动态聚集效应及其在SIMON算法上的应用  

作　　者：牛开路 晁佳豪 王薇[1,2,4] NIU Kai-Lu;CHAO Jia-Hao;WANG Wei(School of Cyber Science and Technology,Shandong University,Qingdao 266237,China;Key Laboratory of Cryptologic Technology and Information Security,Ministry of Education,Shandong University,Jinan 250100,China;School of Software,East China Normal University,Shanghai 200062,China;Quan Cheng Laboratory,Jinan 250103,China)

机构地区：[1]山东大学网络空间安全学院,青岛266237 [2]山东大学密码技术与信息安全教育部重点实验室,济南250100 [3]华东师范大学软件学院,上海200062 [4]泉城实验室,济南250103

出　　处：《密码学报》2023年第4期737-751,共15页Journal of Cryptologic Research

基　　金：国家重点研发计划(2018YFA0704702,2022YFB2701700);山东省自然科学基金面上项目(ZR2020MF053)。

摘　　要：SIMON算法是美国国家安全局(NSA)在2013年发布的轻量级分组密码算法,自提出以来就受到密码学界的广泛关注.本文通过对SIMON的差分/线性掩码传播进行深入分析,根据每轮的输入差分/掩码空间来动态调整窗口内活跃比特的位置,使其尽量位于每轮的输出最密集的w个比特处,同时动态调整窗口外部的比特取值,将静态窗口转化为动态窗口,使其包含更多的差分/线性路径,得到具有更高概率的差分/线性壳.分别以SIMON64、SIMON96和SIMON128为例,进行了差分和线性壳的搜索.在差分分析方面,将已有的SIMON128的区分器提高3轮,得到44轮的高概率差分;在线性分析方面,将已有的SIMON64和SIMON96的区分器提高1轮,分别得到24和34轮的线性壳,将SIMON128提高3轮,得到45轮的线性壳.这是目前对SIMON算法搜索差分/线性区分器的最优结果.SIMON is a lightweight block cipher published by the National Security Agency(NSA)in 2013.Since it was proposed,it has received extensive attention from the cryptography community.This paper analyzes the difference/linear mask propagation of SIMON,adjusts the position of the active bits in the window dynamically according to the input difference/mask space of each round,so that it can be located at the densest w-bit of the output of each round instead of the fixed window.Moreover,the value of the bits outside the window is adjusted dynamically.By doing this,the static window can be converted into is a dynamic one,so that it involves more differential/linear trails,and results in differentials/linear hulls with higher probability.SIMON64,SIMON96 and SIMON128 are taken as examples,their differentials and linear hulls are found using the improved algorithms designed in this paper.With respect to differentials,a 44-round distinguisher of SIMON128 is obtained,which improves the published results by 3 rounds.With respect to linear hulls,the existing distinguishers of SIMON64 and SIMON96 are improved by 1 round,and achieve 24 and 34 rounds,respectively,and a 45-round linear hull for SIMON128 is obtained,which is improved by 3 rounds.

关 键 词：分组密码 SIMON 差分分析 线性分析 聚集效应 

分 类 号：TP309.7[自动化与计算机技术—计算机系统结构]