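Authors: 严智广 (YAN Zhiguang); 韦永壮 (WEI Yongzhuang) [1,2]; 叶涛 (YE Tao) (Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin 541004, China; State Key Laboratory of Cryptology, Beijing 100878, China)
Affiliations: [1] Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin 541000 [2] State Key Laboratory of Cryptology, Beijing 100878
Source: 《电子与信息学报》 (Journal of Electronics & Information Technology), 2025, No. 3, pp. 729-738, 10 pages
Funding: National Natural Science Foundation of China (62162016, 62402132).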
Abstract: In 2017, PFP was proposed as an ultra-lightweight block cipher, and it has attracted wide attention in the industry for its excellent implementation performance. The algorithm not only has a low hardware cost (only about 1355 GE (gate equivalents)) and low power consumption, but also encrypts and decrypts quickly (outperforming the internationally well-known PRESENT algorithm by a factor of 1.5), which makes it well suited to Internet of Things environments. In the PFP design document, the authors claim that the algorithm is sufficiently resistant to differential attacks, linear attacks, impossible differential attacks and other cryptanalytic methods. However, whether the algorithm has unknown security weaknesses remains a difficult research question. Based on Satisfiability Modulo Theories (SMT) and the characteristics of the PFP round function, this paper builds two automated search models for distinguishers. Experimental results show that the algorithm has a related-key differential characteristic with probability 2^(–62) over 32 rounds of encryption. On this basis, the paper proposes a related-key recovery attack on full-round PFP that needs only 2^(63) chosen plaintexts and 2^(48) full-round encryptions to recover the 80-bit master key. This shows that the algorithm cannot resist related-key differential attacks.

Objective: In 2017, the PFP algorithm was introduced as an ultra-lightweight block cipher to address the demand for efficient cryptographic solutions in constrained environments, such as the Internet of Things (IoT). With a hardware footprint of approximately 1355 GE and low power consumption, PFP has attracted attention for its ability to deliver high-speed encryption with minimal resource usage. Its encryption and decryption speeds outperform those of the internationally recognized PRESENT cipher by a factor of 1.5, making it highly suitable for real-time applications in embedded systems. While the original design documentation asserts that PFP resists various traditional cryptographic attacks, including differential, linear, and impossible differential attacks, the possibility of undiscovered vulnerabilities remains unexplored. This study evaluates the algorithm's resistance to related-key differential attacks, a critical cryptanalysis method for lightweight ciphers, to determine the actual security level of the PFP algorithm using formal cryptanalysis techniques.

Methods: To evaluate the security of the PFP algorithm, Satisfiability Modulo Theories (SMT) is used to model the cipher's round function and automate the search for distinguishers indicating potential design weaknesses. SMT, a formal method increasingly applied in cryptanalysis, facilitates automated attack generation and the detection of cryptographic flaws. The methodology involved constructing mathematical models of the cipher's rounds, which are tested for differential characteristics under various key assumptions. Two distinguisher models are developed: one based on single-key differentials and the other on related-key differentials, the latter being the focus of this analysis. These models automated the search for weak key differentials that could enable efficient key recovery attacks. The analysis leveraged the nonlinear substitution-permutation structure of the PFP round function to systematically identify vulnerabilities. The results are examined to estimate the probabili
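Keywords: lightweight block cipher; differential cryptanalysis; key recovery attack; satisfiability modulo theories
Classification: TN918 [Electronics and Telecommunications - Communication and Information Systems]; TP309 [Electronics and Telecommunications - Information and Communication Engineering]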