Acta Electronica Sinica ›› 2018, Vol. 46 ›› Issue (9): 2102-2107. DOI: 10.3969/j.issn.0372-2112.2018.09.009

• Research Paper •

Analysis on the Weak States of AEGIS

SHI Tai-rong1, GUAN Jie1, LIU Wen-zhe2

  1. Information Engineering University, Zhengzhou, Henan 450001, China;
  2. No. 61415 Troops, Hulunbuir, Inner Mongolia 021009, China
  • Received: 2016-08-16 Revised: 2018-02-17 Online: 2018-09-25 Published: 2018-09-25
    • About the authors:
    • SHI Tai-rong, female, born in 1992 in Linyi, Shandong. Master's student at Information Engineering University. Research interest: design and analysis of symmetric ciphers. E-mail: strwanzi@163.com; GUAN Jie, female, born in 1974 in Zhengzhou, Henan. Professor and doctoral supervisor at Information Engineering University. Research interests: cryptography and information security. E-mail: guanjie007@163.com; LIU Wen-zhe, male, born in 1992 in Chifeng, Inner Mongolia. Research interest: cryptography.
    • Supported by:
    • National Natural Science Foundation of China (No.61572516, No.61602514)

Abstract: AEGIS, an authenticated stream cipher, is one of the fifteen third-round candidates of the CAESAR competition (Competition for Authenticated Encryption: Security, Applicability, and Robustness). The designers recommend three versions, AEGIS-128, AEGIS-256 and AEGIS-128L, which differ in internal state size and key length. This paper presents a new set of weak states for each of AEGIS-256 and AEGIS-128L; these weak states occur with probabilities far greater than those in existing results. Building on this analysis, a forgery attack on AEGIS-256 is given: we present internal states together with their corresponding plaintexts for which the resulting authentication tag is all-zero. For AEGIS-128L, we obtain the pattern of information leakage in the weak states. Finally, we analyze the causes of the weak states in the AEGIS family and give concrete recommendations for design and use. To the best of our knowledge, apart from the design document, no analysis of the weak states of AEGIS has been published so far, so this work is significant for the CAESAR competition.

Key words: CAESAR, AEGIS, weak states, forgery attack
