
Cryptanalysis Combined With Statistical Characteristics For Lightweight Block Ciphers

Posted on: 2021-12-12
Degree: Master
Type: Thesis
Country: China
Candidate: F Tian
Full Text: PDF
GTID: 2518306050466804
Subject: Cryptography
Abstract/Summary:
The information society is undergoing a transformation from the Internet to the Internet of Things (IoT), which extends the objects of network connections and services from people to things in order to achieve the "Internet of Everything". In an IoT environment, the micro-devices involved usually have weak computing ability and low power consumption, which makes it difficult to apply traditional block cipher algorithms. To ensure information security among IoT devices, cryptographers proposed lightweight block ciphers based on the design of traditional block ciphers. These ciphers occupy fewer resources, consume less power, run more efficiently and are easier to implement, which makes them suitable for resource-constrained IoT devices. Many lightweight block ciphers have been proposed in recent years and have become a focus of cryptanalysis. Research on lightweight block ciphers helps to find the shortcomings of existing algorithms and also provides a reference for the design of new ones. Designers always give a security analysis against common attacks when a new algorithm is proposed, but they usually do not consider the combination of multiple cryptanalysis methods, which has become the main idea of cryptanalysis. Since some block ciphers can be broken completely by combined methods, ciphers should be analyzed comprehensively, from the perspective of both design and implementation. In practical analysis, the statistical properties of algorithm-related components are often overlooked, yet they can be a useful aid to cryptanalysis. Summarizing the statistical characteristics of algorithm-related components therefore helps to improve analysis results.

In this thesis, the security of the GIFT algorithm is analyzed by means of fault attack. First, the differential diffusion characteristic of the round function used in GIFT is studied. Fault injection in the third round from the end is chosen to maximize the number of active S-boxes. Based on this, a random nibble-based differential fault attack is proposed, and the output differences corresponding to single-bit non-zero input differences of the S-box are analyzed statistically. Based on the results of this statistical analysis, a key recovery scheme built on the differential statistical properties is proposed. By recovering some key bits directly with the help of the statistical characteristics, it effectively reduces the number of fault injections and makes the fault attack easier to implement. Theoretical analysis and a large number of experimental results show that one round key can be retrieved with an average of 20.24 and 44.96 fault injections for GIFT-64 and GIFT-128 respectively. Further statistical analysis of the experimental results shows that a certain number of fault injections recover most key bits. An improved fault attack combined with exhaustive search is therefore proposed, which greatly reduces the number of fault injections. Specifically, an average of 31 random fault injections can recover the master key of GIFT-64 by performing 2^16 computations, and an average of 32 random fault injections can recover the master key of GIFT-128 by performing 2^17 computations.

In this thesis, the security of the TWINE algorithm is also analyzed by combining related-key cryptanalysis, impossible differential cryptanalysis and boomerang cryptanalysis for the first time. The characteristics of the key schedule in TWINE are studied first. A longer cryptanalysis path is then constructed by selecting a specific master key difference and input difference so as to greatly reduce the number of active S-boxes. To make full use of the key difference and obtain a better attack, the method of related-key impossible boomerang cryptanalysis is applied, and a related-key impossible boomerang distinguisher consisting of 16-round and 17-round paths is constructed. Based on this distinguisher, an attack on 23-round TWINE is mounted successfully by prepending 4 rounds to the beginning and appending 2 rounds to the end of the 17-round path and 3 rounds to the end of the 16-round path. With the help of the statistical characteristics of the S-box at the distinguisher extension stage, all possible values of the input and output differences are used to filter out ciphertext pairs that are not helpful for key recovery, which effectively reduces the complexity of the cryptanalysis. The attack on 23-round TWINE requires a data complexity of only 2^62.05 plaintexts and a computational complexity of about 2^70.49 23-round encryptions. Compared with published cryptanalysis results, the proposed attack has certain advantages.
Keywords/Search Tags: Lightweight block cipher, Differential fault analysis, Related-key cryptanalysis, Impossible differential cryptanalysis, Boomerang cryptanalysis, GIFT, TWINE