A New Threshold Implementation of the S-box in SM4 (一种SM4算法S盒的门限实现方案)
  • Title (Chinese): 一种SM4算法S盒的门限实现方案
  • Title (English): A New Threshold Implementation of the S-box in SM4
  • Authors: LI Xin-Chao (李新超); ZHONG Wei-Dong (钟卫东); ZHANG Shuai-Wei (张帅伟); YANG Xiao-Yuan (杨晓元)
  • Affiliation: Key Laboratory of Network and Information Security of the Chinese Armed Police, Department of Electronic Technology, Engineering University of PAP (武警工程大学电子技术系网络与信息安全武警部队重点实验室)
  • Keywords: SM4; S-box; DPA; threshold implementation; normal basis; ring mask
  • Journal: Journal of Cryptologic Research (密码学报), journal code MMXB
  • Publication date: 2018-12-15
  • Year: 2018
  • Volume: v.5
  • Issue: 06
  • Pages: 67-76 (10 pages)
  • CN: 10-1195/TN
  • Funding: National Natural Science Foundation of China (U1636114); National Key R&D Program of China (2017YFB0802000)
  • Language: Chinese
  • Record ID: MMXB201806007
Abstract
Since their emergence, side-channel attacks have posed a serious threat to the implementation security of cryptographic algorithms. Power analysis, represented by DPA, is one of the typical side-channel attack methods; because it is effective and simple to mount, it has become the most studied and most widely applied attack in the side-channel field. SM4, as China's block cipher standard, has attracted broad attention from industry since the day it was published, and its security quickly became a research hotspot in the field of cryptographic algorithms. Shortly after SM4 was published, researchers in the field recovered its key with a DPA attack, so the implementation security of SM4 faces a major challenge. This paper addresses the question of how SM4 can be protected against second-order DPA and proposes a new scheme, based on threshold implementation theory, that resists second-order DPA attacks. The scheme maps the S-box input into a composite field via a normal basis and computes the inversion there, and then applies threshold implementation theory to construct a new S-box. By splitting the input into three shares, the new S-box gives the scheme the ability to resist second-order DPA attacks; by introducing a ring mask structure and a decomposition method for the inversion, it reduces the implementation area of the scheme. Security analysis shows that the S-box constructed in this scheme effectively resists second-order DPA attacks. Experimental results show that, compared with a conventional composite-field masking scheme, the area of the proposed scheme is reduced by 6% while the number of random masks required stays at a low level.
References
[1] NIKOVA S, RECHBERGER C, RIJMEN V. Threshold implementations against side-channel attacks and glitches[C]. In: Information and Communications Security - ICICS 2006. Springer Berlin Heidelberg, 2006: 529-545. [DOI:10.1007/11935308_38]
[2] MORADI A, POSCHMANN A, LING S, et al. Pushing the limits: A very compact and a threshold implementation of AES[C]. In: Advances in Cryptology - EUROCRYPT 2011. Springer Berlin Heidelberg, 2011: 69-88. [DOI:10.1007/978-3-642-20465-4_6]
[3] BILGIN B, GIERLICHS B, NIKOVA S, et al. A more efficient AES threshold implementation[C]. In: Progress in Cryptology - AFRICACRYPT 2014. Springer Cham, 2014: 267-284. [DOI:10.1007/978-3-319-06734-6_17]
[4] BILGIN B, GIERLICHS B, NIKOVA S, et al. Higher-order threshold implementations[C]. In: Advances in Cryptology - ASIACRYPT 2014. Springer Berlin Heidelberg, 2014: 326-343. [DOI:10.1007/978-3-662-45608-8_18]
[5] DE CNUDDE T, BILGIN B, REPARAZ O, et al. Higher-order threshold implementation of the AES S-box[C]. In: Smart Card Research and Advanced Applications - CARDIS 2015. Springer Cham, 2015: 259-272. [DOI:10.1007/978-3-319-31271-2_16]
[6] LIN T T, LAI X J. Efficient attack to white-box SMS4 implementation[J]. Journal of Software, 2013, 24(9): 2238-2249. [DOI:10.3724/SP.J.1001.2013.04356] (in Chinese)
[7] LIU F, JI W, HU L, et al. Analysis of the SMS4 block cipher[C]. In: Information Security and Privacy - ACISP 2007. Springer Berlin Heidelberg, 2007: 158-170. [DOI:10.1007/978-3-540-73458-1_13]
[8] BAI X F, GUO L, LI T. Differential power analysis attack on SMS4 block cipher[C]. In: Proceedings of 2008 4th IEEE International Conference on Circuits & Systems for Communications. IEEE, 2008: 613-617. [DOI:10.1109/ICCSC.2008.136]
[9] BAI X F, XU Y H, GUO L. Securing SMS4 cipher against differential power analysis and its VLSI implementation[C]. In: Proceedings of 2008 11th IEEE Singapore International Conference on Communication Systems. IEEE, 2009: 167-172. [DOI:10.1109/ICCS.2008.4737165]
[10] LIANG H, WU L, ZHANG X, et al. Design of a masked S-box for SM4 based on composite field[C]. In: Proceedings of Tenth International Conference on Computational Intelligence and Security. IEEE, 2014: 387-391. [DOI:10.1109/CIS.2014.59]
[11] PEI C. A method of masking SM4 and analysis against DPA attacks[J]. Journal of Cryptologic Research, 2016, 3(1): 79-90. [DOI:10.13868/j.cnki.jcr.000111] (in Chinese)
[12] CORON J. Resistance against differential power analysis for elliptic curve cryptosystems[C]. In: Cryptographic Hardware and Embedded Systems - CHES 1999. Springer Berlin Heidelberg, 1999: 292-302. [DOI:10.1007/3-540-48059-5_25]
[13] LI T S, TAN W, CHENG Z H, et al. A quantitative analysis method for security risk against DPA attack on password chip[J]. Computer Applications and Software, 2016, 33(5): 317-320. [DOI:10.3969/j.issn.1000-386x.2016.05.078] (in Chinese)
[14] UENO R, HOMMA N, AOKI T. A systematic design of tamper-resistant Galois-field arithmetic circuits based on threshold implementation with (d+1) input shares[C]. In: Proceedings of International Symposium on Multiple-Valued Logic. IEEE, 2017: 136-141. [DOI:10.1109/ISMVL.2017.35]
[15] DE CNUDDE T, REPARAZ O, NIKOVA S, et al. Masking AES with d+1 shares in hardware[C]. In: Cryptographic Hardware and Embedded Systems - CHES 2016. Springer Berlin Heidelberg, 2016: 194-212. [DOI:10.1145/2996366.2996428]
[16] ZHONG W D, MENG Q Q, ZHANG S W, et al. Implementation and optimization of S-box on AES based on secret sharing[J]. Advanced Engineering Sciences, 2017, 49(1): 191-196. [DOI:10.15961/j.jsuese.2017.01.025] (in Chinese)
