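Abstract:
The block cipher Pilsung uses an SPN structure with a 128-bit block length, a 128-bit round key length and 10 rounds. It is the encryption algorithm used in a kernel module of version 3.0 of North Korea's Red Star operating system, and its encryption process uses key-dependent S-boxes and permutations. Building on the persistent fault attack proposed by Zhang Fan et al., this paper studies the security of Pilsung under persistent fault attack. We inject persistent faults into elements of the S-boxes used in Pilsung encryption and exploit the statistical characteristics of the ciphertexts to recover the whitening key and the last-round key. Each injected fault reduces the entropy of the round key by 8 bits. In particular, in the first-round attack, we flip 1 bit of an element at a random position in each of the 16 S-boxes and recover the 128-bit whitening key using 4096 plaintexts, with a success probability of 1. In the last-round attack, we flip 1 bit of an element at a random position in each of the 16 S-boxes and recover the 128-bit last-round key using no more than 1600 plaintexts on average. The number of candidate last-round keys depends on the type of permutation used in that round and on the position of the injected fault. Injecting a fault of any value at position 82 and position 125 of any S-box yields a unique round key. Without regard to the permutation type and the fault position, the probability that there are no more than 512 candidate last-round keys is 98.1%. Both attacks can recover the master key in practical time. The attack proposed in this paper is the first fault attack on a cipher that uses key-dependent S-boxes, and also the first fault attack on the Pilsung cipher.
Keywords: block cipher; Pilsung; persistent fault attack; bit flip; statistical characteristics
DOI:
Received: 2020-11-12; Revised: 2020-12-30
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
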
Persistent Fault Attack on Pilsung Block Cipher
DAI Zhengyi, WANG Wenhao, LIN Dongdai

(State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Pilsung is a 10-round SP-network with a 128-bit block length and a 128-bit round key. The cipher is used in a kernel module of version 3.0 of the North Korean Red Star operating system, and its encryption process uses key-dependent S-boxes and permutations. Building on the persistent fault attack proposed by Zhang Fan et al., we investigate the security of Pilsung against persistent fault attack. We inject persistent faults into elements of the S-boxes used in the Pilsung encryption process, and use the statistical characteristics of the ciphertexts to recover the whitening key and the last-round key. Each injected fault reduces the entropy of the round key by 8 bits. In particular, in the first-round attack, we flip 1 bit of an element at a random position in each of the 16 S-boxes and use 4096 plaintexts to recover the 128-bit whitening key, with a success probability of 1. In the last-round attack, we flip 1 bit of an element at a random position in each of the 16 S-boxes and use no more than 1600 plaintexts on average to recover the 128-bit last-round key. The number of candidate last-round keys depends on the type of permutation used in that round and on the location of the fault injection. A unique round key can be obtained by injecting faults of any value at the 82nd and 125th positions of any S-box. Regardless of the type of permutation and the location of the fault injection, the probability that the number of candidate last-round keys does not exceed 512 is 98.1%. Both attacks can recover the master key in practical time. This paper presents the first fault attack on a cipher with key-dependent S-boxes, and also the first fault attack on the Pilsung cipher.
Key words: block cipher; Pilsung; persistent fault attack; bit flip; statistical characteristics
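
The statistical characteristic the abstract relies on can be seen in a simplified one-byte model of a last round; this is an added illustration, not code from the paper. Assumptions: a random bijective 8-bit table stands in for Pilsung's key-dependent S-box, the original value of the faulted entry is taken as known, and `simulate`, its parameters and the sample inputs are constructed for the example.

```python
import random

def make_sbox(rng):
    # Random bijective 8-bit table: a stand-in, NOT Pilsung's key-dependent S-box.
    table = list(range(256))
    rng.shuffle(table)
    return table

def flip_bit(sbox, pos, bit):
    # Persistent fault model: one bit of one stored entry is flipped and stays
    # flipped for every later encryption that reads the table.
    faulty = list(sbox)
    faulty[pos] ^= 1 << bit
    return faulty

def is_bijective(sbox):
    # Table integrity check: a single faulted entry always breaks the permutation.
    return len(sbox) == 256 and set(sbox) == set(range(256))

def simulate(seed=2020, key_byte=0xA7, pos=17, bit=3, limit=20000):
    rng = random.Random(seed)
    sbox = make_sbox(rng)
    faulty = flip_bit(sbox, pos, bit)
    lost = sbox[pos]          # value that can no longer leave the S-box (assumed known)
    seen = set()
    for n in range(1, limit + 1):
        x = rng.randrange(256)            # constructed uniform S-box input
        seen.add(faulty[x] ^ key_byte)    # simplified last round: S-box, then key XOR
        if len(seen) == 255:              # exactly one ciphertext byte value never occurs
            absent = (set(range(256)) - seen).pop()
            return {"recovered": absent ^ lost, "samples": n,
                    "clean_ok": is_bijective(sbox), "faulty_ok": is_bijective(faulty)}
    return None

if __name__ == "__main__":
    print(simulate())
```

The `is_bijective` check is the defensive counterpart: verifying that a stored S-box is still a permutation before use detects this fault model, because a single flipped entry always produces a duplicate value.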