Excerpt from the paper
FASER is an authenticated encryption scheme designed by Chaza et al. and submitted to the CAESAR competition. FASER uses two state registers of the same length, one for encryption and the other for authentication. Each FASER state register can be split into two parts, one updated by a linear FSR and the other by a nonlinear FSR. A filter Boolean function, built from the two functions MAJ and MIX, produces the keystream. We mainly evaluate the security of FASER's encryption, that is, the keystream generation phase. We point out that FASER's greatest weakness is that the linear FSR and the nonlinear FSR do not influence each other. By linearly approximating the MAJ function, it is therefore possible to find linear relations that involve only keystream bits and state bits of the linear FSR. For FASER128 and FASER256 we find many such linear approximations, each with correlation coefficient 2^{-1}. Exploiting this weakness, we use a correlation attack to recover the internal state of the linear FSR: the precomputation phase, which searches for low-weight multiples, has time complexity 2^{36}, while the online complexity is negligible, being polynomial in the length of the linear FSR. The data required by the attack does not exceed 2^{36}. Furthermore, using properties of the MAJ function, we build many distinguishers from the relation between two consecutive keystream steps; for both FASER128 and FASER256 these distinguishers have correlation coefficient 2^{-2}, so only 16 keystream outputs of FASER128 or FASER256 are needed to distinguish the keystream from a random sequence. None of these distinguishers relies on the design flaw in the MIX function, so our distinguishing attack still works even if the FASER designers fix the MIX flaw. We also describe how to recover the internal state under the assumption that the linear approximation involves one state bit of the nonlinear FSR.
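To make the abstract's figures concrete, the following added example (not code from the paper) computes the correlation of the 3-input majority function with every linear function of its inputs, combines two such approximations with the piling-up lemma, and derives the sample count a correlation-based distinguisher needs. It assumes FASER's MAJ is the bitwise majority of three inputs, which the abstract does not spell out.

```python
from itertools import product


def maj(x, y, z):
    """3-input majority: 1 iff at least two of the inputs are 1.
    Assumed to model FASER's MAJ bit by bit (assumption, not from the paper)."""
    return (x & y) ^ (x & z) ^ (y & z)


def correlation(f, mask, n=3):
    """Correlation of f with the linear function <mask, x>, i.e.
    Pr[f(x) = <mask,x>] - Pr[f(x) != <mask,x>] over all 2^n inputs.
    Bit i of mask selects input i (bit 0 = first argument)."""
    agree = 0
    for bits in product((0, 1), repeat=n):
        lin = 0
        for i, b in enumerate(bits):
            if (mask >> i) & 1:
                lin ^= b
        if f(*bits) == lin:
            agree += 1
    return (2 * agree - 2 ** n) / 2 ** n


def walsh_spectrum(f, n=3):
    """Normalised Walsh spectrum: correlation with every linear mask."""
    return {mask: correlation(f, mask, n) for mask in range(2 ** n)}


def piling_up(*correlations):
    """Piling-up lemma: the correlation of a XOR of independent
    approximations is the product of their correlations."""
    c = 1.0
    for ci in correlations:
        c *= ci
    return c


def samples_for_distinguisher(c):
    """Rule of thumb: a distinguisher with correlation c needs about
    1/c^2 samples to separate keystream from a random sequence."""
    return round(1 / c ** 2)


if __name__ == "__main__":
    # Each single-input approximation MAJ(x,y,z) ~ x has correlation 2^-1,
    # two of them piled up give 2^-2, and 1/(2^-2)^2 = 16 samples suffice.
    print(walsh_spectrum(maj))
    c2 = piling_up(correlation(maj, 1), correlation(maj, 2))
    print(c2, samples_for_distinguisher(c2))
```

Masks 1, 2 and 4 (each single input) give correlation 2^{-1}, matching the abstract's linear approximations of MAJ, and a 2^{-2} distinguisher needs 16 samples, matching its 16 keystream outputs.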