基于软件指令定位的新型高阶侧信道分析方法  

作　　者：郭志鹏[1] 唐明[1,2] 胡晓波 李煜光 彭国军[1] 张焕国[1] GUO Zhi-Peng;TANG Ming;HU Xiao-Bo;LI Yu-Guang;PENG Guo-Jun;ZHANG Huan-Guo(Key Laboratory of AIS & TC, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072;The Telecom ParisTech, Paris 75634 France;State Grid Key Laboratory of Power Industrial Chip Design and Analysis Technology,Beijing Smart-Chip Microelectronics Technology Co., Ltd., Beijing 100080)

机构地区：[1]武汉大学国家网络安全学院空天信息安全与可信计算教育部重点实验室,武汉430072 [2]巴黎高科国立高等电信学校,法国巴黎75634 [3]北京智芯微电子科技有限公司电力芯片设计分析国家电网公司重点实验室,北京100080

出　　处：《计算机学报》2019年第5期929-941,共13页Chinese Journal of Computers

基　　金：国家自然科学基金(61472292;61332019);密码科学技术国家重点实验室开放课题基金(面上项目)(MMKFKT201821);湖北省技术创新专项(2018AAA046);密码芯片防护设计下的侧信道分析检测技术研究(2018J-10)资助~~

摘　　要：现有的大多数高阶掩码方案都采用了软件实现方式,这样可以防止硬件电路毛刺产生的安全泄漏,同时不会受到硬件平台资源不足的限制.在目前针对高阶掩码方案的多种分析方法中,高阶侧信道分析是最有效的分析方法之一.即使是满足理论安全性的高阶掩码方案,高于理论安全阶数的高阶侧信道分析依然可以对其进行攻击.然而,当掩码方案的阶数很高时,由于高阶分析的时间复杂度和数据复杂度非常高,这使得高阶分析方法难以成功实施.在该文中,作者基于指令识别提出了一种特征点选取方法,称作指令定位特征点选择方法(Instruction Recognition-based Points of Interest Selection,IR-PoIS).通过定位与敏感信息相关的指令,IR-PoIS方法可以确定高阶掩码方案中每个秘密共享因子对应功耗出现的具体位置,从而降低后续高阶分析方法的时间复杂度.对于一个有n个秘密共享因子的高阶掩码方案,IR-PoIS方法可以将高阶分析方法的时间复杂度水平从功耗曲线点数的n次方降低到线性水平,大大提高了高阶分析方法的效率.并且由于目标CPU的指令集是已知的,攻击者可以事先对敏感指令进行建模.在SASEBO-W开发板上的实验中,作者对LDD指令进行了定位.实验结果表明,只需十条左右的功耗曲线,IR-PoIS的定位成功率就可以达到100%.这表明IR-PoIS方法是一种非常高效的特征点选择方法.在此基础上,该文成功地攻击了三阶Coron14掩码方案的软件实现,验证了基于IR-PoIS的高阶侧信道分析方法的有效性.Masking is a very common and popular countermeasure against side - channel attacks. In a masking scheme, any sensitive variables in a cryptographic implementation are randomized by mask sequences. In order to resist higher-order attacks, masking schemes have been developed into higher-order masking schemes. A software implementation is the most common design of higher-order maskings for overcoming the glitch weakness and resource limitation. Until now, higher-order SCAs have been the only challenge to higher-order masking schemes, which were proven to be theoretically secure. However, owing to the large time and data complexities, higher- order analyses are sometimes regarded as infeasible when the order is very high. Thus, it is very important to identify the interesting tuples (or to narrow down a window of time samples as much as possible) prior to key recovery in order to maintain the computational complexity of a multivariate attack at a feasible level. Nevertheless, the existing PoI methods are based on exhaustive searching, and the time complexity is determined by the size of the sample window, the number of samples, and the order of the masking. In this paper, we propose a PoI selection method called IR-PoIS to locate the interesting points for the higher-order analysis because it is based on instruction recognition. By targeting the locations of the instructions corresponding to the sensitive information, IR-PoIS can find the precise locations of the different shares in a masking scheme. It is noted that IR-PoIS can decrease the time complexity from polynomial of degree n to linear in the number of points of a power trace, where n is the number of shares in the masking, which is a notable improvement in the higher-order analysis. As the RISC set is very popular in most existing CPUs, it is reasonable for an analyzer to build all the templates for sensitive instructions before collecting several power traces to analyze. In order to demonstrate the practicality and effectiveness of IR-PoIS, we physically e

关 键 词：侧信道分析 高阶分析 高阶掩码方案 指令识别 软件实现 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]