Random Plaintext Collision Attack Against AES Algorithm with Reused Masks    Cited by: 6


Authors: ZHAO Bingyu, WANG Liusheng, ZHANG Meiling [1,2], ZHENG Dong [1,2] (School of Cyberspace Security, Xi'an University of Posts & Telecommunications, Xi'an 710121, China; National Engineering Laboratory for Wireless Security, Xi'an University of Posts & Telecommunications, Xi'an 710121, China)

Affiliations: [1] School of Cyberspace Security, Xi'an University of Posts & Telecommunications, Xi'an 710121; [2] National Engineering Laboratory for Wireless Security, Xi'an University of Posts & Telecommunications, Xi'an 710121

Source: Computer Engineering (《计算机工程》), 2022, No. 6, pp. 139-145, 153 (8 pages)

Funding: National Key R&D Program of China (2017YFB0802000); Shaanxi Provincial Key R&D Program (2020ZDLGY08-04).

Abstract: Side-channel attacks are an active topic in cryptographic research. As an important branch of side-channel attacks, collision attacks can effectively extract information about intermediate values from power leakage. The attacker detects collisions between two different S-boxes from the intermediate-value information, uses the collisions to establish linear relationships between different key bytes, and thereby reduces the key candidate space. For the Advanced Encryption Standard (AES) algorithm with reused masks, the existing adaptive chosen-plaintext collision attack requires a pre-established attack template and imposes many preconditions on launching the attack. To address this problem, this study proposes an efficient random plaintext collision attack. Based on the relationship between the Hamming distance of two different S-box input values and the Euclidean distance of the corresponding power traces, the method determines the correct key XOR value among the 256 possible key XOR values. Theoretical analysis shows that the method exploits the information in power traces that do not collide and requires neither a pre-established template nor a pre-determined collision threshold. In addition, the encrypted plaintexts are random, so the attack is a known-plaintext attack and can be carried out when the attacker is unable to operate the target device. Experimental results show that, compared with the adaptive chosen-plaintext collision attack, the Improved Collision-Correlation Attack (ICCA) and other methods, the proposed method reduces the preconditions for launching a collision attack and expands the attack range.
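The relationship the abstract relies on can be made concrete with a small simulation. The following Python is an added illustration, not code from the paper or its authors, and it assumes a constructed leakage model: each bit of a masked first-round S-box input x = p ^ k ^ m leaks at its own trace sample with Gaussian noise, so the Euclidean distance between two S-box segments is close to the square root of their Hamming distance. When the two S-boxes share a mask, the mask cancels in x_i ^ x_j and the Hamming distance equals HW(p_i ^ p_j ^ delta) with delta = k_i ^ k_j; ranking all 256 delta candidates by how well that prediction correlates with the measured distances (Pearson correlation is an assumption here, since the abstract does not name the statistic) picks out the correct delta from random plaintexts with no threshold and no template. The same run with independent masks shows the statistic going flat, which is the property an evaluator checks when deciding whether a masking scheme may reuse masks across S-boxes. Names such as assess_mask_reuse and all parameter values are constructed for this example.

```python
import math
import random


def hamming_weight(x: int) -> int:
    """Hamming weight of one byte."""
    return bin(x & 0xFF).count("1")


def simulate_pair_traces(n, k_i, k_j, reuse_masks, noise_sd, rng):
    """Constructed leakage model (an assumption, not the paper's measurement setup):
    every bit of a masked first-round S-box input x = p ^ k ^ m leaks at its own
    sample, so a trace segment is the 8 input bits plus Gaussian noise.  The
    Euclidean distance between the two segments is then close to
    sqrt(HD(x_i, x_j)).  Returns the random plaintext pairs and those distances.
    """
    pairs, dists = [], []
    for _ in range(n):
        p_i, p_j = rng.randrange(256), rng.randrange(256)   # random plaintexts
        m_i = rng.randrange(256)
        m_j = m_i if reuse_masks else rng.randrange(256)   # reused or fresh mask
        x_i, x_j = p_i ^ k_i ^ m_i, p_j ^ k_j ^ m_j
        seg_i = [((x_i >> b) & 1) + rng.gauss(0.0, noise_sd) for b in range(8)]
        seg_j = [((x_j >> b) & 1) + rng.gauss(0.0, noise_sd) for b in range(8)]
        dists.append(math.sqrt(sum((a - c) ** 2 for a, c in zip(seg_i, seg_j))))
        pairs.append((p_i, p_j))
    return pairs, dists


def pearson(xs, ys):
    """Plain Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / math.sqrt(vx * vy)


def rank_key_xor(pairs, dists):
    """Score all 256 candidates for delta = k_i ^ k_j.  With a reused mask the
    mask cancels in x_i ^ x_j, so HD(x_i, x_j) = HW(p_i ^ p_j ^ delta); the
    candidate whose predicted Hamming distances correlate best with the measured
    Euclidean distances is ranked first.  Every trace contributes, colliding or
    not, and no collision threshold or template is needed."""
    scores = []
    for delta in range(256):
        predicted = [hamming_weight(p_i ^ p_j ^ delta) for p_i, p_j in pairs]
        scores.append((pearson(predicted, dists), delta))
    scores.sort(reverse=True)
    return scores


def assess_mask_reuse(k_i=0x3C, k_j=0xA7, n=3000, noise_sd=0.25, seed=1):
    """Run the distinguisher once with reused masks and once with independent
    masks; report the top-ranked delta and its correlation for each case."""
    result = {}
    for label, reuse in (("reused", True), ("fresh", False)):
        rng = random.Random(seed)   # fixed seed so the run is reproducible
        pairs, dists = simulate_pair_traces(n, k_i, k_j, reuse, noise_sd, rng)
        best_score, best_delta = rank_key_xor(pairs, dists)[0]
        result[label] = {"delta": best_delta, "score": best_score}
    result["true_delta"] = k_i ^ k_j
    return result


if __name__ == "__main__":
    r = assess_mask_reuse()
    print(f"true delta = {r['true_delta']:#04x}")
    for label in ("reused", "fresh"):
        print(f"{label:6s} masks: top delta {r[label]['delta']:#04x}, "
              f"correlation {r[label]['score']:.3f}")
```

With reused masks the true delta (0x9B for the constructed key bytes) is ranked first with a correlation well above the runner-up; with independent masks the best of the 256 scores is only noise-level, since the unknown mask difference m_i ^ m_j randomizes the Hamming distance that the prediction depends on. A real evaluation replaces the simulated segments with measured trace windows aligned on the two S-box computations, but the ranking step is unchanged.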

Keywords: side-channel attack; collision attack; Hamming distance; Euclidean distance; Advanced Encryption Standard

Classification: TP309 [Automation and Computer Technology / Computer System Architecture]

 
