对21轮SMS4算法的多差分攻击  被引量：1

作　　者：宋何颖秀 高海英[1] 

机构地区：[1]解放军信息工程大学,郑州450004

出　　处：《密码学报》2016年第6期584-595,共12页Journal of Cryptologic Research

基　　金：国家密码发展基金项目(MMJJ201401002);国家自然科学基金资助项目(61272041)

摘　　要：SMS4算法一种是用于WAPI的分组密码算法,也是国内官方公布的第一个商用密码算法,该算法公布后即引起国内外密码学界的分析热潮.SMS4算法的分组长度为128比特,密钥长度为128比特,加密算法与密钥扩展算法都采用32轮迭代结构.本文的分析方法是综合利用了2^(28)个17轮的SMS4的差分特征,采用基于最优区分器思想的多差分攻击方法对21轮的SMS4算法进行攻击和分析,针对每个实验密钥,构造出基于多个差分特征的统计量,根据统计量的大小判决实验密钥是否是正确密钥.给出了多差分分析方法的计算复杂度,分析了正确密钥、错误密钥对应统计量的概率分布规律,在此基础上给出了多差分分析方法的成功率和数据复杂度之间的关系.最终得出结论可以2^(104)的数据复杂度,2^(114)的计算复杂度,来恢复出该算法的128比特圈子密钥.用该结果与目前已知的对21轮SMS4算法的差分攻击结果进行对比我们可以看出,攻击的数据复杂度和计算复杂度都有所降低.基于该研究结果,我们可以得出以下结论,在成功率相同的条件下,基于的差分特征越多,需要的数据复杂度和计算复杂度越小.SMS4 is a block cipher used in the WAPI(WLAN Authentication and Privacy Infrastructure) standard for securing wireless LANs in China, which is also the first commercial cryptographic algorithm in China. SMS4 has a 128-bit block size, a 128-bit user key, and a total of 32 rounds iterations. In this paper, 2^(28) of 17-round differential characteristics are used for the analysis. For each experimental key, a statistic is constructed using multiple differentials, and thus we can determine whether the experimental key is correct according to the statistics. We give the computational complexity of multiple differential cryptanalysis, the probability distribution of statistics corresponding to be correct keys and that corresponding to the incorrect keys, and give the relation of success probability and data complexity Then we use the multiple differential cryptanalysis based on the optimal distinguisher to attack 21-round SMS4 with 2^(104) chosen plaintexts and 2^(114) encryptions. Compared with the existing results of differential cryptanalysis on 21-round SMS4, our data complexity and time complexity are reduced. Example shows that the data complexity can be decreased with more differential characteristics in multiple differential cryptanalysis with the same success probability.

关 键 词：分组密码 SMS4算法 差分特征 多差分攻击 复杂度 成功率 

分 类 号：TN918.1[电子电信—通信与信息系统]