对智能卡进行微分功耗分析攻击的方法研究

详细阐述了对通用密码系统实施微分功耗分析攻击(DPA)的理论基础和对DES算法攻击的特定理论，并提出了对DPA的改进算法。在分析功耗信号的噪声特点以后，提出了一个信噪比(SNR)的建模方法和相应理论的证明。最后，给出了算法的一个实验结果。     

Dynamic inhomogeneous S-Boxes design for efficient AES masking mechanisms

It is an important challenge to implement a lowcost power analysis immune advanced encryption standard （AES） circuit. The previous study proves that substitution boxes （S-Boxes） in AES are prone to being attacked, and hard to mask for its non-linear characteristic. Besides, large amounts of circuit resources in chips and power consumption are spent in protecting S-Boxes against power analysis. Thus, a novel power analysis immune scheme is proposed, which divides the data-path of AES into two parts： inhomogeneous S-Boxes instead of fixed S-Boxes are selected randomly to disturb power and logic delay in the non-linear module; at the same time, the general masking strategy is applied in the linear part of AES. This improved AES circuit was synthesized with united microelectronics corporation （UMC） 0.25 μm 1.8 V complementary metal-oxide-semiconductor （CMOS） standard cell library, and correlation power analysis experiments were executed. The results demonstrate that this secure AES implementation has very low hardware cost and can enhance the AES security effectually against power analysis.     

Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-Box

Cryptographic substitution boxes (S-boxes) are an integral part of modern block ciphers like the Advanced Encryption Standard (AES). There exists a rich literature devoted to the efficient implementation of cryptographic S-boxes, wherein hardware designs for FPGAs and standard cells received particular attention. In this paper we present a comprehensive study of different standard-cell implementations of the AES S-box with respect to timing (i.e. critical path), silicon area, power consumption, and combinations of these cost metrics. We examine implementations which exploit the mathematical properties of the AES S-box, constructions based on hardware look-up tables, and dedicated low-power solutions. Our results show that the timing, area, and power properties of the different S-box realizations can vary by up to almost an order of magnitude. In terms of area and area-delay product, the best choice are implementations which calculate the S-box output. On the other hand, the hardware look-up solutions are characterized by the shortest critical path. The dedicated low-power implementations do not only reduce power consumption by a large degree, but they also show good timing properties and offer the best power-delay and power-area product, respectively.     

AES-Based Security Coprocessor IC in 0.18-$muhbox m$CMOS With Resistance to Differential Power Analysis Side-Channel Attacks

Security ICs are vulnerable to side-channel attacks (SCAs) that find the secret key by monitoring the power consumption or other information that is leaked by the switching behavior of digital CMOS gates. This paper describes a side-channel attack resistant coprocessor IC fabricated in 0.18-$muhbox m$CMOS consisting of an Advanced Encryption Standard (AES) based cryptographic engine, a fingerprint-matching engine, template storage, and an interface unit. Two functionally identical coprocessors have been fabricated on the same die. The first coprocessor was implemented using standard cells and regular routing techniques. The second coprocessor was implemented using a logic style called wave dynamic differential logic (WDDL) and a layout technique called differential routing to combat the differential power analysis (DPA) side-channel attack. Measurement-based experimental results show that a DPA attack on the insecure coprocessor requires only 8000 encryptions to disclose the entire 128-bit secret key. The same attack on the secure coprocessor does not disclose the entire secret key even after 1 500 000 encryptions.     

Differential Side Channel Analysis Attacks on FPGA Implementations of ARIA

In this paper, we first investigate the side channel analysis attack resistance of various FPGA hardware implementations of the ARIA block cipher. The analysis is performed on an FPGA test board dedicated to side channel attacks. Our results show that an unprotected implementation of ARIA allows one to recover the secret key with a low number of power or electromagnetic measurements. We also present a masking countermeasure and analyze its second‐order side channel resistance by using various suitable preprocessing functions. Our experimental results clearly confirm that second‐order differential side channel analysis attacks also remain a practical threat for masked hardware implementations of ARIA.     

差分功耗分析中选择函数的研究

在差分功耗分析（DPA）中,人们对于选择函数的关注更多的集中在多比特DPA的使用上,而对于采用不同比特作为选择函数所带来的分析结果的差异却鲜有提及。文中对此进行了详细的讨论,并得出选择函数的有效定义对于结果分析有着较大的促进作用。利用AT89C51单片机仿真AES加密系统并对其进行差分功耗分析,而得出的结果证实了结论的正确性。     

AES加密设备的差分能量攻击原理与仿真

旁路攻击是目前信息安全技术领域一个备受瞩目的热点,绕过传统的密码分析方法,利用加密解密设备在进行数据处理时泄露出来的信息比,如运行时间、功耗等对密码系统进行分析和攻击.而DPA（differential power analysis）攻击是较为常见的一种旁路攻击.文中对DPA攻击和AES加密算法进行简单介绍,并在此基础上进行标准DPA攻击的仿真,为能量攻击分析提供一定的理论依据和实验数据.     

Power analysis attack resilient block cipher implementation based on 1-of-4 data encoding

Side-channel attacks pose an inevitable challenge to the implementation of cryptographic algorithms, and it is important to mitigate them. This work identifies a novel data encoding technique based on 1-of-4 codes to resist differential power analysis attacks, which is the most investigated category of side-channel attacks. The four code words of the 1-of-4 codes, namely (0001, 0010, 1000, and 0100), are split into two sets: set-0 and set-1. Using a select signal, the data processed in hardware is switched between the two encoding sets alternately such that the Hamming weight and Hamming distance are equalized. As a case study, the proposed technique is validated for the NIST standard AES-128 cipher. The proposed technique resists differential power analysis performed using statistical methods, namely correlation, mutual information, difference of means, and Welch's t-test based on the Hamming weight and distance models. The experimental results show that the proposed countermeasure has an area overhead of 2.3× with no performance degradation comparatively.     

Dual-Voltage Single-Rail Dynamic DPA-Resistant Logic Based on Charge Sharing Mechanism

Differential power analysis (DPA) has become a major system security concern.To achieve high levels of security with low power and die area costs,a novel Dual-voltage single-rail dynamic logic (DSDL) design is proposed.The proposed scheme can reduce power dissipation and obtain extremely well-balanced power consumption.The charge sharing mechanism is used for voltage transfer in the internal nodes during the evaluation of the design.Dual power supply voltages are used with positive feedback to speed up the evaluation process.A 4-bit micro Substitution box (SBOX) of the Advanced encryption standard (AES) algorithm has been implemented to verify the security of the proposed logic design.The experimental results proved the security and the efficiency of the proposed DSDL,which can reduce power dissipation by up to 20％ and occupies at most 83％ of the silicon area when compared with previous state-of-the-art countermeasures.     

智能卡差分能量分析实验平台实现与数据优化

随着密码学和密码芯片的广泛应用,针对密码芯片的攻击也日益增多.差分能量分析（Differential Power Analysis,DPA）攻击是最常见的一种侧信道攻击方法.DPA攻击者无须了解加密算法的具体细节,而只通过密码设备的能量迹分析即可破解出设备的密钥.因此,研究DPA攻击十分必要.实现了智能卡DPA实验系统,并对于此系统的能量迹测量数据进行优化处理,从而更有利于针对此类攻击的分析和相应防御措施的设计.     

An Overview of Power Analysis Attacks Against Field Programmable Gate Arrays

Since their introduction by Kocher in 1998, power analysis attacks have attracted significant attention within the cryptographic community. While early works in the field mainly threatened the security of smart cards and simple processors, several recent publications have shown the vulnerability of hardware implementations as well. In particular, field programmable gate arrays are attractive options for hardware implementation of encryption algorithms,but their security against power analysis is a serious concern, as we discuss in this paper. For this purpose, we present recent results of attacks attempted against standard encryption algorithms, provide a theoretical estimation of these attacks based on simple statistical parameters and evaluate the cost and security of different possible countermeasures.     

物理可观测下DES的安全性研究

利用物理观测效应进行的旁路攻击,是通过对密码设备工作时泄漏的时间、功耗等信息的分析,获取密码系统的密钥或相关秘密信息.已有大量防护对策但并没有从根本上阻止攻击.本文在AT89C52上加载了DES算法,并在该平台上对差分功耗旁路攻击与防护方法进行了实验和验证.根据Micali和Reyzin建立的物理观测密码术理论模型,将该模型具体化,对可以抵抗黑盒攻击的密码要素进行修正以抵抗基于物理泄漏的旁路攻击,将RO(random oracle)模型用于物理观测现实世界的安全性证明,给出了对称加密方案物理可观测下安全性定义,并对DES定义了在DPA攻击下的安全性.     

Aiding Side-Channel Attacks on Cryptographic Software With Satisfiability-Based Analysis

Cryptographic algorithms, irrespective of their theoretical strength, can be broken through weaknesses in their implementations. The most successful of these attacks are side-channel attacks which exploit unintended information leakage, e.g., timing information, power consumption, etc., from the implementation to extract the secret key. We propose a novel framework for implementing side-channel attacks where the attack is modeled as a search problem which takes the leaked information as its input, and deduces the secret key by using a satisfiability solver, a powerful Boolean reasoning technique. This approach can substantially enhance the scope of side-channel attacks by allowing a potentially wide range of internal variables to be exploited (not just those that are trivially related to the key). The proposed technique is particularly suited for attacking cryptographic software implementations which may inadvertently expose the values of intermediate variables in their computations (even though, they are very careful in protecting secret keys through the use of on-chip key generation and storage). We demonstrate our attack on standard software implementations of three popular cryptographic algorithms: DES, 3DES, and AES. Our attack technique is automated and does not require mathematical expertise on the part of the attacker     

Low‐Power Design of Hardware One‐Time Password Generators for Card‐Type OTPs

Since card‐type one‐time password (OTP) generators became available, power and area consumption has been one of the main issues of hardware OTPs. Because relatively smaller batteries and smaller chip areas are available for this type of OTP compared to existing token‐type OTPs, it is necessary to implement power‐efficient and compact dedicated OTP hardware modules. In this paper, we design and implement a low‐power small‐area hardware OTP generator based on the Advanced Encryption Standard (AES). First, we implement a prototype AES hardware module using a 350 nm process to verify the effectiveness of our optimization techniques for the SubBytes transform and data storage. Next, we apply the optimized AES to a real‐world OTP hardware module which is implemented using a 180 nm process. Our experimental results show the power consumption of our OTP module using the new AES implementation is only 49.4% and 15.0% of those of an HOTP and software‐based OTP, respectively.     

Low-swing current mode logic (LSCML): A new logic style for secure and robust smart cards against power analysis attacks

A new logic style called low-swing current mode logic (LSCML) is presented. It features a dynamic and differential structure and a low-swing current mode operation. The LSCML logic style may be used for hardware implementation of secure smart cards against differential power analysis (DPA) attacks but also for implementation of self-timed circuits thanks to its self-timed operation. Electrical simulations of the Khazad S-box have been carried out in 0.13 μm PD (partially depleted) SOI CMOS technology. For comparison purpose, the Khazad S-box was implemented with the LSCML logic and two other dynamic differential logic styles previously reported. Simulation results have shown an improved reduction of the data-dependent power signature when using LSCML circuits. Indeed the LSCML based Khazad S-box has shown a power consumption standard deviation more than two times smaller than the one in DyCML and almost two times smaller than the one in DDCVSL.     

防DPA攻击的标准单元库的设计与实现

给出了一个功耗恒定标准单元库的设计实现方法,并利用该标准单元库实现了DES密码算法中的S-盒。实验结果表明,这种标准单元库能够很好地起到防DPA攻击的作用。     

基于FPGA加密芯片的DPA实现与防御研究

差分功耗分析是破解AES密码算法最为有效的一种攻击技术,为了防范这种攻击技术本文基于FPGA搭建实验平台实现了对AES加密算法的DPA攻击,在此基础上通过掩码技术对AES加密算法进行优化与改进。通过实验证明改进后的AES算法能有效的防范DPA的攻击。     

DES芯片抵御高阶差分功耗分析攻击方法研究

分析独特的屏蔽方法及改进方法的不足,提出了逻辑层和算法层相结合抵御高阶差分功耗分析攻击的新方法,并给出芯片半定制设计流程.芯片关键部分电路采用自定义功耗恒定逻辑单元实现,非关键部分电路采用CMOS逻辑以减少功耗和面积.整体电路采用独特的屏蔽方法自定义轮实现.结果表明芯片能够抵御高阶差分功耗分析攻击,运算速度与现有方法相当,而所需资源比现有方法少.     

Vulnerability modeling of cryptographic hardware to power analysis attacks

Designers and manufacturers of cryptographic devices are always worried about the vulnerability of their implementations in the presence of power analysis attacks. This article can be categorized into two parts. In the first part, two parameters are proposed to improve the accuracy of the latest hypothetical power consumption model, so-called toggle-count model, which is used in power analysis attacks. Comparison between our proposed model and the toggle-count model demonstrates a great advance, i.e., 16%, in the similarity of hypothetical power values to the corresponding values obtained by an analog simulation. It is supposed that the attacker would be able to build such an accurate power model. Thus, in the second part of this article we aim at evaluating the vulnerability of implementations to power analysis attacks which make use of our proposed power model. Simple power analysis, various types of differential power analysis, and correlation power analysis are taken into account. Then, some techniques are proposed to examine the vulnerability of implementations to such kinds of power analysis attacks.     

Practical Second‐Order Correlation Power Analysis on the Message Blinding Method and Its Novel Countermeasure for RSA

Recently power attacks on RSA cryptosystems have been widely investigated, and various countermeasures have been proposed. One of the most efficient and secure countermeasures is the message blinding method, which includes the RSA derivative of the binary‐with‐random‐initial‐point algorithm on elliptical curve cryptosystems. It is known to be secure against first‐order differential power analysis (DPA); however, it is susceptible to second‐order DPA. Although second‐order DPA gives some solutions for defeating message blinding methods, this kind of attack still has the practical difficulty of how to find the points of interest, that is, the exact moments when intermediate values are being manipulated. In this paper, we propose a practical second‐order correlation power analysis (SOCPA). Our attack can easily find points of interest in a power trace and find the private key with a small number of power traces. We also propose an efficient countermeasure which is secure against the proposed SOCPA as well as existing power attacks.