Grain-128同步流密码的选择初始向量相关性能量攻击

不同于分组密码，序列密码构造相对简单且大量使用线性运算，因此攻击点功耗与其他功耗成分之间往往存在较强的相关性，使得能量分析攻击难以实施。针对上述现状，提出了一种面向Grain-128同步流密码的选择初始向量（IV）相关性能量攻击方案。首先对Grain-128的输出函数h(x)进行了分析，并基于此确定了攻击点表达式；其次通过选取特定的初始向量，消除了攻击点功耗和其他功耗成分之间的相关性，从而解决了能量攻击所面临的关键问题；最后基于功耗分析工具PrimeTimePX对攻击方案进行了验证。结果表明，该方案仅需736个IV样本即可实施23轮攻击，恢复46比特密钥。

Chosen initial vector correlation power attack on synchronous stream cipher Grain-128

Unlike block cipher, stream ciphers are relatively simple and widely use linear operation, so there is often a strong correlation between the power of attack point and other power components, making it difficult to implement power analysis attacks. For the aforementioned situation, a chosen-Initial Vector (IV) correlation power analysis attack on synchronous stream cipher Grain-128 was proposed. First, the attack point and its power consumption model were gotten by analyzing the property of Grain-128's output function h(x). Then the correlation between the power of attack point and other power components was eliminated by choosing specific initial vectors, and the key problem facing the energy attacks was solved. Finally, a verification experiment was conducted based on power analysis tool PrimeTimePX. The results show that the scheme can implement 23 rounds attack and recover 46 bits key with only 736 initial vectors.