一种分组密码S盒抗Glitch攻击的方案

伴随着网络信息时代的飞速发展,各种电子产品应运而生,人们的生活变得越来越智能,越来越便捷,然而在便捷的背后却隐藏着重大的安全隐患。密码芯片是保障信息安全的重要手段之一,所以提高密码芯片的安全性迫在眉睫。以Stefan等人的针对分组密码芯片S盒的Glitch攻击为模型背景,通过加入一组同步寄存器提出基于FPGA的一种针对分组密码S盒抗Glitch攻击的方案,并通过CMOS器件的属性和Altera公司在QuatusⅡ软件中嵌入的Signal Tap功能,从理论和仿真两方面分别验证了该方案不但能够大幅度减少Glitch的个数,还能够减少各级电路产生Glitch的相关性,从而降低了攻击的成功率,提高了分组密码S盒实现的安全性,为后续FPGA密码芯片的防护提供了依据。     

Rijndael分组密码与差分攻击

深入研究了Rijndael分组密码,将字节代替变换中的有限域GF(28)上模乘求逆运算和仿射变换归并成了一个8×8的S盒,将圈中以字节为单位进行的行移位、列混合、密钥加三种运算归并成了一个广义仿射变换.基于归并将Rijndael密码算法了进行简化,结果表明Rijndael密码实质上是一个形如仿射变换Y=A(?)S(X)(?)K的非线性迭代算法,并以分组长度128比特、密钥长度128比特作为特例,给出了二轮Rijndael密码的差分攻击.文中还给出了Rijndael密码算法的精简描述,并指出了算法通过预计算快速实现的有效方法.     

针对分组密码的攻击方法研究

为提升旁路攻击对分组密码算法硬件实现电路的攻击效果,增大正确密钥与错误密钥间的区分度,提出一种针对分组密码的旁路攻击方法。结合差分功耗分析(DPA)攻击和零值攻击的特点,通过分类来利用尽可能多的功耗分量,以攻击出全部密钥。在FPGA上实现AES硬件电路并进行实验,结果表明,在20万条全随机明文曲线中,该方法恢复出了全部密钥,相比DPA攻击方法,其正确密钥与错误密钥间的区分度更大。     

针对AES分组密码S盒的差分故障分析

研究了AES分组密码对差分故障攻击的安全性,攻击采用面向字节的随机故障模型,结合差分分析技术,通过在AES第8轮列混淆操作前导入随机单字节故障,一次故障导入可将AES密钥搜索空间由2128降低到232.3,在93.6%的概率下,两次故障导入无需暴力破解可直接恢复128位AES密钥.数学分析和实验结果表明:分组密码差分S盒取值的不完全覆盖性为差分故障分析提供了可能性,而AES密码列混淆操作良好的扩散特性极大的提高了密钥恢复效率,另外,本文提出的故障分析模型可适用于其它使用S盒的分组密码算法.     

一类分组密码的S盒重组算法

S盒是许多分组密码唯一的非线性部件,它的密码强度决定了整个密码算法的安全强度.足够大的S盒是安全的,但为了便于实现,分组密码多采用若干小S盒拼凑.针对一类分组密码算法,通过将S盒与密钥相关联,给出了S盒重组算法,丰富了S盒的应用模式,有效提高了分组密码的安全强度.     

一种针对分组密码的抗能量攻击电路设计

为提高分组密码算法电路的抗能量攻击能力,参考掩码技术的思想,基于取反的基本操作提出了反向交错的概念,对反向交错的关键性质进行了证明,以此为依据设计了一种反向交错的电路结构,并通过加入一级寄存器的方式打乱时序对齐,得到了优化的电路结构,通过功耗随机化的方法提升了算法的抗能量攻击能力。最后将该结构应用到AES-128算法电路中并进行了加解密功能、防护功能和运算性能三方面的验证,结果表明本文设计的电路结构能正确进行加解密,且具有较好的防护效果和运算性能。     

一种快速求解密码S盒差分均匀度下界的新方法

密码S盒是对称密码算法的核心部件,其代数性质通常决定着密码算法整体的安全强度.密码S盒的差分均匀度是度量其抵御差分密码分析的能力.对于n比特输入及n比特输出的密码S盒,传统求解其差分均匀度的方法需要大约O(2³ⁿ)次运算;而当n较大时(比如n>15),因搜索空间较大,从而导致花销时间太长(甚至计算不可行)等问题.如何快速判定(大状态)密码S盒的差分均匀度是目前的研究难点之一.本文基于密码S盒的循环差分特性,提出了一种求解其差分均匀度下界的新方法：通过统计循环差分对出现的次数,快速评估其解存在的个数,并由此给出密码S盒差分均匀度的下界.该方法所需的时间复杂度仅为O(2ⁿ)次运算.实验结果证实：对于4比特、5比特、7比特、8比特、9比特及多个16比特的S盒,利用该求解算法捕获的差分均匀度下界与真实的差分均匀度值是完全一致的.特别地,针对PRESENT、Keccak、MISTY-7、AES、MISTY-9、NBC及其变体使用的密码S盒,该方法求解其差分均匀度下界时所花销的时间均比传统算法节省82%以上.该方法为进一步评估大状态密码S盒的代数性...     

分组密码Cache攻击技术研究

近年来,Cache攻击已成为微处理器上分组密码实现的最大安全威胁,相关研究是密码旁路攻击的热点问题.对分组密码Cache攻击进行了综述.阐述了Cache工作原理及Cache命中与失效旁路信息差异,分析了分组密码查表Cache访问特征及泄露信息,从攻击模型、分析方法、研究进展3个方面评述了典型的分组密码Cache攻击技术,并对Cache攻击的发展特点进行了总结,最后指出了该领域研究存在的问题,展望了未来的研究方向.     

针对PRESENT分组密码算法的代数分析*

本文研究针对PRESENT分组密码的代数分析。通过使用S盒的表达式形式,构建出多轮PRESENT加密中的代数方程组。这种构建方程的方法被推广到具有小型S盒的典型SPN型分组密码算法的方程构建问题中。文中还对简化的PRESENT算法进行了攻击实验。采用MiniSAT作为攻击过程中的求解工具,对4轮、6轮PRESENT加密进行实际攻击。可以在一分钟之内恢复4轮加密的所有密钥,数小时内恢复6轮加密的密钥。并且通过引入了差分思想,首次将有效攻击轮数提高到8轮。     

分组密码S盒的可重构设计方案

对两种可行的S盒可重构设计方案进行了分析与比较,在此基础上提出采用查找表方式来对可重构S盒进行设计.以6×4模式的S盒为基础,对6×4和8×8的S盒的可重构设计进行了详细讨论.通过分析,该设计模型能对4×4和8×32的S盒进行很好的重构支持.从而便完成了对4×4、6×4、8×8、8×32这4种模式的S盒的可重构设计.设计结果表明,该模型能灵活地实现4种不同模式的S盒变换,并能使资源得到充分利用,减少资源的消耗.     

DBST: a lightweight block cipher based on dynamic S-box

IoT devices have been widely used with the advent of 5G. These devices contain a large amount of private data during transmission. It is primely important for ensuring their security. Therefore, we proposed a lightweight block cipher based on dynamic S-box named DBST. It is introduced for devices with limited hardware resources and high throughput requirements. DBST is a 128-bit block cipher supporting 64-bit key, which is based on a new generalized Feistel variant structure. It retains the consistency and significantly boosts the diffusion of the traditional Feistel structure. The SubColumns of round function is implemented by combining bit-slice technology with subkeys. The S-box is dynamically associated with the key. It has been demonstrated that DBST has a good avalanche effect, low hardware area, and high throughput. Our S-box has been proven to have fewer differential features than RECTANGLE S-box. The security analysis of DBST reveals that it can against impossible differential attack, differential attack, linear attack, and other types of attacks.     

基于非S盒变换的DES分组密码的改进

通过对分组密码安全性设计的分析,针对DES分组密码的不足进行改进,设计了一种基于非S盒变换的变种DES,用随机数产生S盒的排列顺序,通过对密钥和S盒顺序的交替移位,使所有的明文采用不同的密钥加密或不同的S盒处理,任意两组相同的明文加密后都会产生不同的密文,从而实现牢不可破的"一次一密"的密码体制.     

轻型分组密码LED代数故障攻击方法

针对CHES 2011会议上提出的轻型分组密码LED,给出了一种代数故障攻击方法。首先利用代数攻击方法建立密码算法等效布尔代数方程组;然后基于单比特故障模型根据算法故障密文得到差分故障信息,并转换为额外的代数方程组;最后利用CryptoMiniSAT解析器求解密钥。实验结果表明,针对LED算法代数故障攻击优于传统的差分故障分析,第30轮一次故障注入即可在122 s内恢复LED 64 bit完整密钥。     

SNAKE(2)分组密码的积分攻击

针对目前对SNAKE算法的安全性分析主要是插值攻击及不可能差分攻击,评估了SNAKE(2)算法对积分攻击的抵抗能力。利用高阶积分的思想,构造了一个8轮区分器,利用该区分器,对SNAKE(2)算法进行了9轮、10轮积分攻击。攻击结果表明,SNAKE(2)算法对10轮积分攻击是不免疫的。     

轻量级分组密码Piccolo的积分攻击

针对Piccolo-80算法提出了一种5轮积分区分器,并将其向解密方向扩展了2轮,得到了7轮区分器。使用5轮区分器对无白化密钥的Piccolo-80进行了7轮和8轮的攻击,使用7轮区分器进行了9轮的攻击。其中,最好的攻击结果是使用7轮区分器,对有白化密钥的Piccolo-80进行9轮攻击,可恢复32比特相关轮密钥,需要的数据复杂度为2的48次方个明文,时间复杂度为2的52.237方次9轮加密。     

What is the effective key length for a block cipher: an attack on every practical block cipher

Recently,several important block ciphers are considered to be broken by the brute-force-like cryptanalysis,with a time complexity faster than the exhaustive key search by going over the entire key space but performing less than a full encryption for each possible key.Motivated by this observation,we describe a meetin-the-middle attack that can always be successfully mounted against any practical block ciphers with success probability one.The data complexity of this attack is the smallest according to the unicity distance.The time complexity can be written as 2k(1-),where>0 for all practical block ciphers.Previously,the security bound that is commonly accepted is the length k of the given master key.From our result we point out that actually this k-bit security is always overestimated and can never be reached because of the inevitable loss of the key bits.No amount of clever design can prevent it,but increments of the number of rounds can reduce this key loss as much as possible.We give more insight into the problem of the upper bound of effective key bits in block ciphers,and show a more accurate bound.A suggestion about the relationship between the key size and block size is given.That is,when the number of rounds is fixed,it is better to take a key size equal to the block size.Also,effective key bits of many well-known block ciphers are calculated and analyzed,which also confirms their lower security margins than thought before.The results in this article motivate us to reconsider the real complexity that a valid attack should compare to.     

Differential attack on nine rounds of the SEED block cipher

The SEED block cipher has a 128-bit block length, a 128-bit user key and a total number of 16 rounds. It is an ISO international standard. In this letter, we describe two 7-round differentials with a trivially larger probability than the best previously known one on SEED, and present a differential cryptanalysis attack on a 9-round reduced version of SEED. The attack requires a memory of 2^69.71 bytes, and has a time complexity of 2^126.36 encryptions with a success probability of 99.9% when using 2¹²⁵ chosen plaintexts, or a time complexity of 2^125.36 encryptions with a success probability of 97.8% when using 2¹²⁴ chosen plaintexts. Our result is better than any previously published cryptanalytic results on SEED in terms of the numbers of attacked rounds, and it suggests for the first time that the safety margin of SEED decreases below half of the number of rounds.     

SCARE and power attack on AES-like block ciphers with secret S-box

Despite Kerckhoff's principle, there are secret ciphers with unknown components for diplomatic or military usages. The side-channel analysis of reverse engineering (SCARE) is developed for analyzing secret ciphers. Considering the side-channel leakage, SCARE attacks enable the recovery of some secret parts of a cryptosystem, e.g., the substitution box table. However, based on idealized leakage assumption, most of these attacks have a few limitations on prior knowledge or implementations. In this paper, we focus on AES-like block ciphers with a secret S-box and demonstrate an attack which recovers both the secret key and the secret S-box. On the one hand, the key is recovered under profiled circumstance by leakage analysis and collision attack. On the other hand, the SCARE attack is based on mathematical analysis. It relies on Hamming weight of MixColumns intermediate results in the first round, which can restore the secret S-box. Experiments are performed on real power traces from a software implementation of AES-like block cipher. Moreover, we evaluate the soundness and efficiency of our method by simulations and compare with previous approaches. Our method has more advantages in intermediate results location and the required number of traces. For simulated traces with gaussian noise, our method requires 100000 traces to fully restore the secret S-box, while the previous method requires nearly 300000 traces to restore S-box.