Further improvement of impossible differential attack on AES


Authors: YAN Xue-ping, QI Wen-feng [1], TAN Lin [1] (School of Cyber Security, Strategic Support Force Information Engineering University, Zhengzhou 450001, China)

Affiliation: [1] School of Cyber Security, Strategic Support Force Information Engineering University, Zhengzhou 450001, Henan, China

Source: Journal of Guangzhou University (Natural Science Edition), 2022, No. 4, pp. 12-20 (9 pages)

Funding: National Cryptography Development Fund (MMJJ20180204, MMJJ20170103).

Abstract: The Advanced Encryption Standard (AES) is currently the most widely used block cipher. Impossible differential cryptanalysis is one of the important approaches for evaluating the security of block ciphers, and the 7-round impossible differential key-recovery attack on AES-128 is currently among the attacks covering the most rounds in the single-key setting. In an impossible differential attack, obtaining data that satisfies the difference of the distinguisher requires filtering both data pairs and key guesses; the two are closely correlated and have a large effect on the attack complexity. Trading off the filtering of data pairs against the filtering of key guesses can lower the time complexity of an impossible differential attack. The 7-round AES-128 impossible differential attack with the lowest time complexity to date was proposed by Mala et al. in 2010 using such a trade-off, with time, data and memory complexities of 2^(110.1), 2^(106.2) and 2^(94.2) respectively. If only data pairs are filtered, the data and memory complexities of the attack are comparatively low. In 2018, Boura et al. used data-pair filtering alone to obtain a 7-round AES-128 impossible differential attack with time, data and memory complexities of 2^(113), 2^(105.1) and 2^(74.1) respectively (the time complexity of 2^(106.88) stated in the original paper was corrected to 2^(113)). At EUROCRYPT 2021, Leurent et al. discovered new representations of the AES key schedule and improved the time complexity of the attack by Boura et al. to 2^(110.9). This paper applies the new representations of the AES key schedule proposed by Leurent et al. to the 7-round AES-128 impossible differential attack of Mala et al. and, through an improved key-schedule filtering process, lowers the time complexity of the attack from 2^(110.1) to 2^(108.96) and the data complexity from 2^(106.2) to 2^(105). The time complexity of the attack given here is the lowest of the three attacks mentioned above.

Keywords: impossible differential cryptanalysis; AES; key schedule

CLC number: TN918.1 [Electronics and telecommunications: communication and information systems]
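The 7-round attacks compared in the abstract are all built around a 4-round impossible differential of AES, extended by rounds before and after it in which data pairs and key guesses are filtered. As an added example (not code from the paper, and not its attack), the Python below implements the AES round primitives and checks the classical 4-round distinguisher empirically: if two round-1 inputs differ in exactly one byte, then after four rounds (the fourth without MixColumns, as in the final AES round) the difference can never be zero in all of bytes {0, 7, 10, 13}, the ShiftRows image of column 0. Forward, one active byte fills a whole column after round 1 and the whole state after round 2 because MixColumns is MDS; backward, a zero difference on {0, 7, 10, 13} means column 0 is zero at the output of round 3, MixColumns keeps a fully zero column zero, and inverse ShiftRows then forces zero bytes {0, 5, 10, 15} at the output of round 2, a contradiction. Assumptions of the example: bytes are indexed 4*c + r (row r, column c, FIPS-197 order); round keys are drawn at random instead of running the key schedule, which is valid because the distinguisher holds for every choice of round keys; the sample pairs are constructed by the script; all function names are the example's own.

```python
import random

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        hi = a & 0x80
        a = (a << 1) & 0xFF
        if hi:
            a ^= 0x1B
        b >>= 1
    return p

def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _sbox_entry(x: int) -> int:
    inv = 1
    for _ in range(254):          # x^254 = x^-1 in GF(2^8); 0 stays 0
        inv = gf_mul(inv, x)
    # FIPS-197 affine map on top of the field inverse
    return inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]   # computed, not a hard-coded table
MUL2 = [gf_mul(2, x) for x in range(256)]
MUL3 = [gf_mul(3, x) for x in range(256)]
FORBIDDEN = (0, 7, 10, 13)                    # ShiftRows image of column 0

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # Row r rotates left by r: new column c, row r takes old column (c + r) mod 4.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def inv_shift_rows_positions(positions):
    """Byte positions that ShiftRows moves onto the given positions (one backward step)."""
    return sorted(4 * ((p // 4 + p % 4) % 4) + p % 4 for p in positions)

def mix_column(a):
    return [
        MUL2[a[0]] ^ MUL3[a[1]] ^ a[2] ^ a[3],
        a[0] ^ MUL2[a[1]] ^ MUL3[a[2]] ^ a[3],
        a[0] ^ a[1] ^ MUL2[a[2]] ^ MUL3[a[3]],
        MUL3[a[0]] ^ a[1] ^ a[2] ^ MUL2[a[3]],
    ]

def mix_columns(s):
    return [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]

def aes_round(s, rk, with_mc=True):
    s = shift_rows(sub_bytes(s))
    if with_mc:
        s = mix_columns(s)
    return [x ^ k for x, k in zip(s, rk)]

def aes4(s, round_keys):
    """Four AES rounds; the fourth has no MixColumns, like the real final round."""
    for i, rk in enumerate(round_keys):
        s = aes_round(s, rk, with_mc=(i < 3))
    return s

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def random_keys(rng):
    # Assumption: independent random round keys; the distinguisher holds for any keys.
    return [[rng.randrange(256) for _ in range(16)] for _ in range(4)]

def single_byte_pair(rng):
    """Constructed sample input: two states differing in exactly one byte."""
    p1 = [rng.randrange(256) for _ in range(16)]
    p2 = list(p1)
    p2[rng.randrange(16)] ^= rng.randrange(1, 256)
    return p1, p2

def diffusion_trace(seed=7):
    """Non-zero difference bytes after each round for one single-byte pair.
    Rounds 1 and 2 always give 4 and 16 (MixColumns is MDS); later rounds vary."""
    rng = random.Random(seed)
    keys, (p1, p2) = random_keys(rng), single_byte_pair(rng)
    counts = []
    for i, rk in enumerate(keys):
        p1, p2 = aes_round(p1, rk, i < 3), aes_round(p2, rk, i < 3)
        counts.append(sum(1 for d in xor(p1, p2) if d))
    return counts

def count_id_violations(trials, seed=1):
    """Single-byte pairs whose 4-round difference is zero on FORBIDDEN: must be 0."""
    rng = random.Random(seed)
    violations = 0
    for _ in range(trials):
        keys = random_keys(rng)
        p1, p2 = single_byte_pair(rng)
        d = xor(aes4(p1, keys), aes4(p2, keys))
        if all(d[i] == 0 for i in FORBIDDEN):
            violations += 1
    return violations

if __name__ == "__main__":
    col0 = inv_shift_rows_positions(FORBIDDEN)
    print("backward: forbidden ->", col0, "->", inv_shift_rows_positions(col0))
    print("active bytes after rounds 1..4:", diffusion_trace())
    print("ID violations in 2000 trials:", count_id_violations(2000))
```

In a key-recovery attack the same predicate (`all(d[i] == 0 for i in FORBIDDEN)`) is evaluated not on the true 4-round output but on the partial decryption of ciphertext pairs under a key guess; a guess under which any pair hits the forbidden pattern is discarded, which is why the cost of the attack is governed by how data pairs and key guesses are filtered before this test, the trade-off the abstract is about.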
