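Authors: Liu Huiying [1], Zhao Xinjie [1,2], Wang Tao [1], Guo Shize [1,2], Zhang Fan [3], Ji Keke [1]
Affiliations: [1] Department of Computer Engineering, Ordnance Engineering College, Shijiazhuang 050003; [2] Institute of North Electronic Equipment, Beijing 100083; [3] Department of Computer Science and Engineering, University of Connecticut
Source: Chinese Journal of Computers (《计算机学报》), 2013, No. 6, pp. 1183-1193 (11 pages)
Funding: Supported by the National Natural Science Foundation of China (61173191; 61272491)
Abstract: Based on the Hamming weight leakage model, the resistance of the SMS4 algorithm to algebraic side-channel attacks is evaluated. First, an equivalent system of Boolean algebraic equations for SMS4 is constructed. Then the power leakage of SMS4 encryption is collected, the Hamming weights of the intermediate state bytes of the encryption are inferred by template analysis, and these are converted into algebraic equations that are combined with those of the cipher. Finally, a solver is used to recover the key. The results show that SMS4 is vulnerable to algebraic side-channel attacks. With known plaintext, 4 consecutive rounds of Hamming weight leakage or 26 rounds of discrete Hamming weight leakage in 2 samples suffice to recover the 128-bit SMS4 master key. With unknown plaintext and ciphertext, 5 consecutive rounds of Hamming weight leakage in 2 samples suffice to recover the 128-bit SMS4 master key. An SMS4 implementation protected by random masking still cannot effectively resist algebraic side-channel attacks: with known plaintext, 14 consecutive rounds of Hamming weight leakage in 2 samples suffice to recover the 128-bit SMS4 master key. To improve the practicality of the attack, an error-tolerant algebraic side-channel attack method is proposed; the results show that when the error rate of Hamming weight inference does not exceed 60%, 2 samples suffice to recover the 128-bit SMS4 master key. The method is of reference value for research on algebraic side-channel attacks against other block ciphers.
English abstract: We evaluate the resistance of SMS4 against algebraic side-channel attack (ASCA) based on the Hamming weight (HW) model. Firstly, SMS4 is described as a set of equations involving the public and key variables and the power leakages of the encryption are measured. Secondly, the HWs of intermediate bytes are deduced through the template analysis and additional equations are generated. Thirdly, the sat-solver is adopted to recover the key. Experiment results show that SMS4 is vulnerable to ASCA. In the known-plaintext scenario, four rounds consecutive HW leakages or twenty-six rounds randomly distributed HW leakages in two traces are enough to recover the 128 bits master key. In the unknown-plaintext scenario, the HW leakages of the first five rounds in two traces are enough to recover the full key. We also show that SMS4 implemented with masking countermeasures is also vulnerable to ASCA. In known-plaintext scenario, the HW leakages of 14 rounds in two traces are enough to recover the full key. To improve the feasibility of the attack, an error tolerant ASCA is proposed. The master key of SMS4 can be recovered with the leakages of the first 10 rounds in two traces, even when the error rate of HW deductions is 60%. Our work can also be used to attack other block-ciphers.
Keywords: SMS4; algebraic side-channel attack; Hamming weight; template analysis; masking countermeasure; error tolerance
Classification: TP393 [Automation and Computer Technology - Computer Application Technology]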