Differential Fault Analysis on Lightweight Block Cipher GIFT
  • Chinese title: 轻量级分组密码GIFT的差分故障攻击
  • Authors: FENG Tian-Yao (冯天耀); WEI Yong-Zhuang (韦永壮); SHI Jia-Li (史佳利); CONG Jing (丛旌); ZHENG Yan-Bin (郑彦斌)
  • Affiliations: Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology; Guangxi Key Laboratory of Wireless Wideband Communication and Signal Processing, Guilin University of Electronic Technology; Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems, Guilin University of Electronic Technology
  • Keywords: lightweight block cipher; differential fault analysis; GIFT; fault model
  • Journal: Journal of Cryptologic Research (密码学报); CNKI journal code MMXB
  • Publication date: 2019-06-15
  • Year: 2019
  • Volume: 6
  • Issue: 3
  • Pages: 59-70 (12 pages)
  • CN: 10-1195/TN
  • CNKI document ID: MMXB201903005
  • Language: Chinese
  • Funding: National Natural Science Foundation of China (61572148, 61602125); Guilin University of Electronic Technology Graduate Student Innovation Project (2017YJCX37); Guangxi Graduate Education Innovation Program (YCBZ2018051); Guangxi Natural Science Foundation (2016GXNSFBA380153)
Abstract
Differential fault analysis (DFA) recovers key material from the difference between a correct intermediate state and the state obtained after a fault has been injected, and is one of the most serious threats to implementations of lightweight ciphers. The lightweight block cipher GIFT, proposed by Subhadeep Banik et al. at CHES 2017, has a simple structure and an efficient implementation and has attracted wide attention. So far GIFT has been studied mainly with classical mathematical techniques such as linear and differential cryptanalysis, which have produced many results; whether it resists differential fault attacks remained open. Using the structure of the GIFT round function and the basic idea of differential fault analysis, this paper proposes two differential fault attacks. In the first, a 1-bit fault is injected into the intermediate state of rounds 28, 27, 26 and 25 in turn; theoretically, an average of 192 faulty ciphertexts suffices to recover the master key. In the second, a 1-bit fault is injected into the intermediate state of rounds 26, 25, 24 and 23 in turn, and an average of only 32 faulty ciphertexts suffices. Both attacks are therefore effective against an unprotected GIFT implementation.
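The key-recovery step behind both attacks is the one Biham and Shamir introduced: compare a correct ciphertext with one computed from the same plaintext after a single-bit fault, undo the public parts of the last round, and keep only the round-key guesses that explain the observed S-box output difference by a 1-bit input difference. The block below is an added illustration, not code from the paper or from the GIFT designers. It models GIFT-64 (the 28-round variant, which is how I read the round numbers in the abstract) with the S-box, bit permutation, key schedule and round-constant LFSR as given in the CHES 2017 specification, in my own encoding; check it against the designers' published test vectors before relying on it. A hook flips one state bit before the S-box layer of a chosen round, and the last-round step runs under an assumed model: the attacker chooses the plaintext, obtains the correct and faulty ciphertexts, and knows that exactly one bit was flipped before the final SubCells but not which one. Because a GIFT round key enters only two bits of every nibble, this step yields only the 32-bit last round key U||V; the paper's attacks go on to fault rounds 27 to 25 (or 26 to 23) to recover the full 128-bit key, which this example does not reproduce, and its fault counts come from this naive random-position model, not the paper's 192 and 32. The names encrypt, dfa_last_round and demo are mine.

```python
# Added example: GIFT-64 model with a 1-bit fault hook and the last-round DFA step.
import random

SBOX = [0x1, 0xa, 0x4, 0xc, 0x6, 0xf, 0x3, 0x9,
        0x2, 0xd, 0xb, 0x7, 0x5, 0x0, 0x8, 0xe]
SBOX_INV = [SBOX.index(v) for v in range(16)]
ROUNDS = 28

# Bit permutation of GIFT-64: state bit i moves to P64[i]. Note P64[i] == i (mod 4),
# so the two key-bearing bits of every nibble are still key-bearing after permutation.
P64 = [4 * (i // 16) + 16 * ((3 * ((i % 16) // 4) + (i % 4)) % 4) + (i % 4)
       for i in range(64)]
P64_INV = [P64.index(i) for i in range(64)]

def round_constants():
    # 6-bit LFSR of the spec: c5..c0 <- c4..c0 || (c5 ^ c4 ^ 1), one value per round
    consts, c = [], 0
    for _ in range(ROUNDS):
        c = ((c << 1) | (((c >> 5) ^ (c >> 4) ^ 1) & 1)) & 0x3f
        consts.append(c)
    return consts

RC = round_constants()

def sub_cells(s):
    return sum(SBOX[(s >> (4 * j)) & 0xf] << (4 * j) for j in range(16))

def permute(s, table):
    return sum(((s >> i) & 1) << table[i] for i in range(64))

def const_mask(r):
    # round constant lands on bit 63 and on bits 3, 7, 11, 15, 19, 23 (c0..c5)
    return (1 << 63) | sum(((RC[r] >> k) & 1) << (4 * k + 3) for k in range(6))

def round_keys(key):
    # RK = U||V = k1||k0; then k1 >>>= 2, k0 >>>= 12 and the key state rotates by 32 bits
    rks, k = [], key
    for _ in range(ROUNDS):
        k0, k1 = k & 0xffff, (k >> 16) & 0xffff
        rks.append((k1, k0))
        k1n = ((k1 >> 2) | (k1 << 14)) & 0xffff
        k0n = ((k0 >> 12) | (k0 << 4)) & 0xffff
        k = (((k1n << 16) | k0n) << 96) | (k >> 32)
    return rks

def add_round_key(s, u, v):
    # u_i is XORed into state bit 4i+1, v_i into state bit 4i
    return s ^ sum((((u >> i) & 1) << (4 * i + 1)) | (((v >> i) & 1) << (4 * i))
                   for i in range(16))

def encrypt(pt, key, fault_bit=None, fault_round=ROUNDS):
    # fault_bit, if given, flips that state bit right before SubCells of round fault_round
    s = pt
    for r, (u, v) in enumerate(round_keys(key), start=1):
        if fault_bit is not None and r == fault_round:
            s ^= 1 << fault_bit
        s = add_round_key(permute(sub_cells(s), P64), u, v) ^ const_mask(r - 1)
    return s

def dfa_last_round(oracle, rng, max_faults=4000):
    """oracle(pt, bit) -> (correct ct, ct with bit flipped before the last SubCells).
    Recovers (U, V) of the last round key; returns (U, V, faults_used) or None."""
    cands = [{0, 1, 2, 3} for _ in range(16)]   # low two bits of each nibble of W = P^-1(RK)
    rc = const_mask(ROUNDS - 1)                  # the round constant is public
    used = 0
    while used < max_faults and any(len(c) > 1 for c in cands):
        ct, ct_f = oracle(rng.getrandbits(64), rng.randrange(64))  # fault position unknown to us
        used += 1
        z, z_f = permute(ct ^ rc, P64_INV), permute(ct_f ^ rc, P64_INV)  # = S(x) ^ W
        hit = [j for j in range(16) if ((z ^ z_f) >> (4 * j)) & 0xf]
        if len(hit) != 1:            # a 1-bit fault before the S-box disturbs exactly one nibble
            continue
        j = hit[0]
        zj, zfj = (z >> (4 * j)) & 0xf, (z_f >> (4 * j)) & 0xf
        # keep a key guess only if it explains the output difference by a 1-bit input difference
        cands[j] = {k for k in cands[j]
                    if bin(SBOX_INV[zj ^ k] ^ SBOX_INV[zfj ^ k]).count("1") == 1}
    if any(len(c) != 1 for c in cands):
        return None
    rk = permute(sum(next(iter(cands[j])) << (4 * j) for j in range(16)), P64)
    u = sum(((rk >> (4 * i + 1)) & 1) << i for i in range(16))
    v = sum(((rk >> (4 * i)) & 1) << i for i in range(16))
    return u, v, used

def demo(seed=1):
    # constructed scenario: random key; the attacker gets correct/faulty ciphertext pairs
    rng = random.Random(seed)
    key = rng.getrandbits(128)
    oracle = lambda pt, bit: (encrypt(pt, key), encrypt(pt, key, fault_bit=bit))
    return dfa_last_round(oracle, rng), round_keys(key)[-1]

if __name__ == "__main__":
    recovered, actual = demo()
    print("recovered (U, V, faults):", recovered, " actual (U, V):", actual)
```

Running the file prints the recovered (U, V) beside the actual last round key. Each random fault lands in one of sixteen nibbles, and a wrong 2-bit guess for that nibble survives a given fault only part of the time, so the naive model needs a few hundred faults before every nibble is resolved; choosing the fault position and round deliberately, as the paper does, is what brings the count down to the figures in the abstract.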
References
[1] WU C K. An overview on the security techniques and challenges of the Internet of things[J]. Journal of Cryptologic Research, 2015, 2(1): 40-53. [DOI:10.13686/j.cnki.jcr.000059] (in Chinese)
[2] CAO X, KOU W, DU X. A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges[J]. Information Sciences, 2010, 180(15): 2895-2903. [DOI:10.1016/j.ins.2010.04.002]
[3] TENG J K, WU C K. An identity-based group key agreement protocol for low power mobile devices[J]. Chinese Journal of Electronics, 2016, 25(4): 726-733. [DOI:10.1049/cje.2016.06.038]
[4] BANIK S, PANDEY S K, PEYRIN T, et al. GIFT: A small present[C]. In: Cryptographic Hardware and Embedded Systems - CHES 2017. Springer Cham, 2017: 321-345. [DOI:10.1007/978-3-319-66787-4_16]
[5] BOGDANOV A, KNUDSEN L R, LEANDER G, et al. PRESENT: An ultra-lightweight block cipher[C]. In: Cryptographic Hardware and Embedded Systems - CHES 2007. Springer Berlin Heidelberg, 2007: 450-466. [DOI:10.1007/978-3-540-74735-2_31]
[6] BANIK S, BOGDANOV A, ISOBE T, et al. Midori: A block cipher for low energy[C]. In: Advances in Cryptology - ASIACRYPT 2015, Part II. Springer Berlin Heidelberg, 2015: 411-436. [DOI:10.1007/978-3-662-48800-3_17]
[7] BORGHOFF J, CANTEAUT A, GÜNEYSU T, et al. PRINCE - A low-latency block cipher for pervasive computing applications[C]. In: Advances in Cryptology - ASIACRYPT 2012. Springer Berlin Heidelberg, 2012: 208-225. [DOI:10.1007/978-3-642-34961-4_14]
[8] WU W, ZHANG L. LBlock: A lightweight block cipher[C]. In: Applied Cryptography and Network Security - ACNS 2011. Springer Berlin Heidelberg, 2011: 327-344. [DOI:10.1007/978-3-642-21554-4_19]
[9] GUO J, PEYRIN T, POSCHMANN A, et al. The LED block cipher[C]. In: Cryptographic Hardware and Embedded Systems - CHES 2011. Springer Berlin Heidelberg, 2011: 326-341. [DOI:10.1007/978-3-642-23951-9_22]
[10] IZADI M, SADEGHIYAN B, SADEGHIAN S S, et al. MIBS: A new lightweight block cipher[C]. In: Cryptology and Network Security - CANS 2009. Springer Berlin Heidelberg, 2009: 334-348. [DOI:10.1007/978-3-642-10433-6_22]
[11] KOBAYASHI E, SUZAKI T, MINEMATSU K, et al. TWINE: A lightweight block cipher for multiple platforms[C]. In: Selected Areas in Cryptography - SAC 2012. Springer Berlin Heidelberg, 2012: 339-354. [DOI:10.1007/978-3-642-35999-6_22]
[12] BEAULIEU R, TREATMAN-CLARK S, SHORS D, SMITH J. The SIMON and SPECK lightweight block ciphers[C]. In: Proceedings of the 52nd ACM/EDAC/IEEE Design Automation Conference (DAC). IEEE, 2015: 1-6. [DOI:10.1145/2744769.2747946]
[13] BEIERLE C, JEAN J. The SKINNY family of block ciphers and its low-latency variant MANTIS[C]. In: Advances in Cryptology - CRYPTO 2016, Part II. Springer Berlin Heidelberg, 2016: 123-153. [DOI:10.1007/978-3-662-53008-5_5]
[14] BIHAM E, SHAMIR A. Differential fault analysis of secret key cryptosystems[C]. In: Advances in Cryptology - CRYPTO '97. Springer Berlin Heidelberg, 1997: 513-525. [DOI:10.1007/BFb0052259]
[15] WANG Y D, ZHAO X J, ZHANG F, et al. Security evaluation for fault attacks on lightweight block cipher Midori[J]. Journal of Cryptologic Research, 2017, 4(1): 58-78. [DOI:10.13868/j.cnki.jcr.000163] (in Chinese)
[16] LAC B, BEUNARDEAU M, CANTEAUT A, et al. A first DFA on PRIDE: From theory to practice[C]. In: Risks and Security of Internet and Systems - CRiSIS 2016. Springer Cham, 2016: 214-238. [DOI:10.1007/978-3-319-54876-0_17]
[17] BAGHERI N, EBRAHIMPOUR R, GHAEDI N. New differential fault analysis on PRESENT[J]. EURASIP Journal on Advances in Signal Processing, 2013, 2013(1): 145. [DOI:10.1186/1687-6180-2013-145]
[18] HUANG J, ZHAO X J, ZHANG F, et al. Improvement and evaluation for algebraic fault attacks on PRESENT[J]. Journal on Communications, 2016, 37(8): 144-156. [DOI:10.11959/j.issn.1000-436x.2016165] (in Chinese)
[19] WU W L, FENG D G, ZHANG W T. Design and Analysis of Block Ciphers[M]. 2nd ed. Beijing: Tsinghua University Press, 2009: 99-104. (in Chinese)
