduced-Round ARIA and Camellia. J. Comput. Sci. Technol.,2007,22(3):449-456.
    [56]Wu W, Feng D, Chen H. Collision Attack and Pseudorandomness of Reduced-Round Camellia. In:Handschuh H, Hasan M A, (eds.). Proceedings of SAC 2004, volume 3357 of Lecture Notes in Computer Science. Springer,2004.252-266.
    [57]Lu J, Wei Y, Fouque P A, et al. Cryptanalysis of reduced versions of the Camellia block cipher. IET Information Security,2012,6(3):228-238.
    [58]Lei D, Li C, Feng K. New Observation on Camellia. In:Preneel B, Tavares S E, (eds.). Proceedings of SAC 2005, volume 3897 of Lecture Notes in Computer Science. Springer, 2006.51-64.
    [59]Hatano Y, Sekine H, Kaneko T. Higher Order Differential Attack of Camellia (Ⅱ). In: Nyberg K, Heys H M, (eds.). Proceedings of SAC 2002, volume 2595 of Lecture Notes in Computer Science. Springer,2003.129-146.
    [60]Chen J, Jia K, Yu H, et al. New Impossible Differential Attacks of Reduced-Round Camellia-192 and Camellia-256. In:Parampalli U, Hawkes P, (eds.). Proceedings of ACISP 2011, volume 6812 of Lecture Notes in Computer Science. Springer,2011.16-33.
    [61]Bai D, Li L. New Impossible Differential Attacks on Camellia. In:Ryan M D, Smyth B, Wang G, (eds.). Proceedings of ISPEC 2012, volume 7232 of Lecture Notes in Computer Science. Springer,2012.80-96.
    [62]Liu Y, Li L, Gu D, et al. New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia. In:Canteaut A, (eds.). Proceedings of Fast Software Encryption 2012, volume 7549 of Lecture Notes in Computer Science. Springer,2012.90-109.
    [63] Chen J. Cryptanalysis of Several Block Ciphers. 2013.
    [64]Lu J, Wei Y, Kim J, et al. The Higher-Order Meet-in-the-Middle Attack and Its Application to the Camellia Block Cipher. In:Galbraith S D, Nandi M, (eds.). Proceedings of Progress in Cryptology-INDOCRYPT 2012, volume 7668 of Lecture Notes in Computer Science. Springer,2012.244-264.
    [65] Lu J, Wei Y, Pasalic E, et al. Meet-in-the-Middle Attack on Reduced Versions of the Camellia Block Cipher. Proceedings of IWSEC 2012, volume 7631 of Lecture Notes in Computer Science. Springer, 2012. 197-215.
    [66]Chen J, Li L. Low Data Complexity Attack on Reduced Camellia-256. In:Susilo W, Mu Y, Seberry J, (eds.). Proceedings of ACISP 2012, volume 7372 of Lecture Notes in Computer Science. Springer,2012.101-114.
    [67]Wang W, Wang X. Improved Impossible Differential Cryptanalysis of CLEFIA. IACR Cryptology ePrint Archive,2007,2007:466.
    [68]Tsunoo Y, Tsujihara E, Shigeri M, et al. Impossible Differential Cryptanalysis of CLEFIA. In:Nyberg K, (eds.). Proceedings of FSE 2008, volume 5086 of Lecture Notes in Computer Science. Springer,2008.398-411.
    [69]Mala H, Dakhilalian M, Shakiba M. Impossible Differential Attacks on 13-Round CLEFIA-128. J. Comput. Sci. Technol.,2011,26(4):744-750.
    [70]Tang X, Sun B, Li R, et al. Impossible Differential Cryptanalysis of 13-Round CLEFIA-128. Journal of Systems and Software,2011,84(7):1191-1196.
    [71]Tezcan C. The Improbable Differential Attack:Cryptanalysis of Reduced Round CLEFIA. In:Gong G, Gupta K C, (eds.). Proceedings of Progress in Cryptology-INDOCRYPT 2010, volume 6498 of Lecture Notes in Computer Science. Springer,2010.197-209.
    [72]Blondeau C. Improbable Differential from Impossible Differential:On the Validity of the Model. In:Paul G, Vaudenay S, (eds.). Proceedings of INDOCRYPT, volume 8250 of Lecture Notes in Computer Science. Springer,2013.149-160.
    [73]Li Y, Wu W, Zhang L. Improved Integral Attacks on Reduced-Round CLEFIA Block Cipher. In:Jung S, Yung M, (eds.). Proceedings of WISA 2011, volume 7115 of Lecture Notes in Computer Science. Springer,2011.28-39.
    [74] Sasaki Y, Wang L. Meet-in-the-Middle Technique for Integral Attacks against Feistel Ciphers. In: Knudsen L R, Wu H, (eds.). Proceedings of Selected Areas in Cryptography-SAC 2012, volume 7707 of Lecture Notes in Computer Science. Springer, 2012. 234-251.
    [75]Wang W, Wang X. Saturation cryptanalysis of CLEFIA. Journal on Communications,2008, 29(10):88-92.
    [76] Li L, Jia K, Wang X. Improved Single-Key Attacks on 9-Round AES-192/256. Pre-proceedings of FSE 2014, 2014.
    [77]Li L, Chen J, Jia K. New Impossible Differential Cryptanalysis of Reduced-Round Camellia. In:Lin D, Tsudik G, Wang X, (eds.). Proceedings of CANS 2011, volume 7092 of Lecture Notes in Computer Science. Springer,2011.26-39.
    [78]Shannon C E. Communication Theory of Secrecy Systems. Bell Systems Technical Journal, 1949,28:656-715.
    [79]Kerckhoffs A. La cryptographie militaire. Journal des sciences militaires,1883, IX:5-83.
    [80] Gilbert H, Peyrin T. Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations. In: Hong S, Iwata T, (eds.). Proceedings of Fast Software Encryption 2010, volume 6147 of Lecture Notes in Computer Science. Springer, 2010. 365-383.
    [81]Knudsen L R, Rijmen V. Known-Key Distinguishers for Some Block Ciphers. In:Kurosawa K, (eds.). Proceedings of ASIACRYPT, volume 4833 of Lecture Notes in Computer Science. Springer,2007.315-324.
    [82]Biham E, Shamir A. Differential Cryptanalysis of DES-like Cryptosystems. J. Cryptology, 1991,4(1):3-72.
    [83] Biham E, Biryukov A, Shamir A. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. In: Stern J, (eds.). Proceedings of Advances in Cryptology-EUROCRYPT'99, volume 1592 of Lecture Notes in Computer Science. Springer, 1999. 12-23.
    [84] Knudsen L R, Wagner D. Integral Cryptanalysis. In: Daemen J, Rijmen V, (eds.). Proceedings of FSE 2002, volume 2365 of Lecture Notes in Computer Science. Springer, 2002. 112-127.
    [85] Diffie W, Hellman M E. Special Feature Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer, 1977, 10: 74-84.
    [86] Lai X. Higher Order Derivatives and Differential Cryptanalysis. In: Blahut R E, Costello D J Jr, Maurer U, et al., (eds.). Proceedings of Communications and Cryptography: Two Sides of One Tapestry. Kluwer Academic Publishers, 1994. 227-233.
    [87]Wang X, Lai X, Feng D, et al. Cryptanalysis of the Hash Functions MD4 and RIPEMD. In:Cramer R, (eds.). Proceedings of Advances in Cryptology-EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science. Springer,2005.1-18.
    [88]Wang X, Yu H. How to Break MD5 and Other Hash Functions. In:Cramer R, (eds.). Proceedings of Advances in Cryptology-EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science. Springer,2005.19-35.
    [89]Wang X, Yin Y L, Yu H. Finding Collisions in the Full SHA-1. In:Shoup V, (eds.). Proceedings of Advances in Cryptology-CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science. Springer,2005.17-36.
    [90] Selçuk A A. On Probability of Success in Linear and Differential Cryptanalysis. J. Cryptology, 2008, 21(1): 131-147.
    [91]Wagner D. The Boomerang Attack. In:Knudsen L R, (eds.). Proceedings of Fast Software Encryption-FSE 1999, volume 1636 of Lecture Notes in Computer Science. Springer,1999. 156-170.
    [92]Blondeau C, Gerard B. Multiple Differential Cryptanalysis:Theory and Practice. In:Joux A, (eds.).Proceedings of Fast Software Encryption-FSE 2011, volume 6733 of Lecture Notes in Computer Science. Springer,2011.35-54.
    [93]Biham E. On Matsui's Linear Cryptanalysis. In:Santis A D, (eds.). Proceedings of Advances in Cryptology-EUROCRYPT'94, volume 950 of Lecture Notes in Computer Science. Springer,1995.341-355.
    [94]Nyberg K. Linear Approximation of Block Ciphers. In:Santis A D, (eds.). Proceedings of Advances in Cryptology-EUROCRYPT'94, volume 950 of Lecture Notes in Computer Science. Springer,1995.439-444.
    [95]Biryukov A, Canniere C D, Quisquater M. On Multiple Linear Approximations. In:Franklin M K, (eds.). Proceedings of Advances in Cryptology-CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science. Springer,2004.1-22.
    [96]Bogdanov A, Rijmen V. Zero-Correlation Linear Cryptanalysis of Block Ciphers. IACR Cryptology ePrint Archive,2011,2011:123.
    [97] Knudsen L R. Truncated and Higher Order Differentials. In: Preneel B, (eds.). Proceedings of Fast Software Encryption-FSE 1994, volume 1008 of Lecture Notes in Computer Science. Springer, 1995. 196-211.
    [98]Kanda M, Matsumoto T. Security of Camellia against Truncated Differential Cryptanalysis. In:Matsui M, (eds.). Proceedings of Fast Software Encryption-FSE 2002, volume 2355 of Lecture Notes in Computer Science. Springer,2001.286-299.
    [99]Knudsen L. DEAL-A 128-bit Block Cipher.1998.
    [100] Hellman M E. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 1980, 26(4): 401-406.
    [101]Yuval G. How to Swindle Rabin. Cryptologia,1979,3:187-189.
    [102] Borghoff J, Canteaut A, Güneysu T, et al. PRINCE-A Low-Latency Block Cipher for Pervasive Computing Applications-Extended Abstract. In: Wang X, Sako K, (eds.). Proceedings of ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science. Springer, 2012. 208-225.
    [103] Kühn U. Improved Cryptanalysis of MISTY1. In: Daemen J, Rijmen V, (eds.). Proceedings of Fast Software Encryption-FSE 2002, volume 2365 of Lecture Notes in Computer Science. Springer, 2002. 61-75.
    [104]Wu W, Zhang L, Zhang W. Improved Impossible Differential Cryptanalysis of Reduced-Round Camellia. In:Avanzi R M, Keliher L, Sica F, (eds.). Proceedings of SAC 2008, volume 5381 of Lecture Notes in Computer Science. Springer,2008.442-456.
    [105] Cryptographic Competitions. Accessed February 17, 2014.
    [106]Guo J, Peyrin T, Poschmann A, et al. The LED Block Cipher. In:Preneel B, Takagi T, (eds.). Proceedings of CHES, volume 6917 of Lecture Notes in Computer Science. Springer,2011. 326-341.
    [107]Gerard B, Grosso V, Naya-Plasencia M, et al. Block Ciphers That Are Easier to Mask:How Far Can We Go? In:Bertoni G, Coron J S, (eds.). Proceedings of CHES, volume 8086 of Lecture Notes in Computer Science. Springer,2013.383-399.
