全轮Shadow算法的差分和线性特征分析  

作　　者：项勇 李艳俊 黄丁韫 陈愚 谢惠琴 XIANG Yong;LI Yanjun;HUANG Dingyun;CHEN Yu;XIE Huiqin(Information Industry Information Security Evaluation Center,The 15th Research Institute of China Electronics Technology Group Corporation,Beijing 100083,China;Department of Cryptographic Science and Technology,Beijing Electronic Science and Technology Institute,Beijing 100070,China)

机构地区：[1]中国电子科技集团公司第十五研究所信息产业信息安全测评中心,北京100083 [2]北京电子科技学院密码科学与技术系,北京100070

出　　处：《计算机应用》2024年第12期3839-3843,共5页journal of Computer Applications

基　　金：北京市自然科学基金资助项目(4234084)。

摘　　要：随着射频识别(RFID)技术、无线传感器的应用越来越广泛,为了保护这类资源受限设备存储和传输的数据,轻量级密码应运而生。轻量级密码的密钥长度较短、轮数较少,因此在正式投入使用前,有必要对轻量级密码进行精确的安全性分析。针对轻量级密码安全需求,分析全轮Shadow算法的差分和线性特征。首先,提出一种二次差分的概念,从而更清楚地刻画差分特征,证明该算法存在概率为1的全轮差分特征,并通过实验验证差分特征的正确性;其次,给出全轮线性特征,即证明给定一组Shadow-32(或Shadow-64)的明密文,可以获取8(或16)比特的密钥信息,并通过实验验证以上说法的正确性;再次,基于明文、密文和轮密钥之间的线性等式关系估计2次布尔函数的方程数和自变量数,再得到求解初始密钥的计算复杂度为263.4;最后,总结Shadow算法的结构特点,并提出下一步的研究重点。此外,全轮Shadow算法的差分和线性特征的分析工作对其他轻量级密码的差分和线性分析具有一定的借鉴作用。As Radio Frequency IDentification(RFID)technology and wireless sensors become increasingly common,the need of secure data transmitted and processed by such devices with limited resources leads to the emergence and growth of lightweight ciphers.Characterized by their small key sizes and limited number of encryption rounds,precise security evaluation of lightweight ciphers is needed before putting into service.The differential and linear characteristics of full-round Shadow algorithm were analyzed for lightweight ciphers’security requirements.Firstly,a concept of second difference was proposed to describe the differential characteristic more clearly,the existence of a full-round differential characteristic with probability 1 in the algorithm was proved,and the correctness of differential characteristic was verified through experiments.Secondly,a full-round linear characteristic was provided.It was proved that with giving a set of Shadow-32(or Shadow-64)plain ciphertexts,it is possible to obtain 8(or 16)bits of key information,and its correctness was experimentally verified.Thirdly,based on the linear equation relationship between plaintexts,ciphertexts and round keys,the number of equations and independent variables of the quadratic Boolean function were estimated.After that,the computational complexity of solving the initial key was calculated to be.Finally,the structural features of Shadow algorithm were summarized,and the focus of future research was provided.Besides,differential and linear characteristic analysis of full-round Shadow algorithm provides preference for the differential and linear analysis of other lightweight ciphers.

关 键 词：Shadow算法 轻量级分组密码 差分特征 线性特征 密钥恢复 

分 类 号：TP309.7[自动化与计算机技术—计算机系统结构]