Security Analysis of the Lightweight Block Ciphers SIMON and SIMECK
Published: 2018-03-26 16:18
Topic: lightweight block ciphers | Focus: linear cryptanalysis | Source: Shandong Normal University, 2017 master's thesis
[Abstract]: Lightweight block ciphers are an important branch of block-cipher research. Because they consume few resources and execute efficiently, they are widely deployed on resource-constrained hardware such as RFID devices, and their security analysis has therefore become one of the active topics in cryptography. Building on the two classical techniques, differential cryptanalysis and linear cryptanalysis, cryptographers have proposed many extensions, including truncated differential, higher-order differential, impossible differential, multiple linear, nonlinear, multidimensional linear and differential-linear cryptanalysis. This work has greatly advanced lightweight block ciphers, raising the bar for cipher design while furthering information security as a whole. This thesis makes three contributions. First, taking Simon32 as the example, it studies the resistance of lightweight block ciphers to linear cryptanalysis. Although the linear cryptanalysis of this algorithm has been treated in many papers, none has analysed the success probability of a linear trail. This thesis therefore analyses and computes in detail the success probabilities of 3-round, 7-round and 10-round linear trails of Simon32, providing a method and reference data for further analysis of the algorithm. Second, it studies the resistance of Simon32 to differential-linear cryptanalysis, proposes a 15-round differential-linear characteristic, and mounts 17-, 18- and 19-round attacks: the 17-round attack needs to guess only 6 subkey bits, the 18-round attack 19 key bits, and the 19-round attack 35 subkey bits. By comparison, an 18-round linear attack on Simon32 has to guess 32 subkey bits. These results fully demonstrate the advantage of differential-linear cryptanalysis. Third, it studies the resistance of the lightweight block cipher Simeck32 to impossible differential cryptanalysis. Using the meet-in-the-middle technique, an 11-round impossible differential of Simeck32 is found; extending it by 4 rounds of decryption forwards and 4 rounds of encryption backwards gives a 19-round attack on Simeck32 that needs to guess only 29 subkey bits, whereas a 20-round zero-correlation linear attack needs to guess 52 subkey bits. The impossible differential attack is therefore superior to zero-correlation linear cryptanalysis. In addition, the meet-in-the-middle technique was used to search for all 11-round impossible differentials of Simon32. Breaking a cipher can be theoretical or practical: the former lowers the computational complexity below what the designers claim, the latter lowers it to within the reach of current computers. Theoretical breaks still depend heavily on high-performance computing. Having mastered the basic cryptanalytic methods, our next step is therefore to attempt practical breaks of new cipher algorithms.
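As an added example (not the thesis's code), the two ciphers analysed above, Simon32/64 and Simeck32/64, implemented from their design papers and checked against the papers' published test vectors, together with the exact probability of a one-round linear approximation, the per-round building block whose product gives the linear-trail probabilities the thesis computes. The helper names (rol16, round_approx_prob) and the mask choices are mine.

```python
"""Simon32/64 and Simeck32/64 (the ciphers analysed in the thesis) verified against
the design papers' test vectors, plus the exact probability of a one-round linear
approximation, the building block of the linear-trail probabilities in the thesis.
Added example, not the thesis's own code."""

MASK16 = 0xFFFF
# Round-constant sequences as given in the Simon and Simeck design papers.
SIMON_Z0 = "11111010001001010110000111001101111101000100101011000011100110"
SIMECK_SEQ = 0x9A42BB1F  # LFSR x^5 + x^2 + 1, seed 11111, consumed LSB first

def rol16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16

def simon_f(x):   # Simon round function: (S^1 x & S^8 x) ^ S^2 x
    return (rol16(x, 1) & rol16(x, 8)) ^ rol16(x, 2)

def simeck_f(x):  # Simeck round function: (x & S^5 x) ^ S^1 x
    return (x & rol16(x, 5)) ^ rol16(x, 1)

def simon32_encrypt(pt, key):
    """key = (k0, k1, k2, k3), k0 the least significant word; pt = (left, right)."""
    k = list(key)
    for i in range(28):  # expand the 4 key words to 32 round keys
        t = rol16(k[i + 3], 13) ^ k[i + 1]  # S^-3 k_{i+3} ^ k_{i+1}
        t ^= rol16(t, 15)                    # (I ^ S^-1)
        k.append(0xFFFC ^ int(SIMON_Z0[i % 62]) ^ k[i] ^ t)
    x, y = pt
    for rk in k:
        x, y = y ^ simon_f(x) ^ rk, x
    return x, y

def simeck32_encrypt(pt, key):
    """key = (k0, t0, t1, t2), k0 the least significant word; pt = (left, right)."""
    x, y = pt
    k0, t = key[0], list(key[1:])
    for i in range(32):
        x, y = y ^ simeck_f(x) ^ k0, x
        const = 0xFFFC | ((SIMECK_SEQ >> i) & 1)
        k0, t = t[0], t[1:] + [k0 ^ simeck_f(t[0]) ^ const]  # key schedule reuses f
    return x, y

def parity(v):
    return bin(v).count("1") & 1

def round_approx_prob(f, in_mask, out_mask):
    """Exact probability over all 2^16 x_i that <in_mask, x_i> = <out_mask, f(x_i)>;
    since x_{i+1} ^ y_i ^ k_i = f(x_i), the round key and the other branch cancel."""
    hits = sum(parity(x & in_mask) == parity(f(x) & out_mask) for x in range(1 << 16))
    return hits / (1 << 16)
```

With the papers' test key (0x0100, 0x0908, 0x1110, 0x1918) and plaintext (0x6565, 0x6877), simon32_encrypt returns (0xc69b, 0xe9bb) and simeck32_encrypt returns (0x770d, 0x2c76). Approximating bit 0 of each round function by the single rotated bit that survives when its AND gate is dropped (in_mask 1 << 14 for Simon, 1 << 15 for Simeck, out_mask 1) holds for exactly 3/4 of the inputs, i.e. correlation 2^-1, the factor a trail accumulates for every active AND gate.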
[Degree-granting institution]: Shandong Normal University
[Degree level]: Master's
[Year awarded]: 2017
[Classification number]: TN918.1
Article number: 1668611
Article link: https://www.wllwen.com/kejilunwen/xinxigongchenglunwen/1668611.html