摘要
安全SoC(System on Chip)芯片在各个领域中得到了广泛的应用,主要完成用户关键数据的安全存储、数据加解密、数字签名与认证、以及身份鉴别等。安全SoC芯片在各种应用系统中往往作为安全控制的核心和信任根源,因此安全SoC芯片自身的安全性对整个系统而言起着关键作用。受利益驱使,安全SoC芯片往往成为恶意实体或个人的破解目标,相关的破解手段包括软件攻击、旁路攻击以及物理攻击,其中旁路攻击特别是功耗攻击就是一种针对密码算法具体实现中存在的薄弱环节而实施的以破解密钥为目标的有效攻击技术。为此,本文将安全SoC中密码算法部件抗功耗攻击设计与实现的关键技术作为研究内容,主要包括以下三个方面:一是抗功耗攻击的密码算法部件辅助设计技术,二是创新的防护技术,三是面向安全约束的SoC设计技术与安全SoC原型芯片的设计与实现。
在本文的研究过程中,主要取得了如下创新成果:
(1)提出了识别密码算法具体实现中可被功耗攻击漏洞的分析方法,主要包括三个部分:识别密码算法具体实现中可被功耗攻击漏洞的基本理论,描述密码算法具体实现的增强数据相关图,以及识别可被功耗攻击漏洞的算法。发现密码算法具体实现中可被功耗攻击的漏洞不仅为设计具有高防护能力的密码算法实现模块提供有效指导信息,设计者可以据此采取有针对性的技术措施以抗功耗攻击;也可为建立抗功耗攻击的密码算法部件辅助设计EDA工具打下坚实的基础。
(2)提出了密码算法部件抗功耗攻击防护能力的量化评估方法。本文根据功耗攻击的信噪比来估算成功实施功耗攻击所需的样本数,并给出了不同设计层次(包括RTL级、综合后以及布局布线后等)下密码算法部件的瞬态功耗模拟技术。识别密码算法具体实现中可被功耗攻击的漏洞相当于定性分析防护能力,结合防护能力量化评估,可以有效指导抗功耗攻击的密码算法部件设计与实现。
(3)提出了基于随机掩码的抗高阶功耗攻击的AES算法实现技术,其目的在于消除可被功耗攻击的漏洞。定义了若干随机掩码的细粒度操作,将AES算法中各种变换转换为细粒度操作的序列,并保证所有的中间结果均被不同的随机量所掩码,结合运算过程随机化技术以达到更好的防护效果。基于该技术,可以采用软件、硬件以及软硬件混合等不同方式实现AES算法。
(4)提出了三种不同的旨在增大功耗攻击难度的防护技术:一是基于WDDL和行波流水技术的抗功耗攻击的分组密码算法实现技术,将WDDL逻辑单元的功耗恒定特性与行波流水技术的高运算性能有效结合,用以实现分组密码算法部件,不仅具有良好的抗功耗攻击防护能力,也具有较高的运算性能;二是基于混沌噪声的防护技术,利用混沌信号的高度复杂性和不可预测性,以混沌功耗噪声掩盖密码算法部件的有效功耗信息,适合于安全SoC芯片中对多个密码运算部件进行保护,且与密码算法部件的实现细节无关;三是基于细粒度任务调度的RSA和ECC算法抗功耗攻击实现技术,将RSA和ECC算法中关键操作即大整数模幂和椭圆曲线标量乘法转换为细粒度原子操作的随机序列,在运算过程中随机的插入数目可配置的伪操作,达到了防护能力和运算性能的灵活折衷。
(5)提出了面向安全约束的SoC芯片设计技术。在基于层次平台的SoC设计方法学基础上,提出了基于可信计算体系结构的安全SoC层次化设计平台,在安全SoC的设计中引入独立的安全约束,并给出了相应的安全约束映射技术和安全验证技术。从软件攻击和旁路攻击等角度,定义安全约束并验证防护技术的有效性。所提出的安全SoC设计技术不仅可以充分重用已有的设计资源,也可充分利用现有的层次平台设计技术及相关辅助设计工具。
Secure SoC (System on Chip) plays an important role in many applications. The function of secure SoC includes the protection and secure storage of private data, encryption/decryption, digital signature and verification, identity authentication etc. Secure SoC is always the key of security control or the root of trust. So the security of a secure SoC itself is the key to establish an information system with high dependability. To obtain illegal interest, some vicious entities or individuals may attempt to break the secure SoCs. The commonly used techniques to break a secure SoC include software attack, side-channel attack and physical attack. Side-channel attack, especially power analysis attack, is a very efficient method to break the private keys using the implementing weakness of a secure SoC. So the key techniques of power analysis resistant implementation of cryptographic devices in the secure SoC are the main target of this thesis. The research of this thesis includes the following three parts; the first one is the aided design method to implement power analysis resistant cryptographic devices, the second one is novel countermeasures for different cryptographic algorithms, and the last one is the design method of security oriented SoC and implementation of a secure SoC prototype.
Primary innovation works of this thesis can be summarized as follows.
(1) The technique to identify feasible power analysis attacks in the implementation of cryptographic devices is presented. This is equivalent to perform qualitative analysis of the cryptographic device's resistibility against power analysis attack. The identifying method includes three parts, the basic theory to identify feasible attacks, the enhanced data dependence graph to describe the implementation, and the algorithm to identify different kinds of attacks. The results of identified attacks are valuable guidance for designers to choose appropriate countermeasures while designing and implementing power analysis resistant cryptographic device. Besides, this technique lays the foundation of the EDA tools for the aided design of power analysis resistant cryptographic device.
(2) The technique to perform quantitative analysis of the cryptographic device's resistibility against power analysis attack is presented. The number of power trace measurements needed to perform a power analysis attack successfully is used to express the quantitative resistibility. And the number of samples is computed based on the signal-to-noise ratio of the corresponding power analysis attack. The technique of power trace simulations at multiple levels including RTL, synthesized and Placement & routing, is proposed. With the qualitative analysis and quantitative analysis of the resistibility against power analysis attack, a designer can implement a power analysis resistant cryptographic device efficiently.
(3) The AES implementation secure against high-order power analysis attack based on random masking is presented. This countermeasure aims to eliminate the feasible leaks which can be used to perform power analysis attacks. Several fine grained masked operations are defined. And all the transformations in AES are transferred to the sequence of the pre-defined masked operations. All the intermediate results are masked by different random values. Combined with randomized execution of the fine grained operations sequence, it is proven that the proposed countermeasure is secure against high-order power analysis attack. This countermeasure not only can be implemented as software or hardware blocks completely, but also can be implemented as software-hardware hybrid block.
(4) Three kinds of different countermeasures which aim to increase the difficulty of performing power analysis attack to an extremely large degree are presented. The first one is the implementation of block cipher coprocessor based on WDDL and wave-pipelining. A WDDL circuit can achieve nearly constant power consumption which is independent with the input signals. And wave-pipelining is an advanced technique which achieves extremely high performance. Block cipher coprocessor based on WDDL and wave-pipelining not only prevent power analysis attack effectively, but also achieves high performance and low power consumption. The second one is the countermeasure based on chaotic noise. Since the extremely high complexity and unpredictable nature of chaos, chaotic power noise is generated to mask the power trace of cryptographic device. This technique is suited for protecting multiple cryptographic blocks in a secure SoC. And it is unrelated to the implementation details of a cryptographic device. The third one is the implementation of RSA and ECC based on fine grained operation schedule. The large number modular exponentiation and elliptic curve scalar multiplication which are the key operations of RSA and ECC are transferred to the randomized sequence of fine grained operations. By inserting invalid operations with configurable amount, fine compromise is achieved between performance and the resistibility against power analysis attack.
(5) The key technique of security oriented SoC design is presented. With the hierarchical platform based SoC design methodology, the hierarchical secure SoC platform based on the architecture of trusted computing is constructed. Independent constraints of security are introduced to the design and implementation of secure SoC. And the transmission and validation of the security constraints are presented. The security constraints and validation include two sides, i.e., the ability to resist software attack and side-channel attack. The presented design method not only reuses the existing design resources to a large degree, but also reuses the existing platform based SoC design technique and aided design environment.
引文
[1]智能卡的应用.http://www.yicard.com/cardtech/smartcard/jichu/JCZS-03.htm
[2]B.schneier著,吴世忠等译.应用密码学,北京:国防工业出版社,1998
[3]P.Kocher,et al.Security as a new dimension in embedded system design.41th annual conference on Design automation,ACM,2004:753-760
[4]S.Ravi,A.Raghunathan.Security in Embedded Systems:Design Challenges.ACM Transactions on Embedded Computing Systems,2004,3(3):461-491
[5]KULRD & SCARD Consortium.Side Channel Attacks.Technical report,SCARD SCARD-KULRD-D4.1.http://www.scard-project.org
[6]S.Skorobogatov.Semi-invasive attacks-A new approach to hardware security analysis.Technical report,UCAM-CL-TR-630.http://www.cl.cam.ac.uk /techreports/UCAM-CL-TR-630.pdf
[7]P.Kocher.Timing Attacks on Implementations of Diffie-Hellman,RSA,DSS,and Other Systems.Advances in Cryptology'96,LNCS 1109,1996:104-113
[8]P.Kocher,J.Jaffe,B.Jun.Differential power analysis.Advances in Cryptology'99,LNCS 1666,1999:388-397
[9]E.Brier,C.Clavier,F.Olivier.Correlation Power Analysis with a Leakage Model.CHES 2004,LNCS 3156,2004:16-29
[10]T.Le,et al.A Proposition for Correlation Power Analysis Enhancement.CHES 2006,LNCS 4249,2006:174-186
[11]C.Clavier,J.S.Coron,N.Dabbous.Differential Power Analysis in the Presence of Hardware Countermeasures.CHES 2000,LNCS 1965,2000:252-263
[12]M.Gomukiewicz,M.Kutylowski.Hamming Weight Attacks on Cryptographic Hardware-Breaking Masking Defense.ESORICS'2002,LNCS 2502,2002:90-103
[13]K.Itoh,T.Izu,M.Takenaka.Address-Bit Differential Power Analysis of Cryptographic Schemes OK-ECDH and OK-ECDSA.CHES 2002,LNCS 2523,2003:129-143
[14]L.Goubin.A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems.PKC 2003,LNCS 2567,2003:199-211
[15IN.P.Smart.An Analysis of Goubin's Refined Power Analysis Attack.CHES 2003,LNCS 2779,2003:281-290
[16]K.Schramm,et al.A Collision-Attack on AES Combining Side Channel-and Differential-Attack.CHES 2004,LNCS 3156,2004:163-175
[17]B.Robisson,P.Manet.Differential Behavioral Analysis.CHES 2007,LNCS 4727,2007:413-426
[18]D.Agrawal,et al.The EM Side-Channel(s).CHES 2002,.LNCS 2523,2003:29-45
[19]G.Piret,J.Quisquater.A Differential Fault Attack Technique against SPN Structures,with Application to the AES.CHES 2003,LNCS 2779,2003:77-88
[20]C.Giraud,H.Thiebeauld.A Survey on Fault Attacks.CARDIS 2004,2004:159-176
[21]C.Aumueller,et al.Fault Attacks on RSA with CRT:Concrete Results and Practical Countermeasures.CHES 2002,LNCS 2523,2002:260-275
[22] S. Yen, D. Kim. Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection. FDTC '04,2004 : 381-385
[23]Sining Liu, B. King, Wei Wang. A CRT-RSA Algorithm Secure against Hardware Fault Attacks. IEEE International Symposium on Dependable, Autonomic and Secure Computing, 2006 : 51-60
[24] E. Brier, M. Joye, Weierstra. Elliptic Curves and Side-Channel Attacks. PKC 2002, LNCS 2274,2002 : 335-345
[25] E. Oswald. Enhancing Simple Power-Analysis Attacks on Elliptic Curve Cryptosystems. CHES 2002, LNCS 2523, 2003 : 82-97
[26] C. Rechberger, E. Oswald. Practical Template Attacks. WISA 2004, LNCS 3325, 2004 :440-456
[27] W. Fischer, et al. Differential Power Analysis of Stream Ciphers. CT-RSA 2007, LNCS 4377,2007 : 257-270
[28] R. McEvoy, et al. Differential Power Analysis of HMAC Based on SHA-2, and Countermeasures. WISA 2007, LNCS 4867, 2007 : 317-332
[29] J. R. Rao, et al. Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards. IEEE Symposium on Security and Privacy, 2002 : 31-41
[30] A. Schuster. Differential Power Analysis of an AES Implementation. Technical Report, IAIK-TR2004/06/25. http://www.iaik.tu-graz.ac.at/research/sca-lab/index. Php
[31]S. B. (?)rs, et al. Power-Analysis Attack on an ASIC AES implementation. ITCC'04, 2004 : 546-552
[32]北京密安公司.基于DPA攻击的智能 IC 卡密码分析测试系统白皮书. http://www.onets.com.cn/baipil.htm
[33] E. Oswald. On Side-Channel Attacks and the Application of Algorithmic Countermeasures. Graz: Ph D dissertation of Graz University of Technology, 2003
[34] S. Mangard. Securing Implementations of Block Ciphers against Side-Channel Attacks. Graz: Ph D dissertation of Graz University of Technology, 2004
[35] T. S. Messerges, E. A. Dabbish, R. H. Sloan. Examining Smart-Card Security under the Threat of Power Attack Analysis. IEEE Trans. on computers, 2002, 51(5) : 541-552
[36] L. Goubin, J. Patarin. DES and Differential Power Analysis The "Duplication" Method. CHES'99, LNCS 1717,1999 : 158-172
[37]T. S. Messerges. Using Second-Order Power Analysis to Attack DPA Resistant Software. CHES 2000, LNCS 1965, 2000 : 238-251
[38] J. Waddle, D. Wagner. Towards Efficient Second-Order Power Analysis. CHES 2004, LNCS 3156, 2004: 1-15
[39] K. Okeya, K. Sakurai. A Second-Order DPA Attack Breaks a Window-Method Based Countermeasure against Side Channel Attacks. ISC 2002, LNCS 2433, 2002 : 389-401
[40] M. Joye, P. Paillier, B. Schoenmakers. On Second-Order Differential Power Analysis. CHES 2005, LNCS 3659, 2005 : 293-308
[41]E. Oswald, et al. Practical Second-Order DPA Attacks for Masked Smart Card Implementations of Block Ciphers. CT-RSA 2006, LNCS 3860, 2006 : 192-207
[42] E. Peeters, et al. Improved Higher-Order Side-Channel Attacks with FPGA Experiments. CHES 2005, LNCS 3659, 2005 : 309-323
[43] K. Schramm, C. Paar. Higher Order Masking of the AES. CT-RSA, 2006, LNCS 3860, 2006 :208-225
[44]J.S. Coron, E. Prouff, M. Rivain. Side Channel Cryptanalysis of a Higher Order Masking Scheme. CHES 2007, LNCS 4727,2007 : 28-44
[45] P. Kocher, J. Jaffe. Using Unpredictable Information to Minimize Leakage from Smartcards and Other Cryptosystems. US. Patents, No. US 6327661
[46] M. Bucci, et al. A Power Consumption Randomization Countermeasure for DPA-Resistant Cryptographic Processors. Integrated Circuit and System Design, LNCS 3254, 2004 : 481-490
[47] K. Tiri. Design for Side-channel Attack Resistant Security ICs. California: PhD thesis of University of California, 2005
[48] K. Tiri, et al. A Side-Channel Leakage Free Coprocessor IC in 0.18μm CMOS for Embedded AES-based Cryptographic and Biometric Processing. DAC 2005, 2005 : 222-227
[49] K. Tiri, I. Verbauwhede. Securing Encryption Algorithms against DPA at the Logic Level: Next Generation Smart Card Technology. CHES2003, LNCS 2779, 2003: 125-136
[50] K. Tiri, et al. Prototype IC with WDDL and Differential Routing -DPA Resistance Assessment, CHES 2005, LNCS 3659,2005 : 354-365
[51]K. Tiri, I. Verbauwhede. A Logic Level Design Methodology for a Secure DPA Resistant ASIC or FPGA Implementation. DATE'04, 2004 : 246-251
[52] S. Moore, et al. Improving Smart Card Security using Self-timed Circuits. ASYNC'02,2002: 211-218
[53] Z. C. Yu, S. B. Furber, L. A. Plana. An Investigation into the Security of Self-timed Circuits. ASYNC'03, 2003 : 206-215
[54]Macdonald. A balanced-power domino-style standard cell library for fine-grain asynchronous pipelined design to resist differential power analysis attacks. Boston: Master thesis of Boston University, 2003
[55] R. Muresan. Modeling and Applications of Current Dynamics in a Complex Processor Core. Waterloo : PhD thesis of University of Waterloo, 2003
[56] G. B. Ratanpal, R. D. Williams, T. N. Blalock. An On-Chip Signal Suppression Countermeasure to Power Analysis Attacks. IEEE Transactions on Dependable and Secure Computing, 2004,1(3): 179-189
[57] A. Shamir. Protecting smart cards from power analysis with detachable power supplies. United States Patent, No. 6507913
[58]Technikon. SCARD - Side Channel Analysis Resistant Design Flow. Project Presentation Document, 2004. http://www.scard-project.org
[59] K. Okeya, K. Miyazaki, K. Sakurai. A Fast Scalar Multiplication Method with Randomized Projective Coordinates on a Montgomery-Form Elliptic Curve Secure against Side Channel Attacks. ICICS 2002, LNCS 2288, 2002 : 428-439
[60] H. Chang, Kwangjo Kim. Securing AES against Second-Order DPA by Simple Fixed-Value Masking. Joho Shori Gakkai Shinpojiumu Ronbunshu, 2003, 2003(15):145-150
[61]李翔宇,孙义和.用于密码芯片抗功耗攻击的功耗平衡加法器.半导体学报,2005,26(8):1629-1634
[62]韩军,曾晓洋,汤庭鳌.RSA密码算法的功耗轨迹分析及其防御措施.计算机学报,2006,29(4):590-596
[63]蒋惠萍,毛志刚.一种抗差分功耗攻击的改进DES算法及其硬件实现.计算机学报,2004,27(3):334-338
[64]M.Akkar,C.Giraud.An Implementation of DES and AES,Secure against Some Attacks.CHES 2001,LNCS 2162,2001:309-318
[65]M.Akkar,L.Goubin.A Generic Protection against High-Order Differential Power Analysis.FSE 2003,LNCS 2887,2003:192-205
[66]J.Lv,Y.Han.Enhanced DES Implementation Secure Against High-Order Differential Power Analysis in Smartcards.ACISP 2005,LNCS 3574,2005:195-206
[67]T.S.Messerges.Securing the AES Finalists Against Power Analysis Attacks.FSE 2000,LNCS 1978,2001:150-164
[68]E.Trichina,D.De Seta,L.Germani.Simplified Adaptive Multiplicative Masking for AES.CHES 2002,LNCS 2523,2003:187-197
[69]J D.Golic,C.Tymen.Multiplicative Masking and Power Analysis of AES.CHES 2002,LNCS 2523,2003:198-212
[70]E.Trichina,L.Korkishko.Secure and Efficient AES Software Implementation for Smart Cards.WISA 2004,LNCS 3325,2004:425-439
[71]E.Oswald,et al.A Side-Channel Analysis Resistant Description of the AES S-Box.FSE 2005,LNCS 3557,2005:413-423
[72]A.G.Rostovtsev,O.V.Shemyakina.AES side channel attacks protection using random isomorphisms.Cryptology ePrint Archive,2005/087.http://eprint.iacr.org
[73]J.Bl(A|¨)omer,J.G.Merchan,V.Krummel.Provably Secure Masking of AES.Selected Areas in Cryptography,LNCS 3357,2005:69-83
[74]E.Oswald,K.Schramm.An Efficient Masking Scheme for AES Software Implementations.WISA 2005,LNCS 3786,2006:292-305
[75]C.Herbst,E.Oswald,S.Mangard.An AES Smart Card Implementation Resistant to Power Analysis Attacks.ACNS 2006,LNCS 3989,2006:239-252
[76]N.T.Courtois,Louis Goubin.An Algebraic Masking Method to Protect AES Against Power Attacks.ICISC 2005,LNCS 3935,2006:199-209
[77]Y.Baek,M.Noh.DPA-Resistant Finite Field Multipliers and Secure AES Design.ISPEC 2006,LNCS 3903,2006:1-12
[78]E.Prouff,C.Giraud,S.Aum6nier.Provably Secure S-Box Implementation Based on Fourier Transform.CHES 2006,LNCS 4249,2006:216-230
[79]E.Prouff,M.Rivain.A Generic Method for Secure SBox Implementation.WISA 2007,LNCS 4867,2007:227-244
[80]J.Coron.Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems.CHES 1999,LNCS 1717,1999:292-302
[81]J.Ha,et al.Provably Secure Countermeasure Resistant to Several Types of Power Attack for ECC.WISA 2007,LNCS 4867,2007:333-344
[82]J.Coron,L.Goubin.On Boolean and Arithmetic Masking against Differential Power Analysis.CHES 2000,LNCS 1965,2000:231-237
[83]L.Goubin.A Sound Method for Switching between Boolean and Arithmetic Masking.CHES 2001,LNCS 2162,2001:3-15
[84]J.Coron,A.Tchulkine.A New Algorithm for Switching from Arithmetic to Boolean Masking.CHES 2003.LNCS 2779,2003:89-97
[85]童元满等.识别密码算法具体实现中潜在功耗攻击的理论分析方法.计算机辅助设计与图形学学报,2008,20(3):395-402
[86]E.Oswald,M.Aigner.Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks.CHES 2001,LNCS 2162,2001:39-50
[87]B.M(o|¨)ller.Securing Elliptic Curve Point Multiplication against Side-Channel Attacks.ISC 2001,LNCS 2200,2001:324-334
[88]K.Okeya,K.Sakurai.On Insecurity of the Side Channel Attack Countermeasure Using Addition-Subtraction Chains under Distinguishability between Addition and Doubling.ACISP 2002,LNCS 2384,2002:420-435
[89]T.,B.M(o|¨)ller,T.Takagi.Improved Elliptic Curve Multiplication Methods Resistant against Side Channel Attacks.INDOCRYPT 2002,LNCS 2551,2002:296-313
[90]B.M(o|¨)ller.Parallelizable Elliptic Curve Point Multiplication Method with Resistance against Side-Channel Attacks.ISC 2002,LNCS 2433,2002:402-413
[91]K.Okeya and T.Takagi.The width-w NAF method provides small memory and fast elliptic scalar multiplications secure against side channel attacks.CTRSA'03,LNCS 2612,2003:328-342
[92]M.Ahn,et al.A Rondom M-ary Method Based Countermeasure against Side Channel Attacks.ICCSA 2003,LNCS 2668,2003:338-347
[93]K.Okeya,T.Takagi,C.Vuillaume.On the Exact Flexibility of the Flexible Countermeasure Against Side Channel Attacks.ACISP 2004,LNCS 3108,2004:466-477
[94]C.Clavier,M.Joye.Universal Exponentiation Algorithm:A First Step towards Provable SPA-Resistance.CHES 2001,LNCS 2162,2001:300-308
[95]C.D.Walter.MIST.An Efficient,Randomized Exponentiation Algorithm for Resisting Power Analysis.CT-RSA 2002,LNCS 2271,2002:53-66
[96]B.Chevallier-Mames.Self-Randomized Exponentiation Algorithms.CT-RSA 2004,LNCS 2964,2004:236-249
[97]J.Daemen,V.Rijmen.Resistance against implementation attacks:a comparative study of the AES proposals.2nd AES Candidate Conference,1999:122-132
[98]S.Yang,et al.Power Attack Resistant Cryptosystem Design:A Dynamic Voltage and Frequency Switching Approach.DATE'05,2005:64-69
[99]H.Schneider.Analysis of the Resistance of Different Logic Styles Against SPA &DPA Attacks.Graz:Master thesis of Graz University of Technology,2003
[100]K.Tiri,I.Verbauwhede.A Digital Design Flow for Secure Integrated Circuits.IEEE Trans.on CAD of IC and Syst.,2006,25(7):1197-1208
[101]F.Mace,et al.A Design Methodology for Secured ICs Using Dynamic Current Mode Logic.PATMOS 2005,LNCS 3728,2005:550-560
[102]D.Mesquita,et al.Current Mask Generation:A Transistor Level Security Against DPA Attacks. 18th Symposium on Integrated Circuits and Systems Design, 2005: 115-120
[103] T. Popp, S. Mangard. Masked Dual-Rail Pre-charge Logic:DPA-Resistance Without Routing Constraints. CHES 2005, LNCS 3659, 2005 : 172-186
[104] T. Popp, et al. Evaluation of the Masked Logic Style MDPL on a Prototype Chip. CHES 2007, LNCS 4727,2007 : 81-94
[105] T. Izu, T. Takagi. A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks. PKC 2002, LNCS 2274,2002 : 280-296
[106] P. K. Mishra, P. Sarkar. Application of Montgomery's Trick to Scalar Multiplication for Elliptic and Hyperelliptic Curves Using a Fixed Base Point. PKC 2004, LNCS 2947,2004 : 41-54
[107] C. H. Lim. A New Method for Securing Elliptic Scalar Multiplication Against Side-Channel Attacks. ACISP 2004, LNCS 3108,2004 : 289-300
[108] S. Yen, et al. Relative Doubling Attack Against Montgomery Ladder. ICISC 2005, LNCS 3935,2006 : 117-128
[109] T. Popp. Semi-Custom Design Flow for a DPA-Resistant Logic Style. Graz: Diploma Thesis of Graz University of Technology, 2004
[110] S. Mangard. Calculation and Simulation of the Susceptibility of Cryptographic Devices to Power-Analysis Attacks. Graz: Diploma Thesis of Graz University of Technology, 2003
[111] S. Tillich. Evaluation of Side-Channel Attack Resistivity with Rapid Prototyping. Graz: Diploma Thesis of Graz University of Technology, 2003
[112] URM, IAIK, KURLD. Modeling & Simulation of SCA Effects. IAIK, Tech Report: SCARD - URM1 - D6.1,2005. (available at: http://www.scard-project.org)
[113] H. Li, et al. Security Evaluation Against Electromagnetic Analysis at Design Time. CHES 2005, LNCS 3659,2005 : 280-292
[114] M. Joye, Christophe Tymen. Protections against Differential Analysis for Elliptic Curve Cryptography. CHES 2001, LNCS 2162,2001 : 377-390
[115] R. M. Avanzi. Countermeasures against Differential Power Analysis for Hyperelliptic Curve Cryptosystems. CHES 2003, LNCS 2779, 2003 : 366-381
[116] M. Akkar, R. Bevan, L.Goubin. Two Power Analysis Attacks against One-Mask Methods. FSE 2004, LNCS 3017, 2004 : 332-347
[117] S. Chari, et al. Towards Sound Approaches to Counteract Power-Analysis Attacks. CRYPTO'99, LNCS 1666,1999 : 398-412
[118] N. R. Potlapally, et al. Satisfiability-based Framework for Enabling Side-channel Attacks on Cryptographic Software. DATE06, 2006 : 1-6
[119] S. Mangard. Hardware Countermeasures against DPA -A Statistical Analysis of Their Effectiveness. CT-RSA 2004, LNCS 2964, 2004 : 222-235
[120] Tiwari, S. Malik, and A. Wolfe. Power analysis of embedded software: A first step towards software power minimization. IEEE Transactions on VLSI Systems, 1994, 2(4): 437-445
[121] T. Simunic, L. Benini, G. De Micheli. Cycle-Accurate Simulation of Energy Consumption in Embedded Systems. IEEE Transactions on Computer-Aided Design of Circuits and Systems, 2001, 9(1): 15-28
[122]Q.Wu,et al.Cycle-Accurate Macro-Models for RT-Level Power Analysis.IEEE trans,on VLSI SYSTEMS,1998,6(4):520-528
[123]李杰,谢巍,刘明业.基于RTL级的数字电路功耗分析.北京理工大学学报,2001,21(1):1-5
[124]王永文,张民选.高性能微处理器微体系结构级功耗模型及分析.计算机学报,2004,27(10):1320-1327
[125]张盛,周润德,羊性滋.基于翻转信息熵的组合逻辑电路功耗分析.电子学报,2004,32(8):1526-1529
[126]李曦等.面向低功耗优化设计的系统级功耗模型研究.电子学报,2004,32(2):205-208
[127]李佳等.体系结构级功耗分析方法.系统仿真学报,2004,16(12):2821-2827
[128]徐勇军等.组合电路功耗敏感性统计分析.计算机辅助设计与图形学学报,2005,17(1):122-128
[129]石伟等.防DPA攻击的标准单元库的设计与实现.微电子学与计算机,2007,24(2):51-54
[130]A.Satoh,et al.A Compact Rijndael Hardware Architecture with S-Box Optimization.ASIACRYPT 2001,LNCS 2248,2001:239-254
[131]A.Rudra,et al.Efficient Rijndael Encryption Implementation with Composite Field Arithmetic.CHES 2001,LNCS 2162,2001:171-184
[132]S.Mangard,T.Popp,B.M.Gammel.Side-channel leakage of masked CMOS gates.CT-RSA 2005,LNCS 3376,2005:361-365
[133]S.Mangard,N.Pramstaller,E.Oswald.Successfully Attacking Masked AES Hardware Implementations.CHES 2005,LNCS 3659,2005:157-171
[134]S.Mangard,K.Schramm.Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations.CHES 2006,LNCS 4249,2006:76-90
[135]S.Tillich,J.Groβsch(a|¨)d.Instruction Set Extensions for Efficient AES Implementation on 32-bit Processors.CHES 2006,LNCS 4249,2006:270-284
[136]D.C.Wong,G De Micheli,M.J.Flynn.Designing high-performance digital circuits using wave pipelining:algorithms and practical experiences.IEEE Trans.On CAD of IC and Systems,1993,12(1):25-46
[137]K.J.Nowka.High Performance CMOS System Design Using Wave Pipelining.Technical report,CSL-TR-96-693.http://infolab.stanford.edu/TR/CSL-TR-96-693.html
[138]W.P.Burleson,et al.Wave-pipelining:a tutorial and research survey.IEEE Trans.On VLSI Systems,1998,6(3):464-474
[139]孙迎红,童元满,王志英.基于自适应滤波和模式识别的功耗攻击技术.通讯与计算机,2007,4(2):47-50
[140]李树均.数字化混沌密码的分析与设计.西安:西安交通大学博士学位论文,2003
[141]丁源源.混沌及其保密通信技术研究.武汉:武汉理工大学硕士学位论文,2004
[142]韦鹏程.混沌序列密码设计与实现研究.重庆:重庆大学硕士学位论文,2004
[143]何振亚等.细胞神经网络动态特性及其在保密通信中的应用.通信学报,1999,20(3):56-67
[144]蒋国平.基于细胞神经网络超混沌系统的扩频保密通信.南京邮电学院学报(自然科学版),2000,20(3):5-10
[145]孙克辉,张泰山.基于混沌序列的数据加密算法设计与实现.小型微型计算机系统,2004,25(7):1368-1371
[146]孙鑫,易开祥,孙优贤.基于混沌系统的图像加密算法.计算机辅助设计与图形学学报,2002,14(2):136-139
[147]L O Chua,L Yang.Cellular neural network:Theory.IEEE Transaction Circuits and System,1988,35(10):1257-1272
[148]F.Zou,J.A.Nossek.Bifurcation and Chaos in Cellular Neural Networks.IEEE Transaction on Circuits and System,1993,40(3):166-173
[149]J.M.Cruz,L.O.Chua.A 16×16 Cellular Neural Network Universal Chip:The First Complete Single-Chip Dynamic Computer Array with Distributed Memory and with Gray-Scale Input-Output.Analog Integrated Circuits and Signal Processing.Boston:Kluwer Academic Publishers 15,1998:227-237
[150]M.Salerno,F.Sargeni,V.Bonaiuto.A Dedicated Multi-Chip Programmable System for Cellular Neural Networks.Analog Integrated Circuits and Signal Processing.Boston,Kluwer Academic Publishers 18,1999:277-288
[151]B.Chevallier-Mames,M.Ciet,M.Joye.Low-Cost Solutions for Preventing Simple Side-Channel Analysis:Side-Channel Atomicity.IEEE Transaction on Computer,2004,53(6):760-768
[152]L.Batina,G.Bruin-Muurling,S.B.(O|¨)rs.Flexible Hardware Design for RSA and Elliptic Curve Cryptosystems.CT-RSA 2004,LNCS 2964,2004:250-263
[153]童元满等.可扩展公钥密码协处理器的设计与实现.小型微型计算机系统,2007,28(2):243-246
[154]童元满,戴葵,王志英.基于SD数据表示的大数除法VLSI高速实现.计算机工程与科学,2006,28(8):11-13
[155]H.Cohen,A.Miyaji,T.Ono.Efficient elliptic curve exponentiation using mixed coordinates.Advances in Cryptology,LNCS 1514,1998:51-65
[156]熊志辉等.一种基于层次平台的SoC系统设计方法.电子学报,2004,32(11):1815-1819
[157]熊志辉等.支持平台设计方法的系统芯片协同设计环境.计算机辅助设计与图形学学报,2005,17(7):1401-1406
[158]熊志辉等.基于平台的SoC系统建模方法研究.计算机工程与科学,2005,27(8):56-59
[159]何伟.基于平台的SoC设计技术研究.合肥工业大学学报,自然科学版,2007,30(6):727-731
[160]曾晓洋等.信息安全芯片SoC平台及应用.信息安全与通信保密,2005,7:358-360
[161]蒋斌,肖佐楠.SoC设计平台及应用实例.中国集成电路,2005,11:32-37
[162]Group T C.TPM main specification,http://www.trustedcomputinggroup.org
[163]张焕国等.一种新型安全计算机.武汉大学学报(理学版),2004,50(S1):001-006
[164]肖政等.基于可信计算平台的体系结构研究与应用.计算机应用,2006,26(8):1807-1809,1812
[165]邢启江等.一种基于TPM芯片的计算机安全体系结构.计算机工程,2007,33(15):152-154
[166]任江春.系统可信赖安全增强关键技术研究.长沙:国防科学技术大学博士学位论文,2006
[167]秦中元,胡爱群.可信计算系统及其研究现状.计算机工程,2006,32(14):111-113
[168]林小茶,李光.基于嵌入式技术的信任根研究.计算机工程与应用,2007,43(16):165-168
[169]T.R.Halfhil.TrustZone Security Extensions Strengthen ARMv6Architecture.US:Tom R.Hall,2003
[170]孙勇,陈伟,杨义先.嵌入式系统的可信计算.信息安全与通信保密.2006,9:50-52
[171]D.Agrawa,J.R.Rao,P.Rohatgi.Multi-channel Attacks.CHES 2003,LNCS 2779,2003:2-16