一种新的简化AES中间相遇攻击方法

A new 5-round distinguisher of AES with key whitening is presented by using the properties of its round transformation. Based on this distinguisher, we present new meet-inthe-middle attacks on reduced AES considering the key schedule and the time-memory tradeoff approach. New attacks improve the best known meet-in-the-middle attacks on reduced AES presented at FSE2008.We reduce the time complexity of attacks on 7-round AES-192 and 8-round AES-256 by a factor of at least 28. Moreover, the distinguisher can be exploited to develop the attack on 8-round AES-192.     

FOX算法的差分故障攻击

FOX算法是用于欧洲有线电视的分组密码算法,该算法整体采用Lai-Massey结构,其中的圈函数使用SPS结构。FOX算法的设计结构比较典型,实际应用的范围很广,目前对于该算法的分析却并不多见。研究了FOX算法对于差分故障攻击的安全性。提出一种采用面向字节的随机故障模型,并结合差分分析技术的攻击方法。结果显示,差分故障攻击对于FOX算法是有效的;实验结果也验证了这一事实。该攻击方法恢复出全部密钥信息平均需要128个错误密文,计算穷举量为O（215）。     

基于微控制器的AES激光注入攻击研究

密码设备面临故障攻击的威胁,针对密码芯片的故障攻击手段研究是密码学和硬件安全领域的重要研究方向.脉冲激光具有较好的时空分辨性,是一种准确度较高的故障攻击手段.该文详细描述了激光注入攻击的原理和方法,以集成AES-128算法的微控制器(MCU)为例实施了激光注入攻击实验.实验以微控制器的SRAM为攻击目标,分别成功实现了差分故障攻击和子密钥编排攻击,恢复了其16 Byte的完整密钥,其中后一种攻击是目前首次以激光的手段实现.研究表明,激光注入攻击能准确定位关键数据存放的物理位置,并能在任意的操作中引入错误,实现单比特的数据翻转,满足故障攻击模型的需求.激光注入攻击能在较短时间内完成自动攻击和密文收集,攻击过程贴近真实场景,对密码芯片具有极大的威胁.     

基于微控制器的AES激光注入攻击研究

密码设备面临故障攻击的威胁,针对密码芯片的故障攻击手段研究是密码学和硬件安全领域的重要研究方向。脉冲激光具有较好的时空分辨性,是一种准确度较高的故障攻击手段。该文详细描述了激光注入攻击的原理和方法,以集成AES-128算法的微控制器(MCU)为例实施了激光注入攻击实验。实验以微控制器的SRAM为攻击目标,分别成功实现了差分故障攻击和子密钥编排攻击,恢复了其16 Byte的完整密钥,其中后一种攻击是目前首次以激光的手段实现。研究表明,激光注入攻击能准确定位关键数据存放的物理位置,并能在任意的操作中引入错误,实现单比特的数据翻转,满足故障攻击模型的需求。激光注入攻击能在较短时间内完成自动攻击和密文收集,攻击过程贴近真实场景,对密码芯片具有极大的威胁。     

基于冗余有限域算术的AES S盒高效故障检测方案

为使AES S盒的多奇偶校验故障检测方案具备预期故障检测能力,提出了由预期故障覆盖率确定预测奇偶总数的参数计算模型.根据模型确定的预测奇偶总数,为基于冗余有限域算术的S盒定制了两种多分块多奇偶校验的故障检测方案.推导优化了各分块预测奇偶计算公式,并通过穷举搜索找到了使整个电路结构最优的多项式系数与映射矩阵.仿真结果表明两种方案的随机多故障覆盖率均约为97%,验证了参数计算模型的有效性,突发故障覆盖率分别约为61.8%、76.3%,优于已有文献中大部分故障检测方案.综合结果表明,对比于已有文献中具有相似故障检测能力的故障检测S盒电路,所设计电路的面积-延时积最小.     

Conditional Re‐encoding Method for Cryptanalysis‐Resistant White‐Box AES

Conventional cryptographic algorithms are not sufficient to protect secret keys and data in white‐box environments, where an attacker has full visibility and control over an executing software code. For this reason, cryptographic algorithms have been redesigned to be resistant to white‐box attacks. The first white‐box AES (WB‐AES) implementation was thought to provide reliable security in that all brute force attacks are infeasible even in white‐box environments; however, this proved not to be the case. In particular, Billet and others presented a cryptanalysis of WB‐AES with 230 time complexity, and Michiels and others generalized it for all substitution‐linear transformation ciphers. Recently, a collision‐based cryptanalysis was also reported. In this paper, we revisit Chow and others’ first WB‐AES implementation and present a conditional re‐encoding method for cryptanalysis protection. The experimental results show that there is approximately a 57% increase in the memory requirement and a 20% increase in execution speed.     

低轮FOX分组密码的差分碰撞攻击

This paper presents a method for differential collision attack of reduced FOX block cipher based on 4-round distinguishing property. It can be used to attack 5, 6 and 7-round FOX64 and 5-round FOX128. Our attack has a precomputation phase, but it can be obtained before attack and computed once for all. This attack on the reduced to 4-round FOX64 requires only 7 chosen plaintexts, and performs 242 .84-round FOX64 encryptions. It could be extended to 5 (6, 7)-round FOX64 by a key exhaustive search behind the fourth round. The time complexities of 5, 6 and 7-round FOX64 are approximate to 2106 .8, 2170 .8and 2234 .8, respectively. The attack on reduced FOX128 demands 11 chosen plain-texts, requires 2192one round encryptions in precomputation, performs approximately 276 .5 one round encryptions on 4-round FOX128, and is 2204 .5against 5-round FOX128.     

对简化版LBLock算法的相关密钥不可能差分攻击

LBLOCK是吴文玲等人于2011年设计的一种轻量级密码算法。该文利用一个特殊的相关密钥差分特征,对19轮的LBlock算法进行了相关密钥不可能差分攻击,攻击的计算复杂度为O(270.0),所需要的数据量为264。进一步,提出了一种针对21轮LBlock的相关密钥不可能差分攻击,计算复杂度为O(271.5),数据量为263。     

Differential Fault Attack on GIFT

GIFT,a lightweight block cipher proposed at CHES2017,has been widely cryptanalyzed this years.This paper studies the differential diffusion characteristics of round function of GIFT at first,and proposes a random nibble-based differential fault attack.The key recovery scheme is developed on the statistical properties we found for the differential distribution table of the S-box.A lot of experiments had been done and experimental results show that one round key can be retrieved with an average of 20.24 and 44.96 fault injections for GIFT-64 and GIFT-128 respectively.Further analysis shows that a certain number of fault injections recover most key bits.So we demonstrate an improved fault attack combined with the method of exhaustive search,which shows that the master key can be recovered by performing 216 and 217 computations and injecting 31 and 32 faults on an average for GIFT-64 and GIFT-128 respectively.     

AES密码分析的若干新进展

2001年11月,美国国家标准和技术研究所(NIST)确定Rijndael算法为新的数据加密标准-高级数据加密标准(AES).AES的密码分析是目前最受注目的一个研究问题.本综述介绍AES密码分析的一些新进展:包括积分密码分析,功耗分析和代数攻击等.作者就目前国内外的研究现状作了评述,并提出了AES密码分析的一些研究方向,希望能引起大家的重视.     

轻量级分组密码PUFFIN的差分故障攻击

基于代换–置换网络结构的轻量级分组密码算法PUFFIN在资源受限的硬件环境中使用较广泛,差分故障攻击是针对硬件密码算法较为有效的攻击手段。该文针对PUFFIN算法,改进多比特故障模型,通过构建输出差分和可能输入值之间的关系,注入5次故障即可确定单个S盒唯一输入值;在最后一轮加密过程中注入10次故障,成功恢复轮密钥的概率为78.64%,进而可恢复初始密钥。

     

Differential Fault Attack on the Stream Cipher LIZARD

In this paper, we try to give a security evaluation of LIZARD stream cipher in regard to fault attacks, which, to the best of our knowledge, is the first fault analysis on LIZARD. We design a differential engine of LIZARD to track the differential trail of the keystreams. It is shown that the distributions of the keystream differences are heavily biased. Utilizing this characteristic, we propose an improved method to identify the fault location for LIZARD whose success probability approaches 1. Then we use the fault-free keystream and faulty keystreams to generate system of equations in internal state variables and solve it by SAT solver. The result shows that with 100 keystream bits, only 6 different faults are needed to recover the internal state. Finally, the comparison between LIZARD and Grain v1 shows that LIZARD is more resistable than Grain v1 in regard to fault attacks.     

基于故障注入的基准电路故障响应分析

为了提高集成电路的成品率,试图采用更简便有效的方法测试芯片,并获得反映电路特性的故障响应率,在进行电路功能仿真(前仿真)或电路时序仿真(后仿真)的过程中,对电路注入单故障或多故障,然后在电路存在故障的情况下,模拟电路的行为,获得电路的故障响应率.实现了一个通用的数字电路"故障响应分析"程序,他模拟电路注入故障,收集模拟结果,通过分析获取电路的故障响应率.     

Multi-point joint power analysis attack against AES

For the power analysis attack of the AES cryptographic algorithm with the single information leakage point,the traditional attack method does not use as much information as possible in the algorithm and power trace.So there are some problems such as required more power traces,the low utilization rate of information and so on.A novel method of muti-point joint power analysis attack against AES was proposed to solve the problems.And taking the correlation power analysis attack as an example,the detailed attack process was presented.The operations of the round key addition and the SubBytes were chosen as the attack intermediate variable at the same time.Then the joint power leakage function was con-structed for the attack intermediate variable.And the multi-point joint correlation energy analysis attack was given.Aiming at the AES cryptographic algorithm implemented on the smart card,the multi-point joint power analysis attack,the correlation power analysis attack with the single information leakage point in the key addition and the SubBytes were conducted.The measured results validate the proposed method is effective.It also shows that the proposed method has the advantages of high success rate and less power traces comparing with the single information leakage point.     

约减轮数分组密码LEA的差分分析

LEA算法是面向软件的轻量级加密算法,在2019年成为 ISO/IEC 国际标准轻量级加密算法,具有快速加密、占用运算资源少等优点。该文基于多条输入输出差分相同的路径计算了差分概率,首次对LEA-128进行了13轮和14轮的密钥恢复攻击;采用提前抛弃技术,分别在12轮和13轮差分特征后面添加了1轮,恢复了96 bit密钥;其中13轮的密钥恢复攻击数据复杂度为2⁹⁸个明文,时间复杂度为2^86.7次13轮LEA-128解密;14轮的密钥恢复攻击数据复杂度为2¹¹⁸个明文,时间复杂度为2^110.6次14轮LEA-128解密。     

FeW的差分故障攻击

为了评估轻量级分组密码算法FeW的安全性,提出并讨论了一种针对FeW算法的差分故障攻击方法。该方法采用单字节随机故障模型,选择在FeW算法的最后一轮右侧引入单字节随机故障,利用线性扩散函数的特点获取差分信息,并基于S盒差分分布统计规律实现密钥恢复。实验结果表明,平均47.73次和79.55次故障注入可以分别完全恢复FeW-64-80和FeW-64-128的主密钥,若在恢复密钥过程中加入2¹⁰的穷举计算,所需平均故障注入次数分别降至24.90和41.50。该方法可以有效地攻击FeW算法。     

An Effective Differential Fault Analysis on the Serpent Cryptosystem in the Internet of Things

Due to the strong attacking ability, fast speed, simple implementation and other characteristics, differential fault analysis has become an important method to evaluate the security of cryptosystem in the Internet of Things. As one of the AES finalists, the Serpent is a 128-bit Substitution-Permutation Network （SPN） cryptosystem. It has 32 rounds with the variable key length between 0 and 256 bits, which is flexible to provide security in the Internet of Things. On the basis of the byte-oriented model and the differential analysis, we propose an effective differential fault attack on the Serpent cryptosystem. Mathematical analysis and simulating experiment show that the attack could recover its secret key by introducing 48 faulty ciphertexts. The result in this study describes that the Serpent is vulnerable to differential fault analysis in detail. It will be beneficial to the analysis of the same type of other iterated cryptosystems.     

一种针对FPGA位流的自动化故障注入分析方法

理论上通过篡改FPGA位流,利用其实现的密码算法的错误输出可以分析出密钥,但这种攻击通常需要非常了解目标FPGA的内部结构与位流的对应关系。而位流逆向的难度很大,导致此类攻击的实用性不高。文章提出一种针对FPGA位流的自动化故障注入分析方法,不需要逆向位流,结合张帆等人提出的持久性故障分析理论,把因篡改算法常量导致的出错结果作为可利用的故障。并首次在Xilinx-7系列FPGA开发板上利用Spider进行电压故障注入实验,480条错误密文就可以得到AES-128的密钥,且在10 min内可以完成数据的采集和分析。对于加密位流的情况,可以先利用电磁侧信道分析方法得到明文位流,再结合该文的分析方法来进行密钥破解。     

针对AES第一轮的汉明重代数攻击研究

将差分功耗分析的汉明重量模型与传统的代数攻击相结合,实现了针对128位密钥的AES密码算法第一轮的功耗代数攻击.在攻击实验中,改进了汉明重量函数,并证明了利用此函数能够通过进一步计算的相关系数r明显区分出正确密钥字节与错误密钥字节,在最短时间内获得正确的真实的全部密钥字节,对比其他同类研究更具适用性和高效性.