With the rapid development of 5G, the Internet of Things and big data technology, people enjoy more convenience in every aspect of work, study and life, but data security has become a focus of concern. As the mainstream information encryption system, symmetric encryption plays a very important role in data encryption and authentication because of its fast encryption and decryption, high security and ease of standardization. In particular, owing to their low power consumption, low latency and low resource consumption, lightweight symmetric encryption algorithms are well suited to data security in resource-constrained environments, such as the protection of data on mobile devices in the Internet of Things. The design and security analysis of lightweight symmetric encryption algorithms has therefore been a focus of international discussion. In recent years, security analysis of cryptographic algorithms with automated search tools such as Mixed Integer Linear Programming (MILP) has become a hot research topic in academia. However, different automated analysis models affect both the efficiency and the accuracy of cryptanalysis, and these models are closely tied to how the core components of a symmetric encryption algorithm are decomposed. Building an efficient and high-precision automated analysis model for these core components is a difficult task. This thesis focuses on automated analysis methods for the core components of symmetric encryption algorithms and their application in security evaluation. The main content includes: new automated analysis tools (MILP models) for the core cryptographic components are designed for nonlinear S-boxes, linear permutation components and nonlinear Boolean systems respectively. Based on these tools, new distinguishers, such as zero-sum distinguishers, integral distinguishers and impossible differential distinguishers, are constructed for lightweight symmetric encryption algorithms including KNOT, ACE, MORUS, iSCREAM variants and Midori64 variants, and new security evaluation results for these algorithms are given. The main results are as follows.

(1) A new method to model the division property propagation of an S-box is proposed, and the resistance of the lightweight symmetric encryption algorithm KNOT against zero-sum distinguishing attacks is evaluated. Based on the flag technique of the division property, a method for describing the division property propagation of an S-box is given. Combining this method with the structural characteristics and component properties of the KNOT-256 permutation, a model of division property propagation for KNOT is established, which yields an automated search tool for zero-sum distinguishers of KNOT. The experimental results show that there exists a 30-round zero-sum distinguisher for the KNOT-256 permutation with a data complexity of about 2^248 chosen data. Compared with previous results, this distinguisher covers the largest number of rounds. Although it does not practically threaten the security of the KNOT authenticated encryption algorithm (the number of initialization rounds is 52 for KNOT-256), this work confirms that the new zero-sum distinguisher search tool is novel and effective.

(2) A new method for describing word-oriented trail propagation in linear components by inequalities is proposed, and the security of both the ACE cipher and its variants is evaluated automatically with it. Based on the characteristics of the XOR and linear permutation operations, a mathematical description of word-oriented trails is given. The automated searches for integral distinguishers and impossible differential distinguishers are then transformed into MILP problems, so that automatic search tools for both are obtained. The security of both the ACE permutation and its variants is evaluated with this tool. The experimental results show that the impossible differential distinguisher and the integral distinguisher of the ACE permutation can each cover up to 12 steps, which is 4 steps more than the previously known results in the original design document. Furthermore, it is shown that when the linear permutation in ACE is updated to the (4,2,3,0,1) rule, the ACE variant is stronger than the original version against both integral attacks and impossible differential attacks.

(3) A new automated method for detecting the existing terms in the superpoly recovery phase is proposed, and the security of the MORUS cipher is evaluated with it. Based on the cube attack and the division property, a new method for detecting which terms exist in the superpoly is proposed. Compared with previous methods, the new one reduces the number of solver calls, so that the time complexity of the cube attack is further reduced. The experimental results show that key recovery attacks can be applied to 6/7-step MORUS-640-128 (the best previously available key recovery attack on MORUS-640-128 reaches 5.5 steps). Furthermore, integral distinguishers for 7-step MORUS-640-128 and MORUS-1280-256 are also obtained.

(4) A new method for automatically computing the nonlinear invariant functions of a nonlinear layer is proposed, and the security of both the iSCREAM variant cipher and the Midori64 variant cipher against the generalized nonlinear invariant attack is evaluated. By adding a pair of constants to the input of the nonlinear invariant function, a new method for solving the generalized nonlinear invariant function of an S-box is given. First, the security of the iSCREAM variant cipher is evaluated with this method. Simulation results show that the full-round iSCREAM variant cannot resist the generalized nonlinear invariant attack, with a weak-key class of size about 2^80. Notably, the original nonlinear invariant attack cannot be applied to this iSCREAM variant over the full rounds, which indicates that the generalized nonlinear invariant attack is novel and effective. Moreover, in order to enhance the resistance of block ciphers against the generalized nonlinear invariant attack, the concept of closed-loop invariants of an S-box is proposed, and the relationship between robust round constants and closed-loop invariants is described.
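As an added illustration of the S-box modelling in result (1), and not code from the thesis, the following Python example computes the bit-based division property propagation table of a 4-bit S-box from the algebraic normal form (ANF) of its output bits. It uses the plain table-based method (a trail k -> k' is valid when y^{k'} contains a monomial x^u with u covering k, and the output set is reduced to its minimal elements), not the flag technique the thesis builds on. The PRESENT S-box is used only as a concrete, well-known test vector; the thesis targets KNOT. The resulting (k, k') point set is what an MILP model's linear inequalities must cut out exactly.

```python
# Added example, not code from the thesis: bit-based division property
# propagation through a 4-bit S-box, computed from the ANF of its output bits
# (table-based method, without the flag technique used in the thesis).
# The PRESENT S-box is used only as a concrete, well-known test vector.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4  # S-box width in bits; a monomial x^u is encoded as the bit mask u


def anf_of_output_bit(sbox, i, n=N):
    """ANF of output bit y_i as a set of monomial masks (bit j of a mask set <=> x_j present)."""
    coeff = [(sbox[x] >> i) & 1 for x in range(1 << n)]   # truth table of y_i
    for j in range(n):                                     # fast Moebius transform, in place
        for x in range(1 << n):
            if x & (1 << j):
                coeff[x] ^= coeff[x ^ (1 << j)]
    return {u for u in range(1 << n) if coeff[u]}


def multiply_anf(p, q):
    """Product of two ANFs in GF(2)[x]/(x_i^2 + x_i): monomials merge by OR, coefficients cancel mod 2."""
    result = set()
    for a in p:
        for b in q:
            result ^= {a | b}
    return result


def anf_of_output_monomial(sbox, kp, n=N):
    """ANF of y^{k'} = prod_{i : k'_i = 1} y_i, written as a polynomial in the input bits."""
    poly = {0}  # the constant monomial 1
    for i in range(n):
        if kp & (1 << i):
            poly = multiply_anf(poly, anf_of_output_bit(sbox, i, n))
    return poly


def division_trails(sbox, k, n=N):
    """Output division property for input vector k, reduced to its minimal elements.
    k -> k' is a valid trail iff some monomial x^u with u >= k (bitwise) occurs in y^{k'}."""
    reachable = {kp for kp in range(1 << n)
                 if any(u & k == k for u in anf_of_output_monomial(sbox, kp, n))}
    # a vector k' is redundant if a smaller k'' (k'' <= k' bitwise) is already reachable
    return {kp for kp in reachable
            if not any(o != kp and o & kp == o for o in reachable)}


def trail_table(sbox, n=N):
    """All valid (k, k') pairs of the S-box: the 2n-bit point set that the linear
    inequalities of an MILP model must cut out exactly (e.g. via an H-representation)."""
    return sorted((k, kp) for k in range(1 << n) for kp in division_trails(sbox, k, n))


if __name__ == "__main__":
    for k in range(1 << N):
        outs = sorted(f"{kp:0{N}b}" for kp in division_trails(PRESENT_SBOX, k))
        print(f"{k:0{N}b} -> {outs}")
    print(len(trail_table(PRESENT_SBOX)), "valid division trails in total")
```

Two sanity checks hold for any bijective S-box and are worth keeping when adapting this to another S-box: the input vector 0 propagates only to 0, and the all-ones vector propagates only to the all-ones vector, because the product of all output bits is the indicator of a single point and is the only y^{k'} whose ANF contains the top-degree monomial.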
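As an added illustration of result (4), and not code from the thesis, the following Python example searches for the nonlinear invariants of a 4-bit S-box in the standard sense of Todo, Leander and Sun (Boolean functions g with g(S(x)) ^ g(x) equal to a fixed constant for every x) and then checks which XORed round constants each invariant survives, i.e. which constants are linear structures of g. The generalized invariant with a pair of input constants and the closed-loop invariants introduced in the thesis are not reproduced here; the example only shows the basic relationship between invariants and round constants that the thesis refines. The PRESENT S-box is again used only as a concrete test vector.

```python
# Added example, not code from the thesis: brute-force search for nonlinear
# invariants of a 4-bit S-box (Todo, Leander and Sun, 2016), i.e. Boolean
# functions g with g(S(x)) ^ g(x) = c for every x, plus a check of which XORed
# round constants each invariant tolerates. The PRESENT S-box is used only as
# a concrete, well-known test vector.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4
ALL_ONES = (1 << (1 << N)) - 1   # truth table of the constant function g = 1


def g_at(tt, x):
    """Evaluate a Boolean function stored as an integer truth table: bit x of tt is g(x)."""
    return (tt >> x) & 1


def invariant_constant(tt, sbox):
    """Return c if g(S(x)) ^ g(x) == c for every x, else None."""
    c = g_at(tt, sbox[0]) ^ g_at(tt, 0)
    return c if all(g_at(tt, sbox[x]) ^ g_at(tt, x) == c for x in range(len(sbox))) else None


def find_invariants(sbox, n=N):
    """Enumerate all 2^(2^n) Boolean functions (65536 for n = 4); return [(tt, c)] for the invariants."""
    found = []
    for tt in range(1 << (1 << n)):
        c = invariant_constant(tt, sbox)
        if c is not None:
            found.append((tt, c))
    return found


def cycle_count(sbox):
    """Number of cycles of the S-box permutation. With c = 0 an invariant is exactly a
    function that is constant on every cycle, so there are 2^cycles such invariants;
    c = 1 is only possible when every cycle has even length."""
    seen, cycles = set(), 0
    for start in range(len(sbox)):
        if start not in seen:
            cycles += 1
            x = start
            while x not in seen:
                seen.add(x)
                x = sbox[x]
    return cycles


def is_linear_structure(tt, const, n=N):
    """True if g(x ^ const) ^ g(x) is the same for every x: XORing const keeps g invariant."""
    d = g_at(tt, const) ^ g_at(tt, 0)
    return all(g_at(tt, x ^ const) ^ g_at(tt, x) == d for x in range(1 << n))


def tolerant_invariants(invariants, const, n=N):
    """Non-constant invariants (from find_invariants) that also survive the round constant const.
    A constant for which this list is empty breaks every non-trivial invariant of the S-box."""
    return [tt for tt, _ in invariants
            if tt not in (0, ALL_ONES) and is_linear_structure(tt, const, n)]


if __name__ == "__main__":
    inv = find_invariants(PRESENT_SBOX)
    print(len(inv), "invariants,", cycle_count(PRESENT_SBOX), "cycles")
    for const in range(1 << N):
        survivors = tolerant_invariants(inv, const)
        print(f"constant {const:04b}: {len(survivors)} non-constant invariants survive")
```

For the PRESENT S-box the permutation has four cycles, one of odd length, so all 16 invariants have c = 0 and the only invariants that survive the complement constant 1111 are the two constant functions; a round-constant schedule that avoids the common linear structures of the S-box invariants is exactly what the robust round constants of the thesis aim for.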