Random Differential Fault Attack for ACORN v3 Message Authentication Code  Cited by: 2


Authors: ZHANG Guo-Shuang (张国双); CHEN Xiao (陈晓); WANG An (王安); LIU Feng-Mei (刘凤梅) (State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; School of Computer Science, Beijing Institute of Technology, Beijing 100081, China; Data Communication Technology Research Institute, Beijing 100191, China)

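Affiliations: [1] State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093; [2] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049; [3] School of Computer Science, Beijing Institute of Technology, Beijing 100081; [4] Data Communication Technology Research Institute, Beijing 100191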

Source: Journal of Cryptologic Research (《密码学报》), 2021, No. 3, pp. 498-520 (23 pages)

Funding: National Natural Science Foundation of China (61872040); Beijing Natural Science Foundation (4202070).

Abstract: ACORN v3, a lightweight authenticated encryption algorithm, is one of the algorithms in the final portfolio of the CAESAR competition. Its novel design and lightweight, efficient implementation have attracted wide attention from cryptographers. In this study, following the differential fault attack model, the resistance of ACORN v3 to differential fault attacks when it is used for authentication is analyzed. To address the problem that the limited MAC length makes the probability of uniquely determining the fault location not high, an interactive verification strategy and an improved high-probability-priority strategy are proposed to raise that probability. It is proved that the algebraic expression of the authentication bit difference follows specific rules; accordingly, the guessing complexity of each fault injection is reduced from 49 bits to 0.713 bits. Using the differential-algebraic method, an algorithm for establishing low-degree equations in the internal state from the authentication bit differences, and a state recovery attack based on solving these equations, are given. The time complexity of the attack is 2^(0.713·n+0.415·N3)·c, where n is the number of fault injections, N3 is the number of equations that need to be linearized, and c is the complexity of solving a system of linear equations in 342 bit variables. The data complexity and the storage complexity are negligible.

Keywords: authenticated encryption algorithm; cryptanalysis; ACORN; differential fault analysis

Classification number: TN918.1 [Electronics and Telecommunications: Communication and Information Systems]

 
