@techreport{oai:ipsj.ixsq.nii.ac.jp:00237147,
 author = {中田, 和磨 and 石川, 達也 and 阪本, 光星 and 峯松, 一彦 and 五十部, 孝典 and Kazuma, Nakata and Tatsuya, Ishikawa and Kosei, Sakamoto and Kazuhiko, Minematsu and Takanori, Isobe},
 issue = {26},
 month = {Jul},
 note = {ブロック暗号 Midori は，SPN 構造を持つ低遅延ブロック暗号である．CSS 2023 において，ラウンドによって異なる複数線形層を用いることで，差分・線形攻撃の安全性の指標である Active S-box 評価において Midori よりも良い性質を持つ構成が示された．低遅延実装においては，全てのラウンドを実装するアンロール実装が一般的であり，本研究の複数のセル置換の利用は遅延や回路規模に関しての実装上のオーバーヘッドはほとんどない．本研究では，複数線形層と非線形層を適切に組み合わせることで，差分/線形攻撃に対する安全性の観点で Midori よりも良い性能をもつ構成を提案する．具体的には，複数線形層と低遅延で実装可能な 3 種類の非線形層の組み合わせを検討することで，差分/線形攻撃に対する安全性の観点で全ラウンドにおいて Midori 以上の安全性を保証可能な構成を示す．特に， Midori に対するもっとも効果的な攻撃である線形攻撃に対しては Midori よりも低いラウンドで安全性を保証可能な構成である．また，3 種類の非線形層のうち 2 種類については Midori128 で使用されている S-box よりも遅延性能が高いため，Midori128 よりも安全性と遅延性能がともに高い構成となっている．, Midori is a low-latency block cipher with an SPN (Substitution-Permutation Network) structure. At CSS 2023, a design that uses multiple linear layers differing by rounds was presented, demonstrating better properties in terms of Active S-box evaluation―a measure of resistance to differential and linear attacks―compared to Midori. In low-latency implementations, it is common to use an unrolled implementation where all rounds are implemented, and the use of multiple cell permutations in this study incurs minimal implementation overhead in terms of latency and circuit size. In this study, by appropriately combining multiple linear layers and nonlinear layers, we propose a design that achieves better performance than Midori in terms of security against differential and linear attacks. Specifically, by considering combinations of multiple linear layers and three types of nonlinear layers that can be implemented with low latency, we demonstrate a design that guarantees higher security than Midori against differential and linear attacks in all rounds. In particular, for the most effective attack against Midori, the linear attack, we propose a design that can guarantee security with fewer rounds than Midori. Additionally, for two of the three types of nonlinear layers, which have higher latency performance than the S-box used in Midori128, the proposed design achieves both higher security and latency performance compared to Midori128.},
 title = {複数線形層を用いた低遅延ブロック暗号の設計},
 year = {2024}
}