A White-Box Improvement Scheme of SM4 for Collision Attack


Authors: LI Kehui; CHEN Jie [1,2]; LIU Jun

Affiliations: [1] School of Telecommunications Engineering, Xidian University, Xi'an 710071, China; [2] Henan Key Laboratory of Network Cryptography Technology, Zhengzhou 450001, China; [3] School of Computer Science, Shaanxi Normal University, Xi'an 710119, China

Source: Netinfo Security (《信息网络安全》), 2024, Issue 12, pp. 1871-1881 (11 pages)

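Funding: National Natural Science Foundation of China [62302285]; Research Project of Henan Key Laboratory of Network Cryptography Technology [LNCT2022-A08].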

Abstract: In the white-box attack model, the attacker can access the implementation of a cryptographic algorithm and observe or modify its internal details. Based on the concept of white-box cryptography, the Yao-Chen white-box SM4 scheme explores a design that expands the internal state of white-box SM4, but the scheme fails to resist collision attacks, and the time complexity of recovering the key is only O(2^(23.02)). To ensure that white-box SM4 operates properly in a collision-attack setting, this paper proposes an improved white-box SM4 scheme against collision attacks. The improved scheme introduces more random affine transformations and random vectors to complicate the internal encoding and thereby resist collision attacks. A proof by contradiction shows that the round encryption function of the improved scheme cannot be converted into a collision function, so collision attack analysis cannot be carried out. In addition, the paper argues that the scheme also resists the BGE attack, code extraction attacks, and attacks that combine differential analysis with solving systems of equations. Against the differential-analysis attack that adjusts affine constants, the key space of the improved scheme is 61200×2^(128), and the time complexity of the affine equivalence attack is O(2^(97)).

Keywords: white-box attack environment; white-box cryptography; collision attack; complicated encoding

Classification code: TP309 [Automation and Computer Technology: Computer System Architecture]

 
