Cite this article
  • XIONG Zhicheng, LIU Meicheng. A differential-linear attack of Lightweight Cipher Schwaemm[J]. Journal of Cyber Security, Accepted
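A differential-linear attack of Lightweight Cipher Schwaemm
XIONG Zhicheng, LIU Meicheng
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract: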
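Sparkle is one of the algorithms selected in the third round of LWC. Its algorithm family comprises the authenticated encryption algorithm Schwaemm, the hash function Esch and an extendable-output function, all of which use the Sparkle permutation, which is built on the ARX-based Alzette. The designers, Beierle et al., used data trade-off attacks and guess-and-determine attacks to give 3.5-round analysis results for the initialization algorithm of Schwaemm128-128/192-192/256-256, and also gave 4.5-round birthday differential attack results for Schwaemm128-128/192-192/256-256; however, because the complexity of the 4.5-round attack is too high, it is not an effective attack. This paper gives a 4-round differential-linear trail of Sparkle256 and mounts a distinguishing attack and a key-recovery attack on the initialization algorithm of Schwaemm128-128. First, a 4-round differential-linear trail model is given through theoretical analysis. Then, Matsui's search algorithm combined with a middle-trail calculation algorithm is used to obtain a 4-round differential-linear trail that fits the model. Finally, the probability of the 4-round differential-linear trail is computed. Using a differential trail value calculation algorithm, with round constant c[0], 192 pairs of nonces are obtained for which the probability of the 4-round differential-linear trail is 2^-6. Experimental results show that, with round constant c[0], the distinguishing attack on the 4-round initialization algorithm of Schwaemm128-128 succeeds with probability 98.5%, and the key-recovery attack on the 4.5-round initialization algorithm of Schwaemm128-128 has a 12-bit advantage and succeeds with probability 77.0%. However, the input of Schwaemm128-128 contains a 128-bit key, and the designers claim 120 bits of security. Our research shows that, with round constant c[0], the security of the 4.5-round initialization algorithm of Schwaemm128-128 is below 116 bits.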
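Key words:  lightweight cipher  Schwaemm  Sparkle  ARX  Matsui's search algorithm  differential-linear  distinguishing attack  key recovery
DOI:
Received: 2022-12-07  Revised: 2023-01-30
Funding: National Natural Science Foundation of China projects (General Program, Key Program, Major Program)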
A differential-linear attack of Lightweight Cipher Schwaemm
XIONG Zhicheng, LIU Meicheng
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Sparkle is one of the winning algorithms in the third round of LWC. Its algorithm family includes the authenticated encryption algorithm Schwaemm, the hash function Esch and an extendable-output function, all of which use the Sparkle permutation, designed on the ARX structure Alzette. The designers, Beierle et al., used a data trade-off attack and a guess-and-determine attack to give 3.5-round analysis results for the initialization algorithm of the authenticated encryption algorithm Schwaemm128-128/192-192/256-256, and gave 4.5-round birthday differential attack results for Schwaemm128-128/192-192/256-256; because the complexity of the 4.5-round attack is too large, it is not an effective attack. This paper presents a 4-round differential-linear trail of Sparkle256 and performs a distinguishing attack and a key recovery attack on the initialization algorithm of Schwaemm128-128. First, a 4-round differential-linear trail model is given through theoretical analysis. Then, using Matsui's search algorithm combined with the middle trail calculation algorithm, a 4-round differential-linear trail conforming to the model is obtained. Finally, the probability of the 4-round differential-linear trail is calculated. When the round constant is c[0], we use the differential trail value calculation algorithm to obtain 192 pairs of nonces for which the probability of the 4-round differential-linear trail holding is 2^-6. The experimental results show that, when the round constant is c[0], the success probability of the distinguishing attack on the 4-round initialization algorithm of Schwaemm128-128 is 98.5%, and the key recovery attack on the 4.5-round initialization algorithm of Schwaemm128-128 has a 12-bit advantage with a success probability of 77.0%. However, the input to Schwaemm128-128 contains a 128-bit key, and the designers claim a security level of 120 bits. Our research shows that the security level of the 4.5-round initialization algorithm of Schwaemm128-128 is less than 116 bits when the round constant is c[0].
Key words:  lightweight cipher  Schwaemm  Sparkle  ARX  Matsui's search algorithm  differential-linear  distinguishing attack  key recovery