Differential and Linear Provable Security of Lai-Massey Scheme

Authors, affiliation, e-mail: Fu Lishi (付立仕), PLA Information Engineering University, Zhengzhou, Henan 450001, 15036018167@163.com; Jin Chenhui (金晨辉), PLA Information Engineering University, Zhengzhou, Henan 450001

In 1991, Lai and Massey designed the IDEA algorithm, the first algorithm to use the Lai-Massey scheme. In 1999, Vaudenay introduced an orthomorphism or almost orthomorphism into the Lai-Massey scheme and proved that the resulting Lai-Massey scheme satisfies the Luby-Rackoff theorem. This paper studies the differential and linear provable security of the Lai-Massey scheme. First, the infimum of the number of differentially active F-functions in the Lai-Massey scheme is given. Second, it is proved that when the F-function is an orthomorphism, the infimum of the number of differentially active F-functions in the Lai-Massey scheme equals the infimum of the number of active F-functions in the Feistel scheme. Finally, by introducing a dual model, the structural duality between the differential characteristic chains and the linear approximation chains of the Lai-Massey scheme is proved, and from this duality the linear provable security of the Lai-Massey scheme is obtained directly.

Lai and Massey designed IDEA in 1991; that algorithm was the first to use the Lai-Massey scheme. In 1999, Vaudenay added to the Lai-Massey scheme a function σ with the orthomorphic or α-almost orthomorphic property, and proved that this construction makes the Lai-Massey scheme satisfy the Luby-Rackoff theorem. In this paper, the provable security of the Lai-Massey scheme against differential and linear cryptanalysis is investigated. Firstly, the infimum of the number of differentially active F-functions in the Lai-Massey scheme is given, whether or not F is an orthomorphism. Secondly, the results in this paper show that when F is an orthomorphism, this infimum is the same as that of the Feistel scheme. Finally, a dual model is introduced to study the duality between differential characteristic chains and linear approximation chains in the Lai-Massey scheme, which yields the corresponding linear cryptanalysis results for the Lai-Massey scheme directly.
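The following added example (written for this page, not code from the paper or from IDEA) illustrates two things the abstract relies on: what "differentially active F-function" means in the Lai-Massey scheme, and why Vaudenay's σ must be an orthomorphism. It assumes the XOR variant of the scheme on two 16-bit halves, a round `t = F(x ⊕ y); x' = σ(x ⊕ t); y' = y ⊕ t`, a constructed toy round function `toy_f` (not a secure F), and the standard orthomorphism `σ(a‖b) = b‖(a ⊕ b)`. With `σ = identity`, `x ⊕ y` is invariant across rounds, so a pair with difference `(δ, δ)` never activates F in any number of rounds; with an orthomorphism, an inactive round forces the next round to be active, so at least ⌊r/2⌋ F-functions are active over r rounds. The example does not reproduce the paper's bounds, which concern F itself being an orthomorphism.

```python
# Toy XOR-based Lai-Massey scheme on a 32-bit block (two 16-bit halves).
# Added illustration for this page; toy_f is a constructed, insecure round function.
MASK16 = 0xFFFF


def orthomorphism(v: int) -> int:
    """sigma(a||b) = b || (a xor b) on two 8-bit halves.

    Both sigma and (sigma xor identity) are bijections, which is the
    defining property of an orthomorphism on GF(2)^16.
    """
    a, b = v >> 8, v & 0xFF
    return (b << 8) | (a ^ b)


def identity(v: int) -> int:
    """The 'no sigma' case: x xor y is then invariant across rounds."""
    return v


def is_orthomorphism(sigma, bits: int = 16) -> bool:
    """Exhaustively check that sigma and sigma xor id are both permutations."""
    space = range(1 << bits)
    return (len({sigma(v) for v in space}) == 1 << bits
            and len({sigma(v) ^ v for v in space}) == 1 << bits)


def toy_f(v: int, k: int) -> int:
    """Constructed keyed, nonlinear 16-bit round function (not IDEA's F)."""
    v = (v ^ k) & MASK16
    v = ((v * 0x9E37) + (v >> 5)) & MASK16   # multiply-add mixing
    return ((v << 3) | (v >> 13)) & MASK16   # 16-bit rotate left by 3


def lai_massey_encrypt(x: int, y: int, keys, sigma):
    """One Lai-Massey round per key: t = F(x ^ y); x = sigma(x ^ t); y = y ^ t.

    The round is a permutation of (x, y) for any F, so a nonzero input
    difference can never become the zero difference.
    """
    for k in keys:
        t = toy_f(x ^ y, k)
        x, y = sigma(x ^ t), y ^ t
    return x, y


def trace_active_f(x1, y1, x2, y2, keys, sigma):
    """Encrypt a pair in lockstep; count rounds whose F input difference is nonzero.

    Returns (number_of_active_F, output_difference).  A round is
    'differentially active' exactly when (x1 ^ y1) != (x2 ^ y2).
    """
    active = 0
    for k in keys:
        if (x1 ^ y1) != (x2 ^ y2):
            active += 1
        t1, t2 = toy_f(x1 ^ y1, k), toy_f(x2 ^ y2, k)
        x1, y1 = sigma(x1 ^ t1), y1 ^ t1
        x2, y2 = sigma(x2 ^ t2), y2 ^ t2
    return active, (x1 ^ x2, y1 ^ y2)


# Constructed sample round keys (any values work for the structural argument).
SAMPLE_KEYS = [0x1234, 0x5678, 0x9ABC, 0xDEF0, 0x0F0F, 0xF0F0]


if __name__ == "__main__":
    # Difference (1, 1): F input difference is 0 in round 1.
    print("identity sigma  :", trace_active_f(0, 0, 1, 1, SAMPLE_KEYS, identity))
    print("orthomorphism   :", trace_active_f(0, 0, 1, 1, SAMPLE_KEYS, orthomorphism))
    print("sigma is orthomorphism:", is_orthomorphism(orthomorphism),
          "| identity is:", is_orthomorphism(identity))
```

Why the bound holds: if round i is inactive, the pair's difference is `(δ, δ)` with `δ ≠ 0` (the round is a permutation, so the difference cannot vanish). The next state difference is `(σ(δ), δ)`, and `σ(δ) ⊕ δ ≠ 0` precisely because `σ ⊕ id` is a permutation fixing 0. Hence no two consecutive rounds are inactive, which is the structural fact the `SAMPLE_KEYS` run exhibits and that the identity map fails.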