Research on Efficiency and Fault Tolerance in Power Analysis Attacks on Block Ciphers
Abstract
Block ciphers are among the most widely used cryptographic primitives. They are symmetric algorithms: the same key is used for encryption and decryption. Essentially, a block cipher is a keyed permutation that splits the plaintext into blocks of equal length and maps each block to a ciphertext block of the same length. The mainstream block ciphers are mathematically strong and hard to break by mathematical cryptanalysis. Such analysis, however, works only on plaintexts and ciphertexts, and so says little about the security of the algorithm once it is implemented in a cryptographic device.
     Since Kocher introduced the timing attack, which exploits variations in execution time, in 1996 [1], side-channel attacks and countermeasures have gradually become an important branch of cryptography. Unlike brute force or attacks on theoretical weaknesses of a cipher, a side-channel attack recovers the key from information leaked about intermediate values during the physical execution of the algorithm. Timing, electromagnetic emanation and even sound can serve as side channels; power consumption analysis is one of the most effective of them. In practice these attacks target cryptographic chips such as microprocessors, FPGAs (Field-Programmable Gate Arrays) and ASICs (Application-Specific Integrated Circuits) [2]. In 1999 Kocher et al. proposed differential power analysis [3,4], which recovers intermediate values, and hence the key, from the instantaneous power consumption of the chip during execution. In 2002 Chari et al. introduced the template attack [5]: templates are built from the leakage of the device and the characteristics of the operations involved, and the template that best matches the recorded leakage narrows the key search space. In 2004 Brier et al. proposed correlation power analysis, which builds on differential power analysis and recovers the key with a correlation-coefficient model [6].
     This dissertation studies power analysis attacks on block ciphers, taking AES (Advanced Encryption Standard) as the running example. It proposes a fault-tolerant linear collision attack and a bitwise collision attack based on the second-order distance, both more efficient than existing methods, and then uses the bitwise collision attack to improve the fault-tolerant linear collision attack into a fault-tolerant bitwise collision attack. Finally, it compares the efficiency of correlation power analysis, template attacks and bitwise collision attacks against the S-box structures of several classical ciphers.
     1. Fault-tolerant linear collision attack
     Correlation power analysis [6] and collision attacks are both common power analysis methods. Bogdanov et al. combined them and introduced the concept of a test of chain [7], showing that the combination is more efficient than either attack on its own. The test of chain, however, can only correct errors in the correlation power analysis part; it cannot correct errors in the collision attack part. In other words, once one step of a chain is wrong, the error propagates along the chain, possibly corrupting the whole path and causing the attack to fail. Since in practice collision attacks are less efficient than correlation power analysis, Bogdanov's method may be impractical.
     Building on the test of chain, we propose the fault-tolerant chain. Taking the first AES key byte k1 as an example, the fault-tolerant chain takes k1 as the only free variable: starting from k1, a collision attack establishes the relation between k1 and each of the other 15 key bytes,
     $k_1 \oplus k_i = \Delta_{1,i} \quad (2 \le i \le 16). \quad (1)$
     These 15 relations are mutually independent, so an error in one of them does not affect the others. In our implementation the fault-tolerant chain is built with the correlation-enhanced collision attack.
     The fault-tolerant linear collision attack does not only construct a fault-tolerant chain: correlation power analysis is also used to rank the candidates for each key byte, and a threshold Th_CPA on that ranking selects a candidate set for each byte. A key that satisfies the chain relations (1) and whose bytes all lie in their candidate sets is taken to be the correct key. Because the key bytes other than k1 do not influence each other, a second threshold Th_CA for the collision attack part allows the returned key to contain at most Th_CA wrong bytes; the correct key is then found with a small search.
     We compared the fault-tolerant linear collision attack with the test of chain attack in simulations. When both attacks reach a success rate above 90%, the fault-tolerant linear collision attack needs fewer power traces than the test of chain attack.
     To shrink the key search space further, we give an error-correction mechanism that identifies the positions of wrong key bytes fairly precisely. We then discuss the probability of errors occurring in the correlation power analysis part and in the collision attack part, and determine the range of Th_CPA experimentally. Finally we analyse how Th_CPA affects the success rate; the experimental data suggest Th_CPA = 10 as the most effective value.
     2. Bitwise collision attack based on the second-order distance
     In 2010 Moradi et al. proposed the correlation-enhanced collision attack against hardware implementations of AES [8]. In practice the attack has an efficiency problem: it operates on bytes, so every run needs at least 256 averaged power traces. The attacker must either average the raw traces on the oscilloscope and store the averages by hand, or store a large number of raw traces on a computer and average them in MATLAB. Acquiring, storing and averaging the traces is tedious and time-consuming.
     An attacker wants the attack to be as fast and effective as possible. With this in mind we propose the more flexible bitwise collision attack based on the second-order distance, which distinguishes collisions with a trace-distance model and a bit-by-bit comparison. For AES, choose the all-zero plaintext P0 and eight special plaintexts Pα (α = 1, 2, ..., 8), where Pα consists of 16 identical bytes pα whose α-th bit is 1 and whose other bits are 0. XORing Pα with the key gives the S-box inputs; each S-box input is the corresponding key byte with its α-th bit flipped, so its Hamming weight changes by one. Since P0 flips no bit, comparing the difference of Hamming weights between two S-box inputs under Pα with the same difference under P0 tells whether the α-th bits of the two key bytes are equal. Take P0 and P1: let ΔHW0 and ΔHW1 be the difference of the Hamming weights of the first two S-box inputs under P0 and P1 respectively. Whether the first bits u1 and v1 of k1 and k2 are equal is decided by conditions (2) and (3):
     ● $u_1 = v_1$ if and only if $|\Delta HW_0 - \Delta HW_1| = 0$. (2)
     ● $u_1 \ne v_1$ if and only if $|\Delta HW_0 - \Delta HW_1| = 2$. (3)
     In the actual attack the trace-distance model approximates the Hamming-weight model, so collisions and non-collisions can be told apart.
     We also give a second distance model. If ΔHW0 and ΔHW1 denote the sum of the Hamming weights instead, i.e. the subtraction in the first-order distance is replaced by addition while the second-order distance is unchanged, the bitwise collision attack still works, with the collision conditions (2) and (3) exchanged.
     We carried out the bitwise collision attack both on real hardware and in simulation. The practical experiment shows plots of the differential traces and the second-order distances that confirm the attack works. The simulations compare the bitwise collision attack with the correlation-enhanced collision attack in terms of the number of traces, the running time and the number of sample points. The bitwise collision attack is the more efficient of the two; in the practical experiment it needs only 8% of the time of the correlation-enhanced collision attack.
     Both the bitwise collision attack and the correlation-enhanced collision attack return XORs of key bytes, and the former is more efficient, so we use the bitwise collision attack to construct the fault-tolerant chain, i.e. the collision attack part of the fault-tolerant linear collision attack. The improved attack is called the fault-tolerant bitwise collision attack. Experimental data show that it is more efficient than the fault-tolerant linear collision attack.
     3. S-box width and the efficiency of power analysis attacks
     The Data Encryption Standard (DES) was adopted as a Federal Information Processing Standard by the U.S. National Bureau of Standards in 1976 [9,10]; its security rests on the computational cost and time needed to break it. With the growth of computing and networking, today's computing power has become a threat to DES. In 1997 the U.S. National Institute of Standards and Technology called for candidates for the Advanced Encryption Standard, and in 2000 the Rijndael algorithm was chosen as AES; Serpent was among the candidates [11]. Block cipher design currently centres on the nonlinear S-boxes, the permutation and the key schedule. The S-box first appeared in the Lucifer cipher and became widespread through the influence of DES. In many block ciphers the S-box is the only nonlinear component, so the strength of the cipher largely depends on the strength of its S-boxes.
     In one round DES uses 8 S-boxes with 6-bit input and 4-bit output, AES uses 16 S-boxes with 8-bit input and output, and Serpent uses 32 S-boxes with 4-bit input and output. The AES and Serpent used in the experiments have a 128-bit block while DES has a 64-bit block, so for a fair comparison we assume an extended DES, DES-E, with a 128-bit block and 16 DES-style S-boxes per round.
     We study, in the same experimental environment, how efficiently the three power analysis attacks recover a single S-box of one round. If the success rate on one round is to exceed 50% and the n S-boxes of the round are recovered independently, the per-S-box success rate p must satisfy p^n ≥ 0.5, i.e. p ≥ 0.5^(1/n): 0.9170 for a DES S-box (n = 8), 0.9576 for a DES-E or AES S-box (n = 16) and 0.9786 for a Serpent S-box (n = 32).
     In correlation power analysis the S-box destroys the linear structure of the data, so its output reflects the data dependency best and is chosen as the attack target. Computing a correlation coefficient needs many traces, so one sample point per trace suffices. The experiments show that Serpent needs the most traces to reach the required success rate and is the most resistant, while AES is the weakest: narrower S-boxes are stronger than wider ones against this attack.
     In the template attack the templates require the exact Hamming weight, so the S-box input is the attack target. To match templates more precisely we use a reduced template attack with 10 sample points. Here AES is the most resistant and DES the weakest.
     In the bitwise collision attack based on the second-order distance, the method also depends on the exact Hamming weight of the intermediate value, so the S-box input is again the target. To measure the distance between traces, 10 sample points are taken per trace. Here AES is the most resistant and Serpent the weakest: wider S-boxes are stronger than narrower ones against this attack.
     Hence S-boxes of different structure have different strengths and weaknesses under different power analysis attacks. Cipher designers can weigh the strength of an S-box against each attack according to the intended use.
The block cipher is one of the most widely used cryptosystems. It is a type of symmetric cipher, which uses the same key for both encryption and decryption. Essentially, a block cipher is a keyed permutation. The plaintext is divided into several blocks, and each block yields an output block of the same size. Current ciphers have high security in terms of their mathematical structure and resist mathematical cryptanalysis. However, mathematical methods are of limited use for analysing the security of cryptographic equipment, because they are concerned only with plaintexts and ciphertexts.
     Since the timing attack, which observes variations in execution time, was proposed by Kocher in 1996 [1], the field of side-channel attacks and countermeasures has gradually become an important branch of cryptography. Side-channel attacks, which focus on intermediate values, exploit information leaked by the physical implementation of a cryptosystem rather than the traditional approaches of brute force or theoretical weaknesses. Although timing, electromagnetic emanation or even sound can be exploited to attack a cryptosystem, power consumption analysis is one of the most effective means of cryptanalysis. In practice these techniques are applied to cryptographic chips such as microprocessors, FPGAs and ASICs [2]. In 1999, Kocher et al. presented differential power analysis, which recovers secret keys by analysing the instantaneous power consumption of cryptographic chips [3,4]. The template attack was introduced by Chari et al. in 2002: the attacker matches recorded power traces against power-consumption characteristics, called templates, built for the different key hypotheses [5]. In 2004, Brier et al. proposed correlation power analysis, which recovers secret keys with a correlation-coefficient model [6].
     In this dissertation, we focus on power analysis attacks on block ciphers. First, the fault-tolerant linear collision attack and the bitwise collision attack are proposed and performed on AES as an example. Second, the fault-tolerant linear collision attack is improved into what we name the fault-tolerant bitwise collision attack. Finally, for the different S-boxes of DES, DES-E, AES and Serpent, we analyse and compare the efficiency of correlation power analysis, the template attack and the bitwise collision attack.
     1. Fault-tolerant linear collision attack
     Correlation power analysis [6] and collision attacks are common power analysis methods. Bogdanov et al. proposed the concept of the test of chain [7], which combines correlation power analysis with a collision attack, and showed that it is more efficient than either stand-alone correlation power analysis or a stand-alone collision attack. Although they discussed the high efficiency of the combined attack, they did not give a practical attack scheme. Moreover, their method can only correct errors in the correlation power analysis part, not in the collision attack part. In other words, once a step in a path of the chain is wrong, it leads to consecutive errors that may spread over the entire path and make the attack fail. Indeed, a typical collision attack is much less efficient than correlation power analysis, which may make Bogdanov's method unworkable.
     On the basis of the test of chain, the concept of a fault-tolerant chain is presented. Take the first key byte k1 of AES as an example. In the fault-tolerant chain, k1 is the only free variable: the independent relations between k1 and the other 15 key bytes are constructed by a collision attack,
     $k_1 \oplus k_i = \Delta_{1,i} \quad (2 \le i \le 16). \quad (1)$
     If one of these relations is wrong, it does not affect the others. In practice, the correlation-enhanced collision attack [8] is employed for collision detection.
     In the fault-tolerant linear collision attack, not only is the fault-tolerant chain constructed, but correlation power analysis is also used to rank and filter the key candidates. A threshold Th_CPA determines the candidate set of each key byte. A key whose bytes lie in the candidate sets and which satisfies the relations (1) is most likely the correct key. Since the key bytes are independent of each other, a second threshold Th_CA can be given to tolerate errors in the collision attack: Th_CA is the maximum number of wrong key bytes. The correct key is then found by a small search.
     The efficiencies of the fault-tolerant linear collision attack and the test of chain attack are compared in simulations. When the success rates of both attacks are above 90%, the experimental results show that our attack needs fewer traces than Bogdanov's.
     In order to reduce the search space further, a fault-identification mechanism is presented which identifies the positions of wrong key bytes with high probability. We discuss the probabilities of the cases in which errors occur, i.e. whether they occur in the correlation power analysis or in the collision attack. Finally, we analyse the relation between the success rate and Th_CPA, and suggest Th_CPA = 10, which gives the maximum success rate of our attack.
     2. Bitwise collision attack based on the second-order distance
     In 2010, Moradi et al. proposed the correlation-enhanced collision attack [8] on hardware implementations of AES. However, its inefficiency is a serious problem. Because it operates on bytes, a large number of power traces are needed to obtain the 256 averaged traces the attack requires. The traces must either be averaged on an oscilloscope and stored manually, or all be stored automatically and then processed in MATLAB. Either way, trace acquisition, storage and averaging is complex and time-consuming.
     An attack is expected to be as fast and efficient as possible, so we propose a more flexible attack which distinguishes collisions bit by bit instead of byte by byte, based on a trace-distance model. Take the bitwise collision attack on AES as an example. An all-zero plaintext P0 and 8 special plaintexts Pα (α = 1, 2, ..., 8) are chosen. Each Pα consists of 16 equal bytes pα, in which the α-th bit is 1 and the other bits are 0. After XORing pα with the key, the S-box inputs are the key bytes with their α-th bit flipped, so their Hamming weights change as well. Since P0 causes no change, comparing the differences of the Hamming weights of the S-box inputs under Pα with those under P0 reveals whether the α-th bits of the corresponding key bytes are equal. P0 and P1 are taken as an example to introduce the basic idea. Let ΔHW0 and ΔHW1 denote the difference of the Hamming weights of the inputs of the first two S-boxes under P0 and P1 respectively. The following conditions (2) and (3) determine whether the first bits u1 and v1 of k1 and k2 are equal:
     · $u_1 = v_1$ if and only if $|\Delta HW_0 - \Delta HW_1| = 0$. (2)
     · $u_1 \ne v_1$ if and only if $|\Delta HW_0 - \Delta HW_1| = 2$. (3)
     In practice, the trace-distance model is used to approximate the Hamming-weight model, so collisions and non-collisions can be distinguished.
     Another distance model also implements the bitwise collision attack. If the first-order distance uses addition instead of subtraction while the second-order distance is unchanged, the conclusions are the reverse of those above.
     The bitwise collision attack has been implemented on an AT89S52 microcontroller for a practical experiment. The differences of the averaged traces and the second-order distances at the 8 bit positions are shown. We also ran simulations on the number of traces, the running time and the number of sample points to evaluate the efficiency of our attack. The results show that our attack is more efficient than the correlation-enhanced collision attack; in practice, its running time is only 8% of that of the correlation-enhanced collision attack.
     The results of both the bitwise collision attack and the correlation-enhanced collision attack are XORs of key bytes, and the bitwise collision attack is the more efficient, so the fault-tolerant chain can be constructed by bitwise collisions. The improved fault-tolerant linear collision attack is named the fault-tolerant bitwise collision attack. The experimental data show that the fault-tolerant bitwise collision attack outperforms the fault-tolerant linear collision attack.
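     The chain relation (1) of Section 1 and the bitwise collision conditions (2) and (3) of Section 2 can be exercised end to end in a simulation. The following Python is an added example, not code from the dissertation. It assumes a Hamming-weight plus Gaussian-noise leakage of the first-round S-box inputs and outputs of AES, a constructed 16-byte key, 40 averaged traces per chosen plaintext, 200 random-plaintext traces for correlation power analysis, Th_CPA = 10 and Th_CA = 2; bit positions are indexed 0..7 rather than 1..8. It recovers the 15 differences Δ_{1,i} bit by bit from the second-order distance, builds the per-byte candidate sets with correlation power analysis on the S-box output, and then walks the fault-tolerant chain with k1 as the only free variable.

```python
# Added example, not the dissertation's code: a fault-tolerant bitwise collision
# attack on the first AES round under an assumed Hamming-weight + Gaussian leakage model.
import random

def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _make_sbox():
    """AES S-box: inverse in GF(2^8) (x^254) followed by the affine transform."""
    box = []
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254):
            inv = _gmul(inv, x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _make_sbox()
HW = [bin(v).count("1") for v in range(256)]

def hw_second_order_distance(k1, k2, alpha, use_sum=False):
    """Noise-free conditions (2)/(3): 0 if bit alpha of k1, k2 agree, 2 if not (swapped for the sum model)."""
    op = (lambda a, b: a + b) if use_sum else (lambda a, b: a - b)
    e = 1 << alpha
    return abs(op(HW[k1], HW[k2]) - op(HW[k1 ^ e], HW[k2 ^ e]))

def leak(key, pt, rng, sigma):
    """One simulated trace: per byte a sample leaking the S-box input and one leaking its output."""
    vin = [HW[k ^ p] + rng.gauss(0, sigma) for k, p in zip(key, pt)]
    vout = [HW[SBOX[k ^ p]] + rng.gauss(0, sigma) for k, p in zip(key, pt)]
    return vin, vout

def bitwise_collision(key, rng, sigma=0.5, n_avg=40):
    """Recover Delta_{1,i} = k1 XOR ki from P0 = 0 and P_alpha = 16 bytes equal to 1 << alpha."""
    def avg_trace(byte):
        acc = [0.0] * 16
        for _ in range(n_avg):
            vin, _ = leak(key, [byte] * 16, rng, sigma)
            acc = [a + v for a, v in zip(acc, vin)]
        return [a / n_avg for a in acc]
    t0 = avg_trace(0x00)
    d0 = [t0[0] - t0[i] for i in range(16)]         # first-order distances under P0
    deltas = [0] * 16
    for alpha in range(8):
        ta = avg_trace(1 << alpha)
        for i in range(1, 16):
            second = abs(d0[i] - (ta[0] - ta[i]))   # second-order distance: about 0 or 2
            if second > 1.0:                         # bit alpha of k1 and ki differ
                deltas[i] |= 1 << alpha
    return deltas

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / var ** 0.5 if var else 0.0

def cpa_candidates(key, rng, n_traces=200, sigma=0.5, th_cpa=10):
    """CPA on the S-box output: the th_cpa best-correlated guesses per key byte (candidate sets)."""
    pts = [[rng.randrange(256) for _ in range(16)] for _ in range(n_traces)]
    traces = [leak(key, pt, rng, sigma)[1] for pt in pts]
    sets = []
    for i in range(16):
        obs = [t[i] for t in traces]
        scores = sorted(((abs(pearson([HW[SBOX[pt[i] ^ g]] for pt in pts], obs)), g)
                         for g in range(256)), reverse=True)
        sets.append([g for _, g in scores[:th_cpa]])
    return sets

def fault_tolerant_attack(deltas, cand, th_ca=2):
    """Fault-tolerant chain: k1 is the only free variable and ki = k1 XOR Delta_{1,i}.
    Accept a key if at most th_ca derived bytes miss their CPA set; 'wrong' lists those bytes."""
    accepted = []
    for k1 in cand[0]:
        derived = [k1 ^ d for d in deltas]
        wrong = [i for i in range(1, 16) if derived[i] not in cand[i]]
        if len(wrong) <= th_ca:
            accepted.append((derived, wrong))
    return accepted

def run_demo(seed=1):
    rng = random.Random(seed)
    key = [rng.randrange(256) for _ in range(16)]   # constructed secret key
    deltas = bitwise_collision(key, rng)
    cand = cpa_candidates(key, rng)
    return key, deltas, fault_tolerant_attack(deltas, cand)
```

     In the noise-free `hw_second_order_distance`, the subtraction model gives 0 for equal bits and 2 for different bits, and the sum model the reverse, which is the second distance model described above. The threshold of 1.0 on the second-order distance sits halfway between those two values; with measured traces the distance is computed on averaged trace samples rather than on Hamming weights, which is the approximation the text describes. Any wrong k1 in the first candidate set shifts all 15 derived bytes at once, so almost all of them miss their candidate sets and the chain rejects it; the `wrong` list of an accepted key marks the bytes the final small search has to fix.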
     3. The efficiency of power analysis attacks against the S-boxes of block ciphers
     In 1976, the U.S. National Bureau of Standards adopted a slightly modified version of DES, which was published as an official Federal Information Processing Standard (FIPS) in 1977 [9,10,14]. The security of DES rests on the computational complexity and time needed to break it. With the development of computer science and network technology, current computing power has become a threat to DES. In 1997, the U.S. National Institute of Standards and Technology (NIST) initiated the solicitation for AES, and the Rijndael cipher was selected in 2000. Serpent is also one of the AES candidates [11]. Currently the design of block ciphers focuses on the S-box, the permutation and the key schedule. The S-box first appeared in the Lucifer cipher and became widely used with DES. In many block ciphers the S-box is the only nonlinear component, so the security strength of a cipher is largely determined by its S-boxes.
     In one round, DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output; AES uses 16 S-boxes with 8-bit input and output; Serpent uses 32 S-boxes with 4-bit input and output. The block of DES is 64 bits, while those of AES and Serpent are both 128 bits. For a fair comparison of efficiency, an extension of DES named DES-E is assumed, which uses a 128-bit block and 16 S-boxes in one round.
     Under the same experimental environment, we study the efficiency of the attacks on a single S-box in one round. If the success rate of one round is to be at least 0.5 and the n S-boxes of the round are recovered independently, the per-S-box success rate must be at least 0.5^(1/n): 0.9170 for a DES S-box (n = 8), 0.9576 for DES-E and AES (n = 16) and 0.9786 for Serpent (n = 32).
     In correlation power analysis the S-box disrupts the linear structure of the data, so the attack targets the S-box output. Several traces are needed to compute a correlation coefficient, so one sample point per trace is enough. According to the experimental results, Serpent needs the largest number of traces and is the strongest against correlation power analysis, while AES is the weakest. Thus, against correlation power analysis, narrow S-boxes are stronger than wide ones.
     In the template attack, constructing templates requires the exact Hamming weight, so the attack targets the S-box input. 10 sample points per trace are chosen to match the templates precisely. According to the experimental results, AES is the strongest and DES the weakest.
     In the bitwise collision attack, the method depends on the Hamming weights of intermediate values, so the attack targets the S-box input. 10 sample points are chosen to measure the distances between traces. The experimental results show that AES is the strongest and Serpent the weakest. In this case, wide S-boxes are stronger than narrow ones.
     Different S-boxes have advantages and disadvantages against different power analysis attacks. To meet specific needs, cipher designers may take the security strength of S-boxes under the various attacks into account.
References
[1] P. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO '96, LNCS vol. 1109, pp. 104-113, Springer, 1996.
    [2] N. Ferguson, B. Schneier, T. Kohno, Cryptography Engineering: Design Principles and Practical Applications. Wiley, Hoboken, 2010.
    [3] P. Kocher, J. Jaffe, B. Jun, Differential Power Analysis. CRYPTO '99, LNCS vol. 1666, pp. 388-397, Springer, 1999.
    [4] S. Mangard, E. Oswald, T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, pp. 256-283, Springer, 2007.
    [5] S. Chari, J.R. Rao, P. Rohatgi, Template Attacks. CHES 2002, LNCS vol. 2523, pp. 13-28, Springer, 2003.
    [6] E. Brier, C. Clavier, F. Olivier, Correlation Power Analysis with a Leakage Model. CHES 2004, LNCS vol. 3156, pp. 16-29, Springer, 2004.
    [7] A. Bogdanov, I. Kizhvatov, Beyond the Limits of DPA: Combined Side-Channel Collision Attacks. IEEE Trans. Computers, vol. 61(8), pp. 1153-1164, IEEE Computer Society, 2012.
    [8] A. Moradi, O. Mischke, T. Eisenbarth, Correlation-Enhanced Power Analysis Collision Attack. CHES 2010, LNCS vol. 6225, pp. 125-139, Springer, 2010.
    [9] W.F. Ehrsam, C.H.W. Meyer, R.L. Powers, J.L. Smith, W.L. Tuchman, Product Block Cipher System for Data Security. US Patent 3,962,539, 8 June 1976.
    [10] C. Shannon, Communication Theory of Secrecy Systems. Bell System Technical Journal, vol. 28(4), pp. 656-715, 1949.
    [11] 吴文玲 (W. Wu), 冯登国 (D. Feng), 卿斯汉 (S. Qing), 简评美国公布的15个AES候选算法 (A Brief Review of the Fifteen AES Candidate Algorithms Announced by the US). 软件学报 (Journal of Software), vol. 10(3), p. 225, 1999.
    [12] A. Kerckhoffs, La cryptographie militaire. Journal des sciences militaires, 1883.
    [13] W. Diffie, M.E. Hellman, New Directions in Cryptography. IEEE Trans. Information Theory, vol. IT-22(6), pp. 644-654, 1976.
    [14] National Bureau of Standards, Data Encryption Standard. FIPS PUB 46, Washington, D.C., Jan. 1977.
    [15] R.L. Rivest, A. Shamir, L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, vol. 21(2), pp. 120-126, ACM, 1978.
    [16] E. Oswald, On Side-Channel Attacks and the Application of Algorithmic Countermeasures. PhD dissertation, Graz University of Technology, Austria, 2004.
    [17] P. Grabher, J. Großschädl, D. Page, Cryptographic Side-Channels from Low-Power Cache Memory. Cryptography and Coding 2007, LNCS vol. 4887, pp. 170-184, Springer, 2007.
    [18] R. Anderson, M. Kuhn, Low Cost Attacks on Tamper Resistant Devices. Security Protocols Workshop 1997, LNCS vol. 1361, pp. 125-136, Springer, 1997.
    [19] A. Shamir, E. Tromer, Acoustic Cryptanalysis: On Nosy People and Noisy Machines. EUROCRYPT 2004 Rump Session, 2004.
    [20] M. Hojsik, B. Rudolf, Differential Fault Analysis of Trivium. FSE 2008, LNCS vol. 5086, pp. 158-172, Springer, 2008.
    [21] R. Mayer-Sommer, Smartly Analyzing the Simplicity and the Power of Simple Power Analysis on Smartcards. CHES 2000, LNCS vol. 1965, pp. 78-92, Springer, 2000.
    [22] T.S. Messerges, E.A. Dabbish, R.H. Sloan, Examining Smart-Card Security under the Threat of Power Analysis Attacks. IEEE Trans. Computers, vol. 51(5), pp. 541-552, IEEE Computer Society, 2002.
    [23] T.S. Messerges, E.A. Dabbish, R.H. Sloan, Power Analysis Attacks of Modular Exponentiation in Smartcards. CHES 1999, LNCS vol. 1717, pp. 144-157, Springer, 1999.
    [24] S. Chari, C. Jutla, J.R. Rao, P. Rohatgi, A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards. Proceedings of the 2nd Advanced Encryption Standard (AES) Candidate Conference, pp. 278-296, 1999.
    [25] E. Oswald, S. Mangard, C. Herbst, S. Tillich, Practical Second-Order DPA Attacks for Masked Smart Card Implementations of Block Ciphers. CT-RSA 2006, LNCS vol. 3860, pp. 192-207, Springer, 2006.
    [26] A. Hevia, M. Kiwi, Strength of Two Data Encryption Standard Implementations under Timing Attacks. LATIN '98: Theoretical Informatics, LNCS vol. 1380, pp. 192-205, Springer, 1998.
    [27] J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestré, J.-J. Quisquater, J.-L. Willems, A Practical Implementation of the Timing Attack. Smart Card Research and Applications (CARDIS 1998), LNCS vol. 1820, pp. 167-182, Springer, 2000.
    [28] B. Canvel, A. Hiltgen, S. Vaudenay, M. Vuagnoux, Password Interception in a SSL/TLS Channel. CRYPTO 2003, LNCS vol. 2729, pp. 583-599, Springer, 2003.
    [29] D. Brumley, D. Boneh, Remote Timing Attacks are Practical. Proceedings of the 12th USENIX Security Symposium, 2003.
    [30] NESSIE Project, http://www.cryptonessie.org/.
    [31] D.X. Song, D. Wagner, X. Tian, Timing Analysis of Keystrokes and Timing Attacks on SSH. Proceedings of the 10th USENIX Security Symposium, 2001.
    [32] K. Sakurai, T. Takagi, A Reject Timing Attack on an IND-CCA2 Public-Key Cryptosystem. ICISC 2002, LNCS vol. 2587, pp. 359-374, Springer, 2003.
    [33] B.N. Levine, M.K. Reiter, C. Wang, M. Wright, Timing Attacks in Low-Latency Mix Systems. Financial Cryptography 2004, LNCS vol. 3110, pp. 251-265, Springer, 2004.
    [34] National Security Agency, NACSIM 5000: Tempest Fundamentals (U). Fort George G. Meade, Maryland, USA. http://cryptome.org/nacsim-5000.htm.
    [35] M.G. Kuhn, R.J. Anderson, Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations. Information Hiding 1998, LNCS vol. 1525, pp. 124-142, Springer, 1998.
    [36] J.-J. Quisquater, D. Samyde, ElectroMagnetic Analysis (EMA): Measures and Counter-measures for Smart Cards. Smart Card Programming and Security (E-smart 2001), LNCS vol. 2140, pp. 200-210, Springer, 2001.
    [37] K. Gandolfi, C. Mourtel, F. Olivier, Electromagnetic Analysis: Concrete Results. CHES 2001, LNCS vol. 2162, pp. 251-261, Springer, 2001.
    [38] D. Agrawal, B. Archambeault, J.R. Rao, P. Rohatgi, The EM Side-Channel(s). CHES 2002, LNCS vol. 2523, pp. 29-45, Springer, 2003.
    [39] C.H. Gebotys, B.A. White, EM Analysis of a Wireless Java-Based PDA. ACM Transactions on Embedded Computing Systems, vol. 7(4), Article 44, 2008.
    [40] D. Boneh, R.A. DeMillo, R.J. Lipton, On the Importance of Checking Cryptographic Protocols for Faults. EUROCRYPT '97, LNCS vol. 1233, pp. 37-51, Springer, 1997.
    [41] D. Boneh, R.A. DeMillo, R.J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations. Journal of Cryptology, vol. 14(2), pp. 101-119, 2001.
    [42] M. Joye, A.K. Lenstra, J.-J. Quisquater, Chinese Remaindering Based Cryptosystems in the Presence of Faults. Journal of Cryptology, vol. 12(4), pp. 241-245, 1999.
    [43] S.-M. Yen, S. Moon, J.-C. Ha, Hardware Fault Attack on RSA with CRT Revisited. ICISC 2002, LNCS vol. 2587, pp. 374-388, Springer, 2003.
    [44] D. Vigilant, RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks. CHES 2008, LNCS vol. 5154, pp. 130-145, Springer, 2008.
    [45] F. Bao, R.H. Deng, Y. Han, A. Jeng, A.D. Narasimhalu, T. Ngair, Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults. Security Protocols Workshop 1997, LNCS vol. 1361, pp. 115-124, Springer, 1998.
    [46] I. Biehl, B. Meyer, V. Müller, Differential Fault Attacks on Elliptic Curve Cryptosystems. CRYPTO 2000, LNCS vol. 1880, pp. 131-146, Springer, 2000.
    [47] E. Biham, A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems. CRYPTO '97, LNCS vol. 1294, pp. 513-525, Springer, 1997.
    [48] J. Kelsey, B. Schneier, D. Wagner, C. Hall, Side Channel Cryptanalysis of Product Ciphers. Journal of Computer Security, vol. 8(2-3), pp. 141-158, 2000.
    [49] D. Page, Defending Against Cache Based Side Channel Attacks. Information Security Technical Report, vol. 8(1), pp. 30-44, 2003.
    [50] D. Page, Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel. http://www.cs.bris.ac.uk/Publications/Papers/1000625.pdf.
    [51] Y. Tsunoo, E. Tsujihara, K. Minematsu, H. Miyauchi, Cryptanalysis of Block Ciphers Implemented on Computers with Cache. ISITA 2002, 2002.
    [52] Y. Tsunoo, T. Saito, T. Suzaki, M. Shigeri, H. Miyauchi, Cryptanalysis of DES Implemented on Computers with Cache. CHES 2003, LNCS vol. 2779, pp. 62-76, Springer, 2003.
    [53] J. Fournier, M. Tunstall, Cache Based Power Analysis Attacks on AES. ACISP 2006, LNCS vol. 4058, pp. 17-28, Springer, 2006.
    [54] O. Aciiçmez, W. Schindler, A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL. CT-RSA 2008, LNCS vol. 4964, pp. 256-273, Springer, 2008.
    [55] K.G. Paterson, A. Yau, Padding Oracle Attacks on the ISO CBC Mode Encryption Standard. CT-RSA 2004, LNCS vol. 2964, pp. 305-323, Springer, 2004.
    [56] A.K.L. Yau, K.G. Paterson, C.J. Mitchell, Padding Oracle Attacks on CBC-Mode Encryption with Secret and Random IVs. FSE 2005, LNCS vol. 3557, pp. 299-319, Springer, 2005.
    [57] M. Bellare, P. Rogaway, Optimal Asymmetric Encryption: How to Encrypt with RSA. EUROCRYPT '94, LNCS vol. 950, pp. 92-111, Springer, 1995.
    [58] J. Manger, A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0. CRYPTO 2001, LNCS vol. 2139, pp. 230-238, Springer, 2001.
    [59] D. Bleichenbacher, Chosen Ciphertext Attacks against Protocols Based on the RSA Encryption Standard PKCS #1. CRYPTO '98, LNCS vol. 1462, pp. 1-12, Springer, 1998.
    [60] V. Shoup, OAEP Reconsidered. CRYPTO 2001, LNCS vol. 2139, pp. 239-259, Springer, 2001.
    [61] E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP Is Secure under the RSA Assumption. CRYPTO 2001, LNCS vol. 2139, pp. 260-274, Springer, 2001.
    [62] V. Klíma, T. Rosa, Further Results and Considerations on Side Channel Attacks on RSA. CHES 2002, LNCS vol. 2523, pp. 244-259, Springer, 2003.
    [63] V. Klíma, O. Pokorný, T. Rosa, Attacking RSA-Based Sessions in SSL/TLS. CHES 2003, LNCS vol. 2779, pp. 426-440, Springer, 2003.
    [64] B. Yang, K. Wu, R. Karri, Scan Based Side Channel Attack on Dedicated Hardware Implementations of Data Encryption Standard. ITC 2004, Charlotte, 2004.
    [65] J. Lee, M. Tehranipoor, C. Patel, J. Plusquellic, Securing Designs against Scan-Based Side-Channel Attacks. IEEE Transactions on Dependable and Secure Computing, vol. 4(4), pp. 325-336, IEEE Computer Society, 2007.
    [66] D. Hely, F. Bancel, M.-L. Flottes, B. Rouzeyre, Securing Scan Control in Crypto Chips. Journal of Electronic Testing, vol. 23(5), pp. 457-464, 2007.
    [67] M. Kuhn, Optical Time-Domain Eavesdropping Risks of CRT Displays. IEEE Symposium on Security and Privacy 2002, pp. 3-18, IEEE Computer Society, 2002.
    [68] J. Loughry, D.A. Umphress, Information Leakage from Optical Emanations. ACM Transactions on Information and System Security, vol. 5, pp. 262-289, 2002.
    [69] C.C. Tiu, A New Frequency-Based Side Channel Attack for Embedded Systems. Master's thesis, Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, Canada, 2005.
    [70] F.-X. Standaert, C. Archambeau, Using Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages. CHES 2008, LNCS vol. 5154, pp. 411-425, Springer, 2008.
    [71] W. Schindler, A Combined Timing and Power Attack. PKC 2002, LNCS vol. 2274, pp. 263-279, Springer, 2002.
    [72] C.D. Walter, S. Thompson, Distinguishing Exponent Digits by Observing Modular Subtractions. CT-RSA 2001, LNCS vol. 2020, pp. 192-207, Springer, 2001.
    [73] W. Schindler, C.D. Walter, More Detail for a Combined Timing and Power Attack against Implementations of RSA. Cryptography and Coding 2003, LNCS vol. 2898, pp. 245-263, Springer, 2003.
    [74] D. Agrawal, J.R. Rao, P. Rohatgi, Multi-channel Attacks. CHES 2003, LNCS vol. 2779, pp. 2-16, Springer, 2003.
    [75] A. Wang, M. Chen, Z. Wang, Y. Ding, Overcoming Significant Noise: Correlation-Template-Induction Attack. 8th Information Security Practice and Experience Conference (ISPEC 2012), LNCS vol. 7232, pp. 393-404, Springer, 2012.
    [76] S. Kunz-Jacques, F. Muller, F. Valette, The Davies-Murphy Power Attack. ASIACRYPT 2004, LNCS vol. 3329, pp. 451-467, Springer, 2004.
    [77] R. Novak, SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation. PKC 2002, LNCS vol. 2274, pp. 252-262, Springer, 2002.
    [78] C.D. Walter, Sliding Windows Succumbs to Big Mac Attack. CHES 2001, LNCS vol. 2162, pp. 286-299, Springer, 2001.
    [79] J.-S. Coron, Resistance Against Differential Power Analysis For Elliptic Curve Cryptosystems. CHES 1999, LNCS vol. 1717, pp. 292-302, Springer, 1999.
    [80] J. Jaffe, More Differential Power Analysis: Selected DPA Attacks. Summer School on Cryptographic Hardware, Side-Channel and Fault Attacks, 2006.
    [81] S. Mangard, A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion. ICISC 2002, LNCS vol. 2587, pp. 343-358, Springer, 2003.
    [82] K. Lemke, K. Schramm, C. Paar, DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMAC-Construction. CHES 2004, LNCS vol. 3156, pp. 205-219, Springer, 2004.
    [83] J. Lano, N. Mentens, B. Preneel, I. Verbauwhede, Power Analysis of Synchronous Stream Ciphers with Resynchronization Mechanism. ECRYPT Workshop SASC: The State of the Art of Stream Ciphers, 2004.
    [84] C.H. Gebotys, R.J. Gebotys, Secure Elliptic Curve Implementations: An Analysis of Resistance to Power-Attacks in a DSP Processor. CHES 2002, LNCS vol. 2523, pp. 114-128, Springer, 2003.
    [85] D. May, H.L. Muller, N.P. Smart, Non-deterministic Processors. ACISP 2001, LNCS vol. 2119, pp. 115-129, Springer, 2001.
    [86] G. Bertoni, V. Zaccaria, AES Power Attack Based on Induced Cache Miss and Countermeasure. Proceedings of IEEE ITCC 2005, vol. 1, pp. 586-591, 2005.
    [87] M.-L. Akkar, R. Bevan, P. Dischamp, D. Moyart, Power Analysis, What Is Now Possible... ASIACRYPT 2000, LNCS vol. 1976, pp. 489-502, Springer, 2000.
    [88] J.-S. Coron, P. Kocher, D. Naccache, Statistics and Secret Leakage. ACM Transactions on Embedded Computing Systems, vol. 3(3), pp. 492-508, 2004.
    [89] C. Karlof, D. Wagner, Hidden Markov Model Cryptanalysis. CHES 2003, LNCS vol. 2779, pp. 17-34, Springer, 2003.
    [90] P. Wright, SpyCatcher: The Candid Autobiography of a Senior Intelligence Officer. Viking Press, 1987.
    [91] L. Batina, B. Gierlichs, K. Lemke-Rust, Comparative Evaluation of Rank Correlation Based DPA on an AES Prototype Chip. ISC 2008, LNCS vol. 5222, pp. 341-354, Springer, 2008.
    [92] P.J. Green, R. Noad, N.P. Smart, Further Hidden Markov Model Cryptanalysis. CHES 2005, LNCS vol. 3659, pp. 61-74, Springer, 2005.
    [93] T. Plos, Susceptibility of UHF RFID Tags to Electromagnetic Analysis. CT-RSA 2008, LNCS vol. 4964, pp. 288-300, Springer, 2008.
    [94] R. Anderson, M. Kuhn, Tamper Resistance: A Cautionary Note. Proceedings of the 2nd USENIX Workshop on Electronic Commerce, pp. 1-11, 1996.
    [95] F. Bao, R.H. Deng, Y. Han, A. Jeng, A.D. Narasimhalu, T. Ngair, Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults. Security Protocols Workshop 1997, LNCS vol. 1361, pp. 115-124, Springer, 1998.
    [96] S.-M. Yen, S. Kim, S. Lim, S. Moon, A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack. ICISC 2001, LNCS vol. 2288, pp. 414-427, Springer, 2002.
    [97] P.-Y. Liardet, N.P. Smart, Preventing SPA/DPA in ECC Systems Using the Jacobi Form. CHES 2001, LNCS vol. 2162, pp. 391-401, Springer, 2001.
    [98] E. Brier, M. Joye, Weierstraß Elliptic Curves and Side-Channel Attacks. PKC 2002, LNCS vol. 2274, pp. 335-345, Springer, 2002.
    [99] M. Joye, J.-J. Quisquater, Hessian Elliptic Curves and Side-Channel Attacks. CHES 2001, LNCS vol. 2162, pp. 402-410, Springer, 2001.
    [100] S. Chari, C.S. Jutla, J.R. Rao, P. Rohatgi, Towards Sound Approaches to Counteract Power-Analysis Attacks. CRYPTO '99, LNCS vol. 1666, pp. 398-412, Springer, 1999.
    [101] S. Chiyangwa, M. Kwiatkowska, A Timing Analysis of AODV. FMOODS 2005, LNCS vol. 3535, pp. 306-321, Springer, 2005.
    [102] L. Goubin, A Sound Method for Switching between Boolean and Arithmetic Masking. CHES 2001, LNCS vol. 2162, pp. 3-15, Springer, 2001.
    [103] L. Goubin, J. Patarin, DES and Differential Power Analysis. CHES 1999, LNCS vol. 1717, pp. 158-172, Springer, 1999.
    [104] S.A. Crosby, D.S. Wallach, R.H. Riedi, Opportunities and Limits of Remote Timing Attacks. ACM Transactions on Information and System Security, vol. 12(3), Article 17, 2009.
    [105] K. Tiri, I. Verbauwhede, A Digital Design Flow for Secure Integrated Circuits. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 25(7), pp. 1197-1208, IEEE, 2006.
    [106] K. Tiri, D. Hwang, A. Hodjat, B. Lai, S. Yang, P. Schaumont, I. Verbauwhede, Prototype IC with WDDL and Differential Routing: DPA Resistance Assessment. CHES 2005, LNCS vol. 3659, pp. 354-365, Springer, 2005.
    [107] J.-S. Coron, A. Tchulkine, A New Algorithm for Switching from Arithmetic to Boolean Masking. CHES 2003, LNCS vol. 2779, pp. 89-97, Springer, 2003.
    [108] A. Wiemers, Kollisionsattacken beim Comp128 auf Smartcards (Collision Attacks on Comp128 on Smart Cards). ECC-Brainpool Workshop on Side-Channel Attacks on Cryptographic Algorithms, Bonn, Germany, December 2001.
    [109] K. Schramm, T. Wollinger, C. Paar, A New Class of Collision Attacks and Its Application to DES. FSE 2003, LNCS vol. 2887, pp. 206-222, Springer, 2003.
    [110] K. Schramm, G. Leander, P. Felke, C. Paar, A Collision-Attack on AES: Combining Side Channel- and Differential-Attack. CHES 2004, LNCS vol. 3156, pp. 163-175, Springer, 2004.
    [111] H. Ledig, F. Muller, F. Valette, Enhancing Collision Attacks. CHES 2004, LNCS vol. 3156, pp. 176-190, Springer, 2004.
    [112] A. Biryukov, D. Khovratovich, Two New Techniques of Side-Channel Cryptanalysis. CHES 2007, LNCS vol. 4727, pp. 195-208, Springer, 2007.
    [113] A. Bogdanov, Improved Side-Channel Collision Attacks on AES. SAC 2007, LNCS vol. 4876, pp. 84-95, Springer, 2007.
    [114] A. Bogdanov, Multiple-Differential Side-Channel Collision Attacks on AES. CHES 2008, LNCS vol. 5154, pp. 30-44, Springer, 2008.
    [115] C. Clavier, B. Feix, G. Gagnerot, M. Roussellet, V. Verneuil, Improved Collision-Correlation Power Analysis on First Order Protected AES. CHES 2011, LNCS vol. 6917, pp. 49-62, Springer, 2011.
    [116]M.F. Witteman, J.G.J. van Woudenberg, F. Menarini, Defeating RSA multiply-always and message blinding countermeasures. CT-RSA 2011, LNCS, vol.6558, pp.77-88, Springer Verlag,2011.
    [117]N. Homma, A. Miyamoto, T. Aoki, A. Satoh, A. Shamir, Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs. CHES 2008, LNCS, vol.5154, pp.15-29, Springer Verlag,2008.
    [118]B. Gerard, F.X. Standaert, Unified and Optimized Linear Collision Attacks and Their Ap-plication in a Non-prfiled Setting. CHES 2012, LNCS, vol.7428, pp.175-192, Springer Verlag,2012.
    [119]冯登国,吴文玲,张文涛,分组密码的设计与分析.清华大学出版社,北京,2009.
    [120]E. Biham, A. Shamir, Differential Cryptanalysis of DES-like Cryptosystems. CRYPTO'90, LNCS, vol.537, pp.2-21, Springer Verlag,1991.
    [121]M. Matsui, The First Experimental Cryptanalysis of the Data Encryption Standard. CRYP-TO'94, LNCS, vol.839, pp.1-11, Springer Verlag,1994.
    [122]J. M. Rabaey, A. Chandrakasan, B. Nikolic, Digital Integrated Circuits-A Design Perspec-tive. Electronics and VLSI Series, Pearson Academic,2nd International edition,2003.
    [123]C. Carlet, On Highly Nonlinear S-Boxes and Their Inability to Thwart DPA Attacks. IN-DOCRYPT 2005, LNCS, vol.3797, pp.49-62, Springer Verlag,2005.
    [124]S.-M. Yen, M. Joye, Checking Before Output May Not Be Enough. Against Fault-Based Cryptanalysis. IEEE Transaction on Computers, vol.49, pp.967-970, IEEE Computer So-ciety,2000.
    [125]曾永红,叶旭明.抗差分功耗分析攻击的AES S盒电路设计.计算机工程,vol.36(9),pp.20-22,2010.
    [126]张鹏,邓高明,邹程,等.差分功率分析攻击中的信号处理与分析.微电子学与计算机,vol.26(11),pp.1-4,2009.
    [127]李志强,严迎建,段二朋.差分能量攻击样本选取方法.计算机应用,vol.32(1),pp.92-94,2012.
    [128]严迎建,郭建飞,李默然等.分组密码DPA汉明重量区分函数选择方法.微电子学,vol.43(5),pp.690-693,2013.
    [129]段二朋,严迎建,刘凯.针对AES密码芯片的CPA攻击点选择研究.计算机工程与应用,vol.49(4),pp.91-94,2013.
