西安电子科技大学学报 ›› 2021, Vol. 48 ›› Issue (1): 76-86.doi: 10.19665/j.issn1001-2400.2021.01.009

• • 上一篇    下一篇

KNOT认证加密算法的零和区分器分析

叶涛1,2(),韦永壮2,3(),李灵琛2()   

  1. 1.桂林电子科技大学 信息与通信学院,广西壮族自治区 桂林 541004
    2.桂林电子科技大学 广西密码学与信息安全重点实验室,广西壮族自治区 桂林 541004
    3.密码科学技术国家重点实验室,北京 100878
  • 收稿日期:2020-07-31 出版日期:2021-02-20 发布日期:2021-02-03
  • 通讯作者: 韦永壮
  • 作者简介:叶 涛(1991—),男,桂林电子科技大学博士研究生,E-mail: fendouyetao@163.com|李灵琛(1988—),女,博士,E-mail: 814980156@qq.com|叶 涛(1991—),男,桂林电子科技大学博士研究生,E-mail: fendouyetao@163.com|李灵琛(1988—),女,博士,E-mail: 814980156@qq.com
  • 基金资助:
    国家自然科学基金项目(61872103);国家自然科学基金项目(62062026);广西创新研究团队项目(2019GXNSFGA245004);广西青年创新人才科研专项(桂科AD20238082);国家自然科学基金项目(61872103);国家自然科学基金项目(62062026);广西创新研究团队项目(2019GXNSFGA245004);广西青年创新人才科研专项(桂科AD20238082)

Analysis of zero-sum distinguisher of the KNOT authenticated encryption algorithm

YE Tao1,2(),WEI Yongzhuang2,3(),LI Lingchen2()   

  1. 1. School of Information and Communication,Guilin University of Electronic Technology,Guilin 541004,China
    2. Guangxi Key Laboratory of Cryptography and Information Security,Guilin University of Electronic Technology,Guilin 541004,China
    3. State Key Laboratory of Cryptology,P.O.Box 5159,Beijing 100878,China
  • Received:2020-07-31 Online:2021-02-20 Published:2021-02-03
  • Contact: Yongzhuang WEI

摘要:

KNOT认证加密算法是国际轻量级密码算法征集竞赛活动第2轮入围的候选算法之一。该算法具有软硬件实现快、资源消耗低等特点,其安全性受到了全球广泛的关注。基于标志位技术,提出了密码S盒的新可分性模型构建方法。同时,利用KNOT-256的算法结构,构建了KNOT-256密码算法新的可分性的混合整数线性规划模型,并由此设计了该算法零和区分器的自动化新搜索方法。研究结果表明:KNOT-256置换存在30轮的零和区分器,尽管该区分器对KNOT认证加密算法(分组长度为256的版本的初始化轮数是52轮)的安全性没有造成实际的威胁,但得到的结果证实了新的零和区分器构造方法是有效的。

关键词: 分组密码, 零和区分器, KNOT认证加密算法, 混合整数线性规划, 分组密码, 零和区分器, KNOT认证加密算法, 混合整数线性规划

Abstract:

As one of the second round candidates of the lightweight crypto standardization process,KNOT has the advantages of fast implementation in software and hardware,low hardware area and software memory.Currently,the security of KNOT has received extensive attention.In this paper,based on the flag technique,a new method to design the model of division property for S-box is proposed.Moreover,by using the structure of KNOT,a new Mixed Integer Linear Programming (MILP) model of division property for KNOT is constructed.The automated search method of zero-sum distinguisher of KNOT-256 is also further presented.It is illustrated that there exists a 30-round zero-sum distinguisher of KNOT-256 permutation.Although the security of the KNOT authenticated encryption algorithm (whose 256-bit block size version has 52 rounds in the initialization process) is not practically threatened via this distinguisher,the result verifies that the method of constructing zero-sum distinguisher is valid.

Key words: block cipher, zero-sum distinguisher, KNOT authenticated encryption algorithm, mixed integer linear programming, block cipher, zero-sum distinguisher, KNOT authenticated encryption algorithm, mixed integer linear programming

中图分类号: 

  • TN918.4