Differential Fault Attack on Lightweight Block Cipher LBlock (对轻量级分组密码算法LBlock的差分故障攻击)
  • English title: Differential Fault Attack on Lightweight Block Cipher LBlock
  • Authors: 王涛; 王永娟; 高杨; 张诗怡 (WANG Tao; WANG Yong-Juan; GAO Yang; ZHANG Shi-Yi)
  • Affiliation: Information Engineering University (信息工程大学)
  • Keywords: lightweight block cipher; LBlock algorithm; differential fault attack
  • Journal: 密码学报 (Journal of Cryptologic Research), journal code MMXB
  • Publication date: 2019-02-15
  • Year / volume / issue: 2019, v.6, no. 01
  • Pages: 21-29 (9 pages)
  • Article ID: MMXB201901003
  • CN: 10-1195/TN
  • Funding: National Natural Science Foundation of China (61872381)
  • Language: Chinese
Abstract
This paper first analyses the fault model and the principle of differential fault attacks. Exploiting the non-uniformity of S-box differentials, it builds a lookup relation between each input difference, the resulting output difference and the set of S-box input values that can produce it, giving an optimized differential fault analysis that reduces the candidate space quickly and so raises the efficiency of the attack. Applied to LBlock, this relation quickly and visibly narrows the possible S-box input values and hence pins down the corresponding round (expanded) key. Different fault values (input differences) give different output differences and different sets of possible input values, so the relation forms a set of binary relations. Because lightweight block ciphers mostly use 4×4 S-boxes, this set is small: injecting a few distinct fault values, looking up the table and intersecting the sets of possible input values quickly yields a unique input value. Applying the optimized scheme to LBlock, injecting two faults of width 16 bits at the input of the last round recovers the last round key; the state is then rolled back one round, and injecting two 16-bit faults at the input of the second-to-last round recovers that round's key. Using the key schedule, recovering these two round keys reduces the computational complexity of recovering the master key to 2^19.
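The following Python simulation is an added illustration of the attack the abstract describes; it is not code from the paper. It models the last two rounds of an LBlock-style Feistel network (X_{i+1} = F(X_i, K_i) xor (X_{i-1} <<< 8), F = P(S(X xor K))), builds the (input difference, output difference) -> possible-inputs table for a 4×4 S-box, injects random 16-bit-wide faults at the input of round 31, intersects the table lookups nibble by nibble until K31 is unique, then rolls the state back one round with K31 and repeats for K30. Assumptions: the S-box table S0 is quoted from memory of the LBlock specification and should be checked against it; the same S-box is used in all eight positions (LBlock uses s0..s7 in the round function); PERM is an assumed nibble permutation standing in for the P-layer; the internal state, round keys and fault values are constructed at random.

```python
"""Simulated differential fault attack on the last two rounds of an
LBlock-style Feistel cipher, driven by the S-box lookup table
(input diff, output diff) -> possible S-box inputs."""
import random

# LBlock's S-box s0, quoted from memory of the specification (assumption: verify
# against Wu & Zhang, ACNS 2011). Used in all eight nibble positions for brevity.
S0 = [14, 9, 15, 0, 13, 4, 10, 11, 1, 2, 8, 3, 7, 6, 12, 5]

# Assumed nibble permutation standing in for LBlock's P-layer: u[i] = z[PERM[i]].
# The attack only needs P to be a fixed, invertible permutation of nibbles.
PERM = [2, 0, 3, 1, 6, 4, 7, 5]

# The table from the abstract: (din, dout) -> {u : S0[u] ^ S0[u ^ din] == dout}.
DDT_INPUTS = {}
for _u in range(16):
    for _din in range(1, 16):
        DDT_INPUTS.setdefault((_din, S0[_u] ^ S0[_u ^ _din]), set()).add(_u)


def nibbles(x):
    """Split a 32-bit word into 8 nibbles, index 0 = least significant."""
    return [(x >> (4 * i)) & 0xF for i in range(8)]


def from_nibbles(ns):
    return sum(n << (4 * i) for i, n in enumerate(ns))


def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF


def round_F(x, k):
    """Round function F(X, K) = P(S(X xor K))."""
    z = [S0[a ^ b] for a, b in zip(nibbles(x), nibbles(k))]
    return from_nibbles([z[PERM[i]] for i in range(8)])


def inv_P(u):
    """Undo the P-layer on a 32-bit word; returns the S-box output nibbles z."""
    un, z = nibbles(u), [0] * 8
    for i in range(8):
        z[PERM[i]] = un[i]
    return z


def last_two_rounds(x30, x29, k30, k31, fault_x30=0, fault_x31=0):
    """Rounds 30 and 31 of X_{i+1} = F(X_i, K_i) xor (X_{i-1} <<< 8). A fault is
    XORed into X_30 or X_31 before that round runs. Returns ciphertext (X_32, X_31)."""
    x30 ^= fault_x30
    x31 = (round_F(x30, k30) ^ rotl32(x29, 8)) ^ fault_x31
    x32 = round_F(x31, k31) ^ rotl32(x30, 8)
    return x32, x31


def recover_round_key(observations):
    """observations: list of (x, x_faulty, F_out_diff) for one round, with x the
    correct round input and F_out_diff = F(x, K) xor F(x_faulty, K). Intersects the
    table lookups per nibble; returns K once every nibble is unique, else None."""
    cand = [set(range(16)) for _ in range(8)]
    for x, xf, fdiff in observations:
        dins, douts, xn = nibbles(x ^ xf), inv_P(fdiff), nibbles(x)
        for j in range(8):
            if dins[j] == 0:          # this S-box saw no difference: no information
                continue
            us = DDT_INPUTS.get((dins[j], douts[j]), set())
            cand[j] &= {u ^ xn[j] for u in us}   # S-box input u = x xor k, so k = u xor x
    if all(len(c) == 1 for c in cand):
        return from_nibbles([next(iter(c)) for c in cand])
    return None


def dfa_last_two_rounds(k30, k31, seed=1, max_faults=10_000):
    """Random 16-bit-wide faults (alternating halves) at the input of round 31, then,
    after unwinding with K31, at the input of round 30.
    Returns (recovered K31, recovered K30, faults used for K31, faults used for K30)."""
    rng = random.Random(seed)
    x30, x29 = rng.getrandbits(32), rng.getrandbits(32)   # constructed internal state
    c32, c31 = last_two_rounds(x30, x29, k30, k31)          # correct ciphertext
    # Phase 1: X_31 is the ciphertext right half, so its difference is directly visible.
    obs, n31, rk31 = [], 0, None
    while rk31 is None and n31 < max_faults:
        fault = rng.getrandbits(16) << (16 * (n31 % 2))
        n31 += 1
        f32, f31 = last_two_rounds(x30, x29, k30, k31, fault_x31=fault)
        obs.append((c31, f31, c32 ^ f32))   # the (X_30 <<< 8) term cancels in the XOR
        rk31 = recover_round_key(obs)
    if rk31 is None:
        return None, None, n31, 0
    # Phase 2: roll the state back one round with K31 and attack X_30.
    x30_known = rotl32(c32 ^ round_F(c31, rk31), 24)        # >>> 8 == <<< 24
    obs, n30, rk30 = [], 0, None
    while rk30 is None and n30 < max_faults:
        fault = rng.getrandbits(16) << (16 * (n30 % 2))
        n30 += 1
        f32, f31 = last_two_rounds(x30, x29, k30, k31, fault_x30=fault)
        x30_faulty = rotl32(f32 ^ round_F(f31, rk31), 24)
        obs.append((x30_known, x30_faulty, c31 ^ f31))      # the (X_29 <<< 8) term cancels
        rk30 = recover_round_key(obs)
    return rk31, rk30, n31, n30
```

Calling `dfa_last_two_rounds(k30, k31)` with any two 32-bit round keys returns both keys recovered from ciphertext pairs alone. Because the fault values here are random, some nibble differences are zero or repeat and the simulation typically needs more than the two faults per round the paper reports for chosen or favourable fault values; the table lookup and intersection step is the same. The recovery converges because a differentially 4-uniform S-box has no linear structure, so for every wrong candidate some input difference eventually excludes it.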