Abstract (translated from Chinese): Side-channel attacks, in particular differential power analysis (DPA), are one of the main means of analyzing the security of block cipher algorithms running in chips. This paper studies DPA attacks against hardware implementations of the SM4 algorithm. Choosing the plaintexts appropriately lets the varying input bits of the SM4 linear transformation layer affect as few output bits as possible, which enables effective side-channel attacks on hardware implementations of SM4. By analyzing the bit relations of the linear transformation layer, this paper identifies 8 bit dependency relations under the chosen-plaintext model. On this basis, these bit dependencies are combined with the known bit relations to build an analysis model that makes fuller use of the bit information of the round output, thereby improving the existing chosen-plaintext DPA attacks on SM4. Experimental results show that the method effectively improves the success rate of chosen-plaintext DPA attacks on SM4.
Abstract: Since differential power analysis (DPA) is one of the most important side-channel attacks on block ciphers implemented in chips, this paper revisits the DPA attack on hardware-implemented SM4. Reasonably choosing the plaintexts minimizes the effect of the variable input bits on the output bits of the linear transformation of SM4, which leads to effective side-channel attacks on SM4. This paper deduces 8 bit-relationships in the chosen-plaintext setting by going into the linear transformation of SM4. Incorporating these bit-relationships with the known ones, this paper improves the previous chosen-plaintext DPA attacks on SM4 by proposing an analysis model that makes better use of the side-channel information of the round-output bits. Experimental results show that the proposed method improves the success rate of the chosen-plaintext DPA attacks on SM4.
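As an added illustration, not the paper's own code or results, the following Python computes the bit-dependency structure of SM4's public linear transformation L: which output bits can change when only a chosen set of its input bits varies. This is the diffusion property behind the abstract's point that a chosen-plaintext set leaves few round-output bits variable, and it is equally what an evaluator needs when deciding which round-output bits a leakage assessment should model. All function names are this example's own.

```python
import random

MASK32 = 0xFFFFFFFF
# Rotation offsets of SM4's round-function linear transformation L (public spec).
L_OFFSETS = (0, 2, 10, 18, 24)


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sm4_L(b):
    """L(B) = B ^ (B<<<2) ^ (B<<<10) ^ (B<<<18) ^ (B<<<24)."""
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)


def input_bits_feeding(out_bit):
    """Input bit positions of L that output bit `out_bit` depends on."""
    return {(out_bit - k) % 32 for k in L_OFFSETS}


def output_bits_affected(varying_in_bits):
    """Output bit positions of L that can change when only the given input
    bits vary. L is linear, so the union of the single-bit images suffices."""
    mask = 0
    for i in varying_in_bits:
        mask |= sm4_L(1 << i)
    return {j for j in range(32) if (mask >> j) & 1}


def check_against_bruteforce(varying_in_bits, trials=2000, seed=1):
    """Cross-check the closed form by sampling random L inputs that differ only
    in the chosen positions and recording which output bits actually flip."""
    rng = random.Random(seed)
    allowed = 0
    for i in varying_in_bits:
        allowed |= 1 << i
    seen = 0
    for _ in range(trials):
        base = rng.getrandbits(32)
        delta = rng.getrandbits(32) & allowed  # constructed sample difference
        seen |= sm4_L(base) ^ sm4_L(base ^ delta)
    flipped = {j for j in range(32) if (seen >> j) & 1}
    return flipped == output_bits_affected(varying_in_bits)


if __name__ == "__main__":
    for bits in ([0], [0, 1], [0, 8], [0, 16]):
        out = output_bits_affected(bits)
        print(f"varying input bits {bits} -> {len(out)} output bits of L can change")
```

Note that two varying bits 8 or 16 positions apart touch only 7 or 8 output bits, whereas two adjacent bits touch 10, which is why the spacing of the chosen plaintext's variable bits matters for how the round output leaks.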