
Research On Differential And Linear Provable Security Of Lai-Massey Scheme

Posted on: 2014-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: L S Fu
Full Text: PDF
GTID: 2268330401476805
Subject: Cryptography
Abstract/Summary:
The analysis of the Lai-Massey scheme is one of the current focuses of cryptography. X. Lai and J. Massey proposed the Lai-Massey scheme, on which they based the design of IDEA. In 2004, Serge Vaudenay designed FOX using the Lai-Massey scheme. FOX has high performance on various platforms.

The results of this dissertation contribute to the provable security of the Lai-Massey scheme in three directions. Firstly, this paper studies the principle of the function σ in the Lai-Massey scheme, which is described by its resistance to differential and linear attacks. Secondly, this paper examines the differential and linear security of the Lai-Massey scheme, focusing mainly on the infimum of the number of active F-functions in the differential characteristic chain and the linear approximation chain. Finally, this paper gives the differential and linear provable security of the Lai-Massey scheme with an SPS network as its F-function. The infimum of the number of differentially and linearly active S-boxes in the Lai-Massey scheme with an SPS network is the main object of study, and the practical security of FOX is presented.

This paper shows that for the Lai-Massey scheme on a finite Abelian group, if σ is affine, then it should be designed as an orthomorphism and not as an α-almost orthomorphism; otherwise there exists a differential characteristic with probability 1 and a linear approximation with correlation coefficient 1 for any number of rounds t. So if σ is affine, it should not be designed as an α-almost orthomorphism.

In studying the differential and linear provable security of the Lai-Massey scheme, this paper gives the periodic differential characteristic chain and shows that there are at least t2 active F-functions in a t-round differential characteristic chain for the Lai-Massey scheme. In addition, a kind of chain that attains the infimum number of active F-functions is presented. Moreover, when F is an orthomorphism, this paper shows that the infimum of the number of active F-functions in the n-round differential characteristic chain is the same as that of the Feistel scheme. For the linear security of the Lai-Massey scheme, this paper introduces a dual model of a Lai-Massey scheme and proves that there exists a dual property between the differential characteristic chain and the linear approximation chain of its dual model. The corresponding results on the linear provable security of the Lai-Massey scheme therefore follow directly from the results on its differential provable security.

For the Lai-Massey scheme with an SPS network as its F-function, this paper mainly gives the infimum of the number of differentially and linearly active S-boxes when both the differential number and the linear branch number of P are odd. Based on those results, this paper shows that there does not exist any useful differential characteristic chain or linear approximation chain after 6 rounds for FOX64, which improves on the previous result that there does not exist any useful differential characteristic chain or linear approximation chain after 8 rounds for FOX64.
Keywords/Search Tags:Block Cipher, Provable Security, Active Number Index, SPS Network, Lai-Massey Scheme
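
The abstract's point about σ can be checked on a toy instance: when a linear σ is not an orthomorphism, some nonzero Δ satisfies σ(Δ) = Δ, and the input difference (Δ, Δ) then passes every round with probability 1 without ever activating F. The Python sketch below is an added example, not code from the thesis; it assumes the standard Lai-Massey round (L, R) → (σ(L + F(L − R)), R + F(L − R)) over 8-bit halves with XOR as the group operation, and `sigma_or`, `sigma_swap` (a linear non-orthomorphism chosen for illustration), the random F tables and all function names are constructed.

```python
import random

N = 8  # bits per half (toy size, 16-bit block); group operation is XOR

def sigma_or(x):
    # FOX-style map on two 4-bit halves: (a, b) -> (b, a ^ b)
    a, b = x >> 4, x & 0xF
    return (b << 4) | (a ^ b)

def sigma_swap(x):
    # constructed linear permutation (a, b) -> (b, a); not an orthomorphism
    a, b = x >> 4, x & 0xF
    return (b << 4) | a

def is_orthomorphism(sigma):
    # sigma and x -> sigma(x) - x must both be permutations ("-" is XOR here)
    xs = range(1 << N)
    return (len({sigma(x) for x in xs}) == 1 << N and
            len({sigma(x) ^ x for x in xs}) == 1 << N)

def fixed_differences(sigma):
    # nonzero deltas with sigma(delta) == delta (meaningful for linear sigma)
    return [d for d in range(1, 1 << N) if sigma(d) == d]

def make_round_functions(rounds, seed=1):
    # constructed stand-ins for keyed F-functions: random lookup tables
    rng = random.Random(seed)
    return [[rng.randrange(1 << N) for _ in range(1 << N)] for _ in range(rounds)]

def encrypt(left, right, sigma, fs):
    for f in fs:
        t = f[left ^ right]  # F only ever sees left - right
        left, right = sigma(left ^ t), right ^ t
    return left, right

def iterative_prob(sigma, delta, rounds):
    # exact probability, over all 2^16 inputs, that the input difference
    # (delta, delta) reappears as the output difference after `rounds` rounds
    fs = make_round_functions(rounds)
    hits = 0
    for l in range(1 << N):
        for r in range(1 << N):
            l1, r1 = encrypt(l, r, sigma, fs)
            l2, r2 = encrypt(l ^ delta, r ^ delta, sigma, fs)
            hits += (l1 ^ l2, r1 ^ r2) == (delta, delta)
    return hits / (1 << (2 * N))

if __name__ == "__main__":
    for name, s in (("or", sigma_or), ("swap", sigma_swap)):
        print(name, is_orthomorphism(s), iterative_prob(s, 0x11, 5))
```
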