机构地区:[1]Engineering Research Center of Optical Instrument and System, Ministry of Education, Shanghai Key Lab of Modern Optical System, University of Shanghai for Science and Technology [2]State Key Laboratory of Cryptology [3]Department of Computer Science and Engineering, Shanghai Jiao Tong University [4]School of Computer Science and Technology, Donghua University [5]Shanghai Key Laboratory of Scalable Computing and Systems [6]Shanghai Key Laboratory of Integrated Administration Technologies for Information Security [7]Science and Technology on Information Assurance Laboratory
出 处:《Science China(Information Sciences)》2019年第3期1-14,共14页中国科学(信息科学)(英文版)
基 金:supported by National Natural Science Foundation of China (Grant Nos. 61402288, 61772129, 61601292, 61672347, 61472250);Foundation of Science and Technology on Information Assurance Laboratory (Grant No. KJ-17-008);Shanghai Natural Science Foundation (Grant Nos. 15ZR1400300, 16ZR1401100);Opening Project of the Shanghai Key Laboratory of Integrated Administration Technologies for Information Security (Grant No. AGK201703);Opening Project of the Shanghai Key Laboratory of Scalable Computing and Systems;National Cryptography Development Fund, and Fundamental Research Funds for the Central Universities
摘 要:Rijndael is a substitution-permutation network(SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256,that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2^(244.4) chosen plaintexts, 2^(240.1) encryptions, and 2^(181.4) blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2^(214.4) chosen plaintexts, 2^(241.3) encryptions, and 2^(183.4) blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2^(214.4) chosen plaintexts, 2^(113.4) encryptions, and 2^(87.4) blocks,respectively, or 2^(206.6) chosen plaintexts, 2^(153.6) encryptions, and 2^(111.6) blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.Rijndael is a substitution-permutation network(SPN) block cipher for the AES development process. Its block and key sizes range from 128 to 256 bits in steps of 32 bits, which can be denoted by Rijndael-b-k, where b and k are the block and key sizes, respectively. Among them, Rijndael-128-128/192/256,that is, AES, has been studied by many researchers, and the security of other large-block versions of Rijndael has been exploited less frequently. However, more attention has been paid to large-block versions of block ciphers with the fast development of quantum computers. In this paper, we propose improved impossible differential attacks on 10-round Rijndael-256-256, 10-round Rijndael-224-256, and 9-round Rijndael-224-224 using precomputation tables, redundancies of key schedules, and multiple impossible differentials. For 10-round Rijndael-256-256, the data, time, and memory complexities of our attack were approximately 2^(244.4) chosen plaintexts, 2^(240.1) encryptions, and 2^(181.4) blocks, respectively. For 10-round Rijndael-224-256, the data, time, and memory complexities of our attack were approximately 2^(214.4) chosen plaintexts, 2^(241.3) encryptions, and 2^(183.4) blocks, respectively. For 9-round Rijndael-224-224, the data, time, and memory complexities of our attack are approximately 2^(214.4) chosen plaintexts, 2^(113.4) encryptions, and 2^(87.4) blocks,respectively, or 2^(206.6) chosen plaintexts, 2^(153.6) encryptions, and 2^(111.6) blocks, respectively. To the best of our knowledge, our results are currently the best on Rijndael-256-256 and Rijndael-224-224/256.
关 键 词:block cipher RIJNDAEL precomputation tables impossible differentials multiple impossible differential attacks
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
