Similar documents
1.
Modular 2^n addition is a very important cryptographic building block and has been widely used in the design of symmetric ciphers such as MD5, SNOW 3G, SPECK and ZUC. Differential fault attack is a general security-analysis method against cipher implementations; it assumes that the attacker can inject faults dynamically while the algorithm runs. When performing differential fault analysis on a cipher that uses modular addition, the attacker usually derives a system of modular-addition differential equations, in which the number of equations equals the number of injected faults and is closely related to the number of solutions of the system. Since the number of injected faults and the number of solutions are the two key parameters for evaluating the complexity of a fault attack, the relation between them is worth studying. This paper discusses the statistical properties of the number of solutions of a special class of such systems, namely those in which the modular-addition differentials are mutually independent and uniformly distributed, and gives their expectation and variance. The results show that, for a general modular-addition differential equation system, on average about log_2(n)+5 injected faults suffice to determine the candidate solutions.
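The equation system described in this abstract, as an added simulation that is not part of the paper: a fault XORs a known mask alpha into one operand x of z = x + y mod 2^n, the attacker observes beta = z XOR z', and every (alpha, beta) pair is one modular-addition differential equation whose solutions are enumerated by brute force. The fault model (fault on x only, alpha known and uniformly random) and the brute-force solver are assumptions made here for illustration; the paper's expectation and variance formulas are not reproduced.

```python
"""Differential fault attack on modular 2^n addition (added simulation, not from the paper).

Model (an assumption made here): the device computes z = x + y mod 2^n, a fault
XORs a known mask alpha into x, and the attacker observes beta = z XOR z'.
Every fault yields one modular-addition differential equation
    ((x ^ alpha) + y) XOR (x + y) == beta   (mod 2^n)
and the candidate set is the set of (x, y) consistent with all equations so far.
"""
import random


def modadd(x, y, n):
    return (x + y) & ((1 << n) - 1)


def modadd_diff(x, y, alpha, n):
    """Output difference beta produced by faulting x to x ^ alpha."""
    return modadd(x, y, n) ^ modadd(x ^ alpha, y, n)


def solve(equations, n):
    """Brute force: every (x, y) in [0, 2^n)^2 satisfying all (alpha, beta) equations."""
    return [(x, y)
            for x in range(1 << n) for y in range(1 << n)
            if all(modadd_diff(x, y, a, n) == b for a, b in equations)]


def simulate(x, y, n, faults, rng=None):
    """Inject `faults` uniformly random non-zero masks into x; return the candidate-set
    size after each fault (the true (x, y) is always among the candidates)."""
    rng = rng or random.Random(0)
    equations, sizes = [], []
    for _ in range(faults):
        alpha = rng.randrange(1, 1 << n)
        equations.append((alpha, modadd_diff(x, y, alpha, n)))
        sizes.append(len(solve(equations, n)))
    return sizes


if __name__ == "__main__":
    n = 8
    rng = random.Random(2024)
    x, y = rng.randrange(1 << n), rng.randrange(1 << n)
    for k, size in enumerate(simulate(x, y, n, faults=12, rng=rng), start=1):
        print(f"{k:2d} fault(s): {size:6d} candidate (x, y) pairs remain")
```

Running the simulation shows why the solution count, and not only the fault count, governs the attack: a fault that only flips the top bit (alpha = 2^(n-1)) always produces beta = 2^(n-1), so that equation is satisfied by every (x, y) pair and eliminates nothing, while a low-bit fault exposes the carry chain of x + y and cuts the candidate set sharply.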

2.
This paper studies compact alternating-direction-implicit (ADI) difference schemes for the three-dimensional heat-conduction equation. The compact ADI scheme is derived by the operator method, its convergence and absolute stability are proved by Fourier analysis, and one step of Richardson extrapolation yields an approximate solution of order O(τ^3 + h^6). The method extends the treatment of the two-dimensional heat-conduction problem and applies equally to the multidimensional case.

3.
Discrete inequalities, especially the discrete Gronwall inequality, have been widely applied in the study of difference equations. In recent years fractional differential equations have attracted the attention of many researchers. Using a new definition of the fractional sum together with the inequality method, this paper therefore discusses a class of more general discrete fractional Gronwall inequalities.

4.
Certificateless public-key cryptography is currently the most advanced form of public-key cryptosystem, and certificateless signatures are one of the current research hotspots. This paper analyses the security of the pairing-free certificateless proxy ring signature schemes proposed by Wang et al. and by Zhang et al., and finds that both schemes are vulnerable to public-key replacement attacks. Concrete attacks are given for each scheme, the root cause of the vulnerability is analysed, and finally an improvement that resists the attack is proposed. The attacks and the improvement are instructive for the design of similar proxy ring signature schemes.

5.
A new strategy for finite-difference computation of viscous flow
高智, 申义庆, 《中国科学A辑》 (Science in China, Series A) 1999, 29(5): 433-443
For viscous-flow computation, a fluid analysis (theory) of finite discrete-unit flow and the difference scheme of the coupled discrete fluid theory (CDFT) are proposed. Numerical experiments computing the Burgers equation and shock-wave/boundary-layer interaction flows with the CDFT scheme show that, for improving computational accuracy and efficiency, the CDFT scheme is more effective than raising the accuracy of conventional schemes (i.e. schemes obtained by discretising the fluid-dynamics equations) or modifying their form, and it requires less computation.

6.
Since difference inequalities are an important tool for studying qualitative properties of solutions of difference equations such as existence, boundedness, uniqueness and stability, many mathematicians study not only the various generalisations and applications of Gronwall-type integral inequalities but also difference inequalities and their applications. This paper establishes a new class of nonlinear sum-difference inequalities and, using analytic techniques, gives upper-bound estimates for the unknown function in the inequalities. The results are applied to a boundary-value problem for delay difference equations to obtain estimates of the solutions of the difference equation.

7.
A long elastic body of rectangular cross-section bonded between two rigid parallel planes deforms when tangential forces in opposite directions act on its upper and lower faces. On the basis of a mathematical model derived for this deformation, a new finite-difference solution method is given. Boundary conditions with singularities are analysed and derived in detail, and a reasonable and effective new discrete boundary condition is proposed. Simulations show that the results agree with the qualitative analysis, so the work provides a new practical numerical solution and numerical-analysis method for this class of problems.

8.
LED is an ultra-lightweight block cipher proposed in 2011, developed mainly for encryption in resource-constrained Internet-of-Things applications. Lightweight ciphers have comparatively simple structures and are therefore easier targets for side-channel attacks. Random masking is an effective countermeasure against side-channel attacks. Based on an in-depth study of the LED structure, this paper proposes CMLED, a fully random-masked version of LED. It describes the design of CMLED and gives, in a formal way, principles for choosing masks that resist higher-order side-channel attacks. The hardware footprint and encryption throughput of the fully masked CMLED are compared with those of the original algorithm; experiments show that CMLED can still be implemented efficiently on smart cards.
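As an added illustration of what random masking buys against a first-order side-channel attack (example code written here, not the CMLED design from the paper): the PRESENT S-box, which LED also uses, is recomputed under fresh input and output masks, and a noiseless Hamming-weight leakage model constructed here is attacked with correlation power analysis (CPA) with and without the masking. The leakage model, the trace count and the restriction to first-order protection are assumptions; the paper's mask-selection principles for higher-order attacks are not reproduced.

```python
"""First-order Boolean masking of an S-box lookup versus a Hamming-weight CPA.

Added example, not the paper's CMLED. The S-box table is recomputed under a fresh
input mask m_in and output mask m_out, so the device only ever handles x ^ m_in and
S(x) ^ m_out. Leakage is a constructed, noiseless Hamming-weight model (assumption).
"""
import random

# PRESENT S-box (also the S-box of LED)
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(v):
    """Hamming weight: the constructed leakage of a value the device handles."""
    return bin(v).count("1")


def masked_sbox(sbox, m_in, m_out):
    """Table T with T[x ^ m_in] == S(x) ^ m_out for every x."""
    table = [0] * len(sbox)
    for x in range(len(sbox)):
        table[x ^ m_in] = sbox[x] ^ m_out
    return table


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def collect_traces(secret, sbox, masked, traces, seed):
    """Simulated device: S-box output of plaintext ^ secret, optionally masked.
    Returns (plaintexts, leakages)."""
    rng = random.Random(seed)
    plaintexts, leaks = [], []
    for _ in range(traces):
        p = rng.randrange(len(sbox))
        x = p ^ secret
        if masked:
            m_in, m_out = rng.randrange(len(sbox)), rng.randrange(len(sbox))
            value = masked_sbox(sbox, m_in, m_out)[x ^ m_in]   # == S(x) ^ m_out
        else:
            value = sbox[x]
        plaintexts.append(p)
        leaks.append(hw(value))
    return plaintexts, leaks


def cpa(secret, sbox, masked, traces=4000, seed=0):
    """Correlation of the observed leakage with HW(S(p ^ g)) for every key guess g."""
    plaintexts, leaks = collect_traces(secret, sbox, masked, traces, seed)
    return [pearson([hw(sbox[p ^ g]) for p in plaintexts], leaks)
            for g in range(len(sbox))]


if __name__ == "__main__":
    secret = 0xA
    for masked in (False, True):
        corr = cpa(secret, PRESENT_SBOX, masked)
        best = max(range(16), key=lambda g: abs(corr[g]))
        print(f"masked={masked!s:5}: best guess 0x{best:X} (secret 0x{secret:X}), "
              f"|corr| = {abs(corr[best]):.3f}")
```

Without masking the correct nibble reaches correlation 1 in this noiseless model; with a fresh output mask per execution the handled value S(x) ^ m_out is uniformly distributed regardless of x, so every guess correlates near zero. This defeats only a first-order attack: an attacker who combines the leakage of m_out with that of the masked value recovers the dependence on x again, which is the second-order setting the paper's mask-selection principles address.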

9.
This paper questions the existing Fourier analysis of the dispersion relations and group-velocity effects of difference schemes, identifies the crux of the problem and corrects it, and, using the modified-PDE idea for difference schemes, proposes a new constructive analysis method for difference schemes: remainder-effect analysis. The method is based on the dissipation and dispersion relations of the difference scheme and has clear constructive and practical significance.

10.
This paper considers finite-difference schemes for the generalised symmetric regularised long-wave equation with homogeneous boundary conditions. A conservative, linear, decoupled three-level finite-difference scheme is proposed; since the scheme only requires solving tridiagonal linear systems, iteration is avoided. A discrete conserved quantity is discussed first, and then the convergence and stability of the scheme are proved by the discrete functional-analysis method, giving a theoretical convergence order of O(h^2 + τ^2). Numerical experiments show that the proposed method is reliable and effective.

11.
The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers.

12.
The general strategy of impossible differential cryptanalysis is to first find impossible differentials and then exploit them for retrieving subkey material from the outer rounds of block ciphers. Thus, impossible differentials are one of the crucial factors to see how much the underlying block ciphers are resistant to impossible differential cryptanalysis. In this article, we introduce a widely applicable matrix method to find impossible differentials of block cipher structures whose round functions are bijective. Using this method, we find various impossible differentials of known block cipher structures: Nyberg's generalized Feistel network, a generalized CAST256-like structure, a generalized MARS-like structure, a generalized RC6-like structure, Rijndael structures and generalized Skipjack-like structures. We expect that the matrix method developed in this article will be useful for evaluating the security of block ciphers against impossible differential cryptanalysis, especially when one tries to design a block cipher with a secure structure.

13.
Linear cryptanalysis and differential cryptanalysis are two recently introduced, powerful methodologies for attacking private-key block ciphers. In this paper, we examine the application of these two cryptanalysis techniques to a CAST-like encryption algorithm. It is shown that, when randomly generated substitution boxes (s-boxes) are used in a CAST-like encryption algorithm, the resulting cipher is resistant to both the linear attack and the differential attack.

14.
In this paper we look at the security of two block ciphers which were both claimed in the published literature to be secure against differential cryptanalysis (DC). However, a more careful examination shows that neither of these ciphers is very secure against differential cryptanalysis, in particular if we consider attacks with sets of differentials. For both these ciphers we report new perfectly periodic (iterative) aggregated differential attacks which propagate with quite high probabilities. The first cipher we look at is GOST, a well-known Russian government encryption standard. The second cipher we look at is PP-1, a very recent Polish block cipher. Both ciphers were designed to withstand linear and differential cryptanalysis. Unhappily, both ciphers are shown to be much weaker than expected against advanced differential attacks. For GOST, we report better and stronger sets of differentials than the best currently known attacks presented at SAC 2000 [32] and propose the first attack ever able to distinguish 16 rounds of GOST from a random permutation. For PP-1 we show that, in spite of the fact that its S-box has an optimal theoretical security level against differential cryptanalysis [17], [29], our differentials are strong enough to allow us to break all the known versions of the PP-1 cipher.

15.
The theory of designing block ciphers is mature, having seen significant progress since the early 1990s for over two decades, especially during the AES development effort. Nevertheless, interesting directions exist, in particular in the study of the provable security of block ciphers along similar veins as public-key primitives, i.e. the notion of pseudorandomness (PRP) and indistinguishability (IND). Furthermore, recent cryptanalytic progress has shown that block ciphers well designed against known cryptanalysis techniques including related-key attacks (RKA) may turn out to be less secure against RKA than expected. The notion of provable security of block ciphers against RKA was initiated by Bellare and Kohno, and subsequently treated by Lucks. Concrete block cipher constructions were proposed therein with provable security guarantees. In this paper, we are interested in the security notions for RKA-secure block ciphers. In the first part of the paper, we show that secure tweakable permutation families in the sense of strong pseudorandom permutation (SPRP) can be transformed into secure permutation families in the sense of SPRP against some classes of RKA (SPRP–RKA). This fact allows us to construct a secure SPRP–RKA cipher which is faster than the Bellare–Kohno PRP–RKA cipher. We also show that function families of a certain form secure in the sense of a pseudorandom function (PRF) can be transformed into secure permutation families in the sense of PRP against some classes of RKA (PRP–RKA). We can exploit it to get various constructions secure against some classes of RKA from known MAC algorithms. Furthermore, we discuss how the key recovery (KR) security of the Bellare–Kohno PRP–RKA, the Lucks PRP–RKA and our SPRP–RKA ciphers relates to existing types of attacks on block ciphers like meet-in-the-middle and slide attacks. 
In the second part of the paper, we define other security notions for RKA-secure block ciphers, namely in the sense of indistinguishability (IND) and non-malleability, and show the relations between these security notions. In particular, we show that secure tweakable permutation families in the sense of IND (resp. non-malleability) can be transformed into RKA-secure permutation families in the sense of IND (resp. non-malleability).

16.
Key-dependent S-boxes gained some prominence in block cipher design when Twofish became an AES finalist. In this paper we make some observations on how the cryptanalyst might work with key-dependent S-boxes, we begin to develop a framework for the differential cryptanalysis of key-dependent S-boxes, and we introduce some basic techniques that were used in an analysis of reduced-round Twofish.

17.
On the provable security of a block cipher against impossible differential cryptanalysis, the maximal length of impossible differentials is an essential aspect. Most previous work on finding impossible differentials for AES omits the non-linear component (S-box), which is important for the security. In EUROCRYPT 2016, Sun et al. showed how to bound the length of impossible differentials of an SPN "structure" using the primitive index of its linear layer. They proved that there do not exist impossible differentials longer than four rounds for the AES "structure", as opposed to the AES cipher. Since they do not consider the details of the S-box, their bound does not apply to a concrete cipher, so the upper bound on the length of impossible differentials for AES itself remained unknown. We fill this gap in our paper. By revealing some important properties of the AES S-box, we further prove that, even when the details of the S-box are taken into account, there do not exist truncated impossible differentials covering more than four rounds for AES, under the assumption that round keys are independent and uniformly random. In particular, even when the details of both the S-box and the key schedule are taken into account, there do not exist truncated impossible differentials covering more than four rounds for AES-256.

18.
Linear cryptanalysis, along with differential cryptanalysis, is an important tool to evaluate the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on n bits, an algorithm of complexity 2^(n-1) is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA, and CAST256. As an example, using zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as 13 rounds of CLEFIA-256.
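An added example serving this abstract and abstract 13 above (the code is written here and is not taken from either paper): it computes the exact differential and linear profile of an S-box, obtaining the linear approximation table through a Walsh-Hadamard transform so that every correlation is evaluated exactly rather than estimated from samples, and then lists the non-trivial masks whose correlation is exactly zero. The 4-bit PRESENT S-box serves as a known test vector; the 8-bit S-box is a seeded random permutation constructed here for comparison with the "random S-box" setting of abstract 13.

```python
"""Exact DDT/LAT of an S-box and its zero-correlation masks (added example).

Not code from either paper. The LAT is computed with a fast Walsh-Hadamard
transform, so every correlation is exact, and the non-trivial (a, b) pairs with
correlation exactly zero are listed. PRESENT_SBOX is a known test vector; the
8-bit comparison S-box is a seeded random permutation constructed here.
"""
import random

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    return bin(v).count("1") & 1


def ddt(sbox):
    """ddt[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def fwht(vec):
    """Fast Walsh-Hadamard transform: out[a] = sum_x (-1)^(a.x) * vec[x]."""
    v = list(vec)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                u, w = v[j], v[j + h]
                v[j], v[j + h] = u + w, u - w
        h *= 2
    return v


def lat(sbox):
    """lat[a][b] = sum_x (-1)^(a.x ^ b.S(x)); the correlation of a.x = b.S(x) is lat[a][b] / len(sbox)."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for b in range(size):
        column = fwht([1 - 2 * parity(b & sbox[x]) for x in range(size)])
        for a in range(size):
            table[a][b] = column[a]
    return table


def differential_uniformity(sbox):
    """Largest DDT entry over non-zero input differences."""
    t = ddt(sbox)
    return max(t[a][b] for a in range(1, len(sbox)) for b in range(len(sbox)))


def linearity(sbox):
    """Largest |LAT| entry over non-zero output masks."""
    t = lat(sbox)
    return max(abs(t[a][b]) for a in range(len(sbox)) for b in range(1, len(sbox)))


def zero_correlation_masks(sbox):
    """Non-trivial (a, b), both non-zero, whose approximation a.x = b.S(x) has correlation exactly 0."""
    t = lat(sbox)
    return [(a, b) for a in range(1, len(sbox)) for b in range(1, len(sbox)) if t[a][b] == 0]


def random_sbox(bits, seed):
    """Constructed comparison S-box: a seeded random permutation on `bits` bits."""
    return random.Random(seed).sample(range(1 << bits), 1 << bits)


if __name__ == "__main__":
    for name, s in (("PRESENT 4-bit", PRESENT_SBOX), ("random 8-bit", random_sbox(8, 1))):
        zc = zero_correlation_masks(s)
        print(f"{name}: differential uniformity {differential_uniformity(s)}, "
              f"linearity {linearity(s)} (of {len(s)}), "
              f"{len(zc)} non-trivial zero-correlation masks")
```

For the PRESENT S-box the tables give differential uniformity 4 and linearity 8 (so no approximation has |correlation| above 1/2), and every non-zero output mask has input masks with correlation exactly zero. Zero correlation through a single S-box is not yet a zero-correlation distinguisher: the attacks in the abstract chain such masks through the linear layer over several rounds so that the correlation of the whole approximation is provably zero, which is the structural step this block does not perform.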

19.
Zero-correlation linear attack is a new method developed by Bogdanov et al. (ASIACRYPT 2012. LNCS, Springer, Berlin, 2012) for the cryptanalysis of block ciphers. In this paper we adapt the matrix method to find zero-correlation linear approximations. Then we present several zero-correlation linear approximations for 14 rounds of LBlock and describe a cryptanalysis of a reduced 22-round version of LBlock. After biclique attacks on LBlock revealed weaknesses in its key schedule, its designers presented a new version of the cipher with a revised key schedule. The attack presented in this paper does not exploit the structure of the key schedule or the S-boxes used in the cipher. As a result, it is applicable to both variants of LBlock as well as to block ciphers with analogous structures such as TWINE. Moreover, we performed simulations on a small variant of LBlock and present the first experimental results on the theoretical model of the multidimensional zero-correlation linear cryptanalysis method.

20.
Multiple and multidimensional zero-correlation linear cryptanalysis have been two of the most powerful cryptanalytic techniques for block ciphers, and it has been shown that the differentiating factor of these two statistical models is whether distinct plaintexts are assumed or not. Nevertheless, questions remain regarding how these analyses can be universalized without any limitations and can be used to accurately estimate the data complexity and the success probability. More concretely, the current models for multiple zero-correlation (MPZC) and multidimensional zero-correlation (MDZC) cryptanalysis are not valid in the setting with a limited number of approximations, and the accuracy of the estimation for data complexity cannot be guaranteed. Besides, in a lot of cases, using too many approximations may cause an exhaustive search when we want to launch key-recovery attacks. In order to generalize the original models, which use the normal approximation of the χ²-distribution, we provide a more accurate approach to estimate the data complexity and the success probability for MPZC and MDZC cryptanalysis without such approximation. Since these new models directly rely on the χ²-distribution, we call them the χ² MPZC and MDZC models. An interesting thing is that the chi-square multiple zero-correlation (χ²-MPZC) model still works even though we only have a single zero-correlation linear approximation. This fact puts an end to the situation that the basic zero-correlation linear cryptanalysis requires the full codebook under the known-plaintext attack setting. As an illustration, we apply the χ²-MPZC model to analyze TEA and XTEA. These new attacks cover more rounds than the previous MPZC attacks. Moreover, we reconsider the multidimensional zero-correlation (MDZC) attack on 14-round CLEFIA-192 by utilizing fewer zero-correlation linear approximations.
In addition, some other ciphers which already have MDZC analytical results are reevaluated, and the data complexities under the new model are all less than or equal to those under the original model. Some experiments are conducted in order to verify the validity of the new models, and the experimental results convince us that the new models provide more precise estimates of the data complexity and the success probability.

