加密算法Simpira v2的不可能差分攻击  被引量：1

作　　者：刘亚[1,2] 宫佳欣 赵逢禹 LIU Ya;GONG Jiaxin;ZHAO Fengyu(School of Optical-Electrical and Computer Engineering,University of Shanghai for Science and Technology,Shanghai 200093,China;State Key Laboratory of Information Security,Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China)

机构地区：[1]上海理工大学光电信息与计算机工程学院,上海200093 [2]中国科学院信息工程研究所信息安全国家重点实验室,北京100093

出　　处：《西安电子科技大学学报》2022年第5期201-212,共12页Journal of Xidian University

基　　金：“十三五”密码发展基金理论课题(MMJJ20180202)。

摘　　要：评估适用于各类应用场景中,对称加密算法的安全强度对系统中数据机密性至关重要。Simpira v2是2016年在亚密会上发布可以实现高吞吐量的密码置换算法族,非常适用于信息系统中保护数据的机密性。Simpira-6是Simpira v2族加密算法中6分支的情形,分组长度为128 b比特(bit)。研究了Simpira-6作为Even-Mansour结构下的置换加密算法的安全强度,使用不可能差分攻击基本原理,首先构造一条当前最长的9轮Simpira-6不可能差分链,但基于此攻击需要的复杂度超过穷尽搜索;其次,在Simpira v2的安全性声明下,攻击7轮Simpira-6恢复384位主密钥,攻击需要数据和时间复杂度分别为2^(57.07)个选择明文和2^(57.07)次加密;最后,在Even-Mansour安全性声明下对8轮Simpira-6进行不可能差分攻击,恢复768位主密钥,攻击需要数据和时间复杂度分别为2^(168)个选择明文和2^(168)次加密。首次对Simpira v26分支情形的不可能差分攻击,为未来运用Simpira v2保护数据机密性提供重要的理论依据。It is important to evaluate the security of symmetric encryption algorithms used in various application scenarios for protecting data securely.Simpira v2 is a family of cryptographic permutations with a high throughput proposed in ASIACRYPT 2016.It is very suitable for protecting the confidentiality of data in the information system.Simpira-6 is the case of 6 branches in the Simpira v2 encryption algorithm family,and its block length supports bits.This paper studies the security analysis of Simpira-6 as the permutation algorithm of Even-Mansour structure against impossible differential attacks.First,we propose the longest 9-round impossible differential for Simpira-6 currently,on the basis of which the adversary executes the impossible differential attack,whose time complexity is higher than that of the exhaustive search.Second,under the security claim of Simpira v2,we present a 7-round impossible differential attack on Simpira-6 to recover the 384-bit master key.The data and time complexities of this attack are 2^(57.07) chosen plaintexts and 2^(57.07)7-round Simpira-6 encryptions,respectively.Third,under the security claim of Even-Mansour,we present an 8-round impossible differential attack on Simpira-6 to recover all 768 bits keys.The data and time complexities are 2^(168) chosen plaintexts and 2^(168)8-round Simpira-6 encryptions.Those attacks are the first analytical result on Simpira-6 against the impossible differential attack.These results provide an important theoretical foundation for the application of Simpira v2 in future.

关 键 词：分组密码加密系统 不可能差分攻击 安全性分析 Simpira v2 广义Feistel结构 Even-Mansour结构 安全性声明 

分 类 号：TN918.4[电子电信—通信与信息系统]