AES相关故障注入攻击  被引量：5

作　　者：王省欣 胡伟[1] 谭静 朱嘉诚 唐时博 WANG Xingxin;HU Wei;TAN Jing;ZHU Jiacheng;TANG Shibo(School of Cybersecurity,Northwestern Polytechnical University,Xi’an 710072,China)

机构地区：[1]西北工业大学网络空间安全学院,陕西西安710072

出　　处：《西安电子科技大学学报》2021年第4期192-199,208,共9页Journal of Xidian University

基　　金：国家自然科学基金(62074131);陕西省自然科学基金(2019JM-244);西北工业大学硕士研究生创意创新种子基金(CX2020297)。

摘　　要：由于故障注入攻击方法大多对故障注入的位置、时机和数量有严格的要求,密钥恢复过程中往往需要复杂的数学分析,或者需要大量时间来训练故障攻击模板,故提出一种针对不同密钥长度高级加密标准算法实现的简单相关故障注入攻击方法,利用高级加密标准故障效应传播中的相关关系恢复密钥。该攻击方法对故障注入位置和数量要求更为灵活,且只需通过简单的相关性分析即可破解密钥。实验结果表明:在不同密钥长度高级加密标准算法实现倒数第3轮(N_(r)-2)列混合变换前至S盒变换之间任意位置注入随机故障后,分析最后一轮S盒输入的故障效应相关关系即可恢复最后一轮的轮密钥;在192位和256位高级加密标准算法实现倒数第4轮(N_(r)-3)列混合变换前至S盒变换之间任意位置注入随机故障后可恢复倒数第2轮(N_(r)-1)列的轮密钥。该方法的密钥搜索复杂度为216,只需2个正确-错误密文对或同一明文下的4条错误密文即可恢复128位高级加密标准初始密钥;只需4个正确-错误密文对或同一明文下的8条错误密文即可恢复192和256位高级加密标准初始密钥。Fault injection attack is an effective cryptanalysis method.However,most existing fault injection attacks have strict restrictions on the location,time and number of faults injected,require complicated mathematical derivation during the key recovery process or need a huge amount of time to train fault attack templates.This paper proposes a comprehensive correlation fault injection attack on AES implementations of different key lengths,leveraging the correlation in the fault effect propagation in AES to recover the key.Our attack method uses a more flexible fault model in terms of the location and number of fault injections while only requiring simple correlation analysis to recover the key.Experimental results using AES implementations of variable key sizes show that random faults injected at any position before the mix-columns operation in the-2 round will allow successful recovery of the last round key through correlation analysis of the fault effects at the inputs of the S-Box in the final round.Additional random faults injected at any position before the mix-columns operation in the-3 round will allow the recovery of the round key before the final round.The key search complexity of the proposed method is 2^(16).Two correct and faulty ciphertext pairs or four faulty ciphertexts under the same plaintext are sufficient to recover the original key of AES-128 and four correct and faulty ciphertext pairs or eight faulty ciphertexts under the same plaintext are sufficient to recover the original key of AES-192 and AES-256.

关 键 词：侧信道分析 故障注入攻击 相关故障分析 高级加密标准 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]