Improved Integral Cryptanalysis on Block Cipher uBlock


Authors: WANG Chen [1,3]; CUI Jiamin; LI Muzhou; WANG Meiqin

Affiliations: [1] School of Cyber Science and Technology, Shandong University, Qingdao 266237, China; [2] Quan Cheng Shandong Laboratory, Jinan 250100, China; [3] Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250100, China

Source: Journal of Electronics & Information Technology, 2024, No. 5, pp. 2149-2158 (10 pages)

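Funding: National Key Research and Development Program of China (2018YFA0704702); National Natural Science Foundation of China (62032014); Major Basic Research Project of the Natural Science Foundation of Shandong Province (ZR202010220025); Qingdao Innovation Project (QDBSH20230101008).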

Abstract: Integral attack, presented by Daemen et al. in 1997 (doi:10.1007/BFb0052343), is one of the most powerful cryptanalytic methods after differential and linear cryptanalysis. As the winning block cipher of China's National Cipher Designing Competition in 2018, uBlock's resistance to integral attack has received much attention. To re-evaluate the security of the uBlock family against integral attack, this paper constructs Mixed Integer Linear Programming (MILP) models for monomial prediction to search for integral distinguishers, and uses the partial-sum technique to perform key-recovery attacks. For uBlock-128/128 and uBlock-128/256, this paper gives the first 11-round and 12-round attacks, respectively, based on a 9-round integral distinguisher. The data complexity is $2^{127}$ chosen plaintexts, the time complexities are $2^{127.06}$ and $2^{224}$ encryptions, respectively, and the memory complexities are $2^{44.58}$ and $2^{138}$ bytes, respectively. For uBlock-256/256, this paper gives the first 12-round attack based on a 10-round integral distinguisher, with a data complexity of $2^{253}$ chosen plaintexts, a time complexity of $2^{253.06}$ encryptions, and a memory complexity of $2^{44.46}$ bytes. Compared with the previous best integral attacks on uBlock, the number of attacked rounds is improved by two for uBlock-128/128 and uBlock-256/256, and by three for uBlock-128/256. The results show that uBlock still has enough security margin against integral attack.

Keywords: Cryptanalysis; Block cipher; uBlock; Integral attack

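Classification: TN918.4 [Electronics and Telecommunications: Communication and Information Systems]; TP309.7 [Electronics and Telecommunications: Information and Communication Engineering]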

 
