Computer Science (计算机科学), 2021, Vol. 48, Issue 11A: 523-527. doi: 10.11896/jsjkx.210200138

• Information Security •

Study on the Threat of Persistent Fault Attack (持久故障攻击威胁性研究)

王舰 (WANG Jian)1,2, 陈华 (CHEN Hua)1, 匡晓云 (KUANG Xiao-yun)3, 杨祎巍 (YANG Yi-wei)3, 黄开天 (HUANG Kai-tian)3

  1 Trusted Computing and Information Assurance (TCA) Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190
  2 University of Chinese Academy of Sciences, Beijing 100049
  3 Electric Power Research Institute, China Southern Power Grid, Guangzhou 510663
  • Online: 2021-11-10  Published: 2021-11-12
  • Corresponding author: CHEN Hua (chenhua@iscas.ac.cn)
  • Supported by:
    National Key R&D Program of China (2018YFB0904900, 2018YFB0904901)

Study on Threat of Persistent Fault Attack

WANG Jian1,2, CHEN Hua1, KUANG Xiao-yun3, YANG Yi-wei3, HUANG Kai-tian3   

  1 TCA Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  2 University of Chinese Academy of Sciences, Beijing 100049, China
  3 Electric Power Research Institute, China Southern Power Grid, Guangzhou 510663, China
  • Online: 2021-11-10  Published: 2021-11-12
  • About the authors: WANG Jian, born in 1998, postgraduate. His main research interests include side-channel analysis and countermeasures.
    CHEN Hua, born in 1976, Ph.D, senior engineer, Ph.D supervisor. Her main research interests include side-channel analysis and countermeasures.
  • Supported by:
    National Key R&D Program of China (2018YFB0904900, 2018YFB0904901).

Abstract (translated from the Chinese): Persistent fault attack is a powerful attack technique that uses a persistent fault together with statistical methods to recover key information. It applies to key recovery against table-lookup implementations of block ciphers; its greatest advantage is that a single fault injection suffices to recover the key, and it can be mounted against classical block-cipher protections such as detection and masking. Even so, the classical fault-attack countermeasures still raise the difficulty of a persistent fault attack: both detection and infection increase the number of ciphertexts needed to extract the correct key by a constant factor, which hinders the attack in real-world scenarios. Real-time health checking of the S-box is an effective defence against persistent fault attacks: once a fault injected into the S-box is detected, no further encryption is performed. A persistent fault attack fully exploits the bijectivity of the S-box, so a health check targeting that bijectivity is an efficient countermeasure. For an 8-bit S-box, 255 XOR operations suffice: the XOR of all 256 outputs of a bijection is zero, and a single faulted entry shifts that sum by the fault difference, so it is always detected. This is far more efficient than a generic checksum such as SHA3. In addition, non-algorithmic countermeasures such as laser sensors also deserve attention.

Keywords: persistent fault attack, countermeasures, block cipher, health test, bijection

Abstract: Persistent Fault Attack (PFA) is a powerful attack that relies on a persistent fault and statistical analysis; it can be applied to extracting the secret key of block cipher implementations based on lookup tables. The greatest advantage of PFA is that it recovers the secret key with only one fault injection; moreover, it can be mounted against classical fault-attack countermeasures such as detection and masking. However, these countermeasures still make the attack harder: key recovery against implementations protected by detection or infection needs a constant factor more ciphertexts, which hinders the attack in practice. A built-in health test of the S-box is a good countermeasure against PFA: the cipher device stops working once a fault injected into the table is detected. PFA relies on the bijective property of the S-box, so testing that property is an effective way to obtain a health-test result for the S-box. Because the XOR of all 256 outputs of a bijective 8-bit S-box is zero, just 255 XOR operations give a reliable health-test result: a single corrupted entry S[x] ⊕ δ shifts that XOR sum to δ and is therefore always detected. The check is tuned to the single persistent fault that PFA relies on rather than being a full bijectivity proof, since two entries corrupted by the same δ would cancel, but it costs much less than a generic integrity check such as SHA3. Furthermore, non-algorithmic countermeasures like laser sensors deserve attention.
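The table-lookup key recovery and the XOR-sum health test that both abstracts describe, as an added worked example in Python; this is not the paper's code. It assumes an AES-like final round computed byte-wise as c[i] = S[x[i]] ^ k[i] (ShiftRows is ignored, since a byte permutation does not change per-byte statistics), a random 8-bit bijection from a seeded RNG standing in for a real S-box, and an attacker who knows the original value v* of the faulted entry, as in the basic PFA setting. The fault position 0x2A, the fault difference 0x15, the key and the inputs are all constructed here.

```python
"""Persistent fault attack (PFA) on a table-based S-box and the XOR-sum
health test.  Added illustration; model and all inputs are constructed."""
import random
from collections import Counter

BLOCK = 16  # bytes per block (assumption: AES-like 128-bit block)


def make_random_sbox(seed: int) -> list:
    """Random 8-bit bijection, a stand-in for a real cipher's S-box."""
    rng = random.Random(seed)
    table = list(range(256))
    rng.shuffle(table)
    return table


def health_test_xor(sbox: list) -> bool:
    """255 XORs over the 256 entries.  For a bijection the result is 0,
    because every bit position is set in exactly 128 of the 256 outputs.
    One corrupted entry S[x] -> S[x] ^ d moves the sum to d != 0, so any
    single persistent fault is caught.  It is not a full bijectivity
    test: two entries corrupted by the same d cancel each other."""
    acc = sbox[0]
    for v in sbox[1:]:
        acc ^= v
    return acc == 0


def inject_persistent_fault(sbox: list, index: int, delta: int) -> list:
    """PFA fault model: one table entry is flipped to S[index] ^ delta and
    stays corrupted for every subsequent encryption."""
    faulty = list(sbox)
    faulty[index] ^= delta
    return faulty


def last_round(x: bytes, key: bytes, sbox: list) -> bytes:
    """Byte-wise final round: c[i] = S[x[i]] ^ k[i]."""
    return bytes(sbox[xi] ^ ki for xi, ki in zip(x, key))


def guarded_last_round(x: bytes, key: bytes, sbox: list):
    """The countermeasure from the abstract: refuse to encrypt with a
    table that fails the health test (returns None instead)."""
    if not health_test_xor(sbox):
        return None
    return last_round(x, key, sbox)


def pfa_recover_key(ciphertexts: list, v_star: int) -> list:
    """Per byte position, the set of key candidates.  With the entry at
    x* corrupted, its original output v* is never produced, so the
    ciphertext value v* ^ k[i] never occurs at position i.  Every value
    unseen at position i yields candidate k = unseen ^ v*; with enough
    ciphertexts only the true key byte survives."""
    n = len(ciphertexts[0])
    counts = [Counter(c[i] for c in ciphertexts) for i in range(n)]
    return [{v ^ v_star for v in range(256) if counts[i][v] == 0}
            for i in range(n)]


def simulate_attack(seed: int = 1, samples: int = 8192):
    """Run the attack end to end.  Returns (true key, candidate sets per
    byte, result of the guarded encryption with the faulty table)."""
    rng = random.Random(seed)
    sbox = make_random_sbox(seed)
    key = bytes(rng.randrange(256) for _ in range(BLOCK))
    x_star, delta = 0x2A, 0x15          # constructed fault position/difference
    v_star = sbox[x_star]               # original value, assumed known to attacker
    faulty = inject_persistent_fault(sbox, x_star, delta)
    inputs = [bytes(rng.randrange(256) for _ in range(BLOCK))
              for _ in range(samples)]
    cts = [last_round(x, key, faulty) for x in inputs]   # one injection, many runs
    candidates = pfa_recover_key(cts, v_star)
    guarded = guarded_last_round(inputs[0], key, faulty)  # health test blocks it
    return key, candidates, guarded


if __name__ == "__main__":
    key, candidates, guarded = simulate_attack()
    print("key      :", key.hex())
    print("recovered:", bytes(next(iter(c)) for c in candidates).hex())
    print("guarded encryption with faulty table ->", guarded)
```

The attack needs enough ciphertexts that every legitimate value has appeared at each position; the detection- and infection-based countermeasures the abstract mentions raise that count by a constant factor but do not remove the missing-value signal. The double-fault case in the health test's docstring is the caveat to keep in mind when sizing the check against the fault model a device is expected to face.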

Key words: Bijection, Block cipher, Countermeasures, Health test, Persistent fault attack

CLC number: TP309.7