3.3 飞去来器攻击及矩形攻击
飞去来器攻击:
- 轮数短但概率高的差分路线
- 需要选择明文和密文
增强飞去来器攻击:
- 通过加大选择明文量来去掉选择密文的要求
- 只选择明文
矩形攻击:
- 同时利用多条短轮路线提升区分器概率
- 降低攻击复杂度
后续研究:
- 更好在错位部分连接
- 加长区分器路线
1.飞去来器攻击:
首先将加密算法分为三部分:
E k ( P ) = E b K b ( E m K m ( E f K f ( P ) ) ) {E_{k}(P)=E_{bK_{b}}(E_{mK_{m}}(E_{fK_{f}}(P)))} Ek(P)=EbKb(EmKm(EfKf(P)))
考虑 E m K m {E_{mK_{m}}} EmKm为基于密钥的线性或仿射变换的情况,不影响差分传播概率, 记为A
设有三条高概率差分:
- 加密方向1 α → E f β , P r ( α → E f β ) = p 1 {\alpha \stackrel{E_{f}}\to \beta,Pr(\alpha \stackrel{E_{f}}\to \beta)=p_{1}} α→Efβ,Pr(α→Efβ)=p1
- 解密方向1 β → E f − 1 α , P r ( β → E f − 1 α ) = p 2 {\beta \stackrel{E_{f}^{-1}}\to \alpha,Pr(\beta \stackrel{E_{f}^{-1}}\to \alpha)=p_{2}} β→Ef−1α,Pr(β→Ef−1α)=p2
- 解密方向2 γ → E b − 1 ϕ , P r ( γ → E b − 1 ϕ ) = q {\gamma \stackrel{E_{b}^{-1}}\to \phi,Pr(\gamma \stackrel{E_{b}^{-1}}\to \phi)=q} γ→Eb−1ϕ,Pr(γ→Eb−1ϕ)=q
为了连接短轮数差分,采用"错位"相连,也就是中间差分值 β ≠ ϕ {\beta \ne \phi} β=ϕ,即一对明文满足中间差分值β,另一对满足Φ
过程:
基于下面的流程:
密文对的平行四边形
⇒ {\Rightarrow } ⇒中间状态的平行四边形
⇒ {\Rightarrow } ⇒明文对的平行四边形
-
选择 ( m 1 , m 2 ) (m_{1},m_{2}) (m1,m2) 满足 m 1 ⊕ m 2 = α {m_{1} \oplus m_{2}=\alpha} m1⊕m2=α
⇒ x 1 ⊕ x 2 = β {\Rightarrow x_{1} \oplus x_{2}=\beta} ⇒x1⊕x2=β P r ( x 1 ⊕ x 2 = β ) = p 1 {Pr(x_{1} \oplus x_{2}=\beta)=p_{1}} Pr(x1⊕x2=β)=p1
-
选择 c 3 = c 1 ⊕ γ , c 4 = c 2 ⊕ γ {c_{3} = c_{1} \oplus \gamma , \ c_{4}=c_{2} \oplus \gamma } c3=c1⊕γ, c4=c2⊕γ
⇒ y 1 ⊕ y 3 = ϕ , y 2 ⊕ y 4 = ϕ {\Rightarrow y_{1} \oplus y_{3}=\phi,y_{2} \oplus y_{4}=\phi} ⇒y1⊕y3=ϕ,y2⊕y4=ϕ
⇒ y 1 ⊕ y 3 ⊕ y 2 ⊕ y 4 = 0 , P r ( y 1 ⊕ y 3 ⊕ y 2 ⊕ y 4 = 0 ) = q 2 {\Rightarrow y_{1} \oplus y_{3}\oplus y_{2} \oplus y_{4}=0,\ Pr(y_{1} \oplus y_{3}\oplus y_{2} \oplus y_{4}=0)=q^{2}} ⇒y1⊕y3⊕y2⊕y4=0, Pr(y1⊕y3⊕y2⊕y4=0)=q2
⇒ x 1 ⊕ x 3 ⊕ x 2 ⊕ x 4 = 0 {\Rightarrow x_{1} \oplus x_{3}\oplus x_{2} \oplus x_{4}=0} ⇒x1⊕x3⊕x2⊕x4=0 //A为仿射变换,概率不改变
⇒ x 3 ⊕ x 4 = β , P r ( x 3 ⊕ x 4 = β ) = p 1 q 2 {\Rightarrow x_{3} \oplus x_{4}=\beta ,\ Pr(x_{3} \oplus x_{4}=\beta)=p_{1}q^{2}} ⇒x3⊕x4=β, Pr(x3⊕x4=β)=p1q2 // x 1 ⊕ x 2 = β {x_{1} \oplus x_{2}=\beta} x1⊕x2=β
-
所以 m 3 ⊕ m 4 = α {m_{3} \oplus m_{4}=\alpha} m3⊕m4=α 的概率为 p 1 p 2 q 2 {p_{1}p_{2}q^{2}} p1p2q2
随机置换构造的 ( m 3 , m 4 ) (m_{3},m_{4}) (m3,m4), P r ( m 3 ⊕ m 4 = α ) = 2 − n {Pr(m_{3} \oplus m_{4}=\alpha)=2^{-n}} Pr(m3⊕m4=α)=2−n
只要 p 1 p 2 q 2 > 2 − n {p_{1}p_{2}q^{2} \gt 2^{-n}} p1p2q2>2−n就可以区分
提高概率:
要使得 y 1 ⊕ y 3 ⊕ y 2 ⊕ y 4 = 0 , 只需要 y 1 ⊕ y 3 = y 2 ⊕ y 4 {y_{1} \oplus y_{3}\oplus y_{2} \oplus y_{4}=0,\ 只需要y_{1} \oplus y_{3}= y_{2} \oplus y_{4}} y1⊕y3⊕y2⊕y4=0, 只需要y1⊕y3=y2⊕y4 ,所以 ϕ {\phi} ϕ可以有多种取值,同理β
- p 1 p 2 = ∑ ∀ β P r ( α → E f β ) P r ( β → E f − 1 α ) {p_{1}p_{2}=\sum \limits_{\forall \beta}\ Pr(\alpha \stackrel{E_{f}}\to\beta )Pr(\beta \stackrel{E_{f}^{-1}}\to\alpha )} p1p2=∀β∑ Pr(α→Efβ)Pr(β→Ef−1α)
- q 2 = ∑ ∀ ϕ P r ( γ → E b − 1 ϕ ) 2 {q^{2}=\sum \limits_{\forall \phi}Pr(\gamma \stackrel{E_{b}^{-1}}\to\phi )^{2}} q2=∀ϕ∑Pr(γ→Eb−1ϕ)2
2.增强的飞去来器攻击模型
(AMPLIFIED BOOMERANG ATTACK)
区别:只选择明文,只能控制 ( x 1 , x 2 ) (x_{1},x_{2}) (x1,x2)的差分,无法控制中间状态 ( y 1 , y 2 ) (y_{1},y_{2}) (y1,y2)的差分
思路:
利用加密方向的高概率差分
- 加密方向1 α → E f β , P r ( α → E f β ) = p {\alpha \stackrel{E_{f}}\to \beta,Pr(\alpha \stackrel{E_{f}}\to \beta)=p} α→Efβ,Pr(α→Efβ)=p
- 加密方向2 ϕ → E b γ , P r ( ϕ → E b γ ) = q {\phi \stackrel{E_{b}}\to \gamma,Pr(\phi \stackrel{E_{b}}\to \gamma)=q} ϕ→Ebγ,Pr(ϕ→Ebγ)=q
过程:
- 首先选择四元组 ( m 1 , m 2 , m 3 , m 4 ) (m_{1},m_{2},m_{3},m_{4}) (m1,m2,m3,m4),满足 m 1 ⊕ m 2 = α , m 3 ⊕ m 4 = α {m_{1} \oplus m_{2}=\alpha,m_{3} \oplus m_{4}=\alpha} m1⊕m2=α,m3⊕m4=α
- 得到相应的密文对 ( c 1 , c 2 ) , ( c 3 , c 4 ) {(c_{1},c_{2}),(c_{3},c_{4})} (c1,c2),(c3,c4)
- x 1 ⊕ x 3 ⊕ x 2 ⊕ x 4 = 0 , P r ( x 1 ⊕ x 3 ⊕ x 2 ⊕ x 4 = 0 ) ≥ p 2 { x_{1} \oplus x_{3}\oplus x_{2} \oplus x_{4}=0,\ Pr(x_{1} \oplus x_{3}\oplus x_{2} \oplus x_{4}=0) \ge p^{2}} x1⊕x3⊕x2⊕x4=0, Pr(x1⊕x3⊕x2⊕x4=0)≥p2
- P r ( y 1 ⊕ y 3 ⊕ y 2 ⊕ y 4 = 0 ) ≥ p 2 {Pr(y_{1} \oplus y_{3}\oplus y_{2} \oplus y_{4}=0) \ge p^{2}} Pr(y1⊕y3⊕y2⊕y4=0)≥p2 //A为仿射变换
- 设以随机概率 2 − n {2^{-n}} 2−n满足 y 1 ⊕ y 3 = ϕ {y_{1} \oplus y_{3}=\phi} y1⊕y3=ϕ,同理 y 2 ⊕ y 4 = ϕ {y_{2} \oplus y_{4}=\phi} y2⊕y4=ϕ
- 则 P r ( y 1 ⊕ y 3 = ϕ , y 2 ⊕ y 4 = ϕ ) ≥ 2 − n p 2 {Pr(y_{1} \oplus y_{3}=\phi,y_{2} \oplus y_{4}=\phi) \ge 2^{-n}p^{2}} Pr(y1⊕y3=ϕ,y2⊕y4=ϕ)≥2−np2
- 则密文对 P r ( c 1 ⊕ c 3 = c 2 ⊕ c 4 = γ ) ≥ 2 − n p 2 q 2 {Pr(c_{1} \oplus c_{3}=c_{2} \oplus c_{4}=\gamma) \ge 2^{-n}p^{2}q^{2}} Pr(c1⊕c3=c2⊕c4=γ)≥2−np2q2
- 随机置换 P r ( c 1 ⊕ c 3 = c 2 ⊕ c 4 = γ ) = 2 − 2 n {Pr(c_{1} \oplus c_{3}=c_{2} \oplus c_{4}=\gamma) = 2^{-2n}} Pr(c1⊕c3=c2⊕c4=γ)=2−2n
- 只要 p q > 2 − n / 2 {pq>2^{-n/2}} pq>2−n/2,就可以区分
提高概率的方法同上。
3.矩形攻击
选择明文攻击,但是区分器包含了更多差分形式。
将 x 1 ⊕ x 3 ⊕ x 2 ⊕ x 4 = 0 放宽为 x 1 ⊕ x 3 ⊕ x 2 ⊕ x 4 = ϵ { x_{1} \oplus x_{3}\oplus x_{2} \oplus x_{4}=0放宽为 x_{1} \oplus x_{3}\oplus x_{2} \oplus x_{4}=\epsilon} x1⊕x3⊕x2⊕x4=0放宽为x1⊕x3⊕x2⊕x4=ϵ
利用如下加密方向高概率差分
- α → E f β {\alpha \stackrel{E_{f}}\to \beta} α→Efβ
- α → E f β ′ {\alpha \stackrel{E_{f}}\to \beta'} α→Efβ′
- ϕ → E b γ {\phi \stackrel{E_{b}}\to \gamma} ϕ→Ebγ
- ϕ ⊕ A ( β ⊕ β ′ ) → E b γ {\phi \oplus A(\beta\oplus \beta')\stackrel{E_{b}}\to \gamma} ϕ⊕A(β⊕β′)→Ebγ
内部状态满足 x 1 ⊕ x 2 = β , x 3 ⊕ x 4 = β ′ { x_{1} \oplus x_{2}=\beta,x_{3} \oplus x_{4}=\beta'} x1⊕x2=β,x3⊕x4=β′,令 ϵ = β ⊕ β ′ {\epsilon = \beta \oplus \beta'} ϵ=β⊕β′
则有 x 1 ⊕ x 3 ⊕ x 2 ⊕ x 4 = ϵ ⇔ y 1 ⊕ y 3 ⊕ y 2 ⊕ y 4 = A ( ϵ ) { x_{1} \oplus x_{3}\oplus x_{2} \oplus x_{4}=\epsilon \Leftrightarrow y_{1} \oplus y_{3}\oplus y_{2} \oplus y_{4}=A(\epsilon )} x1⊕x3⊕x2⊕x4=ϵ⇔y1⊕y3⊕y2⊕y4=A(ϵ)
设 y 1 ⊕ y 2 = ϕ , y 3 ⊕ y 4 = ϕ ⊕ A ( β ⊕ β ′ ) {y_{1} \oplus y_{2}=\phi,y_{3} \oplus y_{4}= \phi \oplus A(\beta \oplus \beta')} y1⊕y2=ϕ,y3⊕y4=ϕ⊕A(β⊕β′)
所以不随机现象的概率为
P r ( c 1 ⊕ c 3 = c 2 ⊕ c 4 = γ ) = ∑ ∀ β , β ′ [ P r ( α → E f β ) P r ( α → E f β ′ ) ⋅ 2 − n ∑ ∀ ϕ P r ( ϕ → E b γ ) P r ( ϕ ⊕ A ( β ⊕ β ′ ) → E b γ ) ] Pr(c_{1} \oplus c_{3}=c_{2} \oplus c_{4}=\gamma) \\= \sum \limits_{\forall\beta,\beta'}\big [Pr(\alpha \stackrel{E_{f}}\to \beta)Pr(\alpha \stackrel{E_{f}}\to \beta')·2^{-n} \sum \limits_{\forall \phi}Pr(\phi \stackrel{E_{b}}\to \gamma)Pr(\phi \oplus A(\beta\oplus \beta')\stackrel{E_{b}}\to \gamma) \big ] Pr(c1⊕c3=c2⊕c4=γ)=∀β,β′∑[Pr(α→Efβ)Pr(α→Efβ′)⋅2−n∀ϕ∑Pr(ϕ→Ebγ)Pr(ϕ⊕A(β⊕β′)→Ebγ)]