With the continuous development and convergence of 5G, industrial Internet, and Internet of Things technologies, the protection of personal and commercial privacy information has attracted widespread attention. A block cipher is an encryption system in which both communicating parties hold the same secret key to protect the transmission of information over an open channel. It has the advantages of high encryption efficiency and high throughput. Block ciphers are widely used in network transmission and computer storage, so their security needs to be thoroughly evaluated. A secure block cipher must be able to resist known cryptanalysis methods, such as differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis, and zero-correlation linear cryptanalysis.

This work focuses on the security analysis of block ciphers. Firstly, aiming at the tweakable block ciphers designed in recent years with a focus on the construction of encryption modes, we exploit the influence of the tweak and the key schedule on the security of the cipher, and propose a zero-correlation linear approximation that treats the public and secret inputs, such as plaintext, tweak, and key, equally in order to obtain longer distinguishers. This method works at the bit level. By precisely modeling the propagation of linear masks, a new SAT-based automatic search framework for zero-correlation linear approximations is proposed. Secondly, for the AEAD scheme ESTATE, a second-round candidate of the NIST lightweight AEAD competition, we study the influence of the short tweak of its tweakable primitive TweAES. We also find an error in the security analysis of the design document, and propose an optimal 8-round related-tweak impossible differential key recovery attack. Finally, since SIMON is vulnerable to the differential/linear clustering effect, we propose a dynamic-window based differential/linear hull probability estimation method. Then, we propose the optimal differential/linear key recovery attacks on different versions of SIMON. For SIMON-like ciphers with different rotation constants, the influence of the rotation constants on their resistance to the clustering effect is further evaluated.

Proposing zero-correlation linear cryptanalysis with equal treatment of plaintexts, keys, and tweaks, and a SAT-based automated search.

The contradiction in the zero-correlation linear approximation proposed by Ankele et al. occurs in the tweak schedule, and their method is only applicable to ciphers with a linear tweak schedule. Moreover, the search for the linear approximation is deduced manually and thus cannot provide detailed analysis results. On the other hand, an explicit description of the mask settings for the output mask of the tweak schedule is not provided. Thus, specifying the mask setting of the newly introduced inputs, such as keys and tweaks, and constructing a unified framework for the zero-correlation linear approximation are essential for building the SAT-based automated search model. By introducing some bits of the plaintext, key, and tweak into the linear approximation, and setting the mask to zero at the output of the key and tweak schedules, we propose a unified framework for zero-correlation linear approximation. In this framework, all the public and secret inputs of the target cipher are treated equally, which expands the search space of zero-correlation linear approximations and has the potential to yield longer distinguishers. Based on this framework, we propose an automated search method based on SAT/SMT working at the bit level, which makes the automatic search model suitable for ciphers with linear and nonlinear key (tweak) schedules. With this method, the longest distinguishers of TWINE-80 and TWINE-128 are extended by two rounds and one round, respectively. We improve the zero-correlation linear distinguisher of LBlock by one round. We also improve the zero-correlation linear distinguishers of SKINNY-64/128 and SKINNY-64/192 by one round.

Proposing the best related-tweak impossible differential cryptanalysis of reduced-round TweAES.

The addition of the tweak not only affects zero-correlation linear cryptanalysis, but also lengthens the impossible differential distinguisher. TweAES, as a tweakable variant of AES-128, provides a more efficient way to handle the need for domain separation when encrypting short messages. We study the properties of the newly added 4-bit short tweak, and from this find that the related-tweak impossible differential attack against 8-round TweAES proposed in the design document is invalid. To further evaluate the security of TweAES against impossible differential cryptanalysis, we use the automatic solver STP to search for more efficient 5.5-round impossible differential distinguishers, and propose an optimal 8-round TweAES key recovery attack. The complexity of our 7-round TweAES key recovery attack is much lower than that of the 6-round attack in the design document. This attack is the first third-party cryptanalysis result against TweAES.

Proposing the dynamic-window-based differential/linear hull probability evaluation method and improving differential and linear cryptanalysis on round-reduced SIMON.

In differential and linear cryptanalysis, it is computationally hard to estimate the probability of a differential and the capacity of a linear hull, because a differential or linear hull contains a large number of differential or linear trails. How to accurately estimate the probability/capacity of a differential/linear hull is still an open problem. At ASIACRYPT 2021, Leurent et al. proposed a differential/linear hull probability estimation method based on a transition matrix. Applied to SIMECK, the method improved its best attack by several rounds. However, they indicated that there is potential for improvement when it is applied to SIMON. Unlike Leurent et al.'s method, which uses fixed positions (the w least significant bits) in each round when constructing the differential/linear transition matrix, we select the window dynamically according to the diffusion of the input difference/mask in each round. How to select these windows for SIMON thus becomes the research target. Focusing on this problem, we propose the dynamic window (DW) strategy. To take advantage of the diffusion of the input difference/mask, we propose the minimum loss window (MLW) strategy, based on an active probability test, and the link window in the middle (LWIM) strategy to build dynamic windows. Based on these heuristic window-selection strategies, better differentials and linear hulls are obtained. These newly obtained distinguishers are improved in terms of the Hamming weight of the input and output difference/mask, the number of rounds, and the probability/capacity. Based on them, we propose the best differential/linear key recovery attacks on reduced-round SIMON. Specifically, we extend the differential/linear attacks against the small-block variants SIMON48 and SIMON64 by two rounds. For SIMON96/96, the linear attack reduces the security margin from 17.3% to 15.4%. When applied to SIMON-like ciphers with different rotation constants, we observe that dynamic windows not only approach the lower bound of the DP or ELP faster but also apply to variants with some special rotation constants, namely (c > a, b). It is worth noting that the static window method proposed by Leurent et al. is a special case of the dynamic window method, in which the window of each round is the w least significant bits.
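The clustering effect that motivates the dynamic-window estimator above can be made visible on a toy scale. The following Python is an added example, not code from the thesis or from Leurent et al.: it implements the actual SIMON32 round function (16-bit words, rotation constants 1, 8, 2), derives the exact distribution of differences through the non-linear function f by using the fact that f(x) ^ f(x ^ α) is an affine function of x (so the reachable output differences form a coset, each with probability 2^-rank), and then enumerates every 4-round differential trail from a constructed input difference so that the hull probability of an output difference can be compared with its best single trail. The input difference (0x0000, 0x0001), the 4-round horizon and all function names are assumptions made for this demonstration; the sum over trails relies on the usual round-independence assumption.

```python
"""Differential clustering in reduced-round SIMON32 (added example).

The round function and rotation constants are SIMON32's; the input difference
(0x0000, 0x0001) and the 4-round horizon are constructed for the demonstration.
Round-key XORs do not change XOR differences, so no key material is needed.
"""
from collections import Counter
from functools import lru_cache

N = 16                      # word size of SIMON32
MASK = (1 << N) - 1
A, B, C = 1, 8, 2           # SIMON rotation constants (a, b, c); change to study SIMON-like variants


def rol(x, r):
    """Rotate an N-bit word left by r positions."""
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK


def f(x):
    """SIMON non-linear function: (S^a(x) & S^b(x)) ^ S^c(x)."""
    return (rol(x, A) & rol(x, B)) ^ rol(x, C)


def simon_round(left, right, key):
    """One SIMON Feistel round: (L, R) -> (R ^ f(L) ^ k, L)."""
    return right ^ f(left) ^ key, left


@lru_cache(maxsize=None)
def f_differences(alpha):
    """Exact distribution of beta = f(x) ^ f(x ^ alpha) over all x.

    Expanding f(x ^ alpha) gives
        beta = S^c(alpha) ^ (S^a(alpha) & S^b(alpha))            # constant part
               ^ (S^a(x) & S^b(alpha)) ^ (S^b(x) & S^a(alpha))   # linear in x
    so beta is uniform over a coset of the image of the linear part and every
    reachable beta has probability 2^-rank.  Returns (frozenset of betas, prob).
    """
    const = rol(alpha, C) ^ (rol(alpha, A) & rol(alpha, B))
    basis = {}                                   # pivot bit -> basis vector
    for i in range(N):                           # image of each unit vector
        v = (rol(1 << i, A) & rol(alpha, B)) ^ (rol(1 << i, B) & rol(alpha, A))
        while v:                                 # Gaussian elimination over GF(2)
            pivot = v.bit_length() - 1
            if pivot in basis:
                v ^= basis[pivot]
            else:
                basis[pivot] = v
                break
    span = [0]
    for b in basis.values():                     # enumerate the 2^rank image
        span += [s ^ b for s in span]
    return frozenset(const ^ s for s in span), 2.0 ** -len(basis)


def brute_force_matches(alpha):
    """Cross-check f_differences(alpha) against exhaustive enumeration of x."""
    counts = Counter(f(x) ^ f(x ^ alpha) for x in range(1 << N))
    betas, prob = f_differences(alpha)
    return set(counts) == set(betas) and all(c / (1 << N) == prob for c in counts.values())


def differential_hull(dl, dr, rounds):
    """Enumerate all differential trails over `rounds` SIMON rounds from (dl, dr).

    Returns {output difference: (hull probability, best single-trail probability,
    number of trails)}.  Trails that reach the same intermediate difference are
    merged, which is exact for the hull sum under the Markov assumption.
    """
    states = {(dl, dr): (1.0, 1.0, 1)}
    for _ in range(rounds):
        nxt = {}
        for (l, r), (total, best, count) in states.items():
            betas, p = f_differences(l)          # f acts on the left word
            for beta in betas:
                key = (r ^ beta, l)
                t, b, c = nxt.get(key, (0.0, 0.0, 0))
                nxt[key] = (t + total * p, max(b, best * p), c + count)
        states = nxt
    return states


def most_clustered(dl, dr, rounds):
    """Output difference with the highest hull probability, and its statistics."""
    hull = differential_hull(dl, dr, rounds)
    out = max(hull, key=lambda k: hull[k][0])
    return out, hull[out]


if __name__ == "__main__":
    import math
    (x, y), (total, best, count) = most_clustered(0x0000, 0x0001, 4)
    print(f"4-round SIMON32 differential (0x0000, 0x0001) -> ({x:#06x}, {y:#06x})")
    print(f"  best single trail: 2^{math.log2(best):.2f}")
    print(f"  hull over {count} trails: 2^{math.log2(total):.2f}")
```

For the constructed input difference, the 4-round output differences (*, 0x0011) each collect four trails whose probabilities sum to 13/2048 (about 2^-7.3), against 2^-8 for the best single trail; this gap between trail and hull is the clustering the abstract refers to. The enumeration is exact but grows with the number of intermediate differences, which is what makes it infeasible for the full round counts of SIMON and why transition-matrix and window-based estimators restrict the set of tracked difference bits instead. Changing A, B, C allows the same comparison for SIMON-like rotation variants.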