对罗卡的一次新颖而独特的攻击

IF 1.5 4区计算机科学 Q3 ENGINEERING, ELECTRICAL & ELECTRONIC

IET Communications Pub Date : 2025-02-04 DOI:10.1049/cmu2.70008

Nan Liu, Chenhui Jin, Junwei Yu, Jie Guan, Ting Cui

{"title":"对罗卡的一次新颖而独特的攻击","authors":"Nan Liu, Chenhui Jin, Junwei Yu, Jie Guan, Ting Cui","doi":"10.1049/cmu2.70008","DOIUrl":null,"url":null,"abstract":"The security of an encryption algorithm often hinges on the indistinguishability between ciphertext and random numbers. In block ciphers, pseudorandomness and super-pseudorandomness are commonly used to depict the indistinguishability between ciphertext and random numbers. Whereas, stream cipher algorithms can be viewed as functions of variables such as the key K, initialization vector IV, and plaintext M. For an ideal stream cipher algorithm, the ciphertext sequences for any two different plaintexts should exhibit good independence across various K-IV pairs. Consequently, the probability of the two ciphertext sequences being equal or having sufficiently long matching segments should be negligible. This study examines a new type of attack that stems from key commitment attacks. By exploiting the independence between the ciphertext sequences, a novel distinguishing attack against the stream cipher is constructed and applied to the encryption of Rocca. Focusing on the authenticated encryption algorithm Rocca, a guess-and-determine method is employed to demonstrate that for any plaintext and two different sets of <math>\n <semantics>\n <mrow>\n <mo>(</mo>\n <mrow>\n <mi>k</mi>\n <mi>e</mi>\n <mi>y</mi>\n <mo>,</mo>\n <mi>N</mi>\n <mi>o</mi>\n <mi>n</mi>\n <mi>c</mi>\n <mi>e</mi>\n <mo>,</mo>\n <mi>A</mi>\n <mi>D</mi>\n </mrow>\n <mo>)</mo>\n </mrow>\n <annotation>$( {key,Nonce,AD} )$</annotation>\n </semantics></math>, another plaintext can be found with a time complexity <math>\n <semantics>\n <mrow>\n <mi>O</mi>\n <mo>(</mo>\n <msup>\n <mn>2</mn>\n <mn>160</mn>\n </msup>\n <mo>)</mo>\n </mrow>\n <annotation>$O( {{{2}^{160}}} )$</annotation>\n </semantics></math>, resulting in identical ciphertext sequences except for the initial <math>\n <semantics>\n <mrow>\n <mn>4</mn>\n <mo>×</mo>\n <mn>256</mn>\n </mrow>\n <annotation>$4 \\times 256$</annotation>\n </semantics></math> bits. Furthermore, it is proved that under chosen plaintext conditions, the time complexity of this distinguishing attack is <math>\n <semantics>\n <mrow>\n <mi>O</mi>\n <mo>(</mo>\n <msup>\n <mn>2</mn>\n <mn>96</mn>\n </msup>\n <mo>)</mo>\n </mrow>\n <annotation>$O( {{{2}^{96}}} )$</annotation>\n </semantics></math>. These findings imply that Rocca does not offer 256-bit security against such distinguishing attacks, providing valuable insights into the design of round update functions for stream ciphers like Rocca.","PeriodicalId":55001,"journal":{"name":"IET Communications","volume":"19 1","pages":""},"PeriodicalIF":1.5000,"publicationDate":"2025-02-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1049/cmu2.70008","citationCount":"0","resultStr":"{\"title\":\"A novel distinguishing attack on Rocca\",\"authors\":\"Nan Liu, Chenhui Jin, Junwei Yu, Jie Guan, Ting Cui\",\"doi\":\"10.1049/cmu2.70008\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The security of an encryption algorithm often hinges on the indistinguishability between ciphertext and random numbers. In block ciphers, pseudorandomness and super-pseudorandomness are commonly used to depict the indistinguishability between ciphertext and random numbers. Whereas, stream cipher algorithms can be viewed as functions of variables such as the key K, initialization vector IV, and plaintext M. For an ideal stream cipher algorithm, the ciphertext sequences for any two different plaintexts should exhibit good independence across various K-IV pairs. Consequently, the probability of the two ciphertext sequences being equal or having sufficiently long matching segments should be negligible. This study examines a new type of attack that stems from key commitment attacks. By exploiting the independence between the ciphertext sequences, a novel distinguishing attack against the stream cipher is constructed and applied to the encryption of Rocca. Focusing on the authenticated encryption algorithm Rocca, a guess-and-determine method is employed to demonstrate that for any plaintext and two different sets of <math>\\n <semantics>\\n <mrow>\\n <mo>(</mo>\\n <mrow>\\n <mi>k</mi>\\n <mi>e</mi>\\n <mi>y</mi>\\n <mo>,</mo>\\n <mi>N</mi>\\n <mi>o</mi>\\n <mi>n</mi>\\n <mi>c</mi>\\n <mi>e</mi>\\n <mo>,</mo>\\n <mi>A</mi>\\n <mi>D</mi>\\n </mrow>\\n <mo>)</mo>\\n </mrow>\\n <annotation>$( {key,Nonce,AD} )$</annotation>\\n </semantics></math>, another plaintext can be found with a time complexity <math>\\n <semantics>\\n <mrow>\\n <mi>O</mi>\\n <mo>(</mo>\\n <msup>\\n <mn>2</mn>\\n <mn>160</mn>\\n </msup>\\n <mo>)</mo>\\n </mrow>\\n <annotation>$O( {{{2}^{160}}} )$</annotation>\\n </semantics></math>, resulting in identical ciphertext sequences except for the initial <math>\\n <semantics>\\n <mrow>\\n <mn>4</mn>\\n <mo>×</mo>\\n <mn>256</mn>\\n </mrow>\\n <annotation>$4 \\\\times 256$</annotation>\\n </semantics></math> bits. Furthermore, it is proved that under chosen plaintext conditions, the time complexity of this distinguishing attack is <math>\\n <semantics>\\n <mrow>\\n <mi>O</mi>\\n <mo>(</mo>\\n <msup>\\n <mn>2</mn>\\n <mn>96</mn>\\n </msup>\\n <mo>)</mo>\\n </mrow>\\n <annotation>$O( {{{2}^{96}}} )$</annotation>\\n </semantics></math>. These findings imply that Rocca does not offer 256-bit security against such distinguishing attacks, providing valuable insights into the design of round update functions for stream ciphers like Rocca.\",\"PeriodicalId\":55001,\"journal\":{\"name\":\"IET Communications\",\"volume\":\"19 1\",\"pages\":\"\"},\"PeriodicalIF\":1.5000,\"publicationDate\":\"2025-02-04\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://onlinelibrary.wiley.com/doi/epdf/10.1049/cmu2.70008\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IET Communications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://onlinelibrary.wiley.com/doi/10.1049/cmu2.70008\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"ENGINEERING, ELECTRICAL & ELECTRONIC\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IET Communications","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1049/cmu2.70008","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}

引用次数: 0

摘要

加密算法的安全性往往取决于密文和随机数之间的不可区分性。在分组密码中，通常使用伪随机性和超伪随机性来描述密文和随机数之间的不可区分性。然而，流密码算法可以被视为诸如密钥K、初始化向量IV和明文m等变量的函数。对于理想的流密码算法，任何两个不同明文的密文序列应该在各种K-IV对之间表现出良好的独立性。因此，两个密文序列相等或具有足够长的匹配段的概率应该可以忽略不计。本研究探讨了一种源于关键承诺攻击的新型攻击。利用密文序列之间的独立性，构造了一种新的针对流密码的区分攻击方法，并将其应用于Rocca加密。以经过认证的加密算法Rocca为重点，采用一种猜测-确定的方法来证明，对于任何明文和两组不同的（k y， N， N, c, e），AD)$ ({key,Nonce,AD})$，另一个明文可以找到时间复杂度为O(2 160)$ O({{{2}^{160}}})$，产生相同的密文序列，除了初始的4 × 256$ 4 \乘以256$位。进一步证明了在选择明文条件下，该区分攻击的时间复杂度为O(2 96)$ O({{{2}^{96}}})$。这些发现表明，Rocca不能提供256位的安全性来抵御这种明显的攻击，这为像Rocca这样的流密码的轮更新功能的设计提供了有价值的见解。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

A novel distinguishing attack on Rocca

查看原文本刊更多论文

A novel distinguishing attack on Rocca

The security of an encryption algorithm often hinges on the indistinguishability between ciphertext and random numbers. In block ciphers, pseudorandomness and super-pseudorandomness are commonly used to depict the indistinguishability between ciphertext and random numbers. Whereas, stream cipher algorithms can be viewed as functions of variables such as the key K, initialization vector IV, and plaintext M. For an ideal stream cipher algorithm, the ciphertext sequences for any two different plaintexts should exhibit good independence across various K-IV pairs. Consequently, the probability of the two ciphertext sequences being equal or having sufficiently long matching segments should be negligible. This study examines a new type of attack that stems from key commitment attacks. By exploiting the independence between the ciphertext sequences, a novel distinguishing attack against the stream cipher is constructed and applied to the encryption of Rocca. Focusing on the authenticated encryption algorithm Rocca, a guess-and-determine method is employed to demonstrate that for any plaintext and two different sets of $(k e y, N o n c e, A D)$ , another plaintext can be found with a time complexity $O (2^{160})$ , resulting in identical ciphertext sequences except for the initial $4 \times 256$ bits. Furthermore, it is proved that under chosen plaintext conditions, the time complexity of this distinguishing attack is $O (2^{96})$ . These findings imply that Rocca does not offer 256-bit security against such distinguishing attacks, providing valuable insights into the design of round update functions for stream ciphers like Rocca.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IET Communications 工程技术-工程：电子与电气

CiteScore

4.30

自引率

6.20%

发文量

220

审稿时长

5.9 months

期刊介绍： IET Communications covers the fundamental and generic research for a better understanding of communication technologies to harness the signals for better performing communication systems using various wired and/or wireless media. This Journal is particularly interested in research papers reporting novel solutions to the dominating problems of noise, interference, timing and errors for reduction systems deficiencies such as wasting scarce resources such as spectra, energy and bandwidth. Topics include, but are not limited to: Coding and Communication Theory; Modulation and Signal Design; Wired, Wireless and Optical Communication; Communication System Special Issues. Current Call for Papers: Cognitive and AI-enabled Wireless and Mobile - https://digital-library.theiet.org/files/IET_COM_CFP_CAWM.pdf UAV-Enabled Mobile Edge Computing - https://digital-library.theiet.org/files/IET_COM_CFP_UAV.pdf