Authors: LI Wei [1,2,3,4]; ZHU Xiao-Ming; GU Da-Wu; LI Jia-Yao [1]; CAI Tian-Pei
Affiliations: [1] School of Computer Science and Technology, Donghua University, Shanghai 201620; [2] Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240; [3] Shanghai Key Laboratory of Scalable Computing and System, Shanghai 200240; [4] Shanghai Key Laboratory of Integrate Administration Technologies for Information Security, Shanghai 200240
Source: Chinese Journal of Computers (《计算机学报》), 2023, No. 2, pp. 353-370 (18 pages)
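Funding: National Natural Science Foundation of China (61772129, 61932014); National Cryptography Development Fund (MMJJ201801001); Natural Science Foundation of Shanghai (21YF1401200); open projects of the Shanghai Key Laboratory of Scalable Computing and System and of the Shanghai Key Laboratory of Integrate Administration Technologies for Information Security; and the Fundamental Research Funds for the Central Universities.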
Abstract: PRESENT is a lightweight block cipher proposed in 2007 at the International Conference on Cryptographic Hardware and Embedded Systems. In 2012 it became the international lightweight algorithm standard ISO/IEC-29192-2, and it is suitable for protecting data on Internet of Things devices such as radio frequency identification tags, network sensors and smart cards. Combining the design structure and implementation characteristics of PRESENT, and building on statistical analysis and meet-in-the-middle analysis strategies, this paper proposes a meet-in-the-middle statistical fault analysis method and designs distinguishers including the Pearson correlation coefficient-Hamming weight distinguisher, the Kullback-Leibler divergence-Hamming weight distinguisher, and the Jaccard similarity coefficient-Hamming weight-maximum likelihood estimation distinguisher, which can recover the 80-bit and 128-bit original keys of all versions of PRESENT. The method reaches deeper rounds and needs fewer faults and less time, effectively extending the attack scope and improving the attack capability. The results show that meet-in-the-middle statistical fault analysis poses a serious threat to PRESENT. This research provides a valuable reference for the study of the implementation security of lightweight ciphers.

English abstract: The lightweight block cipher PRESENT was presented at the International Conference on Cryptographic Hardware and Embedded Systems (CHES) in 2007, and it has become a standard of ISO/IEC-29192-2 for lightweight cryptosystems since 2012. Within the environment of the Internet of Things, this cipher is applicable to Radio Frequency Identification, network sensors, and smart cards. Its secret key can be either 80 or 128 bits long, while the block is 128 bits long. Since the publication of PRESENT, numerous forms of cryptanalysis have been developed in order to evaluate its level of security. Some examples of these attacks include the differential attack, the linear attack, the integral attack, the algebraic attack, the fault attack, the side-cube attack, and the Biclique attack. All of these cryptanalyses are based on the assumption that an attack using a chosen plaintext or an attack using a known plaintext would occur. In order to carry out a chosen-plaintext attack, an attacker must have the ciphertexts along with the plaintexts that go along with them, whereas a known-plaintext attack requires a significant quantity of plaintexts and ciphertexts. The ciphertext-only attack is distinct from the chosen-plaintext attack and the known-plaintext attack in that it requires only the ciphertext in order to be successful. In this sense, the ciphertext-only attack is relevant in a range of scenarios. No research has been released yet regarding PRESENT's resilience to the ciphertext-only attack. This study presents a novel meet-in-the-middle statistical fault analysis of PRESENT using the approach of statistical analysis and meet-in-the-middle attack. This analysis is able to decrypt the 80-bit and 128-bit secret keys of PRESENT with a series of new distinguishers that include the Pearson correlation coefficient-Hamming weight, the Kullback-Leibler divergence-Hamming weight, and the Jaccard similarity coefficient-Hamming weight-maximum likelihood estimation, respectively. Furthermore, it examines the meet-in-the-middle statistical fault
Keywords: lightweight cipher; PRESENT; fault analysis; meet-in-the-middle analysis; cryptanalysis
Classification number: TP309 [Automation and Computer Technology - Computer System Architecture]