【作者】 陈杰；

【导师】 胡予濮；

【作者基本信息】 西安电子科技大学 ， 密码学， 2007， 博士

【摘要】 现代密码学理论和密码技术是信息安全的重要基础。分组密码是密码学的一个重要分支，它具有速度快、易于标准化和便于软硬件实现等特点，通常是信息与网络安全中实现数据加密、数字签名、认证及密钥管理的核心体制。论文对高级加密标准AES等分组算法的分析方法进行了研究。得到如下主要研究结果：1．利用不可能差分特性，构造一个4轮AES的不可能差分分析的区分器，在此区分器的基础上给出一种不可能差分分析6轮AES的新方法。整个攻击过程需要2^99.5选择明文，约2⁸⁵的6轮AES运算，所需的存储空间为2⁵⁷分组。2．利用AES-192和AES-256的密钥编排方案，提出不可能差分分析7轮AES-192和8轮AES-256的方法。分析7轮AES-192共需要2¹⁰⁶选择明文，约2¹⁵⁷的7轮AES-192加密，所需的存储空间为2¹²⁹分组；分析8轮AES-256共需要2¹⁰³选择明文，约2²⁴⁴的8轮AES-256加密，所需的存储空间为2²¹⁷分组。3．分析了我国官方公布的第一个商用分组密码算法SMS4，根据SMS4每一轮输入输出对差分的变化，给出一个14轮SMS4的不可能差分，并提出一种不可能差分分析17轮SMS4的方法。分析17轮的SMS4，需要2¹⁰³选择明文，2¹²⁴的17轮加密以及2⁸⁹分组的存储空间，猜测密钥的错误概率仅为2^-88.7。4．利用AES-192密钥扩展算法的特点，并选择合适的相关密钥，结合Square攻击分别给出了一个相关密钥Square攻击7轮和8轮AES-192的新方法。在分析8轮AES-192时，利用密钥扩展算法确定了在特定相关密钥差分下的前8轮子密钥所有确切差分值。新方法攻击8轮AES-192仅需2⁴⁵选择明文，2⁴⁰存储以及2¹⁶⁷的8轮AES-192加密。5．利用AES-128密钥扩展算法的特点，并选择合适的相关密钥，结合矩形攻击，首次给出相关密钥矩形攻击7轮AES-128的方法。该方法攻击7轮AES-128需要2¹¹⁵选择明文（256个相关密钥）以及2¹¹⁵的7轮AES-128加密，成功恢复密钥的概率约为95．8％。6．利用模式的局部差分恒等原理，针对PMAC和TMAC-V两种基于分组密码的工作模式，给出一种新的随机消息伪造攻击。该攻击可对随机消息的PMAC和TMAC-V进行伪造，伪造的成功概率均为86．5％，高于已有文献中63％的成功概率。对PMAC输出无截断的攻击复杂度为[0，2^n/2+1，1，0]，输出有截断的攻击复杂度为[0，2^n/2+1，「n/τ（?）,2^n-τ]；对TMAC-V的攻击复杂度为[0，2^n/2+1，1，0]。更多还原

【Abstract】 Modern cryptological theory and technology are important basis of information security. Block cipher is an important branch of cryptology, and it has many attractive features such as high rates, easy for standardization, and efficient for both software and hardware implementations. Block cipher is usually core components in information and Internet security for data encryption, data signature, authentication and key management. This dissertation investigates the techniques for cryptanalysis of block ciphers, with emphasis on Advanced Encryption Standard （AES）. The author obtains main results as follows:1.An impossible differential property for 4-round AES is determined. Based on this property, a new method is proposed for cryptanalyzing the 6-round AES. This attack on the reduced 6-round AES requires about 2^99.5 chosen plaintexts, performs 2⁸⁵ 6-round AES encryptions, and demands 2⁵⁷ words of memory.2.Two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256 are presented, by exploiting weaknesses in their key schedule. This attack on the reduced to 7-round AES-192 requires about 2¹⁰⁶ chosen plaintexts, performs 2¹⁵⁷ 7-round AES-192 encryptions, and demands 2¹²⁹ words of memory. Furthermore, this attack on the reduced to 8-round AES-256 requires about 2¹⁰³ chosen plaintexts, performs 2²⁴⁴ 8-round AES-256 encryptions, and demands 2²¹⁷ words of memory.3.SMS4 is the first commercial block cipher published by our government. By analyzing the changes of its difference between input and output pairs in each round, an impossible differential is presented for 14-round SMS4. Based on this property, a new method is proposed for cryptanalyzing the 17-round SMS4. This attack on the reduced 17-round SMS4 requires about 2¹⁰³ chosen plaintexts, performs 2¹²⁴ 17-round SMS4 encryptions, and demands 2⁸⁹ words of memory. Furthermore, it is only 2^-88.7 of the probability to fail to recover the secret key.4.Two new methods are presented for related-key Square attack on 7-round and 8-round AES-192, by exploiting appropriate related-key differences of AES-192 and weaknesses in their key schedule. When the related-key of AES-192 is appointed, the exact difference of subkey is determined in the first 8 rounds using the property of its key schedule. This attack on the reduced to 8-round AES-192 requires only about 2⁴⁵ chosen plaintexts, demands 2⁴⁰ memory, performs 2¹⁶⁷ 8-round AES-192 encryptions.5.A method for related-key rectangle attack on 7-round AES-128 is firstly proposed, by exploiting appropriate related-key differences of AES-128 and weaknesses in their key schedule. This attack on the reduced to 7-round AES-128 requires about 2¹¹⁵ chosen plaintexts with 256 related keys, performs 2¹¹⁵ 7-round AES-128 encryptions. Furthermore, the probability is about 95.8% to succeed in recovering the secret key.6.A new forgery attack on PMAC and TMAC-V based on block ciphers with random message is presented, which make use of the principle of differential identical in part of the mode. The new attack can forge the PMAC and TMAC-V of random message, with a probability of 86.5% higher than 63% in the known reference. The complexity of this new attack is [0, 2^n/2+1, 1, 0] for PMAC where no truncation is performed. For PMAC where truncation is performed, the complexity of this attack is [0, 2^n/2+1,[n/τ],2^n-τ]. And thecomplexity of this attack is [0, 2^n/2+1,1, 0] for TMAC-V.更多还原