Research on Fault Attacks against Several Block Cipher Algorithms
Abstract
Block ciphers are a central topic in cryptography and the core mechanism for achieving confidentiality; their security analysis has long been one of the most active subjects in cryptographic research. With the development of integrated circuits and smart card technology and the large-scale deployment of embedded systems, studying security purely from the mathematical structure of a block cipher is far from sufficient; security must also be considered from the standpoint of the algorithm's implementation. In practice, cryptographic algorithms are usually implemented in chips of various kinds, such as smart cards, encrypted storage cards, cipher-machine chips, mobile phone chips and network router chips. While running, these chips may leak information about intermediate states (error messages, execution time, power consumption, electromagnetic radiation and so on), giving an attacker the opportunity to collect key-related information and thereby recover the plaintext or the key. Side channel attacks were proposed against this background; because of their effectiveness and their potential for further development, they have attracted great attention from researchers in cryptography and microelectronics at home and abroad and have become one of the fastest-growing directions in cryptanalysis and cryptographic engineering.
     This dissertation targets several internationally popular block cipher algorithms and cipher structures and focuses on fault attacks, the branch of side channel attacks that poses the greatest threat. Under different fault models and on the basis of differential analysis, it proposes effective fault attack and fault detection methods and validates them by software simulation. Timing attacks and power analysis are also studied in part. The main original contributions are as follows:
     (1) A differential fault attack on the ARIA algorithm is proposed. ARIA is the block cipher standard published officially in Korea in 2004, intended mainly for lightweight environments and hardware implementations. No results on the resistance of ARIA to fault attacks had been published at home or abroad. This dissertation proposes and discusses a differential fault attack on ARIA. The attack uses a byte-oriented random fault model combined with differential techniques, and needs only 45 faulty ciphertexts to recover the 128-bit master key of ARIA. The method also provides a fairly general analysis approach for fault attacks on other block ciphers. Building on this attack, a new fault detection method, a pattern-based technique, is proposed; it detects faults at a lower cost in time and space and can be applied to both software and hardware implementations.
     (2) A new differential fault attack on the CLEFIA algorithm is proposed. CLEFIA is a new block cipher developed by Sony Corporation and presented at the FSE (Fast Software Encryption) 2007 conference. Although earlier work showed that CLEFIA does not resist differential fault attacks, the cost of that attack was high. This dissertation proposes and discusses a new differential fault attack that uses a byte-oriented random fault model and changes the round in which the fault is induced; it needs only 12, 30 and 30 faulty ciphertexts to recover the 128-bit, 192-bit and 256-bit master keys of CLEFIA respectively. For the same difficulty of fault induction, the new method both raises the success rate of fault induction and reduces the number of faulty ciphertexts.
     (3) New fault attacks on the SMS4 algorithm are proposed. SMS4 is the block cipher used in the WAPI wireless LAN security standard and the first commercial cipher algorithm published officially in China. Previous work was limited to injecting faults into the SMS4 encryption procedure, needed many faulty ciphertexts and was not very efficient. This dissertation proposes and discusses new fault attacks on SMS4. They use a byte-oriented random fault model and vary the location at which the fault is induced, and can recover the 128-bit master key of SMS4. For the same difficulty of fault induction, the new methods broaden the kinds of fault attack applicable to SMS4 and lower the cost of the attack.
     (4) The contracting UFN structure is an important structure in block cipher design. This dissertation proposes a general differential fault attack on the contracting UFN structure and applies it to the SMS4 and MacGuffin algorithms. The attack uses a byte-oriented random fault model combined with differential techniques; according to where the fault is induced, two fault models are proposed, and either can break a cipher with the contracting UFN structure. The attack therefore provides a general analysis approach for fault attacks on UFN-structured block ciphers. Theoretical analysis and experimental results show that MacGuffin does not resist differential fault attacks: under the two fault models, 355 and 165 faulty ciphertexts respectively suffice to recover its master key. Applied to SMS4, the method needs 20 and 4 faulty ciphertexts respectively under the two fault models to recover the master key of SMS4.
     (5) A preliminary study of the security of symmetric ciphers against side channel attacks. This dissertation introduces perfect secrecy into the study of cryptosystems resistant to side channel attacks and defines the perfectly secure implementation of a cipher, giving side-channel-resistant cryptosystems an information-theoretic interpretation. It also discusses security notions for the provable security of cipher implementations and relates these notions to each other by reduction. The new notions are UB-SCA (unbreakability of the key under side channel attacks), IND-CPA-SCA (indistinguishability of messages under chosen plaintext attacks and side channel attacks) and IND-CCA-SCA (indistinguishability of messages under chosen ciphertext attacks and side channel attacks). On the basis of these definitions, the implications UB-SCA ∧ IND-CPA ⇒ IND-CPA-SCA and UB-SCA ∧ IND-CCA ⇒ IND-CCA-SCA are proved by reduction, which provides a theoretical model for symmetric ciphers against side channel attacks and simplifies the security analysis of symmetric cryptosystems against them.
     (6) A differential power analysis of the digital video broadcasting scrambling algorithm is proposed. In MPEG-2, the international standard for digital video compression, the DVB scrambling algorithm is a principal means of strengthening the security of the transport stream. Until now, attacks on the scrambling algorithm had been limited to fault attacks. Building on earlier work, this dissertation proposes a differential power analysis of the DVB scrambling algorithm that recovers its master key. This extends the objects of power analysis from block ciphers alone to hybrid encryption schemes that contain a block cipher component.
The block cipher is a core component of cryptology, and its security analysis has always been a very active branch of cryptanalysis. With the development of integrated circuits, smart cards and embedded systems, a new class of attack on cryptographic devices, called the side channel attack, has become public. As more and more cryptosystems are implemented on different chips, such as smart cards, cryptographic storage cards, encryptor chips, network router chips, etc., important information about internal states may be leaked, for example fault information, execution time, power consumption and electromagnetic radiation. Examples show that the leakage of a very small amount of side channel information is enough to break block ciphers completely. Therefore, side channel attacks have drawn much attention both domestically and overseas, and have become one of the fastest growing research areas in cryptanalysis and cryptographic engineering.
     As one type of side channel attack, fault analysis is a popular cryptanalytic technique. This dissertation discusses fault analysis of several block ciphers and related structures. Under different fault models, on the basis of differential analysis, we present several effective fault analysis and fault detection methods and validate the results by software simulation. Furthermore, other side channel attacks, including timing attacks and power analysis, are described. The main contributions of the dissertation are as follows:
     (1) The ARIA algorithm is a Korean standard block cipher optimized for lightweight and hardware environments. On the basis of the byte-oriented fault model and the differential analysis principle, we propose a differential fault attack on the ARIA algorithm. Mathematical analysis and simulation experiments show that our attack can recover its 128-bit secret key by introducing 45 faulty ciphertexts. At the same time, we present a fault detection technique for protecting ARIA against the proposed analysis. We believe that these results will also benefit the analysis and protection of other iterated block ciphers of the same type.
     (2) CLEFIA is a new 128-bit block cipher proposed by Sony Corporation at FSE 2007. A previous attack shows that CLEFIA is vulnerable to differential fault analysis; however, its efficiency is not high and its attacking scope is limited. This dissertation studies the security of CLEFIA against differential fault analysis. On the basis of the byte-oriented fault model, our method requires only 12 faulty ciphertexts for the 128-bit secret key, and 30 faulty ciphertexts for each of the 192-bit and 256-bit secret keys of CLEFIA. Compared with the previous techniques, our work not only expands the fault locations, but also improves the efficiency of fault injection and decreases the number of faulty ciphertexts.
     (3) This dissertation presents several new approaches to fault analysis of the cryptographic algorithm SMS4. Previous research focuses on injecting faults into the encryption of SMS4; however, its efficiency is not high and its attacking scope is limited. We therefore propose several techniques that consider different fault locations. The proposed techniques make use of the byte-oriented fault model and chosen plaintext attacks. Under the same assumption, the 128-bit master key of SMS4 can be obtained. Thus, our work not only expands the locations at which faults can occur, but also decreases the attacking cost.
     (4) This dissertation studies the security of the contracting UFN structure against differential fault analysis (DFA). The contracting unbalanced Feistel network (UFN) is a particular block cipher structure in which the "left half" and the "right half" are not of equal size, and the size of the domain is larger than that of the range. We propose two basic byte-oriented fault models and two corresponding attacking methods. We then implement the attack on two instances of the contracting UFN structure, the block ciphers MacGuffin and SMS4. MacGuffin is breakable with 355 and 165 faulty ciphertexts in the two fault models, respectively. Under similar hypotheses, the experiments require 20 and 4 faulty ciphertexts, respectively, to recover the 128-bit secret key of SMS4. Our work thus not only builds a general model of DFA on the contracting UFN structure and its ciphers, but also provides a new reference for fault analysis of other block ciphers.
     (5) This dissertation defines perfect security against side channel attacks for a cryptosystem implementation, and discusses the implications among security notions for a cryptosystem in provable security. We then give several security notions for symmetric encryption against side channel attacks: UB-SCA (unbreakability under side channel attacks), IND-CPA-SCA (indistinguishability under chosen plaintext attacks and side channel attacks) and IND-CCA-SCA (indistinguishability under chosen ciphertext attacks and side channel attacks). On the basis of these definitions, we propose and prove by reduction that UB-SCA ∧ IND-CPA ⇒ IND-CPA-SCA and UB-SCA ∧ IND-CCA ⇒ IND-CCA-SCA. This sets up a theoretical model for symmetric ciphers against side channel attacks.
     (6) The Common Scrambling Algorithm (CSA) is used to encrypt streams of video data in the Digital Video Broadcasting (DVB) system. To date, CSA is secure against classical attacks but vulnerable to fault analysis. This dissertation presents a differential power analysis, one type of side channel attack, on DVB CSA. By decrypting the block cipher part, the common key of the whole algorithm can be derived. Our method thus expands the attacking scope of differential power analysis.
