轻量级分组密码算法PFP和SLIM的积分分析  被引量：2

作　　者：刘道瞳 袁征[1,2,3] 魏锦鹏 姜天宇 LIU Dao-Tong;YUAN Zheng;WEI Jin-Peng;JIANG Tian-Yu(Beijing Electronic Science and Technology Institute,Beijing 100070,China;China Satellite Network System Institute Co.Ltd.,Beijing 100029,China;Advanced Cryptography and System Security Key Laboratory of Sichuan Province,Chengdu 610225,China)

机构地区：[1]北京电子科技学院,北京100070 [2]中国星网网络系统研究院有限公司,北京100029 [3]先进密码技术与系统安全四川省重点实验室,成都610225

出　　处：《密码学报》2023年第3期609-621,共13页Journal of Cryptologic Research

基　　金：国家密码发展基金(MMJJ20180217);先进密码技术与系统安全四川省重点实验室开放课题(SKLACSS-202103)。

摘　　要：PFP算法和SLIM算法都是基于Feistel结构而设计的轻量级分组密码算法,在软件及硬件上都具有良好的性能,特别适用于资源受限的环境,目前没有对两个算法进行积分分析的相关研究.本文通过分析PFP算法和SLIM算法的结构特点,结合比特可分性的自动化搜索方法,构建了混合整数线性规划(MILP)模型,通过使用Gurobi优化器求解该模型判断是否存在r轮积分区分器,选用搜索得到的积分区分器对算法进行密钥恢复攻击.首次得到PFP算法的11轮积分区分器,选用搜索得到的10轮积分区分器向后扩展2轮进行12轮密钥恢复攻击,数据复杂度为262.39个选择明文,时间复杂度为2^(63.12)次12轮加密,存储复杂度为2^(40);首次得到SLIM算法的10轮积分区分器,选择9轮积分区分器进行12轮密钥恢复攻击,数据复杂度为231.81个选择明文,时间复杂度为262.42次12轮加密,存储复杂度为2^(40).Both PFP and SLIM are ultra-lightweight block ciphers having Feistel structure,which have good performance both in software and hardware,especially in resource-constrained environ-ments.So far,the integral analysis of the PFP cipher and SLIM cipher has not yet been conducted thoroughly.In this paper,a mixed integer linear programming(MILP)model is constructed by ana-lyzing the structural characteristics of PFP cipher and SLIM cipher,and combining with the automatic search method of bit division property.The Gurobi optimizer is used to establish the model to deter-mine whether there is an r-round integral distinguisher,and the integral distinguisher is selected to carry out key recovery attack on the cipher.The results show that a 11-round integral distinguisher of the PFP cipher is found,and a 12-round key recovery attack is carried out by using 10-round integral distinguisher to extend 2 rounds backward.The data complexity is 262.39 chosen plaintext,time complexity is 2^(63.12) of 12-round encryption,and storage complexity is 2^(40).A 10-round integral distinguisher of SLIM cipher is also found,and a 9-round integral distinguisher is selected to carry out 12-round key recovery attack.The data complexity is 231.81 of chosen plaintext,the time complexity is 262.42 of 12-round encryption,and the storage complexity is 2^(40).

关 键 词：PFP算法 SLIM算法 积分分析 比特可分性 积分区分器 混合整数线性规划 

分 类 号：TN918.1[电子电信—通信与信息系统]