分析欧洲序列密码候选算法ABC的安全性,提炼出两类与安全性密切相关的具有概率优势的线性表达式。两个概率优势反映了模加法运算之间的两种线性相关性。利用每类表达式及其概率优势都可以推导出ABC算法的大量弱密钥。在弱密钥条件下,可以计算出算法的1 257 bit初始密钥,从而导致了算法的有效破解方法。第一类表达式反映了两个模加法方程普遍存在的一种线性相关性,第二类表达式反映了三个模加法方程的比特进位之间的线性相关性。其中,第二类中一个典型的表达式最初是由Wu和Preneel发现,并由此得到2~(96)个弱密钥,但他们只是通过测试试验数据得到了该表达式的概率优势估计值,并未给出严格证明。文中给出两类表达式的概率优势的严格证明。模加运算被广泛应用于对称密码的设计中,相信这两类线性表达式的概率优势不仅可以用来分析其它对称密码算法,而且对于设计安全的对称密码算法也是非常重要的。 This paper analyzes the security of ABC in European sequence cipher candidate algorithm, and extracts two types of linear expressions with probability advantage which are closely related to security. Two probability advantages reflect the two linear correlations between modulo-addition operations. Using each type of expression and its probabilistic advantages, a large number of weak keys of the ABC algorithm can be deduced. Under the condition of weak key, we can calculate the algorithm’s 1 257 bit initial key, which leads to an effective method to crack the algorithm. The first type of expression reflects a ubiquitous linear dependence of the two modular addition equations and the second type of expression reflects the linear dependence of the bit-carry of the three modular addition equations. Among them, a typical expression in the second category was originally discovered by Wu and Preneel, and thus 2 ~ (96) weak keys were obtained, but they obtained the probability predictor of the expression simply by testing the experimental data , Did not give strict proof. The paper gives the strict proof of the probability advantage of two kinds of expressions. Modulo-addition operations are widely used in the design of symmetric ciphers. It is believed that the probability advantages of these two types of linear expressions can be used not only to analyze other symmetric cipher algorithms, but also to design secure symmetric cipher algorithms.