Research on Side-Channel Analysis of AES and Countermeasures
Abstract
Traditional block-cipher cryptanalysis is confined to the mathematical structure of the algorithm, and its attacks are often of limited practical effect. The cryptographic community at home and abroad is intensifying research on analysis methods based on the algorithm's implementation, and side-channel analysis, as a new cryptanalytic method, has quickly become a research focus. In the area of power analysis and fault attacks on AES and their countermeasures, the main work completed in this thesis is as follows:
     First, the metric for an S-box's resistance to DPA is studied and a new lower bound on S-box DPA resistance is derived. From this bound, lower bounds for Boolean functions of different nonlinearity can be computed, and the resulting values are more precise than earlier results. The relationship between a cipher's nonlinearity and its S-box's DPA resistance is given, leading to the conclusion that a cipher's nonlinearity is inversely related to its ability to resist power analysis; simulation experiments confirm this conclusion.
     Next, fault attacks on AES are studied: a differential fault attack on AES exploiting the nonlinear S-box operation is implemented successfully, existing algorithms are improved to reduce their computational complexity, and the fault-analysis methods for AES are unified by means of a symbolic approach.
     Finally, countermeasures against power analysis and fault attacks are analysed together, a secure algorithm for cryptographic chips using AES that resists both power analysis and fault analysis is proposed, its usefulness against timing analysis is also explained, and an integrated defence scheme against side-channel analysis is established.
Traditional block-cipher cryptanalysis mainly focuses on the mathematical structure of cipher systems, and has often proved to be of limited effectiveness. Recently, much work in the cryptographic community has addressed cryptanalysis based on the implementation of cipher systems, and side-channel analysis, as a newly proposed cryptanalytic technique, is the current hot spot. This thesis concentrates on power analysis and fault attacks on AES, as well as their countermeasures. The main work is as follows:
     Firstly, the S-box's capability index of DPA resistance is studied, and a new lower bound on the S-box's capability of DPA resistance is deduced. Based on this bound, the lower bounds of Boolean functions with different nonlinearity can be calculated. Then the relationship between the nonlinearity and the S-box's capability of DPA resistance is described in detail, and the conclusion that the S-box's capability of DPA resistance decreases as the nonlinearity of the cipher system grows is proposed, which is verified by our simulation.
     Secondly, fault attacks on the Advanced Encryption Standard are studied, and a fault attack on AES through the S-box's nonlinear operation is successfully implemented. These approaches are then systematized by symbolic methods, which provides an effective avenue for further research on provable security.
     Finally, methods of preventing power analysis and fault attacks are discussed, and a security algorithm against power analysis and fault attacks, as well as timing analysis, is proposed for chip cards implementing the AES cipher. On this basis, a defence against side-channel analysis can be established.
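The first result of the thesis, that higher nonlinearity goes together with weaker resistance to DPA, can be checked numerically on concrete S-boxes. The following is an added example, not code from the thesis: since the thesis's own lower bound is not reproduced on this page, it uses Prouff's transparency order (FSE 2005) as the DPA-resistance metric instead, and compares the AES S-box (rebuilt here from GF(2^8) inversion and the FIPS-197 affine map) with the identity S-box, a constructed affine example of nonlinearity 0. The function names (`nonlinearity`, `transparency_order`, `compare`) are the example's own.

```python
"""Nonlinearity and a DPA-resistance metric for 8-bit S-boxes (added example).

Two quantities are computed for each S-box F:
  * nonlinearity: minimum over non-zero output masks b of the nonlinearity
    of the Boolean function x -> b.F(x), obtained from its Walsh spectrum;
  * Prouff's transparency order TO(F): a DPA-resistance measure under the
    Hamming-weight leakage model, where a LOWER value means less leakage.
"""


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def gf_inv(x):
    """Multiplicative inverse in GF(2^8) as x^254; AES maps 0 to 0."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if x else 0


def aes_sbox():
    """Build the AES S-box: field inversion followed by the FIPS-197 affine map."""
    def rotl(b, k):
        return ((b << k) | (b >> (8 - k))) & 0xFF
    return [(lambda b: b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63)(gf_inv(x))
            for x in range(256)]


IDENTITY_SBOX = list(range(256))  # constructed affine S-box, nonlinearity 0


def parity(x):
    return bin(x).count("1") & 1


def walsh(f_vals):
    """Fast Walsh-Hadamard transform: index a holds sum_x (-1)^(f(x) xor a.x)."""
    w = [1 - 2 * v for v in f_vals]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                x, y = w[j], w[j + h]
                w[j], w[j + h] = x + y, x - y
        h *= 2
    return w


def nonlinearity(sbox, n=8):
    """NL(F) = min over b != 0 of 2^(n-1) - max_a |W_{b.F}(a)| / 2."""
    best = 1 << n
    for b in range(1, 1 << n):
        spectrum = walsh([parity(b & y) for y in sbox])
        best = min(best, (1 << (n - 1)) - max(abs(w) for w in spectrum) // 2)
    return best


def transparency_order(sbox, n=8):
    """TO(F) = max_beta ( |n - 2H(beta)| - (1/(2^2n - 2^n)) *
    sum_{a != 0} | sum_{H(v)=1} (-1)^(v.beta) W_{D_aF}(0, v) | ), after Prouff."""
    size = 1 << n
    # W[a][i] = W_{D_aF}(0, e_i) = sum over x of (-1)^(bit i of F(x) xor F(x xor a)).
    # It does not depend on beta, so it is computed once per (a, i).
    W = {}
    for a in range(1, size):
        deriv = [sbox[x] ^ sbox[x ^ a] for x in range(size)]
        W[a] = [size - 2 * sum((d >> i) & 1 for d in deriv) for i in range(n)]
    best = float("-inf")
    for beta in range(size):
        signs = [-1 if (beta >> i) & 1 else 1 for i in range(n)]
        total = sum(abs(sum(s * w for s, w in zip(signs, W[a])))
                    for a in range(1, size))
        best = max(best, abs(n - 2 * bin(beta).count("1")) - total / (size * size - size))
    return best


def compare(sboxes):
    """Return {name: (nonlinearity, transparency_order)} for each named S-box."""
    return {name: (nonlinearity(s), transparency_order(s)) for name, s in sboxes.items()}


if __name__ == "__main__":
    for name, (nl, to) in compare({"AES": aes_sbox(), "identity": IDENTITY_SBOX}).items():
        print(f"{name:9s} nonlinearity={nl:3d}  transparency order={to:.3f}")
```

The AES S-box reaches the maximum nonlinearity of 112 for an 8-bit bijection and a transparency order close to its ceiling of 8, whereas the identity S-box has nonlinearity 0 and a clearly lower transparency order. In Prouff's model the lower value is the better one for DPA resistance, which is exactly the trade-off the thesis describes: the property that defeats linear and differential cryptanalysis is the one that makes power leakage easier to exploit, so an implementation cannot rely on the S-box alone and needs masking or similar countermeasures on top.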