數(shù)字視頻廣播通用加擾算法的不可能差分分析

沈璇; 孫兵; 劉國強(qiáng); 李超

doi:10.11999/JEIT180245

數(shù)字視頻廣播通用加擾算法的不可能差分分析

doi: 10.11999/JEIT180245 cstr: 32379.14.JEIT180245

沈璇^{1, 2},
孫兵^{1, 2},
劉國強(qiáng)¹,
李超^1, ,

1.
國防科技大學(xué)文理學(xué)院 ??長沙 ??410073
2.
湖南警察學(xué)院網(wǎng)絡(luò)偵查技術(shù)湖南省重點實驗室 ??長沙 ??410073

基金項目: 國家重點研發(fā)計劃(2017YFB0802000)，國家自然科學(xué)基金(61672530, 61702537, 61772545)，湖南省教育廳優(yōu)秀青年項目(16B086)，網(wǎng)絡(luò)偵查技術(shù)湖南省重點實驗室開放基金(2016WLZC018)

詳細(xì)信息

作者簡介:
沈璇：男，1990年生，博士生，研究方向為分組密碼的安全性分析

孫兵：男，1981年生，講師，研究方向為對稱密碼的設(shè)計與分析

劉國強(qiáng)：男，1986年生，講師，研究方向為對稱密碼的設(shè)計與分析

李超：男，1966年生，博士生導(dǎo)師，教授，研究方向為編碼密碼理論及其應(yīng)用

通訊作者:
李超　academic_lc@163.com

中圖分類號: TN918.1
計量
- 文章訪問數(shù): 2414
- HTML全文瀏覽量: 1086
- PDF下載量: 117
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2018-03-16
- 修回日期: 2018-07-25
- 網(wǎng)絡(luò)出版日期: 2018-08-06
- 刊出日期: 2019-01-01

Impossible Differential Cryptanalysis of the Digital Video Broadcasting-common Scrambling Algorithm

Xuan SHEN^{1, 2},
Bing SUN^{1, 2},
Guoqiang LIU¹,
Chao LI^{1
, ,}

1.
College of Liberal Arts and Sciences, National University of Defense Technology, Changsha 410073, China
2.
Hunan Provincial Key Laboratory of Network Investigational Technology, Changsha 410073, China

Funds: The National Key R&D Program of China (2017YFB0802000), The National Natural Science Foundation of China (61672530, 61702537, 61772545), The Project of Hunan Province Department of Education (16B086), The Open Research Fund of Hunan Provincial Key Laboratory of Network Investigational Technology (2016WLZC018)

摘要

摘要:
數(shù)字視頻廣播通用加擾算法(DVB-CSA)是一種混合對稱加密算法，由分組密碼加密和流密碼加密兩部分組成。該算法通常用于保護(hù)視訊壓縮標(biāo)準(zhǔn)(MPEG-2)中的信號流。主要研究DVB-CSA分組加密算法(DVB-CSA-Block Cipher, CSA-BC)的不可能差分性質(zhì)。通過利用S盒的具體信息，該文構(gòu)造了CSA-BC的22輪不可能差分區(qū)分器，該區(qū)分器的長度比已有最好結(jié)果長2輪。進(jìn)一步，利用構(gòu)造的22輪不可能差分區(qū)分器，攻擊了縮減的25輪CSA-BC，該攻擊可以恢復(fù)24 bit種子密鑰。攻擊的數(shù)據(jù)復(fù)雜度、時間復(fù)雜度和存儲復(fù)雜度分別為2^53.3個選擇明文、2^32.5次加密和2²⁴個存儲單元。對于CSA-BC的不可能差分分析，目前已知最好結(jié)果能夠攻擊21輪的CSA-BC并恢復(fù)16 bit的種子密鑰量。就攻擊的長度和恢復(fù)的密鑰量而言，該文的攻擊結(jié)果大大改進(jìn)了已有最好結(jié)果。
- 混合對稱密碼 /
- 分組密碼 /
- 數(shù)字視頻廣播通用加擾算法 /
- 不可能差分分析
Abstract:
The Digital Video Broadcasting-Common Scrambling Algorithm (DVB-CSA) is a hybrid symmetric cipher. It is made up of the block cipher encryption and the stream cipher encryption. DVB-CSA is often used to protect MPEG-2 signal streams. This paper focuses on impossible differential cryptanalysis of the block cipher in DVB-CSA called CSA-BC. By exploiting the details of the S-box, a 22-round impossible differential is constructed, which is two rounds more than the previous best result. Furthermore, a 25-round impossible differential attack on CSA-BC is presented, which can recover 24 bit key. For the attack, the data complexity, the computational complexity and the memory complexity are 2^53.3 chosen plaintexts, 2^32.5 encryptions and 2²⁴ units, respectively. For impossible differential cryptanalysis of CSA-BC, the previous best result can attack 21-round CSA-BC and recover 16 bit key. In terms of the round number and the recovered key, the result significantly improves the previous best result.
- Hybrid symmetric cipher /
- Block cipher /
- Digital Video Broadcasting-Common Scrambling Algorithm (DVB-CSA) /
- Impossible differential cryptanalysis

HTML全文

圖 1 CSA的整體結(jié)構(gòu)

下載: 全尺寸圖片幻燈片

圖 2 CSA-BC加密的輪函數(shù)

下載: 全尺寸圖片幻燈片

圖 3 CSA-BC的25輪不可能差分攻擊

下載: 全尺寸圖片幻燈片

表 1 算法1：CSA-BC的加密流程

輸入：明文${{M}} = ({M_0},{M_1},{M_2},{M_3},{M_4},{M_5},{M_6},{M_7})$

輸出：密文${{C}} = ({C_0},{C_1},{C_2},{C_3},{C_4},{C_5},{C_6},{C_7})$

(1)　${{{S}}^0} = {{M}}$;

(2)　for r=0 to 55

(3)　　${{{S}}^{r + 1}} = f({{{S}}^r},(k_{8r}^E,k_{8r + 1}^E, \cdots ,k_{8r + 7}^E))$;

(4)　end for

(5)　${{C}} = {{{S}}^{56}}$.

下載: 導(dǎo)出CSV

表 2 加密方向的差分傳播規(guī)律

輪數(shù)	差分傳播	約束條件
0	$(0\|0\|0\|0\|0\|0\|u\|0)$
1	$(0\|0\|0\|0\|0\|u\|0\|0)$
2	$(0\|0\|0\|0\|u\|0\|0\|0)$
3	$(0\|0\|0\|u\|0\|0\|0\|0)$
4	$(0\|0\|u\|0\|0\|0\|0\|0)$
5	$(0\|u\|0\|0\|0\|0\|0\|0)$
6	$(u\|0\|0\|0\|0\|0\|0\|0)$
7	$(0\|u\|u\|u\|0\|0\|0\|u)$
8	$(u\|u\|u\|0\|0\|{{P}}{u_1}\|u\|{u_1})$	${u_1} \in \Delta S(u)$
9	$(u\|0\|u\|u\|{{P}}{u_1}\|u \oplus {{P}}{u_2}\|{u_1}\|u \oplus {u_2})$	${u_2} \in \Delta S({u_1})$
10	$(0\|0\|0\|u \oplus {{P}}{u_1}\|u \oplus {{P}}{u_2}\|{u_1} \oplus {{P}}{u_3}\|u \oplus {u_2}\|u \oplus {u_3})$	${u_3} \in \Delta S(u \oplus {u_2})$
11	$(0\|0\|u \oplus {{P}}{u_1}\|u \oplus {{P}}{u_2}\|{u_1} \oplus {{P}}{u_3}\|u \oplus {u_2} \oplus {{P}}{u_4}\|u \oplus {u_3}\|{u_4})$	${u_4} \in \Delta S(u \oplus {u_3})$
12	$(0\|u \oplus {{P}}{u_1}\|u \oplus {{P}}{u_2}\|{u_1} \oplus {{P}}{u_3}\|u \oplus {u_2} \oplus {{P}}{u_4}\|u \oplus {u_3} \oplus {{P}}{u_5}\|{u_4}\|{u_5})$	${u_5} \in \Delta S({u_4})$
13	$(u \oplus {{P}}{u_1}\|u \oplus {{P}}{u_2}\|{u_1} \oplus {{P}}{u_3}\|u \oplus {u_2} \oplus {{P}}{u_4}\|u \oplus {u_3} \oplus {{P}}{u_5}\|{u_4} \oplus {{P}}{u_6}\|{u_5}\|{u_6})$	${u_6} \in \Delta S({u_5})$
14	$\begin{aligned} (u \oplus {{P}}{u_2}\|{u_1} \oplus {{P}}{u_3} \oplus u \oplus {{P}}{u_1}\|{u_2} \oplus {{P}}{u_4} \oplus {{P}}{u_1}\|\\ {u_3} \oplus {{P}}{u_5} \oplus {{P}}{u_1}\|{u_4} \oplus {{P}}{u_6}\|{u_5} \oplus {{P}}{u_7}\|{u_6}\|u \oplus {{P}}{u_1} \oplus {u_7}) \end{aligned} $	${u_7} \in \Delta S({u_6})$

下載: 導(dǎo)出CSV

表 3 解密方向的差分傳播規(guī)律

輪數(shù)	差分傳播	約束條件
22	$(0\|v\|v\|v\|0\|0\|0\|v)$
21	$(v\|0\|0\|0\|0\|0\|0\|0)$
20	$(0\|v\|0\|0\|0\|0\|0\|0)$
19	$(0\|0\|v\|0\|0\|0\|0\|0)$
18	$(0\|0\|0\|v\|0\|0\|0\|0)$
17	$(0\|0\|0\|0\|v\|0\|0\|0)$
16	$(0\|0\|0\|0\|0\|v\|0\|0)$
15	$(0\|0\|0\|0\|0\|0\|v\|0)$
14	$({v_1}\|0\|{v_1}\|{v_1}\|{v_1}\|0\|{{P}}{v_1}\|v)$	${v_1} \in \Delta S(v)$

下載: 導(dǎo)出CSV

表 4 本文結(jié)果與已有最好結(jié)果比較

區(qū)分器長度	攻擊長度	恢復(fù)密鑰量	數(shù)據(jù)復(fù)雜度	時間復(fù)雜度	存儲復(fù)雜度	來源
20輪	21輪	16 bit	${2^{44.5}}$	${2^{22.7}}$	${2^{10.5}}$	文獻(xiàn)[6]
22輪	25輪	24 bit	${2^{53.3}}$	${2^{32.5}}$	${2^{24}}$	本文

下載: 導(dǎo)出CSV

參考文獻(xiàn)(15)

WEINMANN R P and WIRT K. Analysis of the DVB common scrambling algorithm[C]. International Federation for Information Processing, Boston, USA, 2005: 195–207.

WIRT K. Fault attack on the DVB common scrambling algorithm[C]. Computational Science and Its Applications, Singapore, 2005: 511–517.

SIMPSON L, HENRICKSEN M, and YAP W S. Improved cryptanalysis of the common scrambling algorithm stream cipher[C]. The 14th Australasian Conference on Information Security and Privacy, Brisbane, Australia, 2009: 108–121.

TEWS E, WALDE J, and WEINER M. Breaking DVB-CSA[C]. West European Workshop on Research in Cryptography, Weimar, Germany, 2011: 41–45.

ZHANG Kai and GUAN Jie. Distinguishing attack on common scrambling algorithm[J]. The International Arab Journal of Information Technology, 2015, 12(4): 410–414.

ZHANG Kai, GUAN Jie, and HU Bin. Impossible differential cryptanalysis on DVB-CSA[J]. KSII Transactions on Internet and Information Systems, 2016, 10(3): 1944–1956. doi: 10.3837/tiis.2016.04.027

SUN Siwei, HU Lei, WANG Peng, et al. Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers[C]. International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, China, 2014: 158–178.

李俊志, 關(guān)杰. 一種基于完全性的不可能差分區(qū)分器構(gòu)造方法[J]. 電子與信息學(xué)報, 2018, 40(2): 430–437. doi: 10.11999/JEIT170422

LI Junzhi and GUAN Jie. A method of constructing impossible differential distinguishers based on completeness[J]. Journal of Electronics &Information Technology, 2018, 40(2): 430–437. doi: 10.11999/JEIT170422

徐洪, 蘇鵬暉, 戚文峰. 減輪SPECK算法的不可能差分分析[J]. 電子與信息學(xué)報, 2017, 39(10): 2479–2486. doi: 10.11999/JEIT170049

XU Hong, SU Penghui, and QI Wenfeng. Impossible differential cryptanalysis of reduced-round SPECK[J]. Journal of Electronics &Information Technology, 2017, 39(10): 2479–2486. doi: 10.11999/JEIT170049

付立仕, 崔霆, 金晨輝. 嵌套SP網(wǎng)絡(luò)的New-Structure系列結(jié)構(gòu)的零相關(guān)線性逼近與不可能差分性質(zhì)研究[J]. 電子學(xué)報, 2017, 45(6): 1367–1374. doi: 10.3969/j.issn.0372-2112.2017.06.013

FU Lishi, CUI Ting, and JIN Chenhui. Zero correlation linear approximations and impossible differentials of New-Structure series with SP networks[J]. Acta Electronica Sinica, 2017, 45(6): 1367–1374. doi: 10.3969/j.issn.0372-2112.2017.06.013

SUN Bing, LIU Meicheng, GUO Jian, et al. Provable security evaluation of structures against impossible differential and zero correlation linear cryptanalysis[C]. Advances in Cryptology – EUROCRYPT 2016, Vienna, Austrian, 2016: 196–213.

SHEN Xuan, LI Ruilin, SUN Bing, et al. Dual relationship between impossible differentials and zero correlation linear hulls of SIMON-like ciphers[C]. Information Security Practice and Experience, Melbourne, Australia, 2017: 237–255.

BOURA C, LALLEMAND V, PLASENCIA M N, et al. Making the impossible possible[J]. Journal of Cryptology, 2018, 31(1): 101–133. doi: 10.1007/s00145-016-9251-7

KNUDSEN L. DEAL-A 128-bit block cipher[R]. Department of Informatics, University of Bergen, Norway, 1998.

BIHAM E, BIRYUKOV A, and SHAMIR A. Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials[C]. Advances in Cryptology – EUROCRYPT 1999, Prague, Czech, 1999: 12–23.

相關(guān)文章

施引文獻(xiàn)

資源附件(0)

訪問統(tǒng)計