轻量级分组密码SLIM的差分故障攻击  被引量：2

作　　者：高杨 王永娟[1,2] 高光普 袁庆军 王灿 GAO Yang;WANG Yong-Juan;GAO Guang-Pu;YUAN Qing-Jun;WANG Can(PLA Strategic Support Force Information Engineering University,Zhengzhou 450001,China;Henan Key Laboratory of Network Cryptography Technology,Zhengzhou 450001,China)

机构地区：[1]战略支援部队信息工程大学,郑州450001 [2]河南省网络密码技术重点实验室,郑州450001

出　　处：《密码学报》2022年第2期223-236,共14页Journal of Cryptologic Research

基　　金：国家自然科学基金(61872381);河南省网络密码技术重点实验室开放基金(LNCT2019-S02)。

摘　　要：SLIM是2020年提出的新型轻量级分组密码算法,因其极低的门电路功耗和良好的硬件实现性能,在受限的小规模加密场合具有一定应用前景.差分故障攻击是研究轻量级密码算法的有效手段,本文采用半字节故障攻击模型对SLIM算法进行研究,分析算法差分扩散规律,结合密钥扩展方案,提出一种故障注入策略.分别在第2至32轮注入宽度为1至4个半字节的故障,最少共注入62组故障可将恢复主密钥的计算复杂度降低至2^(3).本文研究SLIM算法S盒的差分不均匀性,通过分析输入差分、输出差分和可能输入值之间的对应关系建立S盒差分分布表,将差分方程的求解直接转化为查表操作,快速缩小方程解空间.进一步利用S盒差分分布统计规律系统分析了方程是否存在唯一解的情形,基于概率学知识计算出不同故障注入组数下各轮密钥恢复成功率,得到恢复主密钥所需故障注入组数期望值68.15组.经仿真模拟实验,1000次攻击恢复主密钥所需故障注入组数均值为69.07组,与理论结果较为接近.SLIM is a new lightweight block cipher proposed in 2020.Due to its extremely low gate-circuit power consumption and excellent hardware implementation performance,it has certain potential applications for resource-constrained devices for tiny-scale encryption systems.Differential fault attack is an effective method to threat lightweight ciphers.In this paper,the nibble fault attack model is introduced to analyze the SLIM cipher.Combined with the key expansion scheme and the differential diffusion properties in SLIM algorithm,a fault injection strategy is proposed.The faults with the width of 1 to 4 nibbles are injected in the second to 32nd rounds separately.The group of number of fault injection is at least 62,which can reduce the computational complexity of recovering the main key to 2^(3).This paper studies the differential non-uniformity of the S-box in SLIM cipher.The S-box differential distribution table is established by analyzing the correspondence between the input difference,the output difference and possible input values.Then solving a differential equation is directly converted into a lookup table,which can reduce the solution space of the differential equation efficiently.The properties of S-box differential distribution is further used to analyze whether the equation has a unique solution.Based on the knowledge of probability,the success rate of key recovery per round under different number of fault injection groups is calculated,and the expectation of fault injection groups of recovering the main key is 68.15.Simulation experiments show that,the average number of fault injection groups for 1000 attacks is 69.07,which is similar to the theoretical result.

关 键 词：差分故障攻击 轻量级分组密码 SLIM算法 概率分析 

分 类 号：TP309.2[自动化与计算机技术—计算机系统结构]