节点文献
若干分组密码算法的故障攻击研究
Research on the Fault Analysis of Some Block Ciphers
【作者】 李玮;
【导师】 谷大武;
【作者基本信息】 上海交通大学 , 计算机科学与技术, 2009, 博士
【摘要】 分组密码是密码学的重要内容,是实现信息保密的核心体制,其安全性分析也一直是密码研究中非常活跃的课题。随着集成电路和智能卡技术的发展,以及嵌入式系统的大规模应用,单纯从分组密码算法的数学结构研究安全性能已远远不够,从算法的实现角度来考虑安全问题已成为必需。在实际应用领域中,密码算法通常使用各种芯片来实现,如智能卡、加密存储卡、加密机芯片、手机芯片和网络路由器芯片等,这些芯片在运行时有可能泄漏某些中间状态信息(出错消息、执行时间、功耗、电磁辐射等),使得攻击者有机会采集与密钥相关的关键信息,从而发现明文或密钥。旁路攻击正是在这种背景下被提出的,由于其成功的攻击效果和潜在的发展前景,已经引起了国内外从事密码和微电子的研究学者的极大关注,并成为密码分析和密码工程领域发展最为迅速的方向之一。本文针对几种国际上比较流行的分组密码算法和密码结构,重点研究了旁路攻击中有较大威胁的故障攻击技术,在不同的故障模型下,基于差分分析原理,提出了有效的故障攻击和故障检测方法,并进行了软件模拟验证。同时,本文也对时序攻击和功耗分析进行了部分研究。文章的创新性研究工作主要有:(1)提出了差分故障攻击ARIA算法的方法。ARIA算法是韩国官方2004年公布的分组密码标准算法,主要用于轻量级环境实现和硬件系统实现。目前,关于ARIA算法抗故障攻击的安全性研究,国内外还未有公开发表的结果。本文提出并讨论了差分故障攻击ARIA密码的方法。该攻击方法采用面向字节的随机故障模型,并且结合差分技术,仅需要45个故障密文即可恢复ARIA密码的128比特原始密钥。该方法也为故障攻击其它分组密码提供了一种较通用的分析手段。基于此攻击方法,本文提出了一种新的故障检测方法—基于模式的技术,它不仅能够以更小的时空代价检测到故障,而且可以同时应用到软件和硬件实现中。(2)提出了差分故障攻击CLEFIA算法的新方法。CLEFIA算法是在2007年FSE(Fast Software Encryption)会议上,由索尼公司开发并提出的一种新的分组密码。虽然前人的工作表明CLEFIA算法不能抵抗差分故障攻击,但是其攻击代价较大。本文提出并讨论了一种新的差分故障攻击方法,它采用面向字节的随机故障模型,通过改变故障诱导的轮数位置,分别仅需要12、30和30个故障密文即可分别恢复CLEFIA密码的128比特、192比特和256比特原始密钥。在故障诱导的实施难度相同的情况下,本文提出的新方法不仅提高了故障诱导的攻击成功率,而且减少了故障密文数。(3)提出了故障攻击SMS4算法的新方法。SMS4算法是用于无线局域网安全标准WAPI的分组密码,是国内官方公布的第一个商用密码算法。前人的研究成果仅限于导入故障在SMS4密码的加密算法中,并且故障密文数较多,攻击效率不高。本文提出并讨论了故障攻击SMS4密码的新方法。新方法采用面向字节的随机故障模型,通过改变故障诱导的位置,可恢复SMS4密码的128比特原始密钥。在故障诱导的实施难度相同的情况下,本文提出的新方法扩展了故障攻击SMS4算法的种类,降低了故障攻击的代价。(4)压缩UFN型结构是分组密码中的一种重要结构,本文提出了差分故障攻击压缩UFN型结构的通用方法,并应用到SMS4算法和MacGuffin算法中。该攻击方法采用面向字节的随机故障模型,并且结合差分技术,根据故障诱导的不同位置,分别提出了两个故障模型,均可破译具有压缩UFN型结构的算法。因而,该攻击方法为故障攻击UFN型结构的分组密码提供了一种通用的分析手段。理论分析和实验结果表明,MacGuffin算法不能抵抗差分故障攻击,在两个故障模型下,分别需要355个故障密文和165个故障密文,即可恢复MacGuffin算法的原始密钥。另外,此方法可以应用到SMS4算法中,在两个不同的故障模型下,分别需要20个故障密文和4个故障密文,即可恢复SMS4密码的原始密钥。(5)针对对称密码抗旁路攻击的安全性进行了初步研究。本文将完善保密性引入到密码系统抗旁路攻击的研究中,定义了密码算法达到完善保密的实现安全,从而使可防御旁路攻击的密码系统有了信息论解释。并且,本文讨论了密码算法实现可证明安全性的安全语义,通过归约建立了不同安全语义之间的联系。这些新的安全语义包括UB—SCA (旁路攻击下的密钥完全不可破), IND—CPA—SCA (选择明文攻击和旁路攻击下的消息不可区分性)以及IND—CCA—SCA (选择密文攻击和旁路攻击下的消息不可区分性)。基于这些定义,通过归约证明了UB—SCA ^IND—CPA ?IND—C PA—S CA,以及UB—S CA ^IND—C CA ?IND—CCA—SCA,从而为对称密码抗旁路攻击提供了理论模型,并简化了对称密码系统抗旁路攻击的安全性分析。(6)提出了差分功耗分析数字视频广播加扰算法的方法。在数字视频压缩技术国际通用标准MPEG—2中,使用数字视频广播加扰算法是一种加强传播流安全性的主要方法。目前,针对加扰算法的攻击仅限于故障攻击。基于前人的研究工作,本文提出了差分功耗分析数字视频广播加扰算法的方法,可获得其原始密钥。该工作扩大了原有功耗分析的研究对象,从单纯的分组密码算法,覆盖至包含分组密码部分的混合加密体制。
【Abstract】 The block cipher is a core component of cryptology, and its security analysis is always a very active branch in cryptanalysis. With the development of integrate circuits, smart cards and embedded systems, a new class of attack, called side channel attack, on cryptographic devices has become public. When more and more cryptosystems being applied to different chips, such as smart cards, cryptographic storage card, encryptor chip, network router chip etc, some important information about the internal states may be leaked. For example, the information includes fault information, execution time, power consumption and electromagnetic radiation and so on. Examples show that a leak of very small amount of side channel information will be enough to break block ciphers completely. Therefore, it has drawn much attention in both domestic and overseas, and become one of the fastest growing research areas in the fields of cryptanalysis and cryptography engineering.As one type of side channel attacks, fault analysis is a popular cryptanalysis. This dissertation discusses fault analysis of some block ciphers and the related structures. In different fault models, on the basis of differential analysis, we present several effective fault analysis and fault detection, and validate the results by software simulation. Furthermore, other side channel attacks, including timing attack and power analysis, are described in this dissertation. The main contributions of the dissertation are listed as follows:(1) The ARIA algorithm is a Korean Standard block cipher, which is optimized for lightweight and hardware environments. On the basis of the byte–oriented model and the differential analysis principle, we propose a differential fault attack on the ARIA algorithm. Mathematical analysis and simulating experiment show that our attack can recover its 128– bit secret key by introducing 45 faulty ciphertexts. Simultaneously, we also present a fault detection technique for protecting ARIA against this proposed analysis. We believe that our results in this study will also be beneficial to the analysis and protection of the same type of other iterated block ciphers.(2) CLEFIA is a new 128–bit block cipher, which was proposed by SONY Corporation in FSE’2007. The previous attack shows that CLEFIA is vulnerable to differential fault analysis. However, its efficiency is not high and the attacking scope is limited. This dissertation studies the security of CLEFIA against differential fault analysis. On the basis of the byte–oriented fault model, our method only requires 12 faulty ciphertexts for the 128–bit secret key, and 30 faulty ciphertexts for the 192–bit and 256–bit secret keys of CLEFIA. Compared with the previous techniques, our work not only expands the fault locations, but also improves the efficiency of fault injection, and decreases the number of faulty ciphertexts.(3) This dissertation presents several new approaches for fault analysis on the cryptographic algorithm SMS4. The previous research focuses on injecting faults into the encryption of SMS4. However, its efficiency is not high and the attacking scope is limited. Thus, we propose several techniques which pay attention to different locations of occurring faults. Our proposed techniques make use of the byte–oriented fault model and chosen plaintext attacks. Under the same assumption, the 128–bit master key for SMS4 can be obtained. Thus, our work not only expands the locations of occurring fault, but also decreases the attacking cost.(4) This dissertation studies the security of the contracting UFN structure against differential fault analysis (DFA). The contracting unbalanced Feistel networks (UFN) is a particular structure of the block ciphers, where the“left half”and the“right half”are not of equal size, and the size of the domain is larger than that of the range. We propose two basic byte–oriented fault models and two corresponding attacking methods. Then we implement the attack on two instances of the contracting UFN structure, the block ciphers MacGuffin and SMS4. MacGuffin is breakable with 355 and 165 faulty ciphertexts in the two fault models, respectively. Under similar hypothesis, the experiments require 20 and 4 faulty ciphertexts to recover the 128–bit secret key of SMS4, respectively. So our work not only builds up a general model of DFA on the contracting UFN structure and ciphers, but also provides a new reference for fault analysis on other block ciphers.(5) This dissertation defines perfect security against side channel attacks for a cryptosystem implementation, and discusses the implication of secure notions for a cryptosystem in provable security. Then we give some security notions for symmetric encryption against side channel attacks, UB—SCA (unbreakability in side channel attacks), IND—CPA—SCA (indistinguishability of chosen plaintext attacks and side channel attacks) and IND—CCA—SCA (indistinguishability of chosen ciphertext attacks and side channel attacks). On the basis of these definitions, we propose and prove that UB—SCA ^IND—CPA ? IND—C PA—S CAand UB—SCA ^IND—C CA ?IND—C CA—SCA by reduction. It sets up a model for symmetric ciphers against side channel attacks in theory.(6) The Common Scrambling Algorithm (CSA) is used to encrypt streams of video data in the Digital Video Broadcasting (DVB) system. To date, CSA is secure against classical attacks, but vulnerable to fault analysis. This dissertation presents a differential power analysis, one of side channel attacks, on DVB CSA. By decrypting the block cipher part, the common key of the whole algorithm can be derived. Thus, our method expands the attacking scope of differential power analysis.
【Key words】 side channel attacks; block ciphers; fault analysis; timing attack; power analysis; ARIA; CLEFIA; MacGuffin; SMS4;