Algebraic fault attack on the lightweight block cipher SIMON
  • English title: Algebraic fault attack on lightweight block ciphers SIMON
  • Authors: 马云飞 (MA Yunfei); 王韬 (WANG Tao); 陈浩 (CHEN Hao); 黄长阳 (HUANG Changyang)
  • English author line: MA Yunfei; WANG Tao; CHEN Hao; HUANG Changyang; Department of Information Engineering, Ordnance Engineering College
  • Keywords: SIMON; fault attack; algebraic attack; algebraic fault attack; lightweight block cipher
  • English keywords: SIMON; fault attack; algebraic attack; Algebraic Fault Attack (AFA); lightweight block cipher
  • Journal code: JSJY
  • English journal title: Journal of Computer Applications
  • Affiliation: Department of Information Engineering, Ordnance Engineering College
  • Publication date: 2017-07-10
  • Publisher: 计算机应用 (Journal of Computer Applications)
  • Year: 2017
  • Volume/issue: v.37; No.323
  • Funding: National Natural Science Foundation of China (61272491, 61309021, 61472357)
  • Language: Chinese
  • Article ID: JSJY201707024
  • Page count: 7
  • Issue no.: 07
  • CN: 51-1307/TP
  • Pages: 135-141
Abstract
To address the small fault depth and complex manual deduction of existing fault attacks on SIMON, an algebraic fault attack (AFA) method is given. First, an algebraic representation of the SIMON core operation '&' is given and a system of correct full-round encryption equations is constructed. Second, faults are injected into the internal state and the fault information is expressed as algebraic equations; two models, fault-known and fault-unknown, are provided according to whether the attacker knows the exact fault information, together with the fault representation for each. Finally, the CryptoMiniSat 2.9.6 solver is used to solve the system and recover the round keys. Experimental results show that, attacking SIMON32/64 with single-bit faults injected in round 26, the fault-known and fault-unknown models need only 5 and 6 faults respectively to recover the full set of round keys; attacking SIMON128/128 with n-bit-wide faults injected in round 65, both models need only 2 faults to recover the full set of round keys. In addition, comparing the two models shows that, as the number of faults grows, the dominant factor in average solving time changes from the amount of fault information to the computational cost of the equation system.
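As an added worked example (not part of the published abstract), here is the algebraic representation the abstract refers to, written out for one round of SIMON32/64 with word size $n = 16$. The round function is the one defined in the SIMON design paper by Beaulieu et al.; the fault variables $e_j$, the fault round $r$ and the fault position $p$ are notation assumed here.

$$
L_{i+1} = R_i \oplus \big(S^{1}L_i \,\&\, S^{8}L_i\big) \oplus S^{2}L_i \oplus k_i, \qquad R_{i+1} = L_i ,
$$

where $S^{t}$ is the left circular shift by $t$ bits. Over $\mathrm{GF}(2)$ the operation $\&$ is multiplication and $\oplus$ is addition, so bit $j$ of the next state (indices taken mod $n$) satisfies the quadratic equation

$$
L_{i+1,j} = R_{i,j} + L_{i,j-1}\,L_{i,j-8} + L_{i,j-2} + k_{i,j}, \qquad 0 \le j < n .
$$

Writing this for all $j$ and all rounds, with the plaintext and ciphertext bits substituted as constants, gives the correct-encryption system. A fault in the left word at round $r$ is modelled by adding an error vector $e$,

$$
\tilde{L}_{r,j} = L_{r,j} + e_j ,
$$

and the faulty ciphertext yields a second copy of the round equations from round $r$ onward in the variables $\tilde{L}$, sharing the round-key variables $k_{i,j}$ and all state variables before round $r$ with the correct system. The two models differ only in how $e$ is written:

$$
\text{fault-known: } e_j = [\,j = p\,] \text{ with } p \text{ known}; \qquad
\text{fault-unknown: } e_j \text{ unknown, with } \sum_{j=0}^{n-1} e_j = 1 \text{ and } e_j e_k = 0 \ (j \ne k).
$$

In the fault-unknown model the two constraints on the right encode "exactly one bit flipped" without saying which, so the solver must resolve the position as well as the keys. Because both equation sets hinge on the faulty ciphertext being released, a countermeasure that recomputes round $r$ redundantly and suppresses output on disagreement removes the second set entirely.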