基于字的分组密码的谱值不变子空间  

作　　者：崔霆[1] 周屹东 陈士伟[1] 张奕 CUI Ting;ZHOU Yidong;CHEN Shiwei;ZHANG Yi(Department of Cryptogram Engineering,Information Engineering University of PLA,Zhengzhou 450001,China)

机构地区：[1]解放军信息工程大学密码工程学院,郑州450001

出　　处：《信息网络安全》2024年第12期1845-1854,共10页Netinfo Security

基　　金：国家自然科学基金[62372463,62302518];河南省自然科学基金[222300420100]。

摘　　要：文章将不变子空间的思想与线性密码分析相结合,提出一种谱值不变子空间分析方法,通过考察输入输出线性掩码是否属于同一个非平凡的线性子空间来区分密码算法。首先,证明了如果一个S盒存在谱值不变子空间,则该S盒与多个小规模S盒的并置线性等价。其次,给出S盒谱值不变子空间的高效搜索算法,能够快速给出常见规模S盒的谱值不变子空间。特别地,对于基于字的分组密码,证明了若S盒存在谱值不变子空间,则整体轮函数也存在谱值不变子空间,因此可以构造概率为1的无限轮密码区分器。该方法揭示了S盒特性与安全性之间新的内在联系,为后续密码算法的设计与评估提供了参考。作为谱值不变子空间分析方法的应用,构造了变体Midori128的概率为1的无限轮区分器。This paper combined the idea of invariant subspace attacks with linear cryptanalysis,and proposed a spectral invariant subspace analysis method.This approach leveraged the property of spectral invariant subspaces to distinguish a block cipher by examining whether a pair of input/output linear masks resides within the same non-trivial subspace.Firstly,it demonstrated that if an S-box satisfied the spectral invariant subspace property,it was linearly equivalent to several smaller S-boxes operating in parallel.Secondly,an efficient algorithm for searching spectral invariant subspaces of S-boxes was presented,which proved effective for commonly used sizes of S-boxes.Furthermore,if the S-boxes employed in a word-based block cipher shared the same spectral invariant subspace,then it followed that the entire cipher possesses this characteristic as well.By utilizing this property,an infinite-round distinguisher with probability 1 for the target cipher was constructed.This paper offered new insights into the relationship between S-boxes and block cipher security and provided valuable guidance for designing new block ciphers.As application,an infiniteround distinguisher with probability 1 specifically for variant Midori128 was developed.

关 键 词：线性密码分析 基于字的分组密码 谱值不变子空间 Midori128 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]